“Multiple faults protection” field the associated safety mechanisms needed to correctly manage a multi-fault
scenario, including mitigation measures against the disabling of safety mechanisms.
It is strongly recommended to include the implementation of such mitigation measures in the safety concept.
This is especially relevant for systems operating over long periods, where error accumulation must be considered.
4.2 Dependent failures analysis
The analysis of dependent failures is important for microcontrollers. The main sub-class of dependent failures
is the Common Cause Failure (CCF). Its analysis is governed by IEC 61508:2 annex E, which lists the design
requirements to be verified in order to allow the use of on-chip redundancy for ICs with one common semiconductor
substrate. Annexes E.1 and E.2 apply for HFT = 1, while Annex E.3 must be applied to every form of on-chip
redundancy, including diagnostics implemented on the same silicon.
As there is no on-chip redundancy on STM32F2 Series devices, the CCF quantification through the BetaIC
computation method is not required. Note that in the case of a 1oo2 safety architecture implementation, the end
user is required to evaluate the parameter βD, which is the measure of the common-cause failure between the two
channels and is used in the PFH computation.
The STM32F2 Series device architecture and structures can be potential sources of dependent failures. These
are analyzed in the following sections. The safety mechanisms referred to are described in detail in Section
3.6 Description of hardware and software diagnostics.
4.2.1 Power supply
Power supply is a potential source of dependent failures, because any alteration of the power supply can
affect many parts, leading to non-independent failures. The following safety mechanisms address and mitigate
those dependent failures:
• VSUP_SM_1: detection of abnormal value of supply voltage;
• VSUP_SM_2: the independent watchdog has a different supply source from the digital core of the MCU, and
this diversity helps to mitigate dependent failures related to the main supply alterations.
The adoption of such safety mechanisms is therefore highly recommended, despite their minor contribution to the
safety metrics needed to reach the required safety integrity level. Refer to Section 3.6.19 Reset and clock control (RCC)
subsystem for the detailed safety mechanism descriptions.
4.2.2 Clock
System clocks are a potential source of dependent failures, because alterations in the clock characteristics
(frequency, jitter) can affect many parts, leading to non-independent failures. The following safety mechanisms
address and mitigate those dependent failures:
• CLK_SM_1: the clock security system is able to detect hard alterations (stop) of the system clock and activate
the adequate recovery actions.
• CLK_SM_2: the independent watchdog has a dedicated clock source. An alteration of the system clock frequency
causes the refresh routine of the application software to violate the watchdog window, leading to an MCU reset
by the watchdog.
The adoption of such safety mechanisms is therefore highly recommended, despite their minor contribution to the
safety metrics needed to reach the required safety integrity level. Refer to Section 3.6.20 Independent watchdog (IWDG),
system window watchdog (WWDG) for the detailed safety mechanism descriptions.
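The mechanism behind CLK_SM_2 is that the watchdog counts on a clock the fault cannot touch, while the refresh routine runs on the clock under suspicion. The following simulation is an added example written for this page; it is not code from UM1845 or from STMicroelectronics. It models a windowed watchdog with its own time base and an application that refreshes it every fixed number of system clock cycles, then checks whether a given system clock frequency alteration drives the refresh outside the window. The window bounds, clock periods and refresh period are constructed values, not device parameters.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Windowed watchdog model (constructed for this example). The counter advances
 * on the watchdog's own clock; a refresh is only accepted inside [window_min,
 * window_max] counts since the previous refresh. */
typedef struct {
    uint32_t window_min;     /* earliest accepted refresh, in watchdog ticks */
    uint32_t window_max;     /* latest accepted refresh (timeout), in watchdog ticks */
    uint32_t counter;        /* watchdog ticks elapsed since the last refresh */
    bool reset_asserted;     /* set once the watchdog has requested an MCU reset */
} wwdg_t;

void wwdg_init(wwdg_t *w, uint32_t window_min, uint32_t window_max) {
    w->window_min = window_min;
    w->window_max = window_max;
    w->counter = 0;
    w->reset_asserted = false;
}

/* One tick of the dedicated watchdog clock. Returns true when a reset is pending. */
bool wwdg_tick(wwdg_t *w) {
    if (w->reset_asserted) return true;
    w->counter++;
    if (w->counter > w->window_max) w->reset_asserted = true;   /* refresh came too late */
    return w->reset_asserted;
}

/* Refresh issued by the application. A refresh before window_min is a window
 * violation (a system clock running too fast) and also forces a reset. */
bool wwdg_refresh(wwdg_t *w) {
    if (w->reset_asserted) return true;
    if (w->counter < w->window_min) {
        w->reset_asserted = true;                                /* refresh came too early */
        return true;
    }
    w->counter = 0;
    return false;
}

/* Event-driven simulation. freq_ratio is the actual/nominal system clock
 * frequency (1.0 = healthy, 0.5 = halved, 0.0 = stopped). The watchdog clock
 * period is fixed because it is independent of the system clock. Returns true
 * if the watchdog asserted a reset within sim_time_ns. */
bool simulate_clock_fault(double freq_ratio, double sim_time_ns) {
    wwdg_t w;
    wwdg_init(&w, 40, 60);                     /* constructed window: 40..60 ticks */
    const double wdg_period_ns = 1000.0;       /* dedicated watchdog clock, unaffected */
    const uint32_t refresh_cycles = 5000;      /* refresh routine period in sysclk cycles */
    const double sys_period_ns_nominal = 10.0;

    double t_wdg = wdg_period_ns;              /* time of next watchdog tick */
    double refresh_interval_ns;
    double t_ref;
    if (freq_ratio <= 0.0) {                   /* stopped system clock: refresh never arrives */
        refresh_interval_ns = 0.0;
        t_ref = sim_time_ns + 1.0;
    } else {
        refresh_interval_ns = refresh_cycles * (sys_period_ns_nominal / freq_ratio);
        t_ref = refresh_interval_ns;
    }

    while (t_wdg <= sim_time_ns || t_ref <= sim_time_ns) {
        if (t_wdg <= t_ref) {                  /* next event is a watchdog tick */
            if (wwdg_tick(&w)) return true;
            t_wdg += wdg_period_ns;
        } else {                               /* next event is an application refresh */
            if (wwdg_refresh(&w)) return true;
            t_ref += refresh_interval_ns;
        }
    }
    return w.reset_asserted;
}

int main(void) {
    const double ratios[] = {1.0, 0.9, 1.2, 0.5, 2.0, 0.0};
    for (size_t i = 0; i < sizeof ratios / sizeof ratios[0]; i++) {
        printf("sysclk ratio %.2f -> %s\n", ratios[i],
               simulate_clock_fault(ratios[i], 1.0e6) ? "watchdog reset" : "no reset");
    }
    return 0;
}
```

With a healthy clock the refresh lands at tick 50 of a 40..60 window, so no reset occurs. Halving the system clock doubles the refresh period to 100 ticks and the watchdog times out first; doubling it brings the refresh forward to tick 25, which the window rejects as early. Both directions of frequency drift are therefore converted into a detectable window violation precisely because the watchdog's time base is not shared with the faulty clock.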
4.2.3 DMA
DMA is a widely shared resource involved in the data transfers of most peripherals. Failures of the DMA
can interfere with the behavior of the system peripherals or of the application software, leading to non-independent
failures. The safety mechanisms addressing such dependent failures are the following:
• DMA_SM_0,
• DMA_SM_1,
• DMA_SM_2.
The adoption of such safety mechanisms is therefore highly recommended. It is worth noting that if DMA is not
used for data transfers, then only DMA_SM_0 must be implemented. Refer to Section 3.6.6 Direct memory access
controller (DMA) for the detailed safety mechanism descriptions.
UM1845
Dependent failures analysis
UM1845 - Rev 4
page 84/108