Safety integrity level (SIL) and STM32

matic
Associate III
Posted on October 31, 2015 at 08:21

We are looking to make a product which would be SIL (level 2 or 3) compliant. In that product we use STM32F303.

I would like to ask if any of you have experience with SIL? Especially with SIL and STM32 micros. Do you have any good sources where to start? I would be grateful for any kind of information.

Thanks

#sil
Chris1
Senior III
Posted on November 02, 2015 at 22:39

I haven't taken this road, but I've studied it.

My biggest concern would be that you have to demonstrate that all the safety-related firmware has been rigorously designed and tested (including design reviews, code reviews, and full unit test).  To reduce the effort involved with that, you could partition the system software into safety-related and non-safety-related, similarly partition RAM, and use the MPU to deny access to safety-related memory except by the safety-related tasks.  (Unless your project can accommodate rigorous design and test of all the firmware).

Incorporating a safety-certified RTOS would presumably allow you to ignore that software (rather than having to qualify it yourself); ST's peripheral library functions would likely be judged inappropriate and should not be used in the safety-related functions.

Certified self-test libraries such as from Yogitech could be useful:

"fRSTL for ST's STM32 MCUs is a set of software libraries addressing the STM32 microcontroller series, and meant to detect hardware random faults. They are an application-independent, off-the-shelf product designed to be easily integrated into safety-relevant systems."

http://www.yogitech.com/en/press-and-news/press-release/frstl-software-test-libraries-stm32-microcontrollers-stmicroelectronics

Use of an independent "windowed" watchdog is important to cover many hardware failures; the watchdog should reset the system to a safe state if program flow (monitored at "very many" checkpoints) is not occurring normally.

Your system's outputs should also be monitored and set to a safe state if there are discrepancies between the commanded value and actual (to the extent possible).

This is a substantial topic...
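The checkpoint-monitored windowed watchdog described in this reply, as an added host-runnable example that is not code from the thread or from ST. The checkpoint names, the tick-based window and the two hardware hooks are hypothetical stand-ins; on a real STM32F303 the refresh hook would write the WWDG counter and the safe-state hook would de-energise the outputs, with the hardware window enforcing the timing independently of this logic.

```c
#include <stdbool.h>
#include <stdint.h>

/* Checkpoints of one control cycle, in the order they must be reached
   (constructed example; real ids come from the application's design). */
enum { CP_READ_INPUTS = 1, CP_COMPUTE, CP_CHECK_OUTPUTS, CP_WRITE_OUTPUTS,
       CP_LAST = CP_WRITE_OUTPUTS };

typedef struct {
    uint32_t expected;       /* next checkpoint id that must arrive */
    bool     cycle_complete; /* CP_LAST reached in order this cycle */
    bool     faulted;        /* latched on any skipped/reordered checkpoint */
} flow_monitor_t;

/* Hypothetical hardware hooks, counted here so the logic runs on a host. */
static uint32_t wwdg_refreshes, safe_state_entries;
static void wwdg_refresh(void)     { wwdg_refreshes++; }     /* WWDG->CR write */
static void enter_safe_state(void) { safe_state_entries++; } /* outputs off */

void flow_monitor_init(flow_monitor_t *m)
{
    *m = (flow_monitor_t){ .expected = CP_READ_INPUTS };
}

/* Called at every checkpoint. A skipped, repeated or reordered checkpoint
   latches a fault that is only cleared by a reset. */
void flow_checkpoint(flow_monitor_t *m, uint32_t id)
{
    if (m->faulted || id != m->expected) { m->faulted = true; return; }
    if (id == CP_LAST) { m->cycle_complete = true; m->expected = CP_READ_INPUTS; }
    else               { m->expected = id + 1; }
}

/* Called once per cycle from the single place allowed to refresh the watchdog.
   Refreshes only if the whole sequence ran AND the refresh lands inside the
   window [win_min, win_max] ticks; a refresh that is too early is as suspect
   as one that is too late. Returns true when the refresh was performed. */
bool flow_cycle_end(flow_monitor_t *m, uint32_t ticks, uint32_t win_min, uint32_t win_max)
{
    bool in_window = ticks >= win_min && ticks <= win_max;
    if (m->faulted || !m->cycle_complete || !in_window) {
        m->faulted = true;          /* latch: no further refreshes */
        enter_safe_state();
        return false;
    }
    m->cycle_complete = false;      /* the next cycle must earn its own refresh */
    wwdg_refresh();
    return true;
}

uint32_t flow_refresh_count(void)    { return wwdg_refreshes; }
uint32_t flow_safe_state_count(void) { return safe_state_entries; }
```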

Chris1
Senior III
Posted on November 02, 2015 at 22:59

As far as where to begin, if you are pursuing an IEC 61508 SIL development project, I recommend this book:

Functional Safety - An IEC 61508 SIL 3 Compliant Development Process, 3rd Edition

"exida.com LLC is pleased to present this third edition of Functional Safety - An IEC 61508 SIL 3 Compatible Development Process by Michael D. Medoff and Rainer I. Faller. The intent of this book is to provide the reader with an example development process for safety application products that meets all of the requirements for Safety Integrity Level (SIL) 3 of the IEC 61508 family of standards (IEC 61508, IEC 62061, ISO 13849, ISO 26262, etc.).

The description of this product development process will help illuminate and interpret the requirements of the standard, and should help with the effort of adapting existing processes in an organization to be compliant with this standard. This third edition expands on the popular previous editions of this book with extended descriptions, more templates, more detailed explanations and minor corrections."

Publish Date: Jul 07, 2014. ISBN-13: 978-193497708-8

The book covers a lot of the ongoing corporate process and product lifecycle requirements associated with maintaining a SIL 3 product.