ST STM32L4 Series User Manual
4.1.3 Notes on multiple-fault scenario
According to the requirements of IEC 61508, the safety analysis for STM32L4 and STM32L4+ Series devices
considered multiple-fault scenarios. Furthermore, following the spirit of ISO 26262 (the reference, state-of-the-art
standard for integrated circuit safety analysis), the analysis investigated the possible causes that prevent
the implemented safety mechanisms from being effective, in order to determine appropriate countermeasures.
In the Multiple-fault protection field, the tables in Section 3.6 Hardware and software diagnostics report the
safety mechanisms required to properly manage a multiple-fault scenario, including mitigation measures against
failures that make safety mechanisms ineffective. It is strongly recommended that the safety concept include such
mitigation measures, in particular for systems operating over long periods, as these tend to accumulate
errors. Fault accumulation has indeed been taken into account during the STM32L4 and STM32L4+ Series
safety analysis.
Another potential source of multiple-error conditions is the accumulation of permanent failures during power-off
periods: while the end system is not powered, no safety mechanism is active, so such failures cannot be
detected early. To mitigate this, it is strongly recommended to execute all periodic safety mechanisms at each
system power-up; this measure guarantees a fresh system start on fault-free hardware. This recommendation
applies to the periodic safety mechanisms rated "++" (highly recommended) in the Device safety concept, and
mainly to the most relevant ones in terms of failure distribution: CPU_SM_0, FLASH_SM_0, RAM_SM_0. This
start-up execution is strongly recommended regardless of the safety function's mode of operation and of the
value of PST.
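As an added illustration of the start-up execution recommended above (example code written for this page, not part of UM2305 and not ST's own implementation of these mechanisms): a host-runnable C sketch of a power-up self-test that runs stand-ins for CPU_SM_0, FLASH_SM_0 and RAM_SM_0 and refuses to start the application if any of them fails. The flash image, the RAM region, the CRC-32 reference and the stuck-at fault-injection hook are all constructed for the demo; the real mechanisms are those described in Section 3.6.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the programmed flash contents. On the target this
 * would be the flash region itself; an array lets the example run on a host. */
static const uint8_t flash_image[] =
    "constructed STM32L4 application image used by the start-up self-test demo";
#define FLASH_IMAGE_LEN (sizeof(flash_image) - 1u)

/* Simulated RAM region under test (hypothetical size, 64 words). */
#define RAM_WORDS 64u
static uint32_t ram_under_test[RAM_WORDS];

/* Hypothetical fault model for the demo: one cell reads back with these bits
 * stuck at 0. A mask of 0 means healthy RAM. */
static size_t   fault_cell = 0;
static uint32_t fault_stuck0_mask = 0;

void inject_ram_fault(size_t cell, uint32_t stuck0_mask) {
    fault_cell = cell;
    fault_stuck0_mask = stuck0_mask;
}
void clear_ram_fault(void) { fault_stuck0_mask = 0; }

static uint32_t ram_read(const uint32_t *base, size_t i) {
    uint32_t v = base[i];
    if (base == ram_under_test && i == fault_cell) v &= ~fault_stuck0_mask;
    return v;
}

/* Bitwise CRC-32 (IEEE, reflected polynomial 0xEDB88320). */
uint32_t crc32_compute(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Reference CRC. In a real build the linker stores it at a known flash
 * address; computing it here at start-up is only a stand-in for that step. */
uint32_t reference_crc(void) { return crc32_compute(flash_image, FLASH_IMAGE_LEN); }

/* CPU_SM_0 stand-in: a handful of ALU operations against known results.
 * volatile keeps the compiler from folding them away at build time. */
int cpu_test(void) {
    volatile uint32_t x = 0x12345678u, y = 0x0F0F0F0Fu;
    return (x + y) == 0x21436587u && (x ^ y) == 0x1D3B5977u &&
           (x >> 4) == 0x01234567u && (y << 4) == 0xF0F0F0F0u;
}

/* FLASH_SM_0 stand-in: recompute the image CRC and compare with the reference. */
int flash_test(uint32_t expected) {
    return crc32_compute(flash_image, FLASH_IMAGE_LEN) == expected;
}

/* RAM_SM_0 stand-in: march-style test (write a; read a, write b ascending;
 * read b, write a descending; read a) for two complementary pattern pairs. */
int ram_march_test(uint32_t *base, size_t words) {
    static const uint32_t pat[] = { 0x00000000u, 0xFFFFFFFFu, 0xAAAAAAAAu, 0x55555555u };
    for (size_t p = 0; p < 4; p += 2) {
        uint32_t a = pat[p], b = pat[p + 1];
        for (size_t i = 0; i < words; i++) base[i] = a;
        for (size_t i = 0; i < words; i++) {
            if (ram_read(base, i) != a) return 0;
            base[i] = b;
        }
        for (size_t i = words; i-- > 0;) {
            if (ram_read(base, i) != b) return 0;
            base[i] = a;
        }
        for (size_t i = 0; i < words; i++)
            if (ram_read(base, i) != a) return 0;
    }
    return 1;
}

enum { FAIL_CPU = 1u, FAIL_FLASH = 2u, FAIL_RAM = 4u };

/* Run every start-up test and return a bitmask of the ones that failed. */
uint32_t startup_self_test(uint32_t expected_crc) {
    uint32_t failures = 0;
    if (!cpu_test())                                failures |= FAIL_CPU;
    if (!flash_test(expected_crc))                  failures |= FAIL_FLASH;
    if (!ram_march_test(ram_under_test, RAM_WORDS)) failures |= FAIL_RAM;
    return failures;
}

int main(void) {
    uint32_t failures = startup_self_test(reference_crc());
    if (failures != 0) {
        printf("start-up self-test failed (mask 0x%x): entering safe state\n", failures);
        return 1;   /* on a target: stay in the safe state, do not start the safety function */
    }
    printf("start-up self-test passed: starting application\n");
    return 0;
}
```

The failure bitmask gates application start, so a defect found by any single test keeps the safety function from running on that hardware. On the device, the reference CRC is read from flash rather than recomputed, and the RAM test runs before the stack and application data that it overwrites are in use.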
4.2 Analysis of dependent failures
The analysis of dependent failures is important for microcontroller and microprocessor devices. The main
subclasses of dependent failures are common cause failures (CCFs). Their analysis is governed by IEC 61508:2
Annex E, which lists the design requirements to be verified before on-chip redundancy can be used in integrated
circuits with a single common semiconductor substrate.
As there is no on-chip redundancy on STM32L4 and STM32L4+ Series devices, CCF quantification through
the βIC computation method, as required by Annex E.1, item i, is not needed. Note that, for a 1oo2
safety architecture implementation, the end user is required to evaluate the β and βD parameters (used in the PFH
computation) that reflect the common cause factors between the two channels.
The device architecture and structures are potential sources of dependent failures; they are analyzed in
the following sections. The safety mechanisms referred to are described in Section 3.6 Hardware and software
diagnostics.
4.2.1 Power supply
The power supply is a potential source of dependent failures, because any alteration of it can simultaneously
affect many modules, leading to non-independent failures. The following safety mechanisms address and mitigate
those dependent failures:
VSUP_SM_1: detection of an abnormal supply voltage value;
VSUP_SM_2: the independent watchdog is distinct from the digital core of the MCU, and this diversity
helps to mitigate dependent failures related to alterations of the main supply. As reported in the VSUP_SM_2
description, a separate power supply for the IWDG and/or the adoption of an external watchdog (CPU_SM_5)
increases such diversity.
The adoption of these safety mechanisms is therefore highly recommended, despite their minor contribution to the
safety metrics needed to reach the required safety integrity level. Refer to Section 3.6.6 Power controller (PWR)
for the detailed safety mechanism descriptions.
4.2.2 Clock
System clocks are a potential source of dependent failures, because alterations in the clock characteristics
(frequency, jitter) can affect many parts, leading to non-independent failures. The following safety mechanisms
address and mitigate such dependent failures:
CLK_SM_1: the clock security system is able to detect hard alterations (stop) of the system clock and activate
the adequate recovery actions.
CLK_SM_2: the independent watchdog has a dedicated clock source. A frequency alteration of the
system clock causes the triggering routine in the application software to violate the watchdog window,
leading to an MCU reset by the watchdog.
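To illustrate how CLK_SM_2 turns a system-clock frequency deviation into a watchdog reset (an added example written for this page, not code from UM2305 or from ST): the sketch below simulates a window watchdog counting on its own clock while the application refreshes it from a task scheduled in system-clock cycles. The watchdog clock, window limits, refresh period and the 80 MHz nominal system clock are constructed values chosen for the demo, not device parameters.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed parameters for the demo (assumptions, not UM2305 values). */
#define WDG_CLK_HZ             32000u   /* watchdog's own clock, an LSI-class RC oscillator */
#define WDG_WINDOW_OPEN          800u   /* refresh accepted only once the counter reaches this */
#define WDG_TIMEOUT             1200u   /* counter past this without a refresh -> reset */
#define REFRESH_PERIOD_CYCLES 2400000u  /* application refreshes every N system-clock cycles */
#define NOMINAL_SYSCLK_HZ   80000000u   /* 80 MHz nominal: 960 watchdog ticks between refreshes */

typedef enum { WDG_RUNNING = 0, WDG_RESET_EARLY_REFRESH = 1, WDG_RESET_TIMEOUT = 2 } wdg_result_t;

typedef struct { uint32_t counter; } wdg_t;

/* One tick of the watchdog clock; returns 1 when the timeout is exceeded. */
static int wdg_tick(wdg_t *w) { return ++w->counter > WDG_TIMEOUT; }

/* Application refresh; returns 1 when it arrives before the window opens. */
static int wdg_refresh(wdg_t *w) {
    if (w->counter < WDG_WINDOW_OPEN) return 1;
    w->counter = 0;
    return 0;
}

/* Expected watchdog ticks between two refreshes at a given system clock. */
uint32_t refresh_ticks(uint32_t sysclk_hz) {
    return (uint32_t)((uint64_t)REFRESH_PERIOD_CYCLES * WDG_CLK_HZ / sysclk_hz);
}

/* Event-driven simulation of sim_ms milliseconds. The refresh routine is
 * scheduled in system-clock cycles (as a SysTick-driven task would be), so its
 * real period stretches or shrinks with the system clock, while the watchdog
 * keeps counting in its own time base. reset_at_ms may be NULL. */
wdg_result_t simulate(uint32_t sysclk_hz, uint32_t sim_ms, uint32_t *reset_at_ms) {
    wdg_t w = { 0 };
    const uint64_t tick_ns    = 1000000000ull / WDG_CLK_HZ;
    const uint64_t refresh_ns = (uint64_t)REFRESH_PERIOD_CYCLES * 1000000000ull / sysclk_hz;
    const uint64_t end_ns     = (uint64_t)sim_ms * 1000000ull;
    uint64_t next_tick = tick_ns, next_refresh = refresh_ns;
    wdg_result_t result = WDG_RUNNING;
    uint64_t now = 0;

    for (;;) {
        /* Next event in time; on a tie the watchdog tick is counted first. */
        now = next_tick <= next_refresh ? next_tick : next_refresh;
        if (now > end_ns) { now = 0; break; }
        if (now == next_tick) {
            next_tick += tick_ns;
            if (wdg_tick(&w)) { result = WDG_RESET_TIMEOUT; break; }
        } else {
            next_refresh += refresh_ns;
            if (wdg_refresh(&w)) { result = WDG_RESET_EARLY_REFRESH; break; }
        }
    }
    if (reset_at_ms) *reset_at_ms = (uint32_t)(now / 1000000ull);
    return result;
}

/* Millisecond at which the watchdog reset fired, 0 if it never did. */
uint32_t reset_time_ms(uint32_t sysclk_hz, uint32_t sim_ms) {
    uint32_t ms = 0;
    simulate(sysclk_hz, sim_ms, &ms);
    return ms;
}

int main(void) {
    static const uint32_t clocks[] = { 80000000u, 75000000u, 100000000u, 120000000u, 40000000u };
    static const char *names[] = { "running", "reset: early refresh", "reset: timeout" };
    for (size_t i = 0; i < sizeof clocks / sizeof clocks[0]; i++) {
        uint32_t ms = 0;
        wdg_result_t r = simulate(clocks[i], 500u, &ms);
        printf("sysclk %3u MHz: %4u ticks/refresh -> %s", (unsigned)(clocks[i] / 1000000u),
               (unsigned)refresh_ticks(clocks[i]), names[r]);
        if (r != WDG_RUNNING) printf(" at %u ms", (unsigned)ms);
        printf("\n");
    }
    return 0;
}
```

At the nominal 80 MHz the refresh lands at 960 ticks, inside the window; a mild deviation to 75 MHz (1024 ticks) is still tolerated. A faster system clock makes the refresh arrive before the window opens, a much slower one lets the counter run into the timeout, and both cases end in a watchdog reset, which is exactly the detection path the CLK_SM_2 description relies on. Only an independent watchdog clock makes this work: if the watchdog counted on the same clock as the refresh task, both would drift together and the window would never be violated.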
UM2305
Analysis of dependent failures
UM2305 - Rev 10
page 93/110