
Details on safe states SS1 and SS2 are provided in the following table:
Table 3. SS1 and SS2 safe state details

Safe state: SS1
  Condition: The application software is informed of the presence of a fault, and a reaction by the application software itself is possible.
  Compliant item action: Fault reporting to application software
  System transition to safe state, 1oo1 architecture: Application software drives the overall system into its safe state
  System transition to safe state, 1oo2 architecture: Application software in one of the two channels drives the overall system into its safe state

Safe state: SS2
  Condition: The application software cannot be informed of the presence of a fault, or the application software is not able to execute a reaction.
  Compliant item action: Reset signal issued by WDTe
  System transition to safe state, 1oo1 architecture: WDTe drives the overall system into its safe state ("safe shut-down") (1)
  System transition to safe state, 1oo2 architecture: PEv drives the overall system into its safe state

1. The safe state achievement intended here is compliant with the Note on IEC 61508-2, 7.4.8.1
ASR9: It is assumed that the safe state defined at system level by the end user is compatible with the assumed local safe state (SS1, SS2) for the compliant item.
ASR10: The compliant item is assumed to be analyzed according to routes 1H and 1S of IEC 61508-2.
Note: refer to Section 3.5 Systematic safety integrity and Section 3.6 Description of hardware and software diagnostics.
ASR11: The compliant item is assumed to be regarded as type B as per IEC 61508-2, 7.4.4.1.2.
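The two safe states in Table 3 differ in who performs the transition: in SS1 the fault is reported to the application software, which reacts itself; in SS2 the application is assumed unable to react, so the transition comes from outside it (a WDTe reset in 1oo1, the other processing element PEv in 1oo2). The following host-side simulation is an added example, not code from UM1845 or from ST, and all of its names, structures and timings (the cycle-based WDTe counter, the heartbeat-based PEv check, the trace arrays) are assumptions made for the illustration. Its point is that the SS2 path must never depend on cooperation from the failed channel: the watchdog and the peer channel act on the absence of service, not on an explicit request.

```c
/* Added example, not code from UM1845 or from ST: a host-side model of how
 * SS1 and SS2 are reached. The external watchdog (WDTe) and the second
 * processing element (PEv) are simulated; all names and timings here are
 * assumptions made for the illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { SS_NONE = 0, SS1 = 1, SS2 = 2 } safe_state_t;

/* Simulated WDTe: a down-counter the application must refresh every cycle.
 * When it reaches zero the watchdog asserts reset, i.e. it forces SS2 without
 * any cooperation from the (possibly dead) application. */
typedef struct {
    uint32_t timeout;        /* cycles allowed between two refreshes */
    uint32_t remaining;
    bool     reset_asserted;
} wdte_t;

static void wdte_init(wdte_t *w, uint32_t timeout) {
    w->timeout = timeout;
    w->remaining = timeout;
    w->reset_asserted = false;
}
static void wdte_refresh(wdte_t *w) { w->remaining = w->timeout; }
static void wdte_tick(wdte_t *w) {
    if (w->reset_asserted) return;
    if (w->remaining == 0 || --w->remaining == 0) w->reset_asserted = true;
}

/* Diagnostic outcome of one application cycle (constructed input). */
typedef struct {
    bool fault_reported;   /* a diagnostic reported a fault to the application */
    bool app_alive;        /* false models an application unable to react at all */
} cycle_t;

/* One application cycle on one channel. Returns SS1 if the application itself
 * drove the system safe, SS_NONE otherwise. A hung application neither reacts
 * nor refreshes WDTe; that silence is exactly what the SS2 path relies on. */
static safe_state_t app_cycle(const cycle_t *c, wdte_t *w) {
    if (!c->app_alive) return SS_NONE;
    if (c->fault_reported) return SS1;   /* SS1: fault reported, application reacts */
    wdte_refresh(w);                     /* healthy cycle: service the watchdog */
    return SS_NONE;
}

/* 1oo1: one channel guarded by WDTe. Returns the first safe state reached
 * within n cycles, SS_NONE if the system stayed in normal operation. */
safe_state_t run_1oo1(const cycle_t *trace, size_t n, uint32_t wdte_timeout) {
    wdte_t w;
    wdte_init(&w, wdte_timeout);
    for (size_t i = 0; i < n; i++) {
        if (app_cycle(&trace[i], &w) == SS1) return SS1;
        wdte_tick(&w);
        if (w.reset_asserted) return SS2;  /* WDTe reset: "safe shut-down" */
    }
    return SS_NONE;
}

/* 1oo2: two channels exchanging a per-cycle heartbeat. Each channel acts as
 * PEv for the other: if the peer stays silent for more than missed_limit
 * consecutive cycles, the surviving channel drives the safe state (SS2).
 * Either channel reacting to a reported fault gives SS1. */
safe_state_t run_1oo2(const cycle_t *a, const cycle_t *b, size_t n, uint32_t missed_limit) {
    uint32_t missed_a = 0, missed_b = 0;
    for (size_t i = 0; i < n; i++) {
        if ((a[i].app_alive && a[i].fault_reported) ||
            (b[i].app_alive && b[i].fault_reported)) return SS1;
        missed_a = a[i].app_alive ? 0 : missed_a + 1;
        missed_b = b[i].app_alive ? 0 : missed_b + 1;
        if (missed_a > missed_limit || missed_b > missed_limit) return SS2;
    }
    return SS_NONE;
}

/* Constructed traces: 5 healthy cycles, a fault reported in cycle 1, and a
 * channel that hangs from cycle 0 onwards. */
static const cycle_t HEALTHY[5] = {{false,true},{false,true},{false,true},{false,true},{false,true}};
static const cycle_t FAULTED[3] = {{false,true},{true,true},{false,true}};
static const cycle_t HUNG[5]    = {{false,false},{false,false},{false,false},{false,false},{false,false}};

safe_state_t demo_1oo1_healthy(void) { return run_1oo1(HEALTHY, 5, 3); }      /* SS_NONE */
safe_state_t demo_1oo1_ss1(void)     { return run_1oo1(FAULTED, 3, 3); }      /* SS1 */
safe_state_t demo_1oo1_ss2(void)     { return run_1oo1(HUNG, 5, 3); }         /* SS2 after 3 cycles */
safe_state_t demo_1oo2_ss2(void)     { return run_1oo2(HUNG, HEALTHY, 5, 2); } /* PEv reacts: SS2 */

int main(void) {
    printf("1oo1 healthy: %d  1oo1 SS1: %d  1oo1 SS2: %d  1oo2 SS2: %d\n",
           demo_1oo1_healthy(), demo_1oo1_ss1(), demo_1oo1_ss2(), demo_1oo2_ss2());
    return 0;
}
```

Two design points carry over to real firmware: the WDTe refresh must sit inside the cyclic application flow that the diagnostics protect (a refresh from an unrelated timer interrupt would keep servicing the watchdog while the application is hung and defeat SS2), and the 1oo2 heartbeat is only a cross-check on liveness; the model above still assumes a WDTe behind each channel for the case in which both channels fail at once.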
3.4 Electrical specifications and environment limits
To preserve the safety integrity of the STM32F2 Series, the user must not exceed the electrical specifications and environmental limits reported in the STM32F2 Series documentation for the following items:
• Absolute maximum ratings,
• Capacity,
• Operating conditions.
Because of the large number of STM32F2 Series part numbers, the related user manuals and datasheets are not listed in this document; users are responsible for carefully checking the limits listed above in the technical documentation of the relevant part number, available on .
3.5 Systematic safety integrity
According to the requirements of IEC 61508-2, 7.4.2.2, Route 1S has been followed in the STM32F2 Series development. As permitted by IEC 61508-2, 7.4.6.1, the STM32 MCU series can be considered a standard, mass-produced electronic integrated device, for which stringent development procedures, rigorous testing and extensive experience of use minimize the likelihood of design faults. Nevertheless, an internal assessment of the compliance of the STM32 MCU development flow with the techniques and measures recommended in IEC 61508-2 Annex F has been carried out. The Safety Case Database (Section 5 List of evidences) maintains the evidence of compliance with the standard.
3.6 Description of hardware and software diagnostics
This section lists all the safety mechanisms (hardware, software and application level) considered in the safety analysis of the STM32F2 Series microcontrollers. Users are expected to be familiar with the STM32F2 Series architecture, and this document is meant to be used together with the related device datasheet, user manual and reference information. Therefore, to avoid the possibility of mistakes and to limit the amount of information shown, only minimal functional details are included in this document. In the following descriptions the words "safety mechanism", "method" and "requirement" are used as synonyms.
UM1845
Electrical specifications and environment limits
UM1845 - Rev 4 page 11/108