3.3 Safety analysis assumptions
This section collects all assumptions made during the safety analysis of Devices.
3.3.1 Safety requirement assumptions
The safety concept specification, the overall safety requirement specification and the consequent allocation
determine the requirements for Compliant item as further listed. ASR stands for assumed safety requirement.
Caution: It is End user’s responsibility to check the compliance of the final application with these assumptions.
ASR1: Compliant item can be used to implement four kinds of safety function modes of operation according to
IEC61508-4,3.5.16:
• a continuous mode (CM) or high-demand (HD) SIL3 safety function (CM3), or
• a low-demand (LD) SIL3 safety function (LD3), or
• a CM or HD SIL2 safety function (CM2), or
• a LD SIL2 safety function (LD2).
ASR2: Compliant item is used to implement safety function(s) allowing a specific worst-case time budget (see
note below) for the STM32 MCU to detect and react to a failure. That time corresponds to the portion of the
process safety time (PST) allocated to Device (STM32xx Series duty in Figure 5) in error reaction chain at system
level.
Note: The computation for time budget mainly depends on the execution speed for periodic tests implemented
by software. Such duration might depends on the actual amount of hardware resources (RAM memory,
Flash memory, peripherals) actually declared as safety-related. Further constraints and requirements from
IEC61508-2, 7.4.5.3 must be considered.
Figure 5. Allocation and target for STM32 PST
System-level PST
MCU detection FW reaction SW reaction Actuator reaction
STM32xx Series duty End user duty
….
ASR3: Compliant item is used to implement safety function(s) that can be continuously powered on for a period
over eight hours. It is assumed to not require any proof test, and the lifetime of the product is considered to be no
less than 10 years.
ASR4: It is assumed that only one safety function is performed or if many, all functions are classified with the
same SIL and therefore they are not distinguishable in terms of their safety requirements.
ASR5: In case of multiple safety function implementations, it is assumed that End user is responsible to duly
ensure their mutual independence.
ASR6: It is assumed that there are no non-safety-related functions implemented in Application software,
coexisting with safety functions.
ASR7: It is assumed that the implemented safety function(s) does (do) not depend on transition of Device to and
from a low-power state.
ASR8: The local safe state of Compliant item is the one in which either:
• SS1: Application software is informed by the presence of a fault and a reaction by Application software itself
is possible.
• SS2: Application software cannot be informed by the presence of a fault or Application software is not able
to execute a reaction.
Note: End user must take into account that random hardware failures affecting Device can compromise its operation
(for example failure modes affecting the program counter prevent the correct execution of software).
UM2305
Safety analysis assumptions
UM2305 - Rev 10
page 8/110
To Next Page
Loading...
Need help?
General
