Skip to main content
M
Mike Bailey
Visitor II
October 29, 2019
Question

STM32MP1 Suitability for a Functional Safety System

  • October 29, 2019
  • 2 replies
  • 1356 views

I recently attended and intro course to the STM32MP1, which was very informative. Subsequently, in considering possible applications, I have questioned wither the STM32 MPUs are suitable for use in functional safety systems as a processor for the execution of safety critical software, e.g. in an automotive, avionics or medical system.

The use of Linux on the A7 side of things make it very difficult to use this for safety critical real time software and clearly the M4 is more appropriate anyway. However, as I see it, the M4 is effectively a co-processor with critical parts of the M4 and associated peripherals controlled by the A7 side which means that M4 cannot be adequately segregated from the A7. I understand that some peripherals can be assigned solely to the M4 and protected from access from the A7 but the A7 still controls important related aspects such as clocks and regulators. Furthermore, the A7 must bring up the chip and load and start the M4.

This is a similar problem to running multi-criticality software components on say a STM32 MCU under the control of an OS. In this scenario the MPU can be configure to protect access to the peripherals but the system control block needs also to be under control of the highest criticality components, otherwise lower criticality software can affect higher criticality software. However, the complication with the STM32MP1 is that the A7 Linux side is unable to be the highest criticality component.

A further complication would be the use of CubeMX tool and third party components, such as the STM32 HAL, in a functional safety system.

Does anybody have any advice? TIA.

      This topic has been closed for replies.

      2 replies

      M
      Mike BaileyAuthor
      Visitor II
      November 13, 2019

      After 18 views and no responses I decided to raise a case with ST, their response was: "basically, for safety-critical systems are our automotive microcontrollers (32-bit SPC5 and 8-bit STM8A). STM32 family does not have appropriate certificates." This conflicts a lot of information provided for the STM32 such as Achieving Safety Integrity with STM32 & STM8.

        M
        Mike BaileyAuthor
        Visitor II
        November 19, 2019

        An update from ST regarding suitability of STM32 MCU and ST32MP1 for functional safety: "sure, You can use STM32 MCU for safety-critical systems, but the firmware must be written with extra care. But there is still the fact, that these MCUs are not certified for this kind of usage. Especially MP1 cannot be recommended for this purpose because of its complexity."

          R
          ReliableEmbeddedSystems
          Visitor II
          June 8, 2021

          I looked into this a bit and one would think that the M4 could be used for a "safety-critical system". Like e.g. as a supervisor for the cortex A. Unfortunately, the M4 e.g. does not seem to have its own memory and the A7 could do nasty things to it in runtime. So it does not look like a reasonable solution for a safety-critical system. Even if you write firmware with extra care there seem to be hardware limitations. The Cortex-A and the Cortex-M are not properly separated hardware-wise, meaning the Cortex-M can not work independently of the Cortex-A. Maybe someone from ST can enlighten us and prove me wrong. Until then I would not use this approach for a safety-critical system. You could e.g. add an additional M4.

            Terms & ConditionsAccessibility statement