Um2318 stm32f7 Series Safety Manual Stmicroelectronics
Uploaded by
Bala Vetrivel RajanUm2318 stm32f7 Series Safety Manual Stmicroelectronics
Uploaded by
Bala Vetrivel RajanUM2318
User manual
STM32F7 series safety manual
Introduction
This document must be read along with the technical documentation such as reference manual(s) and datasheets for the
STM32F7 series microcontroller devices, available on www.st.com.
It describes how to use the devices in the context of a safety-related system, specifying the user's responsibilities for installation
and operation in order to reach the targeted safety integrity level. It also pertains to the X-CUBE-STL software product.
It provides the essential information pertaining to the applicable functional safety standards, which allows system designers to
avoid going into unnecessary details.
The document is written in compliance with IEC 61508.
The safety analysis in this manual takes into account the device variation in terms of memory size, available peripherals, and
package.
UM2318 - Rev 7 - August 2024 www.st.com
For further information contact your local STMicroelectronics sales office.
UM2318
About this document
1 About this document
1.1 Purpose and scope
This document describes how to use Arm® Cortex®‑M7 -based STM32F7 series microcontroller unit (MCU)
devices (further also referred to as Device(s)) in the context of a safety‑related system, specifying the user's
responsibilities for installation and operation, in order to reach the desired safety integrity level.
It is useful to system designers willing to evaluate the safety of their solution embedding one or more Device(s).
For terms used, refer to the glossary at the end of the document.
Note: Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.
1.2 Normative references
This document is written in compliance with the IEC 61508 international norm for functional safety of electrical,
electronic and programmable electronic safety-related systems, version IEC 61508-1-7 © IEC:2010. The
compliance to other functional safety standards is considered in reference document [3].
The following table maps the document content with respect to the IEC 61508-2 Annex D requirements.
Table 1. Document sections versus IEC 61508-2 Annex D safety requirements
Safety
Section number
requirement
D2.1 a) Section 3: Reference safety architecture
D2.1 b) Section 3.2: Compliant item
D2.1 c) Section 3.2: Compliant item
D2.2 a)
D2.2 b) General information are provided in Section 4.1: Random hardware failure safety results.
D2.2 c) Detailed information on failure modes and related failure rates are included in other reference documents
D2.2 d) [1], [2] referred in Section 1.3: Reference documents.
D2.2 e)
Useful information for DTI of each safety mechanisms are provided in related specification tables (filed
D2.2 f) “Periodicity”) of Section 3.6: Hardware and software diagnostics. General guidance on DTI is included in
Section 3.3.1: Safety requirement assumptions.
Because of the software-based nature of Device safety concept, the outputs of the Compliant Item
D2.2 g) triggered by internal diagnostics are decided at application software level, and so they cannot be
described in this manual.
D2.2 h) Periodic proof test is excluded by specific ASR3.1 in Section 3.3.1: Safety requirement assumptions
D2.2 i) Section 3.7: Conditions of use
Section 3.2.3: Reference safety architectures - 1oo1, Section 3.2.4: Reference safety architectures -
D2.2 j)
1oo2
D2.2 k) Section 3.2.2: Safety functions performed by Compliant item
1.3 Reference documents
[1] AN5137: Results of FMEA on STM32F7 series microcontrollers.
[2] AN5132: Results of FMEDA on microcontrollers of the STM32F7 series.
[3] AN5689: Adapting the X-CUBE-STL functional safety package for STM32 (IEC 61508 compliant) to other safety
standards
[4] AN5936 X-CUBE-STL: advanced topics
UM2318 - Rev 7 page 2/112
UM2318
Device development process
2 Device development process
STM32 series product development process (see Figure 1), compliant with the IATF 16949 standard, is a set of
interrelated activities dedicated to transform customer specification and market or industry domain requirements
into a semiconductor device and all its associated elements (package, module, sub-system, hardware, software,
and documentation), qualified with ST internal procedures and fitting ST internal or subcontracted manufacturing
technologies.
Figure 1. STMicroelectronics product development process
2 Design and 3 Qualification
1 Conception
validation
·Key characteristics and ·Semiconductor design ·Successful completion of
requirements related to future development the product qualification
uses of the device ·Hardware development plan
·Industry domain(s), specific ·Software development ·Secure product deliveries
customer requirements and ·Analysis of new product on advanced technologies
definition of controls and tests specification to forecast using stress methodologies
needed for compliance reliability performance to detect potential weak
·Product target specification ·Reliability plan, reliability parts
and strategy design rules, prediction of ·Successful completion of
·Project manager failure rates for operating life electrical characterization
appointment to drive product test using Arrhenius’s law and ·Global evaluation of new
development other applicable models product performance to
·Evaluation of the ·Use of tools and guarantee reliability of
technologies, design tools methodologies such as customer manufacturing
and IPs to be used APQP, DFM, DFT, DFMEA process and final application
·Design objective ·Detection of potential of use (mission profile)
specification and product reliability issues and solution ·Final disposition for
validation strategy to overcome them product test, control and
·Design for quality ·Assessment of Engineering monitoring
techniques (DFD, DFT, DFR, Samples (ES) to identify the
DFM, …) definition main potential failure
·Architecture and positioning mechanisms
to make sure the software ·Statistical analysis of
and hardware system electrical parameter drifts for
solutions meet the target early warning in case of fast
specification parametric degradation (such
·Product approval strategy as retention tests)
and project plan ·Failure analysis on failed
parts to clarify failure modes
and mechanisms and identify
the root causes
·Physical destructive
analysis on good parts after
reliability tests when required
·Electrostatic discharge
(ESD) and latch-up sensitivity
measurement
UM2318 - Rev 7 page 3/112
UM2318
Reference safety architecture
3 Reference safety architecture
This section reports details of the STM32F7 series safety architecture.
3.1 Safety architecture introduction
The Device(s) analyzed in this document can be used as Compliant item(s) within different safety applications.
The aim of this section is to identify such Compliant item(s), that is, to define the context of the analysis with
respect to a reference concept definition. The concept definition contains reference safety requirements, including
design aspects which are outside of the defined Compliant item.
As a consequence of a Compliant item approach, the goal is to list the system-related information considered
during the analysis, rather than to provide an exhaustive hazard and risk analysis of the system around Device.
Such information includes, among others, application-related assumptions for danger factors, frequency of
failures and diagnostic coverage guaranteed by the application.
3.2 Compliant item
This section defines the Compliant item term and provides information on its usage in different safety architecture
schemes.
3.2.1 Definition of Compliant item
According to IEC 61508-1 clause 8.2.12, a Compliant item is any item (for example an element) on which a claim
is being made with respect to the clauses of the IEC 61508 series. Any mature Compliant item must be described
in a safety manual available to the End user.
In this document, Compliant item is defined as a system including one or two STM32 devices (see Figure 2). The
communication bus is directly or indirectly connected to sensors and actuators.
Figure 2. STM32 as Compliant item
Actuator
Sensor
Processing element Remote A
Remote STM32 controller
S
controller device(s)
Compliant item Remote
A
Remote controller
S controller
Other components might be related to the Compliant item, like the external HW components needed to guarantee
either the functionality of the Device (external memory, clock quartz and so on) or its safety (for example, the
external watchdog or voltage supervisors).
A defined Compliant item can be classified as element according to IEC 61508-4, 3.4.5.
In summary, claims related to this Compliant item are related to the possible use of a Device for the
implementation of any safety function up to SIL2 (for a single Device) and up to SIL3 (for two destinct Devices),
with specific architectures and observing all the requirements and indications provided in this manual.
3.2.2 Safety functions performed by Compliant item
In essence, Compliant item architecture encompasses the following processes performing the safety function or a
part of it:
• input processing elements (PEi) reading safety related data from the remote controller connected to the
sensor(s) and transferring them to the following computation elements
• computation processing elements (PEc) performing the algorithm required by the safety function and
transferring the results to the following output elements
UM2318 - Rev 7 page 4/112
UM2318
Reference safety architecture
• output processing elements (PEo) transferring safety related data to the remote controller connected to the
actuator
• in 1oo2 architecture, potentially a further voting processing element (PEv)
• the computation processing elements can be involved (to the extent depending on the target safety
integrity) in the implementation of local software-based diagnostic functions; this is represented by the
block PEd
• processes external to Compliant item ensuring safety integrity, such as watchdog (WDTe) and voltage
monitors (VMONe)
The role of the PEv process is clarified in Section 3.2.4: Reference safety architectures - 1oo2. The role of the
WDTe and VMONe external processes is clarified under Section 3.6: Hardware and software diagnostics:
• WDTe: refer to External watchdog – CPU_SM_5 and Control flow monitoring in Application software –
CPU_SM_1,
• VMONe: refer to Supply voltage internal monitoring (PVD) – VSUP_SM_1 and System-level power supply
management - VSUP_SM_5.
In summary, Devices support the implementation of End user safety functions consisting of three operations:
• safe acquisition of safety-related data from input peripheral(s)
• safe execution of Application software program and safe computation of related data
• safe transfer of results or decisions to output peripheral(s)
Claims on Compliant item and computation of safety metrics are done with respect to these three basic
operations.
Caution: Due to the general purpose nature of the Device, its safety concept is mainly software-based. Accordingly, any
following claim related to the possibility of Device itself to support the implementation of safety functions up to a
certain SIL is strongly correlated to the observance of CoUs as requested in Section 3.7: Conditions of use.
According to the definition for implemented safety functions, Compliant item (element) can be regarded as type B
(as per IEC 61508-2, 7.4.4.1.3 definition). Despite accurate, exhaustive, and detailed failure analysis, Device has
to be considered as intrinsically complex. This implies its type B classification.
Two main safety architectures are identified: 1oo1 (using one Device) and 1oo2 (using two Devices).
3.2.3 Reference safety architectures - 1oo1
1oo1 reference architecture (Figure 3) ensures safety integrity of Compliant item through combining Device
internal processes (implemented safety mechanisms) with external processes WDTe and VMONe.
1oo1 reference architecture targets safety integrity level (SIL) SIL2.
Figure 3. 1oo1 reference architecture
VMONe WDTe
PEi PEc PEo
Sensors Actuators
PEd
UM2318 - Rev 7 page 5/112
UM2318
Reference safety architecture
3.2.4 Reference safety architectures - 1oo2
The 1oo2 reference architecture (Figure 4) contains two separate channels, either implemented as a 1oo1
reference architecture ensuring safety integrity of the Compliant item through combining Device internal
processes (implemented safety mechanisms) with external processes: WDTe and VMONe. The overall safety
integrity is then ensured by the external voter PEv, which allows claiming hardware fault tolerance (HFT) equal to
1. The PEv role is indeed to facilitate the safety function processing by each of the two individual channels, to
allow the correct execution of the safety function even in case one channel is faulty. The complexity of the PEv
implementation strongly depends on the nature of the safety function and safe state definitions. Achievement of
higher safety integrity levels as per IEC 61508-2 Table 3 is therefore possible. Appropriate separation between
the two channels (including power supply separation) must be implemented in order to avoid huge impact of
common-cause failures (refer to Section 4.2: Analysis of dependent failures). However, β and βD parameters
computation is required.
This architecture targets SIL3, under the assumption that each channel follows all requirements indicated for SIL2
in this manual.
Attention: According the clause 7.4.3.2 in IEC 61508-2, this architectural scheme may provide benefits to the software
applications systematic capability (SC) only in case diverse software is adopted on the two channels.
Figure 4. 1oo2 reference architecture
VMONe WDTe
PEi PEc PEo
PEd
Sensors PEv Actuators
PEi PEc PEo
PEd
VMONe WDTe
UM2318 - Rev 7 page 6/112
UM2318
Reference safety architecture
3.3 Safety analysis assumptions
This section collects all assumptions made during the safety analysis of the Devices.
3.3.1 Safety requirement assumptions
The safety concept specification, the overall safety requirement specification and the consequent allocation
determine the assumed requirements for Compliant item as further listed. ASR stands for assumed safety
requirement.
Caution: It is End user’s responsibility to check the compliance of the final application with these assumptions.
ASR1: Compliant item can be used to implement four kinds of safety function modes of operation according to
IEC 61508-4, 3.5.16:
• a continuous mode (CM) or high-demand (HD) SIL3 safety function (CM3), or
• a low-demand (LD) SIL3 safety function (LD3), or
• a CM or HD SIL2 safety function (CM2), or
• a LD SIL2 safety function (LD2).
ASR2: Compliant item is used to implement safety function(s) allowing a specific worst-case time budget (see
note below) for the STM32 MCU to detect and react to a failure. That time corresponds to the portion of the
process safety time (PST) allocated to Device (STM32xx Series duty in Figure 5) in error reaction chain at system
level.
Note: The computation for time budget mainly depends on the execution speed for periodic tests implemented by
software. Such duration might depends on the actual amount of hardware resources (RAM memory, flash
memory, peripherals) actually declared as safety-related. Further constraints and requirements from
IEC 61508-2, 7.4.5.3 must be considered.
Figure 5. Allocation and target for STM32 PST
STM32xx Series duty End user duty
….
MCU detection FW reaction SW reaction Actuator reaction
System-level PST
ASR3.1: Compliant item is assumed to be operating at constant failure rate and does not intrinsically require any
proof tests.
ASR3.2: It is assumed that the Device operates within specified electrical specifications and environment limits.
The End user is responsible for the compliance to this assumption.
ASR4: It is assumed that only one safety function is performed or if many, all functions are classified with the
same SIL and therefore they are not distinguishable in terms of their safety requirements.
ASR5: In case of multiple safety function implementations, it is assumed that End user is responsible to duly
ensure their mutual independence.
ASR6: It is assumed that there are no non-safety-related functions implemented in Application software,
coexisting with safety functions.
Note: This assumption is stated due to the lack of hardware-based mechanisms able to completely isolate non-safety
related software. Software-based isolation solutions are not forbidden.
ASR7: It is assumed that the implemented safety function(s) does (do) not depend on transition of Device to and
from a low-power state.
UM2318 - Rev 7 page 7/112
UM2318
Reference safety architecture
ASR8: After the emergence of a fault, the local safe state of Compliant item is the one in which either:
• SS1: Application software is informed by the presence of a fault and a reaction by Application software
itself is possible.
• SS2: Application software cannot be informed by the presence of a fault or Application software is not able
to execute a reaction.
Note: For a correct implementation of fault reaction, the End user must be aware that random hardware failures
affecting the Device can compromise its operation (for example failure modes affecting the program
counter may prevent the correct execution of the software). Accordingly, software-based transitions to a
safe state must be carefully evaluated. Refer to [4] for additional details.
The following table provides details on the SS1 and SS2 safe states.
Table 2. SS1 and SS2 safe state details
Safe Compliant item System transition to safe System transition to safe
Condition
state action state – 1oo1 architecture state – 1oo2 architecture
Application software is informed
Fault reporting to Application software drives Application software in one of
by the presence of a fault and a
SS1 Application the overall system in its safe the two channels drives the
reaction by Application software
software state overall system in its safe state
itself is possible.
Application software cannot be
WDTe drives the overall
informed by the presence of a Reset signal PEv drives the overall system
SS2 system in its safe state (“safe
fault or Application software is not issued by WDTe (1) in its safe state
shut-down”)
able to execute a reaction.
1. Safe state achievement intended here is compliant to Note on IEC 61508-2, 7.4.8.1
ASR9: It is assumed that the safe state defined at system level by End user is compatible with the assumed local
safe state (SS1, SS2) for Compliant item.
ASR10: Compliant item is assumed to be analyzed according to routes 1H and 1S of IEC 61508-2.
Note: Refer to Section 3.5: Systematic safety integrity and Section 3.6: Hardware and software diagnostics.
ASR11: Compliant item is assumed to be regarded as type B, as per IEC 61508-2, 7.4.4.1.3.
ASR12: It is assumed that dual-bank flash memory mass erase and reprogramming features are used during
maintenance state of the final system, and not for the implementation of the safety function.
ASR13: It is assumed that the evaluation of hazards related to human factors (like misuse or security issues)
related to the use of the Compliant item is under the full responsibility of the End user.
3.4 Electrical specifications and environment limits
To ensure safety integrity, the user must operate Device(s) within its (their) specified:
• absolute maximum rating
• capacity
• operating conditions
For electrical specifications and environmental limits of Device(s), refer to its (their) technical documentation such
as datasheet(s) and reference manual(s) available on www.st.com.
Note: The device operation within specified limits is a prerequisite for the correct implementation of any safety
function. This is explicitly assumed within the assumptions (refer to above ASR3.2).
3.5 Systematic safety integrity
According to the requirements of the IEC 61508-2, 7.4.2.2 clause, the Route 1S is considered in the safety
analysis of Device(s). As authorized by the IEC 61508-2, 7.4.6.1 clause, the STM32 MCU products can be
considered as standard, mass-produced electronic integrated devices, for which stringent development
procedures, rigorous testing and extensive experience of use minimize the likelihood of design faults. However,
ST internally assesses the compliance of the Device development flow, through techniques and measures
suggested in the IEC 61508-2 Annex F. As highly confidential information on ST processes are concerned within
the evaluation activity, the safety case database (see Section 5: List of evidences) keeps evidences of the current
compliance level to the standard.
UM2318 - Rev 7 page 8/112
UM2318
Reference safety architecture
3.6 Hardware and software diagnostics
This section lists all the safety mechanisms (hardware, software and application-level) considered in the Device
safety analysis. It is expected that users are familiar with the architecture of Device, and that this document is
used in conjunction with the related Device datasheet, user manual and reference information. To avoid
inconsistency and redundancy, this document does not report device functional details. In the following
descriptions, the words safety mechanism, method, and requirement are used as synonyms.
As the document provides information relative to the superset of peripherals available on the devices it covers
(not all devices have all peripherals), users are supposed to disregard any recommendations not applicable to
their Device part number of interest.
Information provided for a function or peripheral applies to all instances of such function or peripheral on Device.
Refer to its reference manual or/and datasheet for related information.
The implementation guidelines reported in the following section are for reference only. The safety verification
executed by ST during the Device safety analysis and related diagnostic coverage figures reported in this manual
(or related documents) are based on such guidelines. For clarity, safety mechanisms are grouped by Device
function.
Information is organized in form of tables, one per safety mechanism, with the following fields:
SM CODE Unique safety mechanism code/identifier used also in FMEA document. Identifiers use the scheme
mmm_SM_x where mmm is a 3- or 4-letter module (function, peripheral) short name, and x is a
number. It is possible that the numbering is not sequential (although usually incremental) and/or that
the module short name is different from that used in other documents.
Description Short mnemonic description
Ownership ST: method is available on silicon.
End user: method must be implemented by End user through Application software modification,
hardware solutions, or both.
Detailed Detailed implementation sometimes including notes about the safety concept behind the introduction
implementation of the safety mechanism.
Error reporting Describes how the fault detection is reported to Application software.
Fault detection time Time that the safety mechanism needs to detect the hardware failure.
Addressed fault Reports fault model(s) addressed by the diagnostic (permanent, transient, or both), and other
model information:
• If ranked for Fault avoidance: method contributes to lower the probability of occurrence of a
failure
• If ranked for Systematic: method is conceived to mitigate systematic errors (bugs) in
Application software design
Dependency on Reports if safety mechanism implementation or characteristics change among different Device part
Device configuration numbers.
Initialization Specific operation to be executed to activate the contribution of the safety mechanism
Periodicity Continuous : safety mechanism is active in continuous mode.
Periodic: safety mechanism is executed periodically(1).
On-demand: safety mechanism is activated in correspondence to a specified event (for instance,
reception of a data message).
Startup: safety mechanism to be executed only at power-up or during off-line maintenance periods.
This is due to functional-only aspects or due to the poor compatibility with the correct execution of
the safety function.
Test for the Reports specific procedure (if any and recommended) to allow on-line tests of safety mechanism
diagnostic efficiency. If no specific procedure applies (as for the majority of safety mechanisms), the field
indicates Not applicable.
Multiple-fault Reports the safety mechanism(s) associated in order to correctly manage a multiple-fault scenario
protection (refer to Section 4.1.3: Notes on multiple-fault scenario).
Recommendations Additional recommendations or limitations (if any) not reported in other fields.
and known limitations
1. In CM systems, safety mechanism can be accounted for diagnostic coverage contribution only if it is executed at least once
per PST. For LD and HD systems, constraints from IEC 61508-2, 7.4.5.3 must be applied.
UM2318 - Rev 7 page 9/112
UM2318
Reference safety architecture
3.6.1 Arm® Cortex®-M7 CPU
Table 3. CPU_SM_0
SM CODE CPU_SM_0
Description Periodic core self-test software for Arm® Cortex®-M7 CPU.
Ownership End user or ST (X-CUBE-STL, see Appendix A)
The software test is built around well-known techniques already addressed by IEC 61508-7,
A.3.2 (Self-test by software: walking bit one-channel). To reach the required values of
Detailed implementation
coverage, the self-test software is specified by means of a detailed analysis of all the CPU
failure modes and related failure modes distribution.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration None
Initialization None
Periodicity Periodic
Self-diagnostic capabilities can be embedded in the software, according to the test
Test for the diagnostic implementation design strategy chosen. The adoption of checksum protection on results
variables and defensive programming are recommended.
Multiple-fault protection CPU_SM_5: External watchdog
This method is the main asset in STM32F7 series safety concept. Hardware integrity of the
CPU is a key factor, given that the defined diagnostics for MCU peripherals are to major part
Recommendations and known limitations software-based.
Startup execution of this safety mechanism is recommended for multiple fault mitigations -
refer to Section 4.1.3: Notes on multiple-fault scenario for details.
UM2318 - Rev 7 page 10/112
UM2318
Reference safety architecture
Table 4. CPU_SM_1
SM CODE CPU_SM_1
Description Control flow monitoring in Application software.
Ownership End user
A significant part of the failure distribution of CPU core for permanent faults is related to failure
modes directly related to program counter loss of control or hang-up. Due to their intrinsic
nature, such failure modes are not addressed by a standard software test method like
SM_CPU_0. Therefore, it is necessary to implement a run-time control of Application software
flow in order to monitor and detect deviation from the expected behavior due to such faults.
Linking this mechanism to watchdog firing assures that severe loss of control (or, in the worst
case, a program counter hang-up) is detected.
The guidelines for the implementation of the method are the following:
• Different internal states of Application software are well documented and described (the
use of a dynamic state transition graph is encouraged).
• Monitoring of the correctness of each transition between different states of Application
Detailed implementation software is implemented.
• Transition through all expected states during the normal Application software program
loop is checked.
• A function in charge of triggering the system watchdog is implemented in order to
constrain the triggering (preventing the issue of CPU reset by watchdog) also to the
correct execution of the above-described method for program flow monitoring. The use
of window feature available on internal window watchdog (WWDG) is recommended.
• The use of the independent watchdog (IWDG), or an external one, helps to implement a
more robust control flow mechanism fed by a different clock source.
In any case, safety metrics do not depend on the kind of watchdog in use (the adoption of
independent or external watchdog contributes to the mitigation of dependent failures, see
Section 4.2.2: Clock).
Error reporting Depends on implementation
Fault detection time Depends on implementation. Higher value is fixed by watchdog timeout interval.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Recommendations and known limitations None
UM2318 - Rev 7 page 11/112
UM2318
Reference safety architecture
Table 5. CPU_SM_2
SM CODE CPU_SM_2
Description Double computation in Application software
Ownership End user
A timing redundancy for safety-related computation is considered to detect transient faults
affecting the Arm®Cortex®-M7 CPU subparts devoted to mathematical computations and data
access.
The guidelines for the implementation of the method are the following:
• The requirement needs be applied only to safety-relevant computation, which in case of
Detailed implementation wrong result could interfere with the system safety functions. Such computation must be
therefore carefully identified in the original Application software source code
• Both mathematical operation and comparison are intended as computation.
• The redundant computation for mathematical computation is implemented by using
copies of the original data for second computation, and by using an equivalent formula
if possible
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
End user is responsible to carefully avoid that the intervention of optimization features of the
used compiler removes timing redundancies introduced according to this condition of use.
Recommendations and known limitations Reduction to the application scope for this method is achieved by executing an accurate
safety analysis of the software. Refer to [4] for details. However, the scope reduction may not
be possible nor desirable.
Table 6. CPU_SM_3
SM CODE CPU_SM_3
Description Arm®Cortex®-M7 HardFault exceptions
Ownership ST
HardFault exception raise is an intrinsic safety mechanism implemented in Arm®Cortex®-M7
core, mainly dedicated to intercept systematic faults due to software limitations or error in
Detailed implementation software design (causing for example execution of undefined operations, unaligned address
access). This safety mechanism is also able to detect hardware random faults inside the CPU
bringing to such described abnormal operations.
Error reporting High-priority interrupt event
Fault detection time Depends on implementation. Refer to functional documentation.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization None
Periodicity Continuous
It is possible to write a test procedure to verify the generation of the HardFault exception;
Test for the diagnostic anyway, given the expected minor contribution in terms of hardware random-failure detection,
such implementation is optional.
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Recommendations and known limitations Enabling related interrupt generation on the detection of errors is highly recommended.
UM2318 - Rev 7 page 12/112
UM2318
Reference safety architecture
Table 7. CPU_SM_4
SM CODE CPU_SM_4
Description Stack hardening for Application software
Ownership End user
The stack hardening method is required to address faults (mainly transient) affecting CPU
register bank. This method is based on source code modification, introducing information
redundancy in register-passed information to called functions.
The guidelines for the implementation of the method are the following:
• To pass also a redundant copy of the passed parameters values (possibly inverted) and
Detailed implementation to execute a coherence check in the function.
• To pass also a redundant copy of the passed pointers and to execute a coherence
check in the function.
• For parameters that are not protected by redundancy, to implement defensive
programming techniques (plausibility check of passed values). For example
enumerated fields are to be checked for consistency.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
This method partially overlaps with defensive programming techniques required by IEC 61508
Recommendations and known limitations for software development. Therefore in presence of Application software qualified for safety
integrity greater or equal to SC2, optimizations are possible.
UM2318 - Rev 7 page 13/112
UM2318
Reference safety architecture
Table 8. CPU_SM_5
SM CODE CPU_SM_5
Description External watchdog
Ownership End user
Using an external watchdog linked to control flow monitoring method (refer to CPU_SM_1)
addresses failure mode of program counter or control structures of CPU.
External watchdog can be designed to be able to generate the combination of signals needed
on the final system to achieve the safe state. It is recommended to carefully check the
Detailed implementation
assumed requirements about system safe state reported in Section 3.3.1: Safety requirement
assumptions.
Compared to the MCU internal watchdogs, it is not affected by potential common cause
failures, because the external watchdog is clocked and supplied independently of Device.
Error reporting Depends on implementation
Fault detection time Depends on implementation (watchdog timeout interval)
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic To be defined at system level (outside the scope of Compliant item analysis).
Multiple-fault protection CPU_SM_1: Control flow monitoring in Application software
In case of usage of windowed watchdog, End user must consider possible tolerance in
Application software execution to avoid false error reports (affecting system availability).
Recommendations and known limitations It is worth noting that the use of an external watchdog is needed when Device is used to
trigger final elements, in order to comply at system level with requirements from
IEC 61508-2:2010 Table A.1/Table A.14.
Table 9. CPU_SM_6
SM CODE CPU_SM_6
Description Independent watchdog
Ownership ST
Using the IDWG watchdog linked to control flow monitoring method (refer to CPU_SM_1)
Detailed implementation
addresses failure mode of program counter or control structures of CPU.
Error reporting Reset signal generation
Fault detection time Depends on implementation (watchdog timeout interval)
Addressed fault model Permanent
Dependency on Device configuration None
IWDG activation. It is recommended to use hardware watchdog in option byte settings (IWDG
Initialization
is automatically enabled after reset).
Periodicity Continuous
Test for the diagnostic WDG_SM_1: Software test for watchdog at startup
CPU_SM_1: Control flow monitoring in Application software
Multiple-fault protection
WDG_SM_0: Periodic read-back of configuration registers
The IWDG intervention is able to achieve a potentially “incomplete” local safe state because it
can only guarantee that CPU is reset. No guarantee that Application software can be still
Recommendations and known limitations executed to generate combinations of output signals that might be needed by the external
system to achieve the final safe state. If this limitation turn out in a blocking point, End user
must adopt CPU_SM_5.
UM2318 - Rev 7 page 14/112
UM2318
Reference safety architecture
Table 10. CPU_SM_7
SM CODE CPU_SM_7
Description Memory protection unit (MPU).
Ownership ST
The CPU memory protection unit is able to detect illegal access to protected memory areas,
Detailed implementation
according to criteria set by End user.
Error reporting Exception raise (MemManage).
Fault detection time Refer to functional documentation
Systematic (software errors)
Addressed fault model
Permanent/transient (only program counter and memory access failures)
Dependency on Device configuration None
Initialization MPU registers must be programmed at start-up.
Periodicity On line
Test for the diagnostic MPU_SM_1: MPU software test
Multiple-fault protection MPU_SM_0: Periodic read-back of MPU configuration registers
The use of memory partitioning and protection by MPU functions is highly recommended
when multiple safety functions are implemented in Application software. The MPU can be
indeed used to
• enforce privilege rules
Recommendations and known limitations • separate processes
• enforce access rules
Hardware random-failure detection capability for MPU is restricted to well-selected failure
modes, mainly affecting program counter and memory access CPU functions. The associated
diagnostic coverage is therefore not expected to be relevant for the safety concept of Device.
Table 11. CPU_SM_9
SM CODE CPU_SM_9
Description Periodic self-test software for Arm®Cortex® -M7 caches
Ownership End user or ST
The software test is built around well-known techniques already addressed by IEC 61508-7,
A.3.2 (Self-test by software: walking bit one-channel).The scope of the software test are
Detailed implementation failure modes affecting Arm®Cortex® -M7 L1 caches controllers.
The achieved diagnostic coverage strongly depends on the complexity of the test
implementation, and on the percentage of caches failure modes addressed.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Periodic
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_5: External watchdog
End user waiver of cache features, disabling it by software, leads to the following
simplifications in STM32F7 series safety concept:
Recommendations and known limitations
• No need to implement this method (CPU_SM_9)
• Decrease of Arm®Cortex® -M7 overall failure rate.
UM2318 - Rev 7 page 15/112
UM2318
Reference safety architecture
Table 12. MPU_SM_0
SM CODE MPU_SM_0
Description Periodic read-back of MPU configuration registers
Ownership End user
This method must be applied to MPU configuration registers (also unused by End user
Application software).
Detailed implementation
Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 13. MPU_SM_1
SM CODE MPU_SM_1
Description MPU software test
Ownership End user
This method tests MPU capability to detect and report memory accesses violating the policy
enforcement implemented by the MPU itself.
The implementation is based on intentionally performing read and write accesses outside the
Detailed implementation
memory areas allowed by the MPU region programming, and collecting and verifying related
generated error exceptions.
Test can be executed with the final MPU region programming or with a dedicated one.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Startup execution of this safety mechanism is recommended for multiple fault mitigations -
Recommendations and known limitations
refer to Section 4.1.3: Notes on multiple-fault scenario.
UM2318 - Rev 7 page 16/112
UM2318
Reference safety architecture
3.6.2 System bus architecture/BusMatrix
Table 14. BUS_SM_0
SM CODE BUS_SM_0
Description Periodic software test for interconnections
Ownership End user
The intra-chip connection resources (Bus Matrix, AHB or APB bridges) needs to be
periodically tested for permanent faults detection. Note that STM32F7 series devices have no
hardware safety mechanism to protect these structures. The test executes a connectivity test
Detailed implementation of these shared resources, including the testing of the arbitration mechanisms between
peripherals.
According to IEC 61508-2 Table A.8, A.7.4 the method is considered able to achieve high
levels of coverage.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Periodic
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Implementation can be considered in large part as overlapping with the widely used Periodic
Recommendations and known limitations
read-back of configuration registers required for several peripherals.
Table 15. BUS_SM_1
SM CODE BUS_SM_1
Description Information redundancy in intra-chip data exchanges
Ownership End user
This method requires to add some kind of redundancy (for example a CRC checksum at
packet level) to each data message exchanged inside Device.
Detailed implementation
Message integrity is verified using the checksum by the Application software, before
consuming data.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Implementation can be in large part overlapping with other safety mechanisms requiring
Recommendations and known limitations information redundancy on data messages for communication peripherals. Optimizations are
therefore possible.
UM2318 - Rev 7 page 17/112
UM2318
Reference safety architecture
3.6.3 Embedded SRAM
Table 16. RAM_SM_0
SM CODE RAM_SM_0
Description Periodic software test for static random access memory (SRAM)
Ownership End user or ST (X-CUBE-STL, see Appendix A)
To enhance the coverage on SRAM data cells and to ensure adequate coverage for
permanent faults affecting the address decoder it is required to execute a periodic software
Detailed implementation test on the system RAM memory. The selection of the algorithm must ensure the target SFF
coverage for both the RAM cells and the address decoder. Evidences of the effectiveness of
the coverage of the selected method must also be collected
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration RAM size can change according to the part number.
Initialization Depends on implementation
Periodicity Periodic
Self-diagnostic capabilities can be embedded in the software, according to the test
Test for the diagnostic
implementation design strategy chosen.
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Usage of a March test C- is recommended.
Because the nature of this test can be destructive, RAM contents restore must be
implemented. Possible interferences with interrupt-serving routines fired during test execution
must be also considered (such routines can access to RAM invalid contents).
Recommendations and known limitations
Startup execution of this safety mechanism is recommended for multiple fault mitigations -
refer to Section 4.1.3: Notes on multiple-fault scenario.
Unused RAM section can be excluded by the testing, under End user responsibility on actual
RAM usage by final Application software.
UM2318 - Rev 7 page 18/112
UM2318
Reference safety architecture
Table 17. RAM_SM_2
SM CODE RAM_SM_2
Description Stack hardening for Application software
Ownership End user
The stack hardening method is used to enhance the Application software robustness to SRAM
faults that affect the address decoder. The method is based on source code modification,
introducing information redundancy in the stack-passed information to the called functions.
Detailed implementation Method contribution is relevant in case the combination between the final Application software
structure and the compiler settings requires a significant use of the stack for passing function
parameters.
Implementation is the same as method CPU_SM_4.
Error reporting Refer to CPU_SM_4
Fault detection time Refer to CPU_SM_4
Addressed fault model Refer to CPU_SM_4
Dependency on Device configuration Refer to CPU_SM_4
Initialization Refer to CPU_SM_4
Periodicity Refer to CPU_SM_4
Test for the diagnostic Refer to CPU_SM_4
Multiple-fault protection Refer to CPU_SM_4
Recommendations and known limitations Refer to CPU_SM_4
UM2318 - Rev 7 page 19/112
UM2318
Reference safety architecture
Table 18. RAM_SM_3
SM CODE RAM_SM_3
Description Information redundancy for safety-related variables in the Application software
Ownership End user
To address transient faults affecting the SRAM controller and memory cells, it is required to
implement information redundancy on the safety-related system variables stored in the SRAM.
The guidelines for the implementation of this method are the following:
• The system variables that are safety-related (in the sense that a wrong value due to a
failure in reading on the RAM affects the safety functions) are well-identified and
documented.
• The arithmetic computation or decision based on such variables are executed twice and
Detailed implementation the two final results are compared.
• Safety-related variables are stored and updated in two redundant locations, and
comparison is checked before consuming data.
• Enumerated fields must use non-trivial values, checked for coherence with the same
frequency as for periodically executed diagnostics (see (1) in Section 3.6: Hardware and
software diagnostics).
• Data vectors stored in SRAM must be protected by an encoding checksum (such as
CRC).
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Implementation of this safety method shows a partial overlap with an already foreseen method
for Arm® Cortex®-M7 (CPU_SM_2) ; optimizations in implementing both methods are
therefore possible.
Recommendations and known limitations
Reduction to the application scope for this method is achieved by executing an accurate
safety analysis of the software. Refer to [4] for details. However, the scope reduction may not
be possible nor desirable.
UM2318 - Rev 7 page 20/112
UM2318
Reference safety architecture
Table 19. RAM_SM_4
SM CODE RAM_SM_4
Description Control flow monitoring in Application software
Ownership End user
In case End user Application software is executed from SRAM, permanent and transient faults
affecting the memory (cells and address decoder) can interfere with the program execution.
Detailed implementation
The implementation of this method is required to address such failures.
For more details on the implementation, refer to CPU_SM_1 description.
Error reporting Depends on implementation
Fault detection time Depends on implementation. Higher value is fixed by watchdog timeout interval.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Needed only in case of Application software execution from SRAM.
Recommendations and known limitations
CPU_SM_1 correct implementation supersedes this requirement.
Table 20. RAM_SM_5
SM CODE RAM_SM_5
Description Periodic integrity test for Application software in RAM
Ownership End user
In case Application software or diagnostic libraries are executed in RAM, it is needed to
protect the integrity of the code itself against soft-error corruptions and related code
Detailed implementation mutations. This method must check the integrity of the stored code by checksum computation
techniques, on a periodic basis. For implementation details, refer to similar method
FLASH_SM_0.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Periodic
Self-diagnostic capabilities can be embedded in the software, according to the test
Test for the diagnostic
implementation design strategy chosen.
CPU_SM_0: Periodic core self-test software
Multiple-fault protection
CPU_SM_1: Control flow monitoring in Application software
This method must only be implemented if application software or diagnostic libraries are
Recommendations and known limitations
executed from RAM.
UM2318 - Rev 7 page 21/112
UM2318
Reference safety architecture
3.6.4 Embedded flash memory
Table 21. FLASH_SM_0
SM CODE FLASH_SM_0
Description Periodic software test for flash memory
Ownership End user or ST (X-CUBE-STL, see Appendix A)
Permanent faults affecting the system flash memory, memory cells, and address decoder are
addressed through a dedicated software test that checks the memory cells contents versus
the expected value, using signature-based techniques. According to IEC 61508-2 Table A.5,
the effective diagnostic coverage of such techniques depends on the width of the signature in
relation to the block length of the information to be protected - therefore the signature
Detailed implementation computation method is to be carefully selected. Note that the simple signature method
(IEC 61508-7 - A.4.2 modified checksum) is inadequate as it only achieves a low value of
coverage.
The information block does not need to be addressed with this test as it is not used during
normal operation (no data or program fetch).
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration Flash memory size changes according to the part number.
Initialization Memory signatures must be stored in flash memory as well.
Periodicity Periodic
Self-diagnostic capabilities can be embedded in the software, according to the test
Test for the diagnostic
implementation design strategy chosen.
CPU_SM_0: Periodic core self-test software
Multiple-fault protection
CPU_SM_1: Control flow monitoring in Application software
This test is expected to have a relevant time duration–test integration must therefore consider
the impact on Application software execution.
The use of internal cyclic redundancy check (CRC) module is recommended. In principle
Recommendations and known limitations direct memory access (DMA) feature for data transfer can be used.
Unused flash memory sections can be excluded from testing.
Startup execution of this safety mechanism is recommended for multiple fault mitigations -
refer to Section 4.1.3: Notes on multiple-fault scenario for details.
UM2318 - Rev 7 page 22/112
UM2318
Reference safety architecture
Table 22. FLASH_SM_1
SM CODE FLASH_SM_1
Description Control flow monitoring in Application software
Ownership End user
Permanent and transient faults affecting the system flash memory, memory cells and address
decoder, can interfere with the access operation by the CPU, leading to wrong data or
instruction fetches.
Detailed implementation
Such failures can be detected by control flow monitoring techniques implemented in
Application software loaded from flash memory.
For more details on the implementation, refer to description CPU_SM_1.
Error reporting Depends on implementation
Fault detection time Depends on implementation. Higher value is fixed by watchdog timeout interval.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Recommendations and known limitations CPU_SM_1 correct implementation supersedes this requirement.
Table 23. FLASH_SM_2
SM CODE FLASH_SM_2
Description Arm®Cortex®-M7 HardFault exceptions
Ownership ST
Hardware random faults (both permanent and transient) affecting system flash memory
(memory cells, address decoder) can lead to wrong instruction codes fetches, and eventually
Detailed implementation
to the intervention of the Arm®Cortex®-M7 HardFault exceptions. Refer to CPU_SM_3 for
detailed description.
Error reporting Refer to CPU_SM_3
Fault detection time Refer to CPU_SM_3
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Refer to CPU_SM_3
Periodicity Continuous
Test for the diagnostic Refer to CPU_SM_3
Multiple-fault protection Refer to CPU_SM_3
Recommendations and known limitations Refer to CPU_SM_3
UM2318 - Rev 7 page 23/112
UM2318
Reference safety architecture
Table 24. FLASH_SM_3
SM CODE FLASH_SM_3
Description Option byte write protection
Ownership ST
This safety mechanism prevents unintended writes on the option byte. The use of this method
Detailed implementation
is encouraged to enhance end application robustness for systematic faults.
Error reporting Write protection exception
Fault detection time Not applicable
Addressed fault model None (systematic only)
Dependency on Device configuration None
Initialization Not applicable (enabled by default)
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
This method addresses systematic faults in software application and it have zero efficiency in
Recommendations and known limitations addressing hardware random faults affecting the option byte value during running time. No DC
value is therefore associated.
Table 25. FLASH_SM_4
SM CODE FLASH_SM_4
Description Static data encapsulation
Ownership End user
If static data are stored in flash memory, encapsulation by a checksum field with encoding
Detailed implementation capability (such as CRC) must be implemented.
Checksum validity is checked by Application software before static data consuming.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Recommendations and known limitations None
UM2318 - Rev 7 page 24/112
UM2318
Reference safety architecture
Table 26. FLASH_SM_6
SM CODE FLASH_SM_6
Description Flash memory unused area-filling code
Ownership End user
Used flash memory area must be filled with deterministic data. This way in case that the
Detailed implementation program counter jumps outside the application program area due to a transient fault affecting
CPU, the system evolves in a deterministic way.
Error reporting Not applicable
Fault detection time Not applicable
Addressed fault model None (fault avoidance)
Dependency on Device configuration None
Initialization Not applicable
Periodicity Not applicable
Test for the diagnostic Not applicable
Multiple-fault protection Not applicable
Filling code can be made of NOP instructions, or an illegal code that leads to a HardFault
Recommendations and known limitations
exception raise.
Table 27. FLASH_SM_8
SM CODE FLASH_SM_8
Description Read protection (RDP), write protection (WRP)
Ownership ST
Flash memory can be protected against illegal read or erase/write accesses by using these
Detailed implementation protection features. The combination of these techniques and the related different protection
levels allows End user to build an effective access protection policy.
Refer to functional documentation.
Error reporting
In some cases, a HardFault error is generated.
Fault detection time Refer to functional documentation.
Addressed fault model Systematic
Dependency on Device configuration None
Initialization Not required
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection Not required
Hardware random-failure detection capability for Flash memory access policy is restricted to
well-selected marginal failure modes, mainly affecting program counter and Flash memory
Recommendations and known limitations
interface functions. The associated diagnostic coverage is therefore expected to be irrelevant
in the framework of STM32F7 series safety concept.
UM2318 - Rev 7 page 25/112
UM2318
Reference safety architecture
3.6.5 Power controller (PWR)
Table 28. VSUP_SM_0
SM CODE VSUP_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 29. VSUP_SM_1
SM CODE VSUP_SM_1
Description Supply voltage internal monitoring (PVD)
Ownership ST
The device features an embedded programmable voltage detector (PVD) that monitors the
Detailed implementation VDD power supply and compares it to the VPVD threshold. An interrupt can be generated when
VDD drops below the VPVD threshold or when VDD is higher than the VPVD threshold.
Error reporting Interrupt event generation
Fault detection time Depends on threshold programming. Refer to functional documentation.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Protection enable by the PVDE bit and the threshold setting in the Power control register
Initialization
(PWR_CR)
Periodicity Continuous
Direct test procedure for PVD efficiency is not available. PVD run-time hardware failures
leading to disabling such protection fall into multiple-fault scenario, from IEC 61508
Test for the diagnostic
perspective. Related failures are adequately mitigated by the combination of safety
mechanisms reported in this table, field Multiple-fault protection.
Multiple-fault protection DIAG_SM_0: Periodic read-back of hardware diagnostics configuration registers
Internal monitoring PVD has limited capability to address failures affecting STM32F7 series
internal voltage regulator. Refer to [1] for details.
Internal monitoring PVD has limited capability to address failures affecting the internal voltage
Recommendations and known limitations regulator. Refer to Device FMEA for details.
In case the hardware option is not available on the chosen partnumbers, its contribution to the
overall safety concept is supported by other overlapping methods indicated for the mitigation
of failures affecting internal power.
UM2318 - Rev 7 page 26/112
UM2318
Reference safety architecture
Table 30. VSUP_SM_2
SM CODE VSUP_SM_2
Description Independent watchdog
Ownership ST
Failures in the power supplies for digital logic (core or peripherals) may lead to alteration of
Application software timing, which can be detected by IWDG as safety mechanism introduced
Detailed implementation
to monitor the Application software control flow. Refer to CPU_SM_1 and CPU_SM_6 for
further information.
Error reporting Reset signal generation
Fault detection time Depends on implementation (watchdog timeout interval)
Addressed fault model Permanent
Dependency on Device configuration None
IWDG activation. It is recommended to use Hardware watchdog in Option byte settings (IWDG
Initialization
is automatically enabled after reset).
Periodicity Continuous
Test for the diagnostic Refer to CPU_SM_6.
Multiple-fault protection CPU_SM_1: Control flow monitoring in Application software
In specific part numbers, IWDG can be fed by a power supply independent from the one used
for CPU core and main peripherals. Such diversity helps to increase the protection guaranteed
Recommendations and known limitations by IWDG from main power supply anomalies.
The adoption of an external watchdog (refer to CPU_SM_5) adds further diversity.
Table 31. VSUP_SM_3
SM CODE VSUP_SM_3
Description Internal temperature sensor check
Ownership End user
The internal temperature sensor must be periodically tested in order to detect abnormal
Detailed implementation increase of the die temperature – hardware faults in supply voltage system may cause
excessive power consumption and consequent temperature rise.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration None
Initialization None
Periodicity Periodic
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
This method also mitigates the probability of common-cause failure due to excessive
Recommendations and known limitations temperature, affecting the Device.
Refer to the Device datasheet to set the threshold temperature.
UM2318 - Rev 7 page 27/112
UM2318
Reference safety architecture
Table 32. VSUP_SM_5
SM CODE VSUP_SM_5
Description System-level power supply management
Ownership End user
This method is implemented at system level in order to guarantee the stability of power supply
value over time. It can include a combination of different overlapped solutions, some listed
here below (but not limited to):
Detailed implementation • additional voltage monitoring by external components
• passive electronics devices able to mitigate overvoltage
• specific design of power regulator in order to avoid power supply disturbance in
presence of a single failure
Error reporting Depends on implementation
Fault detection time Fault avoidance
Addressed fault model None
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection Not applicable
Usually, this method is already required/implemented to guarantee the stability of each
Recommendations and known limitations
component of the final electronic board.
3.6.6 Reset and clock controller (RCC)
Table 33. CLK_SM_0
SM CODE CLK_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to configuration registers for clock and reset system (refer to
RCC register map).
Detailed implementation
Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 28/112
UM2318
Reference safety architecture
Table 34. CLK_SM_1
SM CODE CLK_SM_1
Description Clock security system (CSS)
Ownership ST
The clock security system (CSS) detects the loss of high-speed external (HSE) oscillator clock
activity and executes the corresponding recovery action, such as:
Detailed implementation • switch-off HSE
• commutation on the HSI
• generation of related NMI
Error reporting NMI
Fault detection time Depends on implementation (clock frequency value)
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization CSS protection must be enabled through Clock interrupt register (RCC_CIR) after boot.
Periodicity Continuous
Test for the diagnostic Not applicable
CPU_SM_5: External watchdog
Multiple-fault protection
CLK_SM_0: Periodic read-back of configuration registers
It is recommended to carefully read reference manual instruction on NMI generation, in order
to correctly managing the faulty situation by Application software.
Recommendations and known limitations As the test of the diagnostic is not available in the hardware, it must be done at system level
during startup or maintenance period. The use of this method to implement fail operational
schemes is not recommended.
Table 35. CLK_SM_2
SM CODE CLK_SM_2
Description Independent watchdog
Ownership ST
The independent watchdog IWDG is able to detect failures in internal main MCU clock (lower
Detailed implementation
frequency).
Error reporting Reset signal generation
Fault detection time Depends on implementation (watchdog timeout interval)
Addressed fault model Permanent
Dependency on Device configuration None
IWDG activation. It is recommended to use the hardware watchdog in Option byte settings
Initialization
(IWDG is automatically enabled after reset).
Periodicity Continuous
Test for the diagnostic Refer to CPU_SM_6.
Multiple-fault protection CPU_SM_1: Control flow monitoring in Application software
Recommendations and known limitations The adoption of an external watchdog (refer to CPU_SM_5) adds further diversity.
UM2318 - Rev 7 page 29/112
UM2318
Reference safety architecture
Table 36. CLK_SM_3
SM CODE CLK_SM_3
Description Internal clock cross-measurement
Ownership End user
This method is implemented using general-purpose timers capabilities to be fed by the 32 KHz
RTC clock or an external clock source (if available). Timer counter progress is compared with
Detailed implementation
another counter (fed by internal clock). Abnormal values of oscillator frequency can therefore
be detected.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Periodic
Test for the diagnostic Not applicable
CPU_SM_1: Control flow monitoring in Application software
Multiple-fault protection
CPU_SM_5: External watchdog
Efficiency versus transient faults is negligible. It provides only medium efficiency in permanent
Recommendations and known limitations
clock-related failure mode coverage.
3.6.7 Clock recovery system (CRS)
No safety mechanisms are defined for CRS because of the consequences of CoU_8 (refer to
Section 3.7: Conditions of use). CRS deactivation is guaranteed by Section 3.6.41: Disable and periodic cross-
check of unintentional activation of unused peripherals.
3.6.8 General-purpose input/output (GPIO)
Table 37. GPIO_SM_0
SM CODE GPIO_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to GPIO configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration GPIO availability can differ according to part number
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
The execution of the method before any update on GPIO registers helps to mitigate the
Recommendations and known limitations possibility of unintended glitches on outputs due to soft errors. For more information refer to
[4].
UM2318 - Rev 7 page 30/112
UM2318
Reference safety architecture
Table 38. GPIO_SM_1
SM CODE GPIO_SM_1
Description 1oo2 for input GPIO lines
Ownership End user
This method addresses GPIO lines used as inputs. Implementation is done by connecting the
external safety-related signal to two independent GPIO lines. Comparison between the two
Detailed implementation
GPIO values is executed by the Application software each time the signal is used to affect
Application software behavior. This method applies to the single GPIO line used as input.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Permanent/transient
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
To reduce the potential impact of common cause failure, it is recommended to use GPIO lines:
• belonging to different I/O ports (for instance port A and B)
• with different bit port number (for instance PA1 and PB5)
Recommendations and known limitations • mapped to non-adjacent pins on the device package
As GPIO pins are shared with other MCU functions, this method must not be applied to pin
connections already used by another peripheral and addressed by related safety
mechanisms.
UM2318 - Rev 7 page 31/112
UM2318
Reference safety architecture
Table 39. GPIO_SM_2
SM CODE GPIO_SM_2
Description Loopback scheme for output GPIO lines
Ownership End user
This method addresses GPIO lines used as outputs. Implementation is done by a loopback
scheme, connecting the output to a different GPIO line programmed as input and by using the
Detailed implementation input line to check the expected value on output port. Comparison is executed by the
Application software periodically and each time output is updated. This method applies to the
single GPIO line used as output.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
To reduce the potential impact of common cause failure, it is recommended to use GPIO lines:
• belonging to different I/O ports (for instance port A and B)
• with different bit port number (for instance PA1 and PB5)
• mapped to non-adjacent pins on the device package
Efficiency versus transient failures is linked to final application characteristics. We define as
Recommendations and known limitations Tm the minimum duration of GPIO output wrong signal permanence required to violate the
related safety function(s). Efficiency is maximized when execution test frequency is higher
than 1/Tm.
As GPIO pins are shared with other MCU functions, this method must not be applied to pin
connections already used by another peripheral and addressed by related safety
mechanisms.
Table 40. GPIO_SM_3
SM CODE GPIO_SM_3
Description GPIO port configuration lock register
Ownership ST
This safety mechanism prevents configuration changes for GPIO registers; it addresses
therefore systematic faults in software application.
Detailed implementation
The use of this method is encouraged to enhance the end-application robustness for
systematic faults.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model None (Systematic only)
Dependency on Device configuration None
Application software must apply a correct locking write sequence after writing the final GPIO
Initialization
configuration.
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection Not required
This method does not address transient faults (soft errors) that can possibly cause bit-flips on
Recommendations and known limitations
GPIO registers at running time.
UM2318 - Rev 7 page 32/112
UM2318
Reference safety architecture
3.6.9 Debug system or peripheral control
Table 41. DBG_SM_0
SM CODE DBG_SM_0
Description Watchdog protection
Ownership ST
The debug unintentional activation due to hardware random fault results in the massive
Detailed implementation disturbance of CPU operations, leading to an intervention of the independent watchdog or,
alternatively, the other system watchdog WWDG or the external one (CPU_SM_5).
Error reporting Reset signal generation
Fault detection time Depends on implementation (watchdog timeout interval).
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Refer to CPU_SM_6.
Multiple-fault protection CPU_SM_1: Control flow monitoring in Application software
Recommendations and known limitations None
Table 42. LOCK_SM_0
SM CODE LOCK_SM_0
Description Lock mechanism for configuration options
Ownership ST
The STM32F7 series devices feature spread protection to prevent unintended configuration
changes for some peripherals and system registers. The spread protection detects systematic
Detailed implementation
faults in software application. The use of this method is encouraged to enhance the end
application robustness to systematic faults.
Error reporting Not generated (when locked, register overwrites are simply ignored).
Fault detection time Not applicable
Addressed fault model None (systematic only)
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection Not required
Recommendations and known limitations No DC associated because this test addresses systematic faults.
UM2318 - Rev 7 page 33/112
UM2318
Reference safety architecture
3.6.10 System configuration controller (SYSCFG)
Table 43. SYSCFG_SM_0
SM CODE SYSCFG_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to system configuration controller configuration registers.
This method is strongly recommended to protect registers related to hardware diagnostics
Detailed implementation activation and error reporting chain related features.
Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
This method is mainly overlapped by several other configuration register read-backs required
Recommendations and known limitations
for other MCU peripherals. It is reported here for the sake of completeness.
Table 44. DIAG_SM_0
SM CODE DIAG_SM_0
Description Periodic read-back of hardware diagnostics configuration registers
Ownership End user
In STM32F7 series, several hardware-based safety mechanisms are available (those with the
Ownership field set to ST). This method must be applied to any configuration register related
to diagnostic measure operations, including error reporting. End user must therefore
Detailed implementation individuate configuration registers related to:
• hardware diagnostic enable
• interrupt/NMI enable (if used for diagnostic error management)
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 34/112
UM2318
Reference safety architecture
3.6.11 Direct memory access controller (DMA)
Table 45. DMA_SM_0
SM CODE DMA_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to DMA configuration register and channel address register.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 46. DMA_SM_1
SM CODE DMA_SM_1
Description Information redundancy on data packet transferred via DMA
Ownership End user
This method is implemented by adding, to data packets transferred by DMA, a redundancy
check (such as CRC check or similar one) with encoding capability. Full data packet
redundancy would be an overkill.
Detailed implementation
The checksum encoding capability must be robust enough to guarantee at least 90%
probability of detection for a single bit flip in the data packet.
Consistency of data packet must be checked by Application software before consuming data.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
To give an example about checksum encoding capability, using just a bit-by-bit addition is
Recommendations and known limitations
inappropriate.
UM2318 - Rev 7 page 35/112
UM2318
Reference safety architecture
Table 47. DMA_SM_2
SM CODE DMA_SM_2
Information redundancy by including sender or receiver identifier on data packet transferred
Description
via DMA
Ownership End user
This method helps to identify inside the MCU the source and the originator of the message
exchanged by DMA.
Implementation is realized by adding an additional field to protected message, with a coding
convention for message type identification fixed at Device level. Guidelines for the
identification fields are:
• Identification field value must be different for each possible couple of sender or receiver
Detailed implementation
on DMA transactions.
• Values chosen must be enumerated and non-trivial.
• Coherence between the identification field value and the message type is checked by
the Application software before consuming data.
This method, when implemented in combination with DMA_SM_4, makes available a kind of
virtual channel between source and destinations entities.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Recommendations and known limitations None
Table 48. DMA_SM_3
SM CODE DMA_SM_3
Description Periodic software test for DMA
Ownership End user
This method requires the periodic testing of the DMA basic functionality, implemented through
a deterministic transfer of a data packet from one source to another (for example from
memory to memory) and the checking of the correct transfer of the message on the target.
Data packets are composed by non-trivial patterns (avoid the use of 0x0000, 0xFFFF values)
Detailed implementation and organized in order to allow the detection during the check of the following failures:
• incomplete packed transfer
• errors in single transferred word
• wrong order in packed transmitted data
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Periodic
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Recommendations and known limitations None
UM2318 - Rev 7 page 36/112
UM2318
Reference safety architecture
Table 49. DMA_SM_4
SM CODE DMA_SM_4
Description DMA transaction awareness
Ownership End user
DMA transactions are non-deterministic by nature, because typically driven by external events
like communication messages reception. Anyway, well-designed safety systems should keep
much control as possible of events – refer for instance to IEC 61508-3 Table 2 item 13
requirements for software architecture.
Detailed implementation
This method is based on system knowledge of frequency and type of expected DMA
transaction. For instance, an externally connected sensor supposed to send periodically some
messages to a STM32 peripheral. Monitoring DMA transaction by a dedicated state machine
allows the detection of missing or unexpected DMA activities.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Because DMA transaction termination is often linked to an interrupt generation,
Recommendations and known limitations implementation of this method can be merged with the safety mechanism NVIC_SM_1:
Expected and unexpected interrupt check.
UM2318 - Rev 7 page 37/112
UM2318
Reference safety architecture
3.6.12 Extended interrupt and events controller (EXTI)
Table 50. NVIC_SM_0
SM CODE NVIC_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This test is implemented by executing a periodic check of the configuration registers for a
system peripheral against its expected value. Expected values are previously stored in RAM
and adequately updated after each configuration change. The method mainly addresses
transient faults affecting the configuration registers, by detecting bit flips in the registers
contents. It addresses also permanent faults on registers because it is executed at least once
per PST (or another timing constraint; refer to (1) in Section 3.6: Hardware and software
diagnostics) after an update of the peripheral.
Method must be implemented to any configuration register whose contents are able to
interfere with NVIC or EXTI behavior in case of incorrect settings. Check includes NVIC vector
table.
Detailed implementation
According to the state-of-the-art automotive safety standard ISO26262, this method can
achieve high levels of diagnostic coverage (DC) (refer to ISO26262-5:2018, Table D.4).
An alternative valid implementation requiring less space in SRAM can be realized on the basis
of signature concept:
• Peripheral registers to be checked are read in a row, computing a CRC checksum (use
of hardware CRC is encouraged).
• Obtained signature is compared with the golden value (computed in the same way after
each register update, and stored in SRAM).
• Coherence between signatures is checked by Application software – signature
mismatch is considered as failure detection.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Periodic
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
This method addresses only failures affecting configuration registers, and not peripheral core
logic or external interface.
Recommendations and known limitations Attention must be paid to registers containing mixed combination of configuration and status
bits. Mask must be used before saving register contents affecting signature, and related
checks done, to avoid false positive detections.
UM2318 - Rev 7 page 38/112
UM2318
Reference safety architecture
Table 51. NVIC_SM_1
SM CODE NVIC_SM_1
Description Expected and unexpected interrupt check
Ownership End user
According to IEC 61508-2 Table A.1 recommendations, a diagnostic measure for continuous,
absence or cross-over of interrupt must be implemented. The method of expected and
unexpected interrupt check is implemented at Application software level.
The guidelines for the implementation of the method are the following:
• The interrupts implemented on the MCU are well documented, also reporting, when
possible, the expected frequency of each request (for example, the interrupts related to
ADC conversion completion that come on a regular basis).
• Individual counters are maintained for each interrupt request served, in order to detect
in a given time frame the cases of a) no interrupt at all b) too many interrupt requests.
Detailed implementation
The control of the time frame duration must be regulated according to the individual
interrupt expected frequency.
• Interrupt vectors related to unused interrupt source point to a default handler that
reports, in case of triggering, a faulty condition (unexpected interrupt).
• In case an interrupt service routine is shared between different sources, a plausibility
check on the caller identity is implemented.
Important: Interrupt requests generated by non-safety-related peripherals must be
handled using the same method as all safety related interupts outlined in the
list above.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
The extension of the method to non-safety related peripherals (see last bullet in "Detailed
Recommendations and known limitations implementation" box above) is introduced to mitigate interferences between non-safety and
safety functions/hardware (FFI).
UM2318 - Rev 7 page 39/112
UM2318
Reference safety architecture
3.6.13 Cyclic redundancy-check calculation unit (CRC)
Table 52. CRC_SM_0
SM CODE CRC_SM_0
Description CRC self-coverage
Ownership ST
The CRC algorithm implemented in this module (CRC-32 Ethernet polynomial: 0x4C11DB7)
offers excellent features in terms of error detection in the message. Therefore permanent and
Detailed implementation
transient faults affecting CRC computations are easily detected by any operations using the
module to recompute an expected signature.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Recommendations and known limitations None
3.6.14 Flexible static memory controller (FSMC)
Table 53. FSMC_SM_0
SM CODE FSMC_SM_0
Description Control flow monitoring in Application software
Ownership End user
If FSMC is used to connect an external memory containing software code to be executed by
the CPU, permanent and transient faults affecting the FSMC memory controller are able to
interfere with the access operation by the CPU, leading to wrong data or instruction fetches. A
Detailed implementation strong control flow mechanism linked to a system watchdog is able to detect such failures, in
case they interfere with the expected flow of Application software.
The implementation of this method is identical to the one reported for CPU_SM_1, refer there
for details.
Error reporting Depends on implementation
Fault detection time Depends on implementation. Higher value is fixed by watchdog timeout interval.
Addressed fault model Permanent/transient
Dependency on Device configuration FSMC interface is available only on selected part numbers.
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
This mechanism must only be used if FSMC external memory is used to store executable
Recommendations and known limitations
programs.
UM2318 - Rev 7 page 40/112
UM2318
Reference safety architecture
Table 54. FSMC_SM_1
SM CODE FSMC_SM_1
Description Information redundancy on external memory connected to FSMC
Ownership End user
If FSMC interface is used to connect an external memory where safety-relevant data are
stored, information redundancy techniques for stored data are able to address faults affecting
the FSMC interface. The possible techniques are:
Detailed implementation
• using redundant copies of safety-relevant data and performing coherence check before
consuming
• organizing data in arrays and computing the checksum field to check before use
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration FSMC interface is available only on selected part numbers.
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
This mechanism must be used just if FSMC external memory is used to store safety-related
data.
Recommendations and known limitations
This safety mechanism can overlap with information redundancy techniques implemented at
system level to address failure of physical device connected to FSMC port.
Table 55. FSMC_SM_2
SM CODE FSMC_SM_2
Description Periodic read-back of FSMC configuration registers
Ownership End user
This method must be applied to FSMC configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration FSMC interface is available only on selected part numbers.
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 41/112
UM2318
Reference safety architecture
Table 56. FSMC_SM_3
SM CODE FSMC_SM_3
Description ECC engine on NAND interface in FSMC module
Ownership ST
The FMC NAND Card controller includes two error correction code computation hardware
blocks, one per memory bank. They reduce the host CPU workload when processing the ECC
Detailed implementation by software.
ECC mechanism protects data integrity on the external memory connected to NAND port.
Error reporting Refer to functional documentation
Fault detection time ECC bits are checked during memory reading.
Addressed fault model Permanent/transient
Dependency on Device configuration FSMC interface is available only on selected part numbers.
Initialization None
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection FSMC_SM_2: Periodic read-back of FSMC configuration registers
This method has negligible efficiency in detecting hardware random failures affecting the
Recommendations and known limitations FSMC interface. It can be part of End user safety concept because addressing memories
outside STM32F7 series MCU.
3.6.15 Octo-SPI interface (OCTOSPI)
Table 57. QSPI_SM_0
SM CODE QSPI_SM_0
Description Periodic read-back of OCTOSPI configuration registers
Ownership End user
This method must be applied to OCTOSPI configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 42/112
UM2318
Reference safety architecture
Table 58. QSPI_SM_1
SM CODE QSPI_SM_1
Description Protocol error signals including hardware CRC
Ownership ST
OCTOSPI communication module embeds protocol error checks (like overrun, underrun,
timeout and so on), conceived to detect communication-related abnormal conditions. These
Detailed implementation
mechanisms are only able to detect a small fraction of hardware random failures affecting the
module itself.
Error reporting Error flag raise and optional interrupt event generation
Depends on peripheral configuration (for example baud rate). Refer to functional
Fault detection time
documentation.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Direct test procedure for CRC efficiency is not available. CRC run-time hardware failures
leading to disabling such protection fall into multiple-fault scenario, from IEC 61508
Test for the diagnostic
perspective. Related failures are adequately mitigated by the combination of safety
mechanisms reported in this table, field Multiple-fault protection.
Multiple-fault protection QSPI_SM_2: Information redundancy techniques on messages
Recommendations and known limitations Enabling related interrupt generation on the detection of errors is highly recommended.
Table 59. QSPI_SM_2
SM CODE QSPI_SM_2
Description Information redundancy techniques on messages
Ownership End user
This method is implemented adding to data packets (not commands) transferred by OCTOSPI
interface a redundancy check (like a CRC check, or similar one) with encoding capability. The
Detailed implementation checksum encoding capability must be robust enough to guarantee at least 90% probability of
detection for a single bit flip in the data packet.
Consistency of data packet must be checked by Application software before consuming data.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
To give an example on checksum encoding capability, using just a bit-by-bit addition is
unappropriated.
Recommendations and known limitations
This safety mechanism can overlap with information redundancy techniques implemented at
system level to address failure of physical device connected to OCTOSPI port.
UM2318 - Rev 7 page 43/112
UM2318
Reference safety architecture
3.6.16 Analog-to-digital converter (ADC)
Table 60. ADC_SM_0
SM CODE ADC_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to the ADC configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 61. ADC_SM_1
SM CODE ADC_SM_1
Description Multiple acquisition by Application software
Ownership End user
This method implements a timing information redundancy by executing multiple acquisitions
Detailed implementation on the same input signal. Multiple data acquisitions are then combined by a filter algorithm to
determine the signal correct value.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Depends on implementation
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
It is highly probable that this recommendation is satisfied by design by the End
userApplication software. Usage of multiple acquisitions followed by average operations is a
Recommendations and known limitations
common technique in industrial applications exposed to electromagnetic interference on
sensor lines.
UM2318 - Rev 7 page 44/112
UM2318
Reference safety architecture
Table 62. ADC_SM_2
SM CODE ADC_SM_2
Description Range check by Application software
Ownership End user
The guidelines for the implementation of the method are the following:
• The expected range of the data to be acquired are investigated and adequately
documented. Note that in a well-designed application it is improbable that during normal
operation an input signal has a very near or over the upper and lower rail limit
(saturation in signal acquisition).
• If the Application software is aware of the state of the system, this information is to be
Detailed implementation used in the range check implementation. For example, if the ADC value is the
measurement of a current through a power load, reading an abnormal value such as a
current flowing in opposite direction versus the load supply may indicate a fault in the
acquisition module.
• As the ADC module is shared between different possible external sources, the
combination of plausibility checks on the different signals acquired can help to cover the
whole input range in a very efficient way.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Depends on implementation
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
The implementation and the related diagnostic efficiency of this safety mechanism are strongly
Recommendations and known limitations
application-dependent.
Table 63. ADC_SM_3
SM CODE ADC_SM_3
Description Periodic software test for ADC
Ownership End user
The method is implemented acquiring multiple signals and comparing the read value with the
expected one, supposed to be known. Method can be implemented with different level of
complexity:
Detailed implementation • Basic complexity: acquisition and check of upper or lower rails (VDD or VSS) and
internal reference voltage
• High complexity: in addition to basic complexity tests, acquisition of a DAC output
connected to ADC input and checking all voltage excursion and linearity
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Periodic
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Combination of two methods with different complexity can be used to better optimize test
Recommendations and known limitations
frequency in high-demand safety functions.
UM2318 - Rev 7 page 45/112
UM2318
Reference safety architecture
Table 64. ADC_SM_4
SM CODE ADC_SM_4
Description 1oo2 scheme for ADC inputs
Ownership End user
This safety mechanism is implemented using two different SAR ADC channels belonging to
Detailed implementation separate ADC modules to acquire the same input signal. The Application software checks the
coherence between the two readings.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection ADC_SM_0: Periodic read-back of configuration registers
This method can be used in conjunction with ADC_SM_0 / ADC_SM_2 / ADC_SM_3 to
Recommendations and known limitations
achieve highest level of ADC module diagnostic coverage.
3.6.17 Digital-to-analog converter (DAC)
Table 65. DAC_SM_0
SM CODE DAC_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to DAC configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 46/112
UM2318
Reference safety architecture
Table 66. DAC_SM_1
SM CODE DAC_SM_1
Description DAC output loopback on ADC channel
Ownership End user
Route the active DAC output to one ADC channel, and check the output current value against
Detailed implementation
the expected one.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous or on demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Efficiency versus transient failures is linked to final application characteristics. We define as
Recommendations and known limitations Tm the minimum duration of DAC wrong signal permanence required to violate the related
safety function(s). Efficiency is maximized when execution test frequency is higher than 1/Tm.
3.6.18 Digital filter for sigma delta modulators (DFSDM)
Table 67. DFS_SM_0
SM CODE DFS_SM_0
Description Periodic read-back of DFSDM configuration registers
Ownership End user
This method must be applied to DFSDM configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 47/112
UM2318
Reference safety architecture
Table 68. DFS_SM_1
SM CODE DFS_SM_1
Description Multiple acquisition by Application software
Ownership End user
This method implements a timing information redundancy by executing multiple acquisitions
Detailed implementation on the same input signal. Multiple acquisition data are then combined by a filter algorithm to
determine the signal correct value.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
It is highly probable that this recommendation is satisfied by design by End userApplication
software. Usage of multiple acquisitions followed by average operations is a common
Recommendations and known limitations
technique in industrial applications where it is needed to survive with spurious EMI disturbs on
sensor lines.
Table 69. DFS_SM_2
SM CODE DFS_SM_2
Description Range check by Application software
Ownership End user
This method is implemented as described in ADC_SM_2: Range check by Application
Detailed implementation
software.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Not applicable
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Recommendations and known limitations The implementation of this safety mechanism is strongly application-dependent.
UM2318 - Rev 7 page 48/112
UM2318
Reference safety architecture
Table 70. DFS_SM_3
SM CODE DFS_SM_3
Description 1oo2 scheme for DFSM inputs
Ownership End user
This safety mechanism is implemented using two different DFSM modules to acquire the
Detailed implementation
same input signal. The Application software checks the coherence between the two readings.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection DFS_SM_0: Periodic read-back of DFSDM configuration registers
This method can be used in conjunction with DFS_SM_0 to achieve highest level of DFSM
Recommendations and known limitations
module diagnostic coverage (as an alternative to DFS_SM_1 and DFS_SM_2).
3.6.19 Digital camera interface (DCMI)
Table 71. DCMI_SM_0
SM CODE DCMI_SM_0
Description Periodic read-back of DCMI configuration registers
Ownership End user
This method must be applied to DCMI configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration DCMI interface is available only on selected part numbers.
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 49/112
UM2318
Reference safety architecture
Table 72. DCMI_SM_1
SM CODE DCMI_SM_1
Description DCMI video input data synchronization
Ownership ST
According to the nature of video data stream received, DCMI module implements
synchronization controls, from the simplest one (hardware synchronization) to the most
Detailed implementation
complex (e.g. embedded data synchronization mode). DCMI internal failures leading to the
incapability of correcting synchronizing the data stream can be therefore detected.
Error reporting No explicit error signal/message generation is provided (*).
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration DCMI interface is available only on selected part numbers.
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection DCMI_SM_0: Periodic read-back of DCMI configuration registers
(*) For its nature, the detection of an actual hardware failure by this safety mechanism can be
confused with functional-related scenarios (e.g. camera device disconnected or powered-off).
Recommendations and known limitations
It is responsibility of Application software to discriminate, as far as it is technically possible,
among different events.
3.6.20 LCD-TFT display controller (LTDC)
Table 73. LCD_SM_0
SM CODE LCD_SM_0
Description Periodic read-back of LTDC configuration registers and buffer memory
Ownership End user
This method must be applied to LTDC configuration registers and to the buffer memory.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 50/112
UM2318
Reference safety architecture
Table 74. LCD_SM_1
SM CODE LCD_SM_1
Description LTDC acquisition by ADC channel
Ownership End user
Correct generation of LTDC driving signals is checked by ADC reading versus expected
Detailed implementation
values
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration None
Initialization None
Periodicity Periodic
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
This method is conceived to mainly detect permanent failures affecting analog parts and
Recommendations and known limitations therefore the execution on periodic way is acceptable. Diagnostic coverage achievable
depends on the quantity of LTDC signals checked
Note: The above-described safety mechanism addresses the LTDC interface included in STM32 MCUs. Because
actual capability of correct image generation on LTDC is not addressed by this safety mechanism, in case such
feature is considered safety relevant, End user is warned to evaluate the adoption of adequate system-level
measures.
3.6.21 DSI Host (DSI)
Table 75. DSI_SM_0
SM CODE DSI_SM_0
Description Periodic read-back of DSI configuration registers
Ownership End user
This method must be applied to DSI configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 51/112
UM2318
Reference safety architecture
Table 76. DSI_SM_1
SM CODE DSI_SM_1
Description Protocol error signals and information redundancy including hardware checksums
Ownership ST
DSI communication/command protocol is based on a packet handling concept, including
(where applicable) ECC and checksum capabilities. This mechanism, mainly implemented to
Detailed implementation
manage on field communication disturbance, is able to achieve a relevant diagnostic coverage
on several DSI module failure modes.
Error reporting Error conditions are reported by flag bits in related registers.
Depends on peripheral configuration and the type of violation detected. Refer to functional
Fault detection time
documentation.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection DSI_SM_0: Periodic read-back of DSI configuration registers
Recommendations and known limitations None
Note: The above-described safety mechanisms addresses the DSI interface included in STM32 MCUs, including PHY.
Because actual capability of correct physical signal generation to drive the connected monitor is not addressed
by these safety mechanisms, in case such feature is considered safety relevant, End user is warned to evaluate
the adoption of adequate system-level measures.
3.6.22 JPEG codec (JPEG)
Table 77. JPEG_SM_0
SM CODE JPEG_SM_0
Description Periodic read-back of JPEG codec configuration registers
Ownership End user
This method must be applied to JPEG codec configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple faults protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 52/112
UM2318
Reference safety architecture
Table 78. JPEG_SM_1
SM CODE JPEG_SM_1
Description Periodic test for JPEG encoding/decoding functions
Ownership End user
JPEG encoding/decoding functions performed by JPEG codec are tested by comparison,
executing the functions over a set of reference images stored in the flash memory and
checking the correctness of output images. The method diagnostic coverage depends on the
Detailed implementation quantity and composition of image set used for the checks.
The comparison of output image with expected result can be executed bit-by-bit or even by
faster methods like CRC-seed (computed via DMA transactions) checks.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Periodic
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
If only one kind of function between encoding and decoding is used by Application software,
Recommendations and known limitations
the method can be simplified restricting the test to the used function only.
Table 79. JPEG_SM_2
SM CODE JPEG_SM_2
Description Application-level detection of failures affecting JPEG coding/encoding
Ownership End user
Several application-level methods can be used to detect failures affecting JPEG coding/
encoding; being no possible to give detailed information for its implementation, only high level
guidelines/hints are provided:
• Permanent and transient failures: Application software checks on expected output
Detailed implementation image characteristics (for example, after the processing by image recognition
algorithms)
• Transient faults: Application software checks on images redundancy (in case of
sequence coming from video stream) possibly discarding wrongly-processed frames.
This rationale could be also used to derate a part of transient failure rate as no effect.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Periodic/On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
These methods are strictly application-dependent; therefore, their implementation and any
Recommendations and known limitations
related claims in terms of failure mitigations are End user’s responsibility.
Note: The use of the DMA feature inside this module requires the adoption of the set of safety mechanism defined for
the system DMA (refer to Section 3.6.11: Direct memory access controller (DMA)).
UM2318 - Rev 7 page 53/112
UM2318
Reference safety architecture
3.6.23 HASH processor (HASH)
Table 80. HASH_SM_0
SM CODE HASH_SM_0
Description Periodic read-back of HASH configuration registers
Ownership End user
This method must be applied to HASH configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration HASH module available only on specific part numbers
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 81. HASH_SM_1
SM CODE HASH_SM_1
Description HASH processing collateral detection
Ownership ST
Message digest computation performed by HASH module is composed by several data
Detailed implementation manipulations and checks. A major part of the hardware random failures affecting HASH
module leads to algorithm violations/errors, and so to decoding errors on the receiver side.
Error reporting Several error condition can happens, check functional documentation.
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration HASH module available only on specific part numbers
Initialization Depends on implementation
Periodicity Continuous
Direct test procedure for HASH efficiency is not available. HASH run-time hardware failures
leading to disabling related collateral protection fall into multiple-fault scenario, from
Test for the diagnostic
IEC 61508 perspective. Related failures are adequately mitigated by the combination of safety
mechanisms reported in this table, field Multiple-fault protection.
HASH_SM_0: Periodic read-back of HASH configuration registersCPU_SM_0: Periodic core
Multiple-fault protection
self-test software
This detection capability can be used to implement software-based tests (by processing a
Recommendations and known limitations predefined message and further checking the expected results) which can be executed
periodically to early detect HASH failures before its use by application software.
Note: Hardware random failures consequences on potential security features violations are not analyzed in this
manual.
UM2318 - Rev 7 page 54/112
UM2318
Reference safety architecture
3.6.24 True random number generator (RNG)
Table 82. RNG_SM_0
SM CODE RNG_SM_0
Description Periodic read-back of RNG configuration register
Ownership End user
This method must be applied to RNG configuration register RNG_CR.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration RNG module available only on specific part numbers
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 83. RNG_SM_1
SM CODE RNG_SM_1
Description RNG module entropy on-line tests
Ownership ST and End user
RNG module include an internal diagnostic for the analog source entropy that can be used to
detect failures on the module itself. Furthermore, the required test on generated random
number difference between the previous one (as required by FIPS PUB 140-2) can be
exploited as well.
Detailed implementation
Implementation:
• Check for RNG error conditions.
• Check the difference between generated random number and the previous one.
CEIS, SEIS error bits of the RNG status register (RNG_SR)
Error reporting
Application software error for FIPS PUB 140-2 test fail
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration RNG module available only on specific part numbers
Initialization Permanent/transient
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Recommendations and known limitations None
UM2318 - Rev 7 page 55/112
UM2318
Reference safety architecture
3.6.25 Cryptographic processor (CRYP)
Table 84. CRYP_SM_0
SM CODE CRYP_SM_0
Description Periodic read-back of CRYP configuration registers
Ownership End user
This method must be applied to CRYP configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration CRYP module available only on specific part numbers
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 85. CRYP_SM_1
SM CODE CRYP_SM_1
Description Encryption/decryption collateral detection
Ownership ST
Encryption and decryption operations performed by CRYP module are composed by several
data manipulations and checks, with different level of complexity according to the selected
Detailed implementation
chaining algorithm. A major part of the hardware random failures affecting CRYP module
leads to algorithm violations/errors. Leading to decoding errors on the receiver side.
Error reporting Several error conditions can happen, check functional documentation.
Fault detection time Dependency on Device configuration
Addressed fault model Permanent/transient
Dependency on Device configuration CRYP module available only on specific part numbers
Initialization Dependency on Device configuration
Periodicity Continuous
Direct test procedure for CRYP efficiency is not available. CRYP run-time hardware failures
leading to disabling such protection fall into multiple-fault scenario, from IEC 61508
Test for the diagnostic
perspective. Related failures are adequately mitigated by the combination of safety
mechanisms reported in this table, field Multiple-fault protection.
CRYP_SM_2: Information redundancy techniques on messages, including end-to-end
Multiple-fault protection
protection
Recommendations and known limitations None
UM2318 - Rev 7 page 56/112
UM2318
Reference safety architecture
Table 86. CRYP_SM_2
SM CODE CRYP_SM_2
Description Information redundancy techniques on messages, including end-to-end protection
Ownership End user
This method aim to protect the communication between a peripheral and his external
counterpart. It is used in CRYP local safety concept to address failures not detected by the
Detailed implementation encryption/decryption features.
Refer to UART_SM_3 description for detailed information.
Error reporting Refer to UART_SM_3
Fault detection time Refer to UART_SM_3
Addressed fault model Refer to UART_SM_3
Dependency on Device configuration CRYP module available only on specific part numbers
Initialization Refer to UART_SM_3
Periodicity Refer to UART_SM_3
Test for the diagnostic Refer to UART_SM_3
Multiple-fault protection Refer to UART_SM_3
Important note: it is assumed that the remote counterpart has an equivalent capability of
Recommendations and known limitations performing the checks described.
Refer to UART_SM_3 for further notice.
Important: Hardware random failure consequences on potential violations of Device security feature are not detailed in this
manual.
3.6.26 Advanced-control/General-purpose timers
As the timers have multiple mutually independent channels possibly used for different functions, the safety
mechanism is selected individually for each channel.
Table 87. ATIM_SM_0
SM CODE ATIM_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to advanced, general-purpose and low-power timer configuration
registers.
Detailed implementation
Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 57/112
UM2318
Reference safety architecture
Table 88. ATIM_SM_1
SM CODE ATIM_SM_1
Description 1oo2 for counting timers
Ownership End user
This method implements via software a 1oo2 scheme between two counting resources.
The guidelines for the implementation of the method are the following:
• Two timers are programmed with same time base or frequency.
• In case of timer use as a time base: use in Application software one of the timer as time
Detailed implementation base source, and the other one just for check. Coherence check for the 1oo2 is done at
application level, comparing two counter values each time the timer value is used to
affect safety function.
• In case of interrupt generation: use the first timer as main interrupt source for the
service routines, and the second timer as a “reference” to be checked at the initial of
interrupt routine.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Tolerance implementation in timer checks is recommended to avoid false positive outcomes of
the diagnostic.
This method applies to timer channels merely used as elapsed time counters.
Recommendations and known limitations
Events related to timers protected by the safety mechanisms must be monitored inside the
routine managing the external watchdog (CPU_SM_5) reset.
Note: One timer may act as a reference for multiple other timers.
UM2318 - Rev 7 page 58/112
UM2318
Reference safety architecture
Table 89. ATIM_SM_2
SM CODE ATIM_SM_2
Description 1oo2 for input capture timers
Ownership End user
This method is conceived to protect timers used for acquisition and measurement of external
signals (input capture, encoder reading). The implementation consists in connecting the
external signals also to a redundant timer, and checking the coherence of the measured data
Detailed implementation at application level.
Coherence check between timers is executed each time the reading is used by Application
software.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
To reduce the potential effect of common cause failures, it is suggested to use for redundant
Recommendations and known limitations check a channel belonging to a different timer module and mapped to non-adjacent pin on the
device package.
UM2318 - Rev 7 page 59/112
UM2318
Reference safety architecture
Table 90. ATIM_SM_3
SM CODE ATIM_SM_3
Description Loopback scheme for pulse width modulation (PWM) outputs
Ownership End user
This method is implemented by connecting the PWM to a separate timer channel to acquire
the generated waveform characteristics.
The guidelines are the following:
• Both PWM frequency and duty cycle are measured and checked versus the expected
value.
Detailed implementation • To reduce the potential effect of common cause failure, it is suggested to use for the
loopback check a channel belonging to a different timer module and mapped to non-
adjacent pins on the device package.
This measure can be replaced under the end-user responsibility by different loopback
schemes already in place in the final application and rated as equivalent. For example if the
PWM is used to drive an external power load, the reading of the on-line current value can be
used instead of the PWM duty cycle measurement.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Depends on implementation
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Efficiency versus transient failures is linked to final application characteristics. We define as
Tm the minimum duration of PWM wrong signal permanence (wrong frequency, wrong duty, or
Recommendations and known limitations
both) required to violate the related safety function(s). Efficiency is maximized when execution
test frequency is higher than 1/Tm.
Table 91. ATIM_SM_4
SM CODE ATIM_SM_4
Description Lock bit protection for timers
Ownership ST
This safety mechanism allows End user to lock down specified configuration options, thus
Detailed implementation avoiding unintended modifications by Application software. Therefore, it addresses software
development systematic faults.
Error reporting Not applicable
Fault detection time Not applicable
Addressed fault model None (Fault avoidance)
Dependency on Device configuration None
Initialization Lock protection must be enabled using LOCK bits in the TIMx_BDTR register.
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection Not applicable
Recommendations and known limitations This method does not address timer configuration changes due to soft errors.
Note: IRTIM is not individually mentioned here as its implementation is mostly based on general-purpose timer
functions. Refer to related prescriptions.
UM2318 - Rev 7 page 60/112
UM2318
Reference safety architecture
3.6.27 Basic timers
Table 92. GTIM_SM_0
SM CODE GTIM_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to basic timer configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 93. GTIM_SM_1
SM CODE GTIM_SM_1
Description 1oo2 for counting timers
Ownership End user
This method implements via software a 1oo2 scheme between two counting resources.
The guidelines for the implementation of the method are the following:
• Two timers are programmed with same time base or frequency.
• In case of timer use as a time base: use in Application software one of the timer as time
Detailed implementation base source, and the other one just for check. Coherence check for the 1oo2 is done at
application level, comparing two counters values each time the timer value is used to
affect safety function.
• In case of interrupt generation usage: use the first timer as main interrupt source for the
service routines, and use the second timer as a “reference” to be checked at the initial
of interrupt routine.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Tolerance implementation in timer checks is recommended to avoid false positive outcomes of
the diagnostic.
Recommendations and known limitations Events related to timers protected by the safety mechanisms must be monitored inside the
routine managing the external watchdog reset.
Note: One timer may act as a reference for multiple other timers.
UM2318 - Rev 7 page 61/112
UM2318
Reference safety architecture
3.6.28 Independent and system window watchdogs (IWDG and WWDG)
Table 94. WDG_SM_0
SM CODE WDG_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to IWDG/WWDG configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 95. WDG_SM_1
SM CODE WDG_SM_1
Description Software test for watchdog at startup
Ownership End user
This safety mechanism ensures the right functionality of the internal watchdogs in use. The
test implementation allows the application software to induce a watchdog reset for a specific
purpose such as at startup, and to determine that the cause of the reset was the test
procedure itself, and not a software/hardware malfunction. This is confirmed by reading the
Detailed implementation
associated hardware flag in the RCC status register before and after the test and applying
specific SW flag, which stores nontrivial pattern at SRAM, just during the test execution. Both
the HW and SW flags must be cleared once the test is done. This is essential to avoid
repeating the test in a loop, and to correctly manage watchdog resets related to failures.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Startup
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
In a typical End user application, this test can be executed only at startup and during
Recommendations and known limitations maintenance or offline periods. It could be associated to IEC 61508 concept of “proof test” and
so it cannot be accounted for a diagnostic coverage contribution during operating time.
UM2318 - Rev 7 page 62/112
UM2318
Reference safety architecture
3.6.29 Real-time clock module (RTC)
Table 96. RTC_SM_0
SM CODE RTC_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to RTC configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 97. RTC_SM_1
SM CODE RTC_SM_1
Description Application check of running RTC
Ownership End user
The Application software implements some plausibility check on RTC calendar or timing data,
mainly after a power-up and further date reading by RTC.
The guidelines for the implementation of the method are the following:
• RTC backup registers are used to store coded information in order to detect the
absence of VBAT during power-off period.
Detailed implementation • RTC backup registers are used to periodically store compressed information on current
date or time
• The Application software executes minimal consistence checks for date reading after
power-on (detecting “past” date or time retrieve).
• The Application software periodically checks that RTC is actually running, by reading
RTC timestamp progress and comparing with an elapsed time measurement based on
STM32 internal clock or timers.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Periodic
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
This method provides a limited diagnostic coverage for RTC failure modes. In case of End
user application where RTC timestamps accuracy can affect in severe way the safety function
Recommendations and known limitations
(for example, medical data storage devices), it is strongly recommended to adopt more
efficient system-level measures.
UM2318 - Rev 7 page 63/112
UM2318
Reference safety architecture
Table 98. RTC_SM_2
SM CODE RTC_SM_2
Description Information redundancy on backup registers
Ownership End user
Data stored in RTC backup registers must be protected by a checksum with encoding
capability (for instance, CRC). Checksum must be checked by application software before
Detailed implementation consuming stored data.
This method guarantees data versus erases due to backup battery failures.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Periodic/On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Recommendations and known limitations None
Table 99. RTC_SM_3
SM CODE RTC_SM_3
Description Application-level measures to detect failures in timestamps/event capture
Ownership End user
This method must detect failures affecting the RTC capability to correct execute the
Detailed implementation timestamps/event capture functions. Due to the nature strictly application-dependent of this
solution, no detailed guidelines for its implementation are given here.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Periodic/On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
This method must be used only if the timestamps/event capture function is used in the safety
function implementation. It is worth noting that the use of timestamp / event capture in safety-
Recommendations and known limitations
related applications with the MCU in Sleep or Stop mode is prevented by the assumed
requirement ASR7 (refer to Section 3.3.1: Safety requirement assumptions).
UM2318 - Rev 7 page 64/112
UM2318
Reference safety architecture
3.6.30 Inter-integrated circuit (I2C)
Table 100. IIC_SM_0
SM CODE IIC_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to I2C configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 101. IIC_SM_1
SM CODE IIC_SM_1
Description Protocol error signals
Ownership ST
I2C communication module embeds protocol error checks (like overrun, underrun, packet
Detailed implementation error etc.) conceived to detect network-related abnormal conditions. These mechanisms are
only able to detect a small fraction of hardware random failures affecting the module itself.
Error reporting Error flag raise and optional interrupt event generation
Depends on peripheral configuration (for example baud rate). Refer to functional
Fault detection time
documentation.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection IIC_SM_2: Information redundancy techniques on messages
Adoption of SMBus option grants the activation of more efficient protocol-level hardware
Recommendations and known limitations checks such as CRC-8 packet protection.
Enabling related interrupt generation on the detection of errors is highly recommended.
UM2318 - Rev 7 page 65/112
UM2318
Reference safety architecture
Table 102. IIC_SM_2
SM CODE IIC_SM_2
Description Information redundancy techniques on messages
Ownership End user
This method is implemented adding to data packets transferred by I2C a redundancy check
(such as a CRC check, or similar one) with encoding capability. The checksum encoding
Detailed implementation capability must be robust enough to guarantee at least 90% probability of detection for a
single bit flip in the data packet.
Consistency of data packet must be checked by Application software before consuming data.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
It is assumed that the remote I2C counterpart has an equivalent capability of performing the
check described.
To give an example on checksum encoding capability, using just a bit-by-bit addition is
Recommendations and known limitations unappropriated.
Important: This method must be considered as a subset of IIC_SM_4. Therefore, the
implementation of IIC_SM_4 completely overlap this method. Refer to [4] for
additional details.
Table 103. IIC_SM_3
SM CODE IIC_SM_3
Description CRC packet-level
Ownership ST
I2C communication module allows to activate for specific mode of operation (SMBus) the
Detailed implementation
automatic insertion (and check) of CRC checksums to packet data.
Error reporting Error flag raise and optional Interrupt Event generation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Direct test procedure for CRC efficiency is not available. CRC run-time hardware failures
leading to disabling such protection fall into multiple-fault scenario, from IEC 61508
Test for the diagnostic
perspective. Related failures are adequately mitigated by the combination of safety
mechanisms reported in this table, field Multiple-fault protection.
Multiple-fault protection IIC_SM_2: Information redundancy techniques on messages
This method can be part of the implementation for IIC_SM_2 or IIC_SM_4. In that case,
because of the warning issued in the Test for the diagnostic field, this mechanism can not be
Recommendations and known limitations the only one to guarantee message integrity.
Enabling related interrupt generation on the detection of errors is highly recommended.
UM2318 - Rev 7 page 66/112
UM2318
Reference safety architecture
Table 104. IIC_SM_4
SM CODE IIC_SM_4
Description Information redundancy techniques on messages, including end-to-end protection
Ownership End user
This method aims to protect the communication between a I2C peripheral and his external
Detailed implementation counterpart.
Refer to UART_SM_3 description for detailed information.
Error reporting Refer to UART_SM_3
Fault detection time Refer to UART_SM_3
Addressed fault model Refer to UART_SM_3
Dependency on Device configuration Refer to UART_SM_3
Initialization Refer to UART_SM_3
Periodicity Refer to UART_SM_3
Test for the diagnostic Refer to UART_SM_3
Multiple-fault protection Refer to UART_SM_3
It is assumed that the remote I2C counterpart has an equivalent capability of performing the
Recommendations and known limitations checks described.
Refer to UART_SM_3 for further notice.
3.6.31 Universal synchronous receiver transmitter (USART)
Table 105. UART_SM_0
SM CODE UART_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to USART configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 67/112
UM2318
Reference safety architecture
Table 106. UART_SM_1
SM CODE UART_SM_1
Description Protocol error signals
Ownership ST
USART communication module embeds protocol error checks (like additional parity bit check,
overrun, frame error) conceived to detect network-related abnormal conditions. These
mechanisms are only able to detect a small fraction of hardware random failures affecting the
Detailed implementation module itself.
Error signals connected to these checkers are normally handled in a standard communication
software, so the overhead is reduced.
Error reporting Error flag raise and optional interrupt event generation
Depends on peripheral configuration (for example baud rate). Refer to functional
Fault detection time
documentation.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection UART_SM_2: Information redundancy techniques on messages
USART communication module allows several different configurations. The actual composition
Recommendations and known limitations of communication error checks depends on the selected configuration.
Enabling related interrupt generation on the detection of errors is highly recommended.
Table 107. UART_SM_2
SM CODE UART_SM_2
Description Information redundancy techniques on messages
Ownership End user
This method is implemented by adding to data packets transferred by this peripheral a
redundancy check (such as a CRC check, or similar one) with encoding capability. The
Detailed implementation checksum encoding capability must be robust enough to guarantee at least 90% probability of
detection for a single bit flip in the data packet.
Consistency of data packet must be checked by Application software before consuming data.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
It is assumed that the remote counterpart has an equivalent capability of performing the check
described.
To give an example on checksum encoding capability, using just a bit-by-bit addition is
Recommendations and known limitations unappropriated.
Important: This method must be considered as a subset of UART_SM_3. Therefore,
the implementation of UART_SM_3 completely overlap this method. Refer to
[4] for additional details.
UM2318 - Rev 7 page 68/112
UM2318
Reference safety architecture
Table 108. UART_SM_3
SM CODE UART_SM_3
Description Information redundancy techniques on messages, including end-to-end protection
Ownership End user
This method aims to protect the communication between a peripheral and his external
counterpart establishing a kind of “protected” channel. The aim is to specifically address
communication failure modes as reported in IEC 61508-2, 7.4.11.1.
Implementation guidelines are as follows:
• Data packet must be protected (encapsulated) by an information redundancy check,
like for instance a CRC checksum computed over the packet and added to payload.
Checksum encoding capability must be robust enough to guarantee at least 90%
Detailed implementation probability of detection for a single-bit flip in the data packet.
• Additional field added in payload reporting an unique identification of sender or receiver
and an unique increasing sequence packet number.
• Timing monitoring of the message exchange (for example check the message arrival
within the expected time window), detecting therefore missed message arrival
conditions.
• Application software must verify before consuming data packet its consistency (CRC
check), its legitimacy (sender or receiver) and the sequence correctness (sequence
number check, no packets lost).
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
A major overlap between the requirements of this method and the implementation of complex
communication software protocols can exists. Due to large adoption of these protocols in
Recommendations and known limitations industrial applications, optimizations can be possible.
It is assumed that the remote counterpart has an equivalent capability of performing the
checks described.
UM2318 - Rev 7 page 69/112
UM2318
Reference safety architecture
3.6.32 Serial peripheral interface (SPI)
Table 109. SPI_SM_0
SM CODE SPI_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to SPI configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 110. SPI_SM_1
SM CODE SPI_SM_1
Description Protocol error signals
Ownership ST
SPI communication module embeds protocol error checks (like overrun, underrun, timeout
Detailed implementation and so on) conceived to detect network-related abnormal conditions. These mechanisms are
only able to detect a small fraction of hardware random failures affecting the module itself.
Error reporting Error flag raise and optional interrupt event generation
Depends on peripheral configuration (for example baud rate). Refer to functional
Fault detection time
documentation.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection SPI_SM_2: Information redundancy techniques on messages
Recommendations and known limitations None
UM2318 - Rev 7 page 70/112
UM2318
Reference safety architecture
Table 111. SPI_SM_2
SM CODE SPI_SM_2
Description Information redundancy techniques on messages
Ownership End user
This method is implemented adding to data packets transferred by SPI a redundancy check
(such as a CRC check, or similar one) with encoding capability. The checksum encoding
Detailed implementation capability must be robust enough to guarantee at least 90% probability of detection for a
single bit flip in the data packet.
Consistency of data packet must be checked by Application software before consuming data.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
It is assumed that the remote counterpart has an equivalent capability of performing the check
described.
To give an example on checksum encoding capability, using just a bit-by-bit addition is
Recommendations and known limitations unappropriated.
Important: This method must be considered as a subset of SPI_SM_4. Therefore, the
implementation of SPI_SM_4 completely overlap this method. Refer to [4]
for additional details.
Table 112. SPI_SM_3
SM CODE SPI_SM_3
Description CRC packet-level
Ownership ST
SPI communication module allows to activate automatic insertion (and check) of CRC-8 or
Detailed implementation
CRC-18 checksums to packet data.
Error reporting Error flag raise and optional Interrupt Event generation
Depends on peripheral configuration (for example baud rate). Refer to functional
Fault detection time
documentation.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Direct test procedure for CRC efficiency is not available. CRC run-time hardware failures
leading to disabling such protection fall into multiple-fault scenario, from IEC 61508
Test for the diagnostic
perspective. Related failures are adequately mitigated by the combination of safety
mechanisms reported in this table, field Multiple-fault protection.
Multiple-fault protection SPI_SM_2: Information redundancy techniques on messages
This method can be part of the implementation for SPI_SM_2 or SPI_SM_4. In that case,
Recommendations and known limitations because of the warning issued in the Test for the diagnostic field, this mechanism can not be
the only one to guarantee message integrity.
UM2318 - Rev 7 page 71/112
UM2318
Reference safety architecture
Table 113. SPI_SM_4
SM CODE SPI_SM_4
Description Information redundancy techniques on messages, including end-to-end protection
Ownership End user
This method aims to protect the communication between SPI peripheral and his external
Detailed implementation counterpart.
Refer to UART_SM_3 description for detailed information.
Error reporting Refer to UART_SM_3
Fault detection time Refer to UART_SM_3
Addressed fault model Refer to UART_SM_3
Dependency on Device configuration Refer to UART_SM_3
Initialization Refer to UART_SM_3
Periodicity Refer to UART_SM_3
Test for the diagnostic Refer to UART_SM_3
Multiple-fault protection Refer to UART_SM_3
Refer to UART_SM_3 for further notice.
Recommendations and known limitations It is assumed that the remote SPI counterpart has an equivalent capability of performing the
checks described.
3.6.33 Serial audio interface (SAI)
Table 114. SAI_SM_0
SM CODE SAI_SM_0
Description Periodic read-back of SAI configuration registers
Ownership End user
This method must be applied to SAI configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 72/112
UM2318
Reference safety architecture
Table 115. SAI_SM_1
SM CODE SAI_SM_1
Description SAI output loopback scheme
Ownership End user
This method uses a loopback scheme to detect permanent and transient faults on the output
channel used for serial audio frame generation. It is implemented by connecting the second
Detailed implementation
serial audio interface as input for primary output generation. Application software is able
therefore to identify wrong or missing audio frame generation.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous/ On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Efficiency versus transient failures is linked to final application characteristics. We define as
Tm the minimum duration of serial audio wrong signal permanence required to violate the
Recommendations and known limitations related safety function(s). Efficiency is maximized when execution test frequency is higher
than 1/Tm.
Method to be used when SAI interface safety-related use is audio stream generation.
Table 116. SAI_SM_2
SM CODE SAI_SM_2
Description 1oo2 scheme for SAI module
Ownership End user
This safety mechanism is implemented using the two SAI interfaces to decode/receive the
Detailed implementation same input stream audio. Application software checks the coherence between the received
data.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
The MCU performance overload and the implementation complexity associated to this method
Recommendations and known limitations can be relevant.
Method to be used when SAI interface safety-related use is audio stream receive.
UM2318 - Rev 7 page 73/112
UM2318
Reference safety architecture
3.6.34 SPDIF receiver interface (SPDIFRX)
Table 117. SPDF_SM_0
SM CODE SPDF_SM_0
Description Periodic read-back of SPDIF configuration registers
Ownership End user
This method must be applied to SPDIF configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 118. SPDF_SM_1
SM CODE SPDF_SM_1
Description Protocol error signals
Ownership ST
IEC60598 S/PDIF data frame specification used in SPDIF interface embeds protocol error
checks (like overrun, underrun, bit timing violations, parity, etc.) conceived to detect
Detailed implementation
transmission-related abnormal conditions. These mechanisms are able anyway to detect a
marginal percentage of hardware random failures affecting the module itself.
Error reporting Error flag raise and optional Interrupt Event generation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection SPDF_SM_0: Periodic read-back of SPDIF configuration registers
Recommendations and known limitations Enabling related interrupt generation on the detection of errors is highly recommended.
UM2318 - Rev 7 page 74/112
UM2318
Reference safety architecture
Table 119. SPDF_SM_2
SM CODE SPDF_SM_2
Description Information redundancy techniques on messages
Ownership End user
This method is implemented adding to data S/PDIF data stream some form of information
Detailed implementation redundancy, possibly including information repetition, to address failure modes affecting the
decoding section of the module.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
This method could be replaced by application-level alternative measures checking the
Recommendations and known limitations correctness of the audio stream received. One given example could be represented by a set
of plausibility checks executed after post-elaboration by voice recognition algorithms.
3.6.35 Management data input/output (MDIOS)
Table 120. MDIO_SM_0
SM CODE MDIO_SM_0
Description Periodic read-back of MDIO slave configuration registers
Ownership End user
This method must be applied to MDIO slave configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 121. MDIO_SM_1
SM CODE MDIO_SM_1
Description Protocol error signals
Ownership ST
MDIO communication protocol is based on a packet handling concept, including preamble/
start/stop correct conditions checks. This mechanism, mainly implemented to manage on field
Detailed implementation
communication disturbance, is able to achieve a relevant diagnostic coverage on several
MDIO module failure modes.
UM2318 - Rev 7 page 75/112
UM2318
Reference safety architecture
SM CODE MDIO_SM_1
Error reporting Error conditions are reported by flag bits in related registers, and interrupt generation.
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Permanent/transient
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection DSI_SM_0: Periodic read-back of DSI configuration registers
Recommendations and known limitations Not applicable
Table 122. MDIO_SM_2
SM CODE MDIO_SM_2
Information redundancy techniques on MDIO registers contents, including register update
Description
awareness
Ownership End user
Information provided by external parties by MDIO communication must be protected by
redundancy schemes (encoded data values and possibly the definition of a checksum
register).
Application software must be aware of any register value update executed by external parties,
Detailed implementation
so it is needed the implementation of a validate/invalidate mechanism to:
• report to external party that updated data have been consumed
• mark as invalidated any data already consumed
• allow external party to inform Application software that new data are available
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not required
Multiple-fault protection CPU_SM_0: Periodic core self-test software
It is assumed that the external entity responsible to update/send data to Application software
Recommendations and known limitations by the MDIO communication link is able to contribute to the MDIO failure mitigation, by
detecting missing or incomplete data consumption.
UM2318 - Rev 7 page 76/112
UM2318
Reference safety architecture
3.6.36 Secure digital input/output MultiMediaCard interface (SDMMC)
Table 123. SDIO_SM_0
SM CODE SDIO_SM_0
Description Periodic read-back of SDIO/SMMC configuration registers
Ownership End user
This method must be applied to SDIO/SMMC configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 124. SDIO_SM_1
SM CODE SDIO_SM_1
Description Protocol error signals including hardware CRC
Ownership ST
SDIO/SMMC communication module embeds protocol error checks (like overrun, underrun,
timeout etc.) and CRC-packet checks as well, conceived to detect network-related abnormal
Detailed implementation
conditions. These mechanisms are only able to detect a small fraction of hardware random
failures affecting the module itself.
Error reporting Error flag raise and optional interrupt event generation
Depends on peripheral configuration (for example baud rate). Refer to functional
Fault detection time
documentation.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection SDIO_SM_2: Information redundancy techniques on messages
Recommendations and known limitations Enabling related interrupt generation on the detection of errors is highly recommended.
UM2318 - Rev 7 page 77/112
UM2318
Reference safety architecture
Table 125. SDIO_SM_2
SM CODE SDIO_SM_2
Description Information redundancy techniques on messages
Ownership End user
This method is implemented adding to data packets transferred by SDIO/SMMC a redundancy
check (like a CRC check, or similar one) with encoding capability. The checksum encoding
Detailed implementation capability must be robust enough to guarantee at least 90% probability of detection for a
single bit flip in the data packet.
Consistency of data packet must be checked by Application software before consuming data.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
To give an example on checksum encoding capability, using just a bit-by-bit addition is
unappropriated.
Recommendations and known limitations
This safety mechanism can overlap with information redundancy techniques implemented at
system level to address failure of physical device connected to SDIO/SMMMC port.
Note: The safety mechanisms mentioned above are addressing the SDIO/SMMC interface included in STM32 MCUs.
No claims are done in this Safety Manual about the mitigation of hardware random faults affecting the external
memory connected to SDIO/SMMC port.
3.6.37 Controller area network (CAN)
Table 126. CAN_SM_0
SM CODE CAN_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to CAN configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 78/112
UM2318
Reference safety architecture
Table 127. CAN_SM_1
SM CODE CAN_SM_1
Description Protocol error signals
Ownership ST
CAN communication module embeds protocol error checks (like error counters) conceived to
detect network-related abnormal conditions. These mechanisms are only able to detect a
Detailed implementation small fraction of hardware random failures affecting the module itself.
Error signals connected to these checkers are normally handled in a standard communication
software, so the overhead is reduced.
Error reporting Several error condition are reported by flag bits in related CAN registers.
Depends on peripheral configuration (for example baud rate). Refer to functional
Fault detection time
documentation.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
CAN_SM_2: Information redundancy techniques on messages, including end-to-end
Multiple-fault protection
protection.
Recommendations and known limitations Enabling related interrupt generation on the detection of errors is highly recommended.
UM2318 - Rev 7 page 79/112
UM2318
Reference safety architecture
Table 128. CAN_SM_2
SM CODE CAN_SM_2
Description Information redundancy techniques on messages, including end-to-end protection.
Ownership End user
This method aims to protect the communication between a peripheral and his external
counterpart establishing a kind of “protected” channel. The aim is to specifically address
communication failure modes as reported in IEC 61508-2, 7.4.11.1.
Implementation guidelines are as follows:
• Data packet must be protected (encapsulated) by an information redundancy check,
like for instance a CRC checksum computed over the packet and added to payload.
Checksum encoding capability must be robust enough to guarantee at least 90%
Detailed implementation probability of detection for a single-bit flip in the data packet.
• Additional field added in payload reporting an unique identification of sender or receiver
and an unique increasing sequence packet number.
• Timing monitoring of the message exchange (for example check the message arrival
within the expected time window), detecting therefore missed message arrival
conditions.
• Application software must verify before consuming data packet its consistency (CRC
check), its legitimacy (sender or receiver) and the sequence correctness (sequence
number check, no packets lost).
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
A major overlap between the requirements of this method and the implementation of complex
communication software protocols can exists. Due to large adoption of these protocols in
Recommendations and known limitations industrial applications, optimizations can be possible.
It is assumed that the remote counterpart has an equivalent capability of performing the
checks described.
UM2318 - Rev 7 page 80/112
UM2318
Reference safety architecture
3.6.38 Universal serial bus full-speed device interface (USB)
Table 129. USB_SM_0
SM CODE USB_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to USB configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 130. USB_SM_1
SM CODE USB_SM_1
Description Protocol error signals
Ownership ST
USB communication module embeds protocol error checks (like overrun, underrun, NRZI, bit
Detailed implementation stuffing etc.) conceived to detect network-related abnormal conditions. These mechanisms are
only able to detect a small fraction of hardware random failures affecting the module itself.
Error reporting Error flag raise and optional interrupt event generation
Depends on peripheral configuration (for example baud rate). Refer to functional
Fault detection time
documentation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection USB_SM_2: Information redundancy techniques on messages
Recommendations and known limitations Enabling related interrupt generation on the detection of errors is highly recommended.
UM2318 - Rev 7 page 81/112
UM2318
Reference safety architecture
Table 131. USB_SM_2
SM CODE USB_SM_2
Description Information redundancy techniques on messages
Ownership End user or ST
The implementation of required information redundancy on messages, USB communication
Detailed implementation module is fitted by hardware capability. It basically allows to activate the automatic insertion
(and check) of CRC checksums to packet data.
Error reporting Error flag raise and optional interrupt event generation
Depends on peripheral configuration (for example baud rate). Refer to functional
Fault detection time
documentation.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Error reporting configuration, if interrupt events are planned
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
Important: This method must be considered as a subset of USB_SM_3. Therefore, the
Recommendations and known limitations implementation of USB_SM_3 completely overlap this method. Refer to [4]
for additional details.
Table 132. USB_SM_3
SM CODE USB_SM_3
Description Information redundancy techniques on messages, including end-to-end protection.
Ownership End user
This method aims to protect the communication between the USB peripheral and its external
Detailed implementation counterpart.
Refer to UART_SM_3 description for detailed information.
Error reporting Refer to UART_SM_3
Fault detection time Refer to UART_SM_3
Addressed fault model Refer to UART_SM_3
Dependency on Device configuration Refer to UART_SM_3
Initialization Refer to UART_SM_3
Periodicity Refer to UART_SM_3
Test for the diagnostic Refer to UART_SM_3
Multiple-fault protection Refer to UART_SM_3
This method applies in case USB bulk or isochronous transfers are used. For other transfers
Recommendations and known limitations modes the USB hardware protocol already implements several features of this requirement.
Refer to UART_SM_3 for further notice.
UM2318 - Rev 7 page 82/112
UM2318
Reference safety architecture
3.6.39 Ethernet (ETH): media access control (MAC) with DMA controller
Table 133. ETH_SM_0
SM CODE ETH_SM_0
Description Periodic read-back of Ethernet configuration registers
Ownership End user
This method must be applied to Ethernet configuration registers (including those relate to
Detailed implementation unused module features). Detailed information on the implementation of this method can be
found in Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
Table 134. ETH_SM_1
SM CODE ETH_SM_1
Description Protocol error signals including hardware CRC
Ownership ST
Ethernet communication module embeds protocol error checks (like overrun, underrun,
timeout, packet composition violation etc.) and CRC-packet checks as well, conceived to
Detailed implementation
detect network-related abnormal conditions. These mechanisms are able anyway to detect a
percentage of hardware random failures affecting the module itself.
Error reporting Error flag raise and optional Interrupt Event generation
Depends on peripheral configuration (for example baud rate). Refer to functional
Fault detection time
documentation.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Direct test procedure for CRC efficiency is not available. CRC run-time hardware failures
leading to disabling such protection fall into multiple-fault scenario, from IEC 61508
Test for the diagnostic
perspective. Related failures are adequately mitigated by the combination of safety
mechanisms reported in this table, field Multiple-fault protection.
ETH_SM_2: Information redundancy techniques on messages, including end-to-end
Multiple-fault protection
protection
Recommendations and known limitations Enabling related interrupt generation on the detection of errors is highly recommended.
UM2318 - Rev 7 page 83/112
UM2318
Reference safety architecture
Table 135. ETH_SM_2
SM CODE ETH_SM_2
Description Information redundancy techniques on messages, including end-to-end protection
Ownership End user
This method aim to protect the communication between a peripheral and its external
counterpart. It is used in Ethernet local safety concept to address failures not detected by
Detailed implementation ETH_SM_1 and to increase its associated diagnostic coverage.
Refer to UART_SM_3 description for detailed information.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
The implementation on Application software of complex Ethernet-based communication
Recommendations and known limitations
stacks (like TCP/IP) is able to satisfy the requirements of this method.
Note: The use of the DMA feature inside Ethernet module requires the adoption of the set of safety mechanisms
defined for DMA (refer to Section 3.6.11: Direct memory access controller (DMA)).
3.6.40 HDMI-CEC (CEC)
Table 136. HDMI_SM_0
SM CODE HDMI_SM_0
Description Periodic read-back of configuration registers
Ownership End user
This method must be applied to CEC configuration registers.
Detailed implementation Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 84/112
UM2318
Reference safety architecture
Table 137. HDMI_SM_1
SM CODE HDMI_SM_1
Description Protocol error signals
Ownership ST
CEC communication module embeds protocol error checks (such as additional parity bit
check, overrun, frame error) conceived to detect network-related abnormal conditions. These
mechanisms are able anyway to detect a marginal percentage of hardware random failures
Detailed implementation affecting the module itself.
Error signals connected to these checkers are normally handled in a standard communication
software, so the overhead is reduced.
Error reporting Error flag raise and optional interrupt event generation
Depends on peripheral configuration (for instance baud rate). Refer to functional
Fault detection time
documentation.
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity Continuous
Test for the diagnostic Not applicable
Multiple-fault protection HDMI_SM_2: Information redundancy techniques on messages
Recommendations and known limitations Enabling related interrupt generation on the detection of errors is highly recommended.
Table 138. HDMI_SM_2
SM CODE HDMI_SM_2
Description Information redundancy techniques on messages
Ownership End user
This method is implemented adding to data packets transferred by CEC a redundancy check
(such as CRC check, or similar one) with encoding capability. The checksum encoding
Detailed implementation capability must be robust enough to guarantee at least 90% probability of detection for a
single bit flip in the data packet.
Consistency of data packet must be checked by Application software before consuming data.
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software
It is assumed that the remote HDMI-CEC counterpart has an equivalent capability of
performing the check described.
Recommendations and known limitations
To give an example on checksum encoding capability, using just a bit-by-bit addition is
inappropriate.
UM2318 - Rev 7 page 85/112
UM2318
Reference safety architecture
3.6.41 Disable and periodic cross-check of unintentional activation of unused peripherals
This section reports safety mechanisms that address peripherals not used by the safety application, or not used at
all.
Table 139. FFI_SM_0
SM CODE FFI_SM_0
Description Disable of unused peripherals
Ownership End user
This method contributes to the reduction of the probability of cross-interferences caused by
peripherals not used by the software application, in case a hardware failure causes an
unintentional activation.
Detailed implementation After the system boot, Application software must disable all unused peripherals with this
procedure:
• Enable reset flag on AHB and APB peripheral reset register.
• Disable clock distribution on AHB and APB peripheral clock enable register.
Error reporting Not applicable
Fault detection time Not applicable
Addressed fault model Not applicable
Dependency on Device configuration None
Initialization Not applicable
Periodicity Startup
Test for the diagnostic Not applicable
Multiple-fault protection FFI_SM_1: Periodic read-back of interference avoidance registers
Recommendations and known limitations None
Table 140. FFI_SM_1
SM CODE FFI_SM_1
Description Periodic read-back of interference avoidance registers
Ownership End user
This method contributes to the reduction of the probability of cross-interferences between
peripherals that can potentially conflict on the same input/output pins, including for instance
unused peripherals. This diagnostic measure must be applied to following registers:
Detailed implementation • clock enable and disable registers
• alternate function programming registers
Detailed information on the implementation of this method can be found in
Section 3.6.12: Extended interrupt and events controller (EXTI).
Error reporting Refer to NVIC_SM_0
Fault detection time Refer to NVIC_SM_0
Addressed fault model Refer to NVIC_SM_0
Dependency on Device configuration Refer to NVIC_SM_0
Initialization Refer to NVIC_SM_0
Periodicity Refer to NVIC_SM_0
Test for the diagnostic Refer to NVIC_SM_0
Multiple-fault protection Refer to NVIC_SM_0
Recommendations and known limitations Refer to NVIC_SM_0
UM2318 - Rev 7 page 86/112
UM2318
Reference safety architecture
3.6.42 System
Table 141. DUAL_SM_0
SM CODE DUAL_SM_0
Description Cross-check between two STM32 devices
Ownership End user
This method is implemented in the spirit of technique described in IEC 61508-7, A.3.5 “Reciprocal comparison
by software”, which is rated in IEC 61508-2 Table A.4 as capable to achieve high level of diagnostic coverage.
The two processing units exchange data reciprocally, and a fail in the comparison is considered as a detection
of a failure in one of the two unit. The guidelines for the implementation are the following:
• Data exchanged include output results, intermediate results(1) and the results (pass/fail) of each software-
implemented safety mechanisms executed on periodic basis on both MCUs (for example CPU_SM_0)
• Software routines devoted to data exchange/comparison must be logically separated from the software
Detailed implementation implementing the safety function(s).
• Systematic capability of software implementing this method must be equal or above the one of the
software implementing the safety function(s).
• Independence and lack of interference between the software implementing the data exchange/
comparison and the one implementing the safety function(s) must be proven.
• Frequency of data exchange/comparison is imposed by the system PST (refer to related timing
constraints for periodic safety mechanisms), except for output results which needs to be exchanged/
compared at the same rate they are potentially updated.
Error reporting -
Fault detection time Depends on implementation
Addressed fault model Permanent/transient
Dependency on Device
None
configuration
Initialization Depends on implementation
Periodicity Periodic
Test for the diagnostic Not applicable
Multiple-fault protection CPU_SM_0: Periodic core self-test software (individually executed on both processing units)
This method is usually rated as optional because it is not strictly needed in the framework of 1oo2 architecture
described in Section 3.2.4: Reference safety architectures - 1oo2. Anyway, it is included here only for its use in
such an architecture.
Recommendations and This method can provide additional safety margin for systems that need further protection against fault
known limitations accumulation.
Because this method could be a potential source of common cause failure between the two 1oo2 channels (in
case of incorrect implementation), End user is recommended to closely follow the Detailed implementation
guidelines in this table.
1. the value of each variable able to directly influence the final individual channel output, such as:
– variables included in computation of the final result; for example, of a PWM rate
– variables involved in a decision determining the final result; for example, two variables used in a comparison which determines if a
GPIO output is set high or low.
UM2318 - Rev 7 page 87/112
UM2318
Reference safety architecture
3.7 Conditions of use
The table below provides a summary of the safety concept recommendations reported in Section 3.6: Hardware
and software diagnostics. The conditions of use to be applied to STM32F7 series devices are reported in form of
safety mechanism requirements. Exception is represented by some conditions of use introduced by FMEA
analysis in order to correctly address specific failure modes. These conditions of use are reported at the end of
the table presented in this section.
Rank column reports how related safety mechanism has been considered during the analysis, with following
meaning:
++ The safety mechanism is highly recommended as common practice. It is considered in this document for the
computation of safety metrics to allow the use of Device in systems implementing safety functions up to SIL2 with
a single MCU or up to SIL3 with two MCUs in 1oo2 scheme. Missing implementation may lead to invalidate any
safety feature claimed in this manual and must be supported by adequate arguments under end user responsibility
(refer to Section 4.1.1 for guidance).
+ The safety mechanism is recommended as additional safety measure, but not considered in this document for the
computation of safety metrics. The End user can skip the implementation in case it is in contradiction with
functional requirements or overlapped by another mechanism ranked ++.
o The safety mechanism is optional. It is not strictly required for the implementation of safety functions up to SIL2, or
it is related to a specific MCU configuration.
The X marker in the Perm and Trans table columns indicates that the related safety mechanism is effective for
such fault model.
Table 142. List of safety recommendations
Diagnostic Description Rank Perm Trans
Arm® Cortex®-M7
Periodic core self-test software for Arm® Cortex®-
CPU_SM_0 ++ X -
M7 CPU.
CPU_SM_1 Control flow monitoring in Application software. ++ X X
CPU_SM_2 Double computation in Application software ++ - X
CPU_SM_3 Arm®Cortex®-M7 HardFault exceptions ++ X X
CPU_SM_4 Stack hardening for Application software + X X
CPU_SM_5 External watchdog ++(1) X X
CPU_SM_6 Independent watchdog ++(1) X X
CPU_SM_7 Memory protection unit (MPU). ++(2) X X
CPU_SM_9 Periodic self-test software for Arm®Cortex® -M7 caches ++(3) X -
MPU_SM_0 Periodic read-back of MPU configuration registers ++(2) X X
MPU_SM_1 MPU software test o X -
System bus architecture/BusMatrix
BUS_SM_0 Periodic software test for interconnections ++ X -
BUS_SM_1 Information redundancy in intra-chip data exchanges ++ X X
Embedded SRAM
Periodic software test for static random access memory
RAM_SM_0 ++ X -
(SRAM)
RAM_SM_2 Stack hardening for Application software + X X
Information redundancy for safety-related variables in the
RAM_SM_3 ++ X X
Application software
RAM_SM_4 Control flow monitoring in Application software o(4) X X
UM2318 - Rev 7 page 88/112
UM2318
Reference safety architecture
Diagnostic Description Rank Perm Trans
RAM_SM_5 Periodic integrity test for Application software in RAM o(4) X X
Embedded flash memory
FLASH_SM_0 Periodic software test for flash memory ++ X -
FLASH_SM_1 Control flow monitoring in Application software ++ X X
FLASH_SM_2 Arm®Cortex®-M7 HardFault exceptions ++ X X
FLASH_SM_3 Option byte write protection ++ - -
FLASH_SM_4 Static data encapsulation + X X
FLASH_SM_6 Flash memory unused area-filling code + - -
FLASH_SM_8 Read protection (RDP), write protection (WRP) + - -
Power controller (PWR)
VSUP_SM_0 Periodic read-back of configuration registers ++ X X
VSUP_SM_1 Supply voltage internal monitoring (PVD) ++ X -
VSUP_SM_2 Independent watchdog ++ X -
VSUP_SM_3 Internal temperature sensor check o - -
VSUP_SM_5 System-level power supply management ++ - -
Reset and clock controller (RCC)
CLK_SM_0 Periodic read-back of configuration registers ++ X X
CLK_SM_1 Clock security system (CSS) + X -
CLK_SM_2 Independent watchdog ++ X -
CLK_SM_3 Internal clock cross-measurement + X -
General-purpose input/output (GPIO)
GPIO_SM_0 Periodic read-back of configuration registers ++ X X
GPIO_SM_1 1oo2 for input GPIO lines ++ X X
GPIO_SM_2 Loopback scheme for output GPIO lines ++ X X
GPIO_SM_3 GPIO port configuration lock register + - -
Debug system or peripheral control
DBG_SM_0 Watchdog protection ++ X X
LOCK_SM_0 Lock mechanism for configuration options + - -
System configuration controller (SYSCFG)
SYSCFG_SM_0 Periodic read-back of configuration registers ++ X X
Periodic read-back of hardware diagnostics configuration
DIAG_SM_0 ++ X X
registers
Direct memory access controller (DMA)
DMA_SM_0 Periodic read-back of configuration registers ++ X X
Information redundancy on data packet transferred via
DMA_SM_1 ++ X X
DMA
Information redundancy by including sender or receiver
DMA_SM_2 ++ X X
identifier on data packet transferred via DMA
DMA_SM_3 Periodic software test for DMA ++ X -
DMA_SM_4 DMA transaction awareness ++ X X
Extended interrupt and events controller (EXTI)
NVIC_SM_0 Periodic read-back of configuration registers ++ X X
UM2318 - Rev 7 page 89/112
UM2318
Reference safety architecture
Diagnostic Description Rank Perm Trans
NVIC_SM_1 Expected and unexpected interrupt check ++ X X
Cyclic redundancy-check calculation unit (CRC)
CRC_SM_0 CRC self-coverage ++ X X
Flexible static memory controller (FSMC)
FSMC_SM_0 Control flow monitoring in Application software ++(5) X X
Information redundancy on external memory connected
FSMC_SM_1 ++(5) X X
to FSMC
FSMC_SM_2 Periodic read-back of FSMC configuration registers ++ X X
FSMC_SM_3 ECC engine on NAND interface in FSMC module ++ - X
Octo-SPI interface (OCTOSPI)
QSPI_SM_0 Periodic read-back of OCTOSPI configuration registers ++ X X
QSPI_SM_1 Protocol error signals including hardware CRC ++ X X
QSPI_SM_2 Information redundancy techniques on messages ++ X X
Analog-to-digital converter (ADC)
ADC_SM_0 Periodic read-back of configuration registers ++ X X
ADC_SM_1 Multiple acquisition by Application software ++ - X
ADC_SM_2 Range check by Application software ++ X X
ADC_SM_3 Periodic software test for ADC ++ X -
ADC_SM_4 1oo2 scheme for ADC inputs + X X
Digital-to-analog converter (DAC)
DAC_SM_0 Periodic read-back of configuration registers ++ X X
DAC_SM_1 DAC output loopback on ADC channel ++ X X
Digital filter for sigma delta modulators (DFSDM)
DFS_SM_0 Periodic read-back of DFSDM configuration registers ++ X X
DFS_SM_1 Multiple acquisition by Application software ++ - X
DFS_SM_2 Range check by Application software ++ X X
DFS_SM_3 1oo2 scheme for DFSM inputs + X X
Digital camera interface (DCMI)
DCMI_SM_0 Periodic read-back of DCMI configuration registers ++ X X
DCMI_SM_1 DCMI video input data synchronization ++ X X
LCD-TFT display controller (LTDC)
Periodic read-back of LTDC configuration registers and
LCD_SM_0 ++ X X
buffer memory
LCD_SM_1 LTDC acquisition by ADC channel ++ X -
DSI Host (DSI)
DSI_SM_0 Periodic read-back of DSI configuration registers ++ X X
Protocol error signals and information redundancy
DSI_SM_1 ++ X X
including hardware checksums
JPEG codec (JPEG)
JPEG_SM_0 Periodic read-back of JPEG codec configuration registers ++ X X
JPEG_SM_1 Periodic test for JPEG encoding/decoding functions ++ X -
Application-level detection of failures affecting JPEG
JPEG_SM_2 ++ X X
coding/encoding
UM2318 - Rev 7 page 90/112
UM2318
Reference safety architecture
Diagnostic Description Rank Perm Trans
True random number generator (RNG)
RNG_SM_0 Periodic read-back of RNG configuration register ++ X X
RNG_SM_1 RNG module entropy on-line tests ++ X -
Cryptographic processor (CRYP)
CRYP_SM_0 Periodic read-back of CRYP configuration registers ++ X X
CRYP_SM_1 Encryption/decryption collateral detection ++ X X
Information redundancy techniques on messages,
CRYP_SM_2 ++ X X
including end-to-end protection
HASH processor (HASH)
HASH_SM_0 Periodic read-back of HASH configuration registers ++ X X
HASH_SM_1 HASH processing collateral detection ++ X X
Advanced-control/General-purpose timers
ATIM_SM_0 Periodic read-back of configuration registers ++ X X
ATIM_SM_1 1oo2 for counting timers ++ X X
ATIM_SM_2 1oo2 for input capture timers ++ X X
Loopback scheme for pulse width modulation (PWM)
ATIM_SM_3 ++ X X
outputs
ATIM_SM_4 Lock bit protection for timers + - -
Basic timers
GTIM_SM_0 Periodic read-back of configuration registers ++ X X
GTIM_SM_1 1oo2 for counting timers ++ X X
Independent and system window watchdogs (IWDG and WWDG)
WDG_SM_0 Periodic read-back of configuration registers ++ X X
WDG_SM_1 Software test for watchdog at startup o X -
Real-time clock module (RTC)
RTC_SM_0 Periodic read-back of configuration registers ++ X X
RTC_SM_1 Application check of running RTC ++ X X
RTC_SM_2 Information redundancy on backup registers o X X
Application-level measures to detect failures in
RTC_SM_3 o X X
timestamps/event capture
Inter-integrated circuit (I2C)
IIC_SM_0 Periodic read-back of configuration registers ++ X X
IIC_SM_1 Protocol error signals ++ X X
IIC_SM_2 Information redundancy techniques on messages ++ X X
IIC_SM_3 CRC packet-level + X X
Information redundancy techniques on messages,
IIC_SM_4 + X X
including end-to-end protection
Universal synchronous receiver transmitter (USART)
UART_SM_0 Periodic read-back of configuration registers ++ X X
UART_SM_1 Protocol error signals ++ X X
UART_SM_2 Information redundancy techniques on messages ++ X X
Information redundancy techniques on messages,
UART_SM_3 ++ X X
including end-to-end protection
UM2318 - Rev 7 page 91/112
UM2318
Reference safety architecture
Diagnostic Description Rank Perm Trans
Serial peripheral interface (SPI)
SPI_SM_0 Periodic read-back of configuration registers ++ X X
SPI_SM_1 Protocol error signals ++ X X
SPI_SM_2 Information redundancy techniques on messages ++ X X
SPI_SM_3 CRC packet-level + X X
Information redundancy techniques on messages,
SPI_SM_4 + X X
including end-to-end protection
Serial audio interface (SAI)
SAI_SM_0 Periodic read-back of SAI configuration registers ++ X X
SAI_SM_1 SAI output loopback scheme ++ X X
SAI_SM_2 1oo2 scheme for SAI module ++ X X
SPDIF receiver interface (SPDIFRX)
SPDF_SM_0 Periodic read-back of SPDIF configuration registers ++ X X
SPDF_SM_1 Protocol error signals ++ X X
SPDF_SM_2 Information redundancy techniques on messages ++ X X
Management data input/output (MDIOS)
MDIO_SM_0 Periodic read-back of MDIO slave configuration registers ++ X X
MDIO_SM_1 Protocol error signals ++ X X
Information redundancy techniques on MDIO registers
MDIO_SM_2 ++ X X
contents, including register update awareness
Secure digital input/output MultiMediaCard interface (SDMMC)
Periodic read-back of SDIO/SMMC configuration
SDIO_SM_0 ++ X X
registers
SDIO_SM_1 Protocol error signals including hardware CRC ++ X X
SDIO_SM_2 Information redundancy techniques on messages ++ X X
Controller area network (CAN)
CAN_SM_0 Periodic read-back of configuration registers ++ X X
CAN_SM_1 Protocol error signals ++ X X
Information redundancy techniques on messages,
CAN_SM_2 ++ X X
including end-to-end protection.
Universal serial bus full-speed device interface (USB)
USB_SM_0 Periodic read-back of configuration registers ++ X X
USB_SM_1 Protocol error signals ++ X X
USB_SM_2 Information redundancy techniques on messages ++ X X
Information redundancy techniques on messages,
USB_SM_3 + X X
including end-to-end protection.
Ethernet (ETH): media access control (MAC) with DMA controller
ETH_SM_0 Periodic read-back of Ethernet configuration registers ++ X X
ETH_SM_1 Protocol error signals including hardware CRC ++ X X
Information redundancy techniques on messages,
ETH_SM_2 ++ X X
including end-to-end protection
HDMI-CEC (CEC)
HDMI_SM_0 Periodic read-back of configuration registers ++ X X
HDMI_SM_1 Protocol error signals + X X
UM2318 - Rev 7 page 92/112
UM2318
Reference safety architecture
Diagnostic Description Rank Perm Trans
HDMI_SM_2 Information redundancy techniques on messages ++ X X
Disable and periodic cross-check of unintentional activation of unused peripherals
FFI_SM_0 Disable of unused peripherals ++ - -
FFI_SM_1 Periodic read-back of interference avoidance registers ++ - -
Arm®Cortex®-M7 CPU
The reset condition of Arm® Cortex®- M7 CPU must be
CoU_1 ++ - -
compatible as valid safe state at system level
Debug
Device debug features must not be used in safety
CoU_2 ++ - -
function(s) implementation.
Arm®Cortex®-M7 / Supply system
Low-power mode state must not be used in safety
CoU_3 ++ - -
function(s) implementation.
Device peripherals
End user must implement the required combination of
CoU_4 safety mechanism/CoUs for each STM32 peripheral used ++ X X
in implementation of safety function(s).
Flash memory subsystem
During flash memory bank mass erase and
CoU_5 reprogramming there must not be safety functions(s) ++ - -
executed by Device.
On‑field Application software live update by dual‑bank
Flash memory system must include the execution of
CoU_6 ++ X X
code/data integrity check through methods such as
FLASH_SM_0
CPU subsystem
In case of multiple safety functions implementations,
CoU_7 methods to guarantee their mutual independence must ++ - -
include MPU use.
Clock recovery system (CRS)
CRS features must not be used in safety function(s)
CoU_8 ++ - -
implementation.
System
DUAL_SM_0 Cross-check between two STM32 devices o X X
1. To achieve on the single MCU local safety metrics compatible with SIL2 target , method CPU_SM_6 could be sufficient. Anyway, to
understand the rationale behind "++" classification for both methods, refer to the “Recommendations” row of related description in
Section 3.6: Hardware and software diagnostics for more details.
2. Can be considered ranked as “+” if only one safety function is implemented and the presence of non-safety-related software is excluded.
3. In case L1 caches are permanently disabled during end user application software execution, these methods can be considered ranked as
"-" ( no need to be executed).
4. Must be considered ranked as “++” if Application software is executed on RAM.
5. Can be considered ranked as “o” depending on the intended use of external memory connected to FSMC.
The above-described safety mechanism or conditions of use are conceived with different levels of abstraction
depending on their nature: the more a safety mechanism is implemented as application-independent, the wider is
its possible use on a large range of End user applications.
The safety analysis highlights two major partitions inside the MCU:
UM2318 - Rev 7 page 93/112
UM2318
Reference safety architecture
• System-critical MCU modules
Every End user application is affected, from safety point of view, by a failure on these modules. Because
they are used by every End user application, related methods or safety mechanism are mainly conceived
to be application-independent. The system-critical modules on Device are: CPU, RCC, PWR, bus matrix
and interconnect, and flash memory and RAM (including their interfaces).
• Peripheral modules
Such modules could be not used by the end-user application, or they could be used for non-safety related
tasks. Related safety methods are therefore implemented mainly at application level, as Application
software solutions or architectural solutions.
UM2318 - Rev 7 page 94/112
UM2318
Safety results
4 Safety results
This section reports the results of the safety analysis of the STM32F7 series devices, according to IEC 61508 and
to ST methodology flow, related to the hardware random and dependent failures.
4.1 Random hardware failure safety results
The analysis for random hardware failures of STM32F7 series devices reported in this safety manual is executed
according to STMicroelectronics methodology flow for safety analysis of semiconductor devices in compliance
with IEC 61508 (refer to [4] for more details). The accuracy of results obtained are guaranteed by three factors:
• STMicroelectronics methodology flow strict adherence to IEC 61508 requirements and prescriptions
• the use, during the analysis, of detailed and reliable information on microcontroller design
• the use, for specific diagnostic coverage evaluation, of state-of-the-art fault injection methods and tools for
safety metrics verification
The Device safety analysis explored the overall and exhaustive list of Device failure modes, to individuate for
each of them an adequate mitigation measure (safety mechanism). The overall list of Device failure modes is
maintained in the related FMEA document [1], provided on demand by local STMicroelectronics sales office.
In summary, with the adoption of the safety mechanisms and conditions of use reported in Section 3.7: Conditions
of use, it is possible to achieve the integrity levels summarized in the following table.
Table 143. Overall achievable safety integrity levels
Number of Safety
Target Safety analysis result
Devices used architecture
SIL2 LD Achievable
1 1oo1
SIL2 HD/CM Achievable with potential performance impact (1)
SIL3 LD Achievable
2 1oo2
SIL3 HD/CM Achievable with potential performance impact
1. Note that the potential performance impact related to some above-reported target achievements is mainly related to the
need of execution of periodic software-based diagnostics (refer to safety mechanism description for details). The impact is
therefore strictly related to how much “aggressive” the system level PST is (see Section 3.3.1: Safety requirement
assumptions).
The resulting relative safety metrics (DC and safe failure fraction (SFF)) and absolute safety metrics (probability of
failure per hour (PFH), probability of dangerous failure on demand (PFD)) are not reported in this section but in
the failure mode effect diagnostic analysis (FMEDA) snapshot [2], due to:
• a large number of different STM32F7 series parts,
• a possibility to declare non-safety-relevant unused peripherals, and
• a possibility to enable or not the different available safety mechanisms.
The FMEDA snapshot [2] is a static document reporting the safety metrics computed at different detail levels (at
microcontroller level and for microcontroller basic functions) for a given combination of safety mechanisms and for
a given part number. If FMEDA document is needed, contact the local STMicroelectronics sales representative as
early as possible, in order to receive information on expected delivery dates for specific Device target part
numbers.
Note: Safety metrics computations are restricted to STM32F7 series boundary, hence they do not include the WDTe,
PEv, and VMONe processes described in Section 3.3.1: Safety requirement assumptions).
4.1.1 Safety analysis result customization
The safety analysis executed for STM32F7 series devices documented in this safety manual considers all
microcontroller modules to be safety-related, thus able to interfere with the safety function, with no exclusion. This
is in line with the conservative approach to be followed during the analysis of a general-purpose microcontroller,
in order to be agnostic versus the final application. This means that no microcontroller module has been declared
safe as per IEC 61508-4, 3.6.8. Therefore, all microcontroller modules are included in SFF computations.
In actual End user applications, not all the STM32F7 series parts or modules implement a safety function. That
happens if:
UM2318 - Rev 7 page 95/112
UM2318
Safety results
• The part is not used at all (disabled), or
• The part implements functions that are not safety-related (for example, a GPIO line driving a power-on
signaling light on an electronic board).
Note: Implementation of non-safety-related functions is in principle forbidden by the assumed safety
requirement ASR6 (see Section 3.3.1: Safety requirement assumptions), hence under End user's entire
responsibility. As any other derogation from safety requirements included in this manual, it is End user's
responsibility to provide consistent rationales and evidences that the function does not bring additional
risks, by following the procedure described in this section. Therefore, it is strongly recommended to
reserve such derogation to very simple functions (as the one provided in the example).
Implementing safety mechanisms on such parts would be a useless effort for End user. The safety analysis
results can therefore be customized.
End user can define a STM32F7 series part as non-safety-related based on:
• Collecting rationales and evidences that the part does not contribute to safety function.
• Collecting rationales and evidences that the part does not interfere with the safety function during normal
operation, due to final system design decisions. Mitigation of unused modules is exhaustively addressed in
Section 4.1.2: General requirements for freedom from interferences (FFI).
• Fulfilling the general condition for the mitigation of intra-MCU interferences (see Section 4.1.2: General
requirements for freedom from interferences (FFI)).
For a non-safety-related part, End user is allowed to:
• Exclude the part from computing metrics to report in FMEDA, and
• Not implement safety mechanisms as listed in Table 142. List of safety recommendations.
With regard to SFF computation, this section complies with the no part / no effect definition as per IEC 61508‑4,
3.6.13 / 3.6.14.
4.1.2 General requirements for freedom from interferences (FFI)
A dedicated analysis has highlighted a list of general requirements to be followed in order to mitigate potential
interferences between Device internal modules in case of internal failures (freedom from interferences, FFI).
These precautions are integral part of the Device safety concept and they can play a relevant role when multiple
microcontroller modules are declared as non-safety-related by End user as per Section 4.1.1: Safety analysis
result customization.
End user must implement the safety mechanisms listed in Table 144 (implementation details in
Section 3.6: Hardware and software diagnostics) regardless any evaluation of their contribution to safety metrics.
Table 144. List of general requirements for FFI
Diagnostic Description
BUS_SM_0 Periodic software test for interconnections
GPIO_SM_0 Periodic read-back of configuration registers
DMA_SM_0 Periodic read-back of configuration registers
DMA_SM_2 Information redundancy by including sender or receiver identifier on data packet transferred via DMA(1)
DMA_SM_4 DMA transaction awareness(1)
NVIC_SM_0 Periodic read-back of configuration registers
NVIC_SM_1 Expected and unexpected interrupt check
FFI_SM_0 Disable of unused peripherals
FFI_SM_1 Periodic read-back of interference avoidance registers
1. To be implemented only if DMA is actually used.
UM2318 - Rev 7 page 96/112
UM2318
Safety results
4.1.3 Notes on multiple-fault scenario
According to the requirements of IEC 61508, the safety analysis for STM32F7 series devices considered multiple-
fault scenarios. Furthermore, following the spirit of ISO26262 (the reference and state-of-the-art standard norm for
integrated circuit safety analysis), the analysis investigated possible causes preventing the implemented safety
mechanisms from being effective, in order to determine appropriate counter-measures. In the Multiple-fault
protection field, the tables in Section 3.6: Hardware and software diagnostics report the safety mechanisms
required to properly manage a multiple-fault scenario, including mitigation measures against failures making
safety mechanisms ineffective. It is strongly recommended that the safety concept includes such mitigation
measures, and in particular for systems operating during long periods, as they tend to accumulate errors. Indeed,
fault accumulation issue has been taken into account during STM32F7 series devices safety analysis.
Another potential source of multiple error condition is the accumulation of permanent failures during power-off
periods. Indeed, if the end system is not powered, no safety mechanism are active and so able to early detect the
insurgence of such failures. To mitigate this potential issue, it is strongly recommended to execute all periodic
safety mechanism at each system power-up; this measure guarantees a fresh system start with a fault-free
hardware. This recommendation is given for periodic safety mechanisms rated as "++" (highly recommended) in
the Device safety concept, and mainly for the most relevant ones in term of failure distribution: CPU_SM_0,
FLASH_SM_0, RAM_SM_0. This startup execution is strongly recommended regardless the safety functions
mode of operations and/or the value of PST.
4.2 Analysis of dependent failures
The analysis of dependent failures is important for microcontroller and microprocessor devices. The main
subclasses of dependent failures are CCFs. Their analysis is ruled by IEC 61508-2 annex E, which lists the
design requirements to be verified to allow the use of on-chip redundancy for integrated circuits with one common
semiconductor substrate.
As there is no on-chip redundancy on STM32F7 series devices, the CCF quantification through the βIC
computation method - as described in Annex E.1, item i - is not required. Note that, in the case of 1oo2 safety
architecture implementation, End user is required to evaluate the β and βD parameters (used in PFH
computation) that reflect the common cause factors between the two channels.
The Device architecture and structures can be potential sources of dependent failures. These are analyzed in the
following sections. The safety mechanisms referred to are described in Section 3.6: Hardware and software
diagnostics.
4.2.1 Power supply
Power supply is a potential source of dependent failures, because any alteration can simultaneously affect many
modules, leading to not-independent failures. The following safety mechanisms address and mitigate those
dependent failures:
• VSUP_SM_1: detection of abnormal value of supply voltage;
• VSUP_SM_2: the independent watchdog is different from the digital core of the MCU, and this diversity
helps to mitigate dependent failures related to the main supply alterations. As reported in VSUP_SM_2
description, separate power supply for IWDG or/and the adoption of an external watchdog (CPU_SM_5)
increase such diversity.
• VSUP_SM_5: power supply stability (guaranteed by system level measures) is an important mitigation
factor
The adoption of such safety mechanisms is therefore highly recommended despite their minor contribution to the
safety metrics to reach the required safety integrity level. Refer to Section 3.6.5: Power controller (PWR) for the
detailed safety mechanism descriptions.
4.2.2 Clock
System clocks are a potential source of dependent failures, because alterations in the clock characteristics
(frequency, jitter) can affect many parts, leading to not-independent failures. The following safety mechanisms
address and mitigate such dependent failures:
• CLK_SM_1: the clock security system is able to detect hard alterations (stop) of system clock and activate
the adequate recovery actions.
• CLK_SM_2: the independent watchdog has a dedicated clock source. The frequency alteration of the
system clock leads to the watchdog window violations by the triggering routine on Application software,
leading to the MCU reset by watchdog. The adoption of external watchdog (CPU_SM_5) provides
additional diversity and so further mitigation of clock-related common cause failures.
UM2318 - Rev 7 page 97/112
UM2318
Safety results
The adoption of such safety mechanism is therefore highly recommended despite their minor contribution to the
safety metrics to reach the required safety integrity level. Refer to Section 3.6.6: Reset and clock controller (RCC)
for detailed safety mechanisms description.
4.2.3 DMA
The DMA function can be involved in data transfers operated by most of the peripherals. Failures of DMA can
interfere with the behavior of the system peripherals or Application software, leading to dependent failures. The
adoption of the following safety mechanisms is therefore highly recommended (refer to Section 3.6.11: Direct
memory access controller (DMA) for description):
• DMA_SM_0
• DMA_SM_1
• DMA_SM_2
Note: Only DMA_SM_0 must be implemented if DMA is not used for data transfer.
4.2.4 Internal temperature
The abnormal increase of the internal temperature is a potential source of dependent failures, as it can affect
many MCU parts. The following safety mechanism mitigates this potential effect (refer to Section 3.6.5: Power
controller (PWR) for description):
VSUP_SM_3: the internal temperature read and check allows the user to quickly detect potential risky conditions
before they lead to a series of internal failures.
UM2318 - Rev 7 page 98/112
UM2318
List of evidences
5 List of evidences
A safety case database stores all the information related to the safety analysis performed to derive the results and
conclusions reported in this safety manual.
The safety case database is composed of the following:
• safety case with the full list of all safety-analysis-related documents
• STMicroelectronics' internal FMEDA tool database for the computation of safety metrics, including
estimated and measured values
• safety report, a document that describes in detail the safety analysis executed on STM32F7 series devices
and the compliance to IEC 61508 applicable clauses
• STMicroelectronics' internal fault injection campaign database including tool configuration and settings,
fault injection logs and results, related to the MCU modules for which fault injection is adopted as
verification method.
As these resources contain STMicroelectronics confidential information, they are only available for the purpose of
audit and inspection by authorized bodies, without being published, which conforms to Note 2 of IEC 61508-2,
7.4.9.7.
Important: The combination of this document (safety manual), the [1] and [2] documents, the [4] provides per se an
exhaustive view of the rationales for the compliance to IEC 61508 requirements of the whole STM32 safety
concept. All these documents are available under NDA and they can be shared with certification entities (refer to
applicable NDA for details).
UM2318 - Rev 7 page 99/112
UM2318
X-CUBE-STL self-test software library
Appendix A X-CUBE-STL self-test software library
Note: Contact your ST representative for X-CUBE-STL-WBA availability.
The X-CUBE-STL (also referred as "STL" in this document) is a Software-based diagnostic library designed to
detect random hardware failures in STM32 safety-critical core components (CPU + SRAM + flash memory). It is
provided by STMicroelectronics to simplify the implementation of STM32 MCU safety concept, by offering a pre-
certified brick addressing the most challenging MCU functions.
X-CUBE-STL implements a set of of key safety mechanisms described in this Safety Manual:
• CPU_SM_0 Periodic core self-test software for CPU.
• RAM_SM_0 Periodic software test for static random access memory (SRAM)
Figure 6. STL architecture
User application
STL
Function return value
User
Test result value
APIs
STL User
HAL/LL
STL scheduler parameters
STL STL STL
CPU Arm® core Flash memory SRAM
test modules test module test module
STM32 microcontroller
Legend:
DT67412V1
STL
User
X-CUBE-STL characteristics:
• Partitioned into Test Modules to ease its coexistence with end user application software
• Provided with a Scheduler function to simplify the periodic execution of the tests
• Flash and SRAM test area can be partitioned in programmable sections to reduce the time for the
execution of atomic test sections
• Application independent: can be used in potentially any end-user application
• It can be interrupted at practically any time by the end user application; the few critical sections are
automatically protected by an interrupt disable function
• Compiler independent: delivered as object code
• Independence: designed as HAL-, BSP- and CMSIS-agnostic (there are no dependencies from these
software packages)
• Compatible with most popular safe RTOS (white papers/application notes on integration with safe RTOS
are available)
• Portability: the X-CUBE-STL shares the same APIs set across all the STM32 MCU Series, so projects
portability across STM32 portfolio is guaranteed
• Provided with exhaustive end user documentation: safety manual and user guide
UM2318 - Rev 7 page 100/112
UM2318
X-CUBE-STL self-test software library
• Diagnostic coverage verified by state-of-the-art ST proprietary fault injection methodology
• Development flow compliant to SC3 systematic capability requirements from IEC 61508
• Certified by TÜV Rheinland (certification covers claims related to achieved DC and SC3 development flow)
X-CUBE-STL is available on demand under NDA agreement (contact your local ST representative).
UM2318 - Rev 7 page 101/112
UM2318
Revision history
Table 145. Document revision history
Date Revision Changes
24-Nov-2017 1 Initial release.
28-Nov-2017 2 Updated List of safety mechanisms FLASH_SM_0 rank from ‘+’ to ‘++’ table.
Updated introduction.
Updated title of IEC 62061:2005+AMD1:2012+AMD2:2015.
Updated SIL classification versus HFT table.
Updated Analysis of dependent failures.
19-Apr-2018 3
Updated SRECS high-level diagram figure.
Updated IEC 62061 safety metrics computation.
Removed Section A.4: IEC 60730-1:2010.
Updated Normative references.
Updated Terms and abbreviations table.
12-Nov-2018 4
Updated Table 1.
Updated functional safety documentation framework.
Added Reference documents.
Added Clock recovery system (CRS)
Updated:
• Introduction.
• Normative references.
• Device development process.
• Safety functions performed by Compliant item.
• Reference safety architectures - 1oo2.
• Safety requirement assumptions all Devices functions.
• Embedded Flash memory.
• Power controller (PWR) adding VSUP_SM_5.
• Conditions of use.
• Notes on multiple-fault scenario adding paragraph Section 3.2.2 Safety
functions performed by Compliant item on fault accumulation issue.
13-Jan-2020 5
• Analysis of dependent failures.
• Change impact analysis for other safety standards.
• ISO 13849 architectural categories.
• ISO 13849 safety metrics computation.
• IEC 62061:2005+AMD1:2012+AMD2:2015.
• IEC 62061 architectural categories.
• IEC 62061 safety metrics computation.
• IEC 61800-5-2:2016.
• IEC 61800 architectural categories.
• IEC 61800 safety metrics computation.
Changed appendix in paragraphs.
Removed:
• ISO 13849 work products from ISO 13849-1:2015, ISO 13849-2:2012.
• ISO 62061 work products from IEC 62061:2005+AMD1:2012+AMD2:2015.
• IEC 61800 work products from IEC 61800-5-2:2016.
Updated:
• Section 3.2.2: Safety functions performed by Compliant item
• Section 3.2.4: Reference safety architectures - 1oo2
03-Oct-2023 6 • Section 3.3.1: Safety requirement assumptions
• Section 3.5: Systematic safety integrity
• Minor updates of tables and table titles in Section 3.6: Hardware and software
diagnostics
UM2318 - Rev 7 page 102/112
UM2318
Date Revision Changes
• Section 4.1: Random hardware failure safety results
• Table 143. Overall achievable safety integrity levels
• Section 4.1.1: Safety analysis result customization
• Section 4.2.1: Power supply
• Section 5: List of evidences
Added:
• Appendix A: X-CUBE-STL self-test software library
Replacement of Flash by flash in the document.
Updated:
01-Aug-2024 7 • Section 3.6.3: Embedded SRAM
• Section 3.6.9: Debug system or peripheral control: Detailed implementation in
LOCK_SM_0.
UM2318 - Rev 7 page 103/112
UM2318
Glossary
Glossary
Application software within the software executed by LD low-demand
Device, the part that ensures functionality of End user's
application and integrates safety functions MCU microcontroller unit
ASR assumed safety requirement MPU memory protection unit
CCF common cause failure MTBF mean time between failures
CM continuous mode MTTFd mean time to dangerous failure
Compliant item any item subject to claim with respect NDA non disclosure agreement
to the clauses of IEC 61508 series of standards
PEc computation processing elements
COTS commercial off-the-shelf
PEi input processing elements
CoU conditions of use
PEo output processing elements
CPU central processing unit
PEv voting processing element
CRC cyclic redundancy check
PFD probability of dangerous failure on demand
DC diagnostic coverage
PFH probability of failure per hour
Device depending on context, any single or all of the
silicon products PL performance level
DMA direct memory access PST process safety time
DTI diagnostic test interval SFF safe failure fraction
End user individual person or company who SIL safety integrity level
integrates Device in their application, such as an
electronic control board
SoC system on chip
EUC equipment under control
VMONe voltage monitors
FIT failure in time
WDTe watchdog
FMEA failure mode effect analysis
FMEDA failure mode effect diagnostic analysis
HD high-demand
HFT hardware fault tolerance
HW hardware
ITRS international technology roadmap for
semiconductors
UM2318 - Rev 7 page 104/112
UM2318
Contents
Contents
1 About this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1 Purpose and scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Normative references . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Reference documents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2 Device development process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3 Reference safety architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1 Safety architecture introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2 Compliant item. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2.1 Definition of Compliant item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2.2 Safety functions performed by Compliant item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2.3 Reference safety architectures - 1oo1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2.4 Reference safety architectures - 1oo2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.3 Safety analysis assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.3.1 Safety requirement assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.4 Electrical specifications and environment limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.5 Systematic safety integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.6 Hardware and software diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.6.1 Arm® Cortex®-M7 CPU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.6.2 System bus architecture/BusMatrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.6.3 Embedded SRAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.6.4 Embedded flash memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.6.5 Power controller (PWR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.6.6 Reset and clock controller (RCC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.6.7 Clock recovery system (CRS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.6.8 General-purpose input/output (GPIO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.6.9 Debug system or peripheral control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.6.10 System configuration controller (SYSCFG) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.6.11 Direct memory access controller (DMA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.6.12 Extended interrupt and events controller (EXTI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.6.13 Cyclic redundancy-check calculation unit (CRC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.6.14 Flexible static memory controller (FSMC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.6.15 Octo-SPI interface (OCTOSPI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.6.16 Analog-to-digital converter (ADC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.6.17 Digital-to-analog converter (DAC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.6.18 Digital filter for sigma delta modulators (DFSDM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
UM2318 - Rev 7 page 105/112
UM2318
Contents
3.6.19 Digital camera interface (DCMI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.6.20 LCD-TFT display controller (LTDC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.6.21 DSI Host (DSI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.6.22 JPEG codec (JPEG) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.6.23 HASH processor (HASH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.6.24 True random number generator (RNG) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.6.25 Cryptographic processor (CRYP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.6.26 Advanced-control/General-purpose timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.6.27 Basic timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.6.28 Independent and system window watchdogs (IWDG and WWDG) . . . . . . . . . . . . . . . . . . 62
3.6.29 Real-time clock module (RTC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.6.30 Inter-integrated circuit (I2C). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
3.6.31 Universal synchronous receiver transmitter (USART) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.6.32 Serial peripheral interface (SPI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.6.33 Serial audio interface (SAI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
3.6.34 SPDIF receiver interface (SPDIFRX) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
3.6.35 Management data input/output (MDIOS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
3.6.36 Secure digital input/output MultiMediaCard interface (SDMMC) . . . . . . . . . . . . . . . . . . . . 77
3.6.37 Controller area network (CAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
3.6.38 Universal serial bus full-speed device interface (USB) . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
3.6.39 Ethernet (ETH): media access control (MAC) with DMA controller . . . . . . . . . . . . . . . . . . 83
3.6.40 HDMI-CEC (CEC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
3.6.41 Disable and periodic cross-check of unintentional activation of unused peripherals . . . . . 86
3.6.42 System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
3.7 Conditions of use. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
4 Safety results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
4.1 Random hardware failure safety results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
4.1.1 Safety analysis result customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
4.1.2 General requirements for freedom from interferences (FFI) . . . . . . . . . . . . . . . . . . . . . . . 96
4.1.3 Notes on multiple-fault scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.2 Analysis of dependent failures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.2.1 Power supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.2.2 Clock. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.2.3 DMA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
4.2.4 Internal temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
5 List of evidences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Appendix A X-CUBE-STL self-test software library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
UM2318 - Rev 7 page 106/112
UM2318
Contents
Revision history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
UM2318 - Rev 7 page 107/112
UM2318
List of tables
List of tables
Table 1. Document sections versus IEC 61508-2 Annex D safety requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Table 2. SS1 and SS2 safe state details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Table 3. CPU_SM_0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Table 4. CPU_SM_1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Table 5. CPU_SM_2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Table 6. CPU_SM_3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Table 7. CPU_SM_4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Table 8. CPU_SM_5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Table 9. CPU_SM_6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Table 10. CPU_SM_7. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Table 11. CPU_SM_9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Table 12. MPU_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Table 13. MPU_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Table 14. BUS_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Table 15. BUS_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Table 16. RAM_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Table 17. RAM_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Table 18. RAM_SM_3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Table 19. RAM_SM_4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Table 20. RAM_SM_5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Table 21. FLASH_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Table 22. FLASH_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Table 23. FLASH_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Table 24. FLASH_SM_3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Table 25. FLASH_SM_4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Table 26. FLASH_SM_6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Table 27. FLASH_SM_8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Table 28. VSUP_SM_0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Table 29. VSUP_SM_1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Table 30. VSUP_SM_2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Table 31. VSUP_SM_3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Table 32. VSUP_SM_5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Table 33. CLK_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Table 34. CLK_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Table 35. CLK_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Table 36. CLK_SM_3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Table 37. GPIO_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Table 38. GPIO_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Table 39. GPIO_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Table 40. GPIO_SM_3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Table 41. DBG_SM_0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Table 42. LOCK_SM_0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Table 43. SYSCFG_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Table 44. DIAG_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Table 45. DMA_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Table 46. DMA_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Table 47. DMA_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Table 48. DMA_SM_3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Table 49. DMA_SM_4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Table 50. NVIC_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Table 51. NVIC_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Table 52. CRC_SM_0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Table 53. FSMC_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
UM2318 - Rev 7 page 108/112
UM2318
List of tables
Table 54. FSMC_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Table 55. FSMC_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Table 56. FSMC_SM_3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Table 57. QSPI_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Table 58. QSPI_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Table 59. QSPI_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Table 60. ADC_SM_0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Table 61. ADC_SM_1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Table 62. ADC_SM_2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Table 63. ADC_SM_3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Table 64. ADC_SM_4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Table 65. DAC_SM_0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Table 66. DAC_SM_1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Table 67. DFS_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Table 68. DFS_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Table 69. DFS_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Table 70. DFS_SM_3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Table 71. DCMI_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Table 72. DCMI_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Table 73. LCD_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Table 74. LCD_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Table 75. DSI_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Table 76. DSI_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Table 77. JPEG_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Table 78. JPEG_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Table 79. JPEG_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Table 80. HASH_SM_0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Table 81. HASH_SM_1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Table 82. RNG_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Table 83. RNG_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Table 84. CRYP_SM_0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Table 85. CRYP_SM_1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Table 86. CRYP_SM_2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Table 87. ATIM_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Table 88. ATIM_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Table 89. ATIM_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Table 90. ATIM_SM_3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Table 91. ATIM_SM_4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Table 92. GTIM_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Table 93. GTIM_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Table 94. WDG_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Table 95. WDG_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Table 96. RTC_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Table 97. RTC_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Table 98. RTC_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Table 99. RTC_SM_3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Table 100. IIC_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Table 101. IIC_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Table 102. IIC_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Table 103. IIC_SM_3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Table 104. IIC_SM_4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Table 105. UART_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Table 106. UART_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Table 107. UART_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Table 108. UART_SM_3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
UM2318 - Rev 7 page 109/112
UM2318
List of tables
Table 109. SPI_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Table 110. SPI_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Table 111. SPI_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Table 112. SPI_SM_3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Table 113. SPI_SM_4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Table 114. SAI_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Table 115. SAI_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Table 116. SAI_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Table 117. SPDF_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Table 118. SPDF_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Table 119. SPDF_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Table 120. MDIO_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Table 121. MDIO_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Table 122. MDIO_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Table 123. SDIO_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Table 124. SDIO_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Table 125. SDIO_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Table 126. CAN_SM_0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Table 127. CAN_SM_1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Table 128. CAN_SM_2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Table 129. USB_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Table 130. USB_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Table 131. USB_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Table 132. USB_SM_3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Table 133. ETH_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Table 134. ETH_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Table 135. ETH_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Table 136. HDMI_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Table 137. HDMI_SM_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Table 138. HDMI_SM_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Table 139. FFI_SM_0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table 140. FFI_SM_1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table 141. DUAL_SM_0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Table 142. List of safety recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Table 143. Overall achievable safety integrity levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Table 144. List of general requirements for FFI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Table 145. Document revision history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
UM2318 - Rev 7 page 110/112
UM2318
List of figures
List of figures
Figure 1. STMicroelectronics product development process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 3
Figure 2. STM32 as Compliant item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 4
Figure 3. 1oo1 reference architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 5
Figure 4. 1oo2 reference architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 6
Figure 5. Allocation and target for STM32 PST. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 7
Figure 6. STL architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
UM2318 - Rev 7 page 111/112
UM2318
IMPORTANT NOTICE – READ CAREFULLY
STMicroelectronics International NV and its affiliates (“ST”) reserve the right to make changes corrections, enhancements, modifications, and improvements to
ST products and/or to this document any time without notice.
This document is provided solely for the purpose of obtaining general information relating to an ST product. Accordingly, you hereby agree to make use of this
document solely for the purpose of obtaining general information relating to the ST product. You further acknowledge and agree that this document may not be
used in or in connection with any legal or administrative proceeding in any court, arbitration, agency, commission or other tribunal or in connection with any
action, cause of action, litigation, claim, allegation, demand or dispute of any kind. You further acknowledge and agree that this document shall not be
construed as an admission, acknowledgment or evidence of any kind, including, without limitation, as to the liability, fault or responsibility whatsoever of ST or
any of its affiliates, or as to the accuracy or validity of the information contained herein, or concerning any alleged product issue, failure, or defect. ST does not
promise that this document is accurate or error free and specifically disclaims all warranties, express or implied, as to the accuracy of the information
contained herein. Accordingly, you agree that in no event will ST or its affiliates be liable to you for any direct, indirect, consequential, exemplary, incidental,
punitive, or other damages, including lost profits, arising from or relating to your reliance upon or use of this document.
Purchasers should obtain the latest relevant information on ST products before placing orders. ST products are sold pursuant to ST’s terms and conditions of
sale in place at the time of order acknowledgment, including, without limitation, the warranty provisions thereunder.
In that respect, note that ST products are not designed for use in some specific applications or environments described in above mentioned terms and
conditions.
Purchasers are solely responsible for the choice, selection, and use of ST products and ST assumes no liability for application assistance or the design of
purchasers’ products.
Information furnished is believed to be accurate and reliable. However, ST assumes no responsibility for the consequences of use of such information nor for
any infringement of patents or other rights of third parties which may result from its use. No license, express or implied, to any intellectual property right is
granted by ST herein.
Resale of ST products with provisions different from the information set forth herein shall void any warranty granted by ST for such product.
ST and the ST logo are trademarks of ST. For additional information about ST trademarks, refer to www.st.com/trademarks. All other product or service names
are the property of their respective owners.
Information in this document supersedes and replaces information previously supplied in any prior versions of this document.
© 2024 STMicroelectronics – All rights reserved
UM2318 - Rev 7 page 112/112
You might also like
- Um2331 Stm32h7 Singlecore Series Safety Manual StmicroelectronicsNo ratings yetUm2331 Stm32h7 Singlecore Series Safety Manual Stmicroelectronics134 pages
- Um3066 stm32c0 Series Safety Manual StmicroelectronicsNo ratings yetUm3066 stm32c0 Series Safety Manual Stmicroelectronics78 pages
- Um2840 stm32h7 Dualcore Series Safety Manual StmicroelectronicsNo ratings yetUm2840 stm32h7 Dualcore Series Safety Manual Stmicroelectronics145 pages
- An1709 Application Note: Emc Design Guide For Stm8, Stm32 and Legacy McusNo ratings yetAn1709 Application Note: Emc Design Guide For Stm8, Stm32 and Legacy Mcus38 pages
- An5698 Adapting The Xcubestl Functional Safety Package For stm32 Iec 61508 Compliant To Other Safety Standards StmicroelectronicsNo ratings yetAn5698 Adapting The Xcubestl Functional Safety Package For stm32 Iec 61508 Compliant To Other Safety Standards Stmicroelectronics9 pages
- Um3083 stm32g0 Series Iec 60730 Selftest Library User Guide StmicroelectronicsNo ratings yetUm3083 stm32g0 Series Iec 60730 Selftest Library User Guide Stmicroelectronics61 pages
- STM32U5 Series IEC 60730 Self-Test Library User GuideNo ratings yetSTM32U5 Series IEC 60730 Self-Test Library User Guide59 pages
- Um3461 stm32f4 Series Ulcsaiec 607301603351 Selftest Library User Guide StmicroelectronicsNo ratings yetUm3461 stm32f4 Series Ulcsaiec 607301603351 Selftest Library User Guide Stmicroelectronics58 pages
- Esp Hardware Design Guidelines en Master Esp32No ratings yetEsp Hardware Design Guidelines en Master Esp3244 pages
- Um3191 Stm32wl Series Ulcsaiec 607301603351 Selftest Library User Guide StmicroelectronicsNo ratings yetUm3191 Stm32wl Series Ulcsaiec 607301603351 Selftest Library User Guide Stmicroelectronics63 pages
- UM1658 User Manual: Discovery Kit For STM32F030 Value Line MicrocontrollersNo ratings yetUM1658 User Manual: Discovery Kit For STM32F030 Value Line Microcontrollers39 pages
- UM1658 User Manual: Discovery Kit For STM32F030 Value Line MicrocontrollersNo ratings yetUM1658 User Manual: Discovery Kit For STM32F030 Value Line Microcontrollers39 pages
- ESP32 Hardware Design Guidelines en Master Esp32No ratings yetESP32 Hardware Design Guidelines en Master Esp3244 pages
- Um1472 Discovery Kit With Stm32f407vg Mcu StmicroelectronicsNo ratings yetUm1472 Discovery Kit With Stm32f407vg Mcu Stmicroelectronics40 pages
- MCU System Based On IEC61508 For Autonomous Functional Safety PlatformNo ratings yetMCU System Based On IEC61508 For Autonomous Functional Safety Platform6 pages
- Spruid8d - Functional Safety Manual For TMS320F28004xNo ratings yetSpruid8d - Functional Safety Manual For TMS320F28004x103 pages
- UM1956 User Manual: STM32 Nucleo-32 Boards (MB1180)No ratings yetUM1956 User Manual: STM32 Nucleo-32 Boards (MB1180)37 pages
- Um1956 stm32 Nucleo32 Boards mb1180 Stmicroelectronics - AewgyukhfrtgNo ratings yetUm1956 stm32 Nucleo32 Boards mb1180 Stmicroelectronics - Aewgyukhfrtg37 pages
- UM2312 User Manual: Development Checklist For STM32Cube Expansion PackagesNo ratings yetUM2312 User Manual: Development Checklist For STM32Cube Expansion Packages15 pages
- An2674 Application Note: PCB Layout Guidelines For Spear3XxNo ratings yetAn2674 Application Note: PCB Layout Guidelines For Spear3Xx22 pages
- Esp Hardware Design Guidelines en Master Esp32No ratings yetEsp Hardware Design Guidelines en Master Esp3236 pages
- NewTec's FPGA Functional Safety SolutionsNo ratings yetNewTec's FPGA Functional Safety Solutions45 pages
- STM32F30xx-31xx Standard Peripheral Library UM1581No ratings yetSTM32F30xx-31xx Standard Peripheral Library UM1581584 pages
- Um3191 stm32wl Series Ulcsaiec 607301603351 Selftest Library User Guide StmicroelectronicsNo ratings yetUm3191 stm32wl Series Ulcsaiec 607301603351 Selftest Library User Guide Stmicroelectronics62 pages
- UM1570 User Manual: Discovery Kit With STM32F303VC MCUNo ratings yetUM1570 User Manual: Discovery Kit With STM32F303VC MCU37 pages
- Um3166 stm32l4 and stm32l4 Series Ulcsaiec 607301603351 Selftest Library User Guide StmicroelectronicsNo ratings yetUm3166 stm32l4 and stm32l4 Series Ulcsaiec 607301603351 Selftest Library User Guide Stmicroelectronics58 pages
- Um2262 Getting Started With The Xcubesbsfu Stm32cube Expansion Package StmicroelectronicsNo ratings yetUm2262 Getting Started With The Xcubesbsfu Stm32cube Expansion Package Stmicroelectronics109 pages
- Um1779 User Manual: Getting Started With Stm32Cubef0 For Stm32F0 SeriesNo ratings yetUm1779 User Manual: Getting Started With Stm32Cubef0 For Stm32F0 Series26 pages
- UM1525 STM32F0 Discovery Kit User ManualNo ratings yetUM1525 STM32F0 Discovery Kit User Manual31 pages
- Luyện tập TOEIC Listening Part 1 - PhotoNo ratings yetLuyện tập TOEIC Listening Part 1 - Photo5 pages
- Competency Level of Milk Tea Shops in San Nicolas, Pangasinan: An AnalysisNo ratings yetCompetency Level of Milk Tea Shops in San Nicolas, Pangasinan: An Analysis62 pages
- United Nations - Peace, Dignity and Equality On A Healthy PlanetNo ratings yetUnited Nations - Peace, Dignity and Equality On A Healthy Planet34 pages
- 61st ICAI Campus Placement Brochure For Nov24 Qualified CAs - CA MonkNo ratings yet61st ICAI Campus Placement Brochure For Nov24 Qualified CAs - CA Monk8 pages
- P-2 Land Use Bylaw Consolidation March 2020 - BNo ratings yetP-2 Land Use Bylaw Consolidation March 2020 - B60 pages
- Malware Diffusion Models For Wireless Complex Networks. Theory and Applications 1st Edition Karyotis PDF VersionNo ratings yetMalware Diffusion Models For Wireless Complex Networks. Theory and Applications 1st Edition Karyotis PDF Version90 pages
- Corporate America's Role in Marijuana LegalizationNo ratings yetCorporate America's Role in Marijuana Legalization10 pages
- MP.0.24.00.45 (Rev03) Sep16 For Spec-3Phase-DEMU-1600HPNo ratings yetMP.0.24.00.45 (Rev03) Sep16 For Spec-3Phase-DEMU-1600HP26 pages
- 2in1 Bosiet - Gdoge Course Outline February2025No ratings yet2in1 Bosiet - Gdoge Course Outline February20253 pages
