Should I apply the SM4.STM.SWCHECK in the ASIL B product?


zeyu_yan
Contributor III

Hello,

    When I analyse the safety manual and FMEDA of the S32K324 for an ASIL B product, I get confused about this SM: SM4.STM.SWCHECK.

    My application of the STM: the STM is used as the timer for servicing the watchdog, just like the description in the document (the STM can be used to trigger the safety core to service a watchdog within the FHTI).

    1) Should I treat the failure mode of the STM as a latent fault?

    My rationale:

       When a fault occurs in the STM, it does not mean that the application software will not execute timely.

       Is the failure mode of the STM a latent fault?

       What is the meaning of the effect (• CO: AMP Master Effects Library   HA: [STM_1] No or incorrect system time interrupts) of the cause (No or incorrect system and application software timing due to faults in timers/module clock/prescaler)?

    2) If we treat the failure mode of the STM as an SPF, how should I understand this sentence?

       The DC of SM.SWT will not reach 60% unless I enable SM4.STM.SWCHECK?

 

System Timer Module Software Check
If the STM is used as part of a safety function, application software should check that the STM is operating correctly within the FHTI. For example, the STM can be used to trigger the safety core to service a watchdog within the FHTI.

       60% DC of single point faults along with SM1.SWT. As a conservative approach, the FMEDA considers low DC by upholding the limitation of application SW algorithms. Higher diagnostic coverage could be obtained after analysis at system level.



nxf55526
NXP Employee

Hello zeyu_yan,

If the STM is used for timekeeping for any safety function in the chip, then failure of the STM will be a single point failure. In such a case, a safety mechanism is required to ensure the correct functioning of the STM by checking it periodically, at least once per FHTI. One of the possible safety mechanisms for the STM is the usage of the SWT with the STM, which helps to check that the STM is counting correctly. This has been described in the description of SM4.STM.SWCHECK as follows: "For example the STM can be used to trigger the safety core to service a watchdog within the FHTI." The effect below implies that a failure in the STM can lead to loss of an interrupt or an incorrect interrupt at system level.

Regarding the second point below, the diagnostic coverage for this mechanism is considered to be low (60%) since the SWT can check that the STM is counting correctly, but it won't be able to detect a failure in the comparison logic within the STM. If higher coverage is required, then an analysis should be done at system level, since the STM is a safety-related, application-dependent module in the safety concept, and an alternate/additional mechanism should be used to get higher coverage. Hope this explains.

Kind Regards,

Avni

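To make the mechanism in the answer above concrete, here is an added example that is not part of the thread and not NXP code: a host-side simulation in C of an application that services a watchdog from an STM-derived tick, plus a separate software plausibility check of the STM counter against an independent reference clock. It assumes a windowed watchdog (the SWT offers a window mode; whether it is enabled is a project decision) and models only the STM counter, read by software, not the STM channel compare path, so it does not claim coverage of the comparison logic that the answer says this mechanism cannot detect. All parameters (timeout, window, prescaler ratio, tolerance) are made up for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of one simulated run of the STM-driven watchdog service loop. */
enum swt_result { SWT_OK = 0, SWT_EARLY = 1, SWT_TIMEOUT = 2 };

/*
 * Simulate an application that services a watchdog every time the (simulated)
 * STM counter has advanced by service_period STM ticks.
 *
 *   stm_step        STM ticks per reference tick; the nominal value models the
 *                   prescaler, any other value models a clock/prescaler fault
 *   service_period  STM ticks between two watchdog services
 *   timeout         reference ticks after which an unserviced watchdog resets
 *   window          width of the accepted service window at the end of the
 *                   timeout period (0 = plain timeout watchdog, no window)
 *   ticks           number of reference ticks to simulate
 *
 * Returns the first fault the watchdog would raise, or SWT_OK.
 */
enum swt_result run_scenario(uint32_t stm_step, uint32_t service_period,
                             uint32_t timeout, uint32_t window, uint32_t ticks)
{
    uint32_t elapsed = 0;      /* reference ticks since the last service */
    uint32_t stm = 0;          /* simulated STM free-running counter */
    uint32_t last_service = 0; /* STM value at the last service */

    for (uint32_t t = 0; t < ticks; t++) {
        elapsed++;
        if (elapsed > timeout)
            return SWT_TIMEOUT;            /* STM stopped or running slow */

        stm += stm_step;
        if (stm - last_service >= service_period) {
            /* The application's timer tick fires: service the watchdog. */
            if (window != 0 && elapsed < timeout - window)
                return SWT_EARLY;          /* STM too fast: only window mode sees it */
            elapsed = 0;
            last_service = stm;
        }
    }
    return SWT_OK;
}

/*
 * Software plausibility check of the STM counter (hypothetical helper):
 * over one check interval, the STM delta must match the delta of an
 * independently clocked reference timer times the expected ratio, within
 * tol_percent. Run once per FHTI from application code.
 */
bool stm_plausible(uint32_t stm_delta, uint32_t ref_delta,
                   uint32_t expected_ratio, uint32_t tol_percent)
{
    uint64_t expected = (uint64_t)ref_delta * expected_ratio;
    uint64_t tol = expected * tol_percent / 100;
    return (uint64_t)stm_delta + tol >= expected && stm_delta <= expected + tol;
}

int main(void)
{
    static const char *names[] = { "OK", "EARLY (window violated)", "TIMEOUT" };
    /* Nominal prescaler: 2 STM ticks per reference tick, service every 1000
     * reference ticks, 1200-tick timeout, 300-tick window. */
    printf("nominal STM       : %s\n", names[run_scenario(2, 2000, 1200, 300, 10000)]);
    printf("STM stopped       : %s\n", names[run_scenario(0, 2000, 1200, 300, 10000)]);
    printf("STM half speed    : %s\n", names[run_scenario(1, 2000, 1200, 300, 10000)]);
    printf("STM double, window: %s\n", names[run_scenario(4, 2000, 1200, 300, 10000)]);
    printf("STM double, no win: %s\n", names[run_scenario(4, 2000, 1200, 0, 10000)]);
    printf("plausibility 2000/1000 ticks: %s\n",
           stm_plausible(2000, 1000, 2, 5) ? "pass" : "fail");
    printf("plausibility 1000/1000 ticks: %s\n",
           stm_plausible(1000, 1000, 2, 5) ? "pass" : "fail");
    return 0;
}
```

The two fast-STM runs are the point of the model: a plain timeout watchdog only notices an STM that has stopped or slowed down, while a windowed service also rejects a tick that arrives too early, so a prescaler or clock fault in either direction becomes a detected fault inside the FHTI. The counter-to-reference comparison covers the same counting faults from the software side; neither check exercises the STM compare/interrupt logic, which is why the answer points to a system-level analysis for coverage above 60%.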