Table of Contents
Advertisement
Introduction
The STM8A is a family of microcontrollers designed for automotive applications, with different
memory densities, packages and peripherals.
This document describes how to use the STM8AF series of microcontrollers in the context of
a safety-related system (STM8A-SafeASIL functional safety package), specifying the user's
responsibilities for installation and operation, in order to reach the targeted safety integrity
level.
This manual applies to the following STM8AF series:
The STM8AF62 line that is the mainstay of the automotive STM8A 8 bit MCU:
– The low density devices with 8 Kbytes of Flash memory: STM8AF6223/26
– The medium density with 16 to 32 Kbytes of Flash memory: STM8AF624x,
STM8AF6266/68, STM8AF612x/4x and STM8AF6166/68
– The high density devices with 32 to 128 Kbytes of Flash memory:
STM8AF6269/8x/Ax and STM8AF6178/99/9A
The STM8AF52 line: STM8AF automotive MCUs with CAN:
– The high density devices with 32 to 128 Kbytes of Flash memory: STM8AF52xx and
STM8AF51xx
If the STM8AF microcontrollers are used in adherence to this manual, the system designer
can avoid going into the details of the functional safety design and validation, to give an
estimation about the impact to the overall safety function.
This manual is written in compliance with ISO 26262. It also indicates how to use the
STM8AF MCUs in the context of other functional safety standards such as IEC 61508. This
manual and FMEDA data were developed in cooperation with the safety expertise company
YOGITECH, using their fault Robust Methodology (fRMethodology).
The safety analysis summarized in this manual, takes into account the variation in terms of
memory size, number of internal peripherals and the different packages available among
the different part numbers of the STM8A microcontrollers family.
This manual has to be read along with the technical documentation on related part numbers
available on www.st.com/stm8.
July 2015
DocID028066 Rev 1
UM1915
User Manual
STM8AF Safety Manual
1/59
www.st.com
1
Advertisement
Table of Contents
Subscribe to Our Youtube Channel
Related Manuals for ST STM8AF6223
Summary of Contents for ST STM8AF6223
- Page 1 The STM8AF62 line that is the mainstay of the automotive STM8A 8 bit MCU: – The low density devices with 8 Kbytes of Flash memory: STM8AF6223/26 – The medium density with 16 to 32 Kbytes of Flash memory: STM8AF624x, STM8AF6266/68, STM8AF612x/4x and STM8AF6166/68 –...
-
Page 2: Table Of Contents
Content UM1915 Content About this document ........7 Purpose and scope . - Page 3 UM1915 Content 3.6.14 Address and Data bus ........26 3.6.15 Supply voltage system .
- Page 4 Content UM1915 Work products ..........56 Revision history .
- Page 5 UM1915 List of Tables List of Tables Table 1. Terms and abbreviations ........... 7 Table 2.
- Page 6 List of Figures UM1915 List of Figures Figure 1. Definition of the STM8AF as a SEooC ........11 Figure 2.
-
Page 7: About This Document
UM1915 About this document About this document Purpose and scope This document describes how to use the STM8AF microcontrollers in the context of a safety-related system, specifying the user's responsibilities for installation and operation, in order to reach the desired safety integrity level. This document is useful to system designers willing evaluate the safety of their solution. -
Page 8: Reference Normative
About this document UM1915 Table 1. Terms and abbreviations (continued) Acronym Definition SPFM Single Point Fault Metric Software Reference normative This document is written in compliance with the ISO 26262 international standard for functional safety of electrical and/or electronic (E/E) systems within road vehicles. The versions used as reference are: ... -
Page 9: Stm8Afxxxx Device Development Process
Automotive safety: a subset of the automotive domain. ST uses, as a reference, the ISO 26262 Road vehicles functional safety standard. ST supports customers’ inquiries, regarding product failure rates and FMEDA, to support hardware system compliance to established safety goals. -
Page 10: Stm8Af Safety Architecture
STM8AF Safety Architecture UM1915 STM8AF Safety Architecture This section describes the safety architectures that could be implemented, using the STM8AF microcontroller for automotive applications. Introduction The STM8AF microcontroller described in this document is a Safety Element out of Context (SEooC), that is, a safety element that can be used in different safety applications. The aim of this section is to define the context of the analysis, in terms of assumptions with respect to reference safety requirements as well as assumptions with respect to the design external to that SEooC. -
Page 11: Assumed Safety Requirements
UM1915 STM8AF Safety Architecture decisions, sent to external actuators in the form of specific commands. The MCU is connected directly or indirectly to sensors and actuators by communication busses. Figure 1. Definition of the STM8AF as a SEooC Other components might be connected to the SEooC, like the external HW components needed to guarantee either the functionality of the STM8AF (external memory, clock quartz etc.) or its safety (for example the external watchdog, voltage supervisors). -
Page 12: The Target Safety Metrics (Asil, Spfm, Lfm And Pmhf)
STM8AF Safety Architecture UM1915 Table 2. List of STM8AF Assumed Requirements Type Assumed Requirement Assumed The SEooC is defined as the STM8A MCU playing a role of processing unit, AR01 Figure 1: Definition of the STM8AF as a SEooC requirement as in Failures in STM8AF HW part leading to wrong execution of the application program and/or wrong data computations shall be mitigated to fulfil the ASILB... -
Page 13: The Assumed Target Time Intervals (Ftti And Mpfdi)
UM1915 STM8AF Safety Architecture Table 3. Target safety metric values at the item level Target value at Target value at Safety metric defined Metric type system level SEooC level Single-point fault metric (SPFM) ≥ 90% ≥ 90% relative Latent-fault metric (LFM) ≥... -
Page 14: Electrical Specifications And Environment Limits
Due to the large number of STM8AF part numbers, the related user manuals/datasheets are not listed in this document; users are responsible to carefully check the above reported limits in the technical documentation on the related part number available on www.st.com. 14/59... -
Page 15: Systematic Safety Integrity
Due to known device limitations for STM8AFxxxx automotive MCUs, the user must follow the errata sheets (e.g. ES0143 for STM8AF6xxx and ES0144 for STM8AF5xxx series) available on www.st.com, in order to avoid the introduction of systematic failures. Safety mechanisms/measures This section lists all the safety mechanisms/measures (hardware, software and application level) considered in the safety analysis of the microcontrollers of the STM8AF series. - Page 16 STM8AF Safety Architecture UM1915 Control flow monitoring in application software: CPU_SM_1 A significant part of the failure distribution of STM8A core for permanent faults is related to failure modes directly related to program counter loss of control or hang-up. Due to their intrinsic nature, such failure modes are not addressed by a standard software test method, based on the execution of sequences of instruction/data access and consequent checks.
-
Page 17: Program Flash Memory
UM1915 STM8AF Safety Architecture The redundant computation is implemented by using copies of the original data for second computation, and by using an equivalent formula if possible End users are responsible to carefully avoid that the optimization features of the used compiler removes the timing redundancy introduced according to this current condition of use Stack hardening for application software: CPU_SM_3... -
Page 18: Data Eeprom Memory
STM8AF Safety Architecture UM1915 3.6.3 Data EEPROM memory Information redundancy: EEP_SM_0 To address permanent faults affecting the internal EEPROM bank it is required to implement information redundancy techniques. Possible techniques are: use redundant copies of safety relevant data and perform coherence check before use ... -
Page 19: Boot Rom
UM1915 STM8AF Safety Architecture Information redundancy for safety-related variables in application software: RAM_SM_2 To address transient faults affecting RAM controller and RAM cells, it is required to implement information redundancy of the safety-related system variables stored in the RAM. The guidelines for the implementation of this method are the following: ... -
Page 20: Linuart
STM8AF Safety Architecture UM1915 Handling such error signals at application level of is a common technique in embedded applications. Information redundancy techniques on messages, including End to End safing: CAN_SM_2 The CAN communications are protected by addressing both the permanent and transient faults with the redundant information technique that includes the End to End safing. -
Page 21: Usart
UM1915 STM8AF Safety Architecture Information redundancy techniques on messages: LINUART_SM_2 The redundant information technique is used to protect the LIN/UART communications by detecting both the permanent and transient faults. There are two different approaches to implement this technique: Multiple sending of the same message, with comparison of the received results ... -
Page 22: I2C
STM8AF Safety Architecture UM1915 evaluation of the computation capability of the external device exchanging data with STM8AF. 3.6.9 Periodical read-back of configuration registers: IIC_SM_0 This diagnostic measure that is typically referred to as “Read Back Periodic by Software of Configuration Registers” executes a periodical check of the configuration registers of I2C respect to their expected value (previously stored in RAM and adequately updated after each configuration change). -
Page 23: Analog To Digital Converter (Adc)
UM1915 STM8AF Safety Architecture Handling such error signals at application level is a common technique in embedded applications. Information redundancy techniques on messages: SPI_SM_2 The redundant information technique is used to protect the SPI communications by detecting both the permanent and transient faults. There are two different approaches to implement this method: ... - Page 24 STM8AF Safety Architecture UM1915 instance a current flowing in opposite direction versus the load supply) may indicate a fault in the acquisition module. As the ADC module is shared between different possible external sources, the combination of plausibility checks on the different signals acquired helps to cover the whole input range in a very efficient way.
-
Page 25: Basic Timer (Tim 4)
UM1915 STM8AF Safety Architecture measured data at application level. To reduce the potential effect of the common cause failure, it is suggested, for redundancy, to use a channel belonging to a different timer module and mapped to not-adjacent pins on the device package. Loopback scheme for PWM outputs: TIM_SM_3 This method uses a loopback scheme to detect permanent and transient faults on the timer channels used for output waveform generations (output compare, PWM and one-pulse... -
Page 26: Gpio - Port A/B/C/D/E/F/G/H
STM8AF Safety Architecture UM1915 3.6.13 GPIO – PORT A/B/C/D/E/F/G/H Periodical read-back of configuration registers: GPIO_SM_0 This diagnostic measure that is typically referred to as “Read Back Periodic by Software of Configuration Registers” executes a periodical check of the configuration registers of GPIO respect to their expected values, previously stored in RAM and adequately updated after each configuration change. -
Page 27: Supply Voltage System
UM1915 STM8AF Safety Architecture 3.6.15 Supply voltage system Periodical read-back of configuration registers: VSUP_SM_0 This diagnostic measure that is typically referred to as “Read Back Periodic by Software of Configuration Registers” executes a periodical check of the configuration registers of the Power Control logic respect to their expected values, previously stored in RAM and adequately updated after each configuration change. -
Page 28: Auto-Wakeup Timer (Awu)
STM8AF Safety Architecture UM1915 The CSS detection of abnormal condition is considered as equivalent to hardware faults and brings to similar recovery actions by the application software. Independent watchdog: CLK_SM_2 The independent watchdog is fed by a dedicated oscillator; therefore, major failures on clock generation at system level will not affect its behavior but may lead to a violation of the IWDG window for the key value write by the application software, leading to a system reset. -
Page 29: Debug/ Swim (Single Wire Interface Module)
UM1915 STM8AF Safety Architecture 3.6.19 Debug/ SWIM (single wire interface module) Independent watchdog: DBG_SM_0 The debug unintentional activation due to hardware random fault will result in the massive disturbance of the independent watchdog or alternately, the other system watchdog WWDG or an external one. -
Page 30: Disable And Periodic Cross-Check Of Unintentional Activation Of Unused
STM8AF Safety Architecture UM1915 The following reported methods mainly address latent fault for the planned safety mechanism at MCU level. Independent Watchdog: LAT_SM_0 Each safety mechanism implemented as periodical software testing runs on the CPU. Possible faults in the safety mechanism are therefore faults in the “support” for the execution that is the CPU. -
Page 31: List Of Assumptions Of Use (Aou)
UM1915 STM8AF Safety Architecture 3.7.1 List of Assumptions of Use (AoU) The following tables summarize the Assumptions of Use (AoU) to be fulfilled by users of the STM8AF MCUs. The results shown in the following Table 4: Safety Analysis Results are valid under the condition that the AoU, described herein, and the assumed requirements listed in Table 2:... - Page 32 STM8AF Safety Architecture UM1915 Table 4. (continued) List of safety mechanisms STM8AF Diagnostic Description ASIL B Perm Trans function Periodical software test for RAM RAM_SM_0 memory RAM Memory RAM_SM_1 Stack hardening for application software Information redundancy for system variables RAM_SM_2 in application software Control flow monitoring in application Boot ROM...
- Page 33 UM1915 STM8AF Safety Architecture Table 4. (continued) List of safety mechanisms STM8AF Diagnostic Description ASIL B Perm Trans function Periodical read-back of configuration TIM_SM_0 registers TIM_SM_1 Dual channel redundancy for counting timers TIM1 and TIM2/3 Dual channel redundancy for input capture TIM_SM_2 timers TIM_SM_3...
- Page 34 STM8AF Safety Architecture UM1915 Table 4. (continued) List of safety mechanisms STM8AF Diagnostic Description ASIL B Perm Trans function Periodical read-back of configuration INTC_SM_0 registers Interrupt controller Expected and unexpected interrupt check INTC_SM_1 by application software Software- based LAT_SM_0 Independent Watchdog safety LAT_SM_1 Periodical core self-test software...
-
Page 35: Safety Analysis Results
UM1915 Safety Analysis Results Safety Analysis Results This section reports the results of the safety analysis of the STM8AF MCU, according to ISO 26262 (in particular ISO 26262-10 Annex A) and following to the YOGITECH fRMethodology flow, related to the hardware random and dependent failures. ISO 26262-10 Annex A is a guideline about how to perform a safety analysis of a microcontroller according to ISO 26262. -
Page 36: Safety Analysis Result Customization
Safety Analysis Results UM1915 In summary, with the adoptions of the safety mechanism and conditions of use reported in Section 3.7: Assumption of Use (AoU)”, it is possible for the STM8AF family devices to achieve the ASILB target. 4.1.1 Safety analysis result customization The safety analysis executed for STM8AF devices and contained in this safety manual is considered to be safety relevant, that is able to interfere with the safety function, to all microcontroller parts, with no exclusion. -
Page 37: Dependent Failures Analysis
UM1915 Safety Analysis Results Table 5. List of general requirements for FFI (continued) FFI_SM_0 Unused peripheral disable FFI_SM_1 Periodical read-back of interference avoidance registers BUS_SM_0 Periodical software test for interconnections GPIO_SM_1 Dual channel redundancy for input GPIO lines GPIO_SM_2 Loopback configuration for output GPIO lines The AR08 safety assumed safety requirement reported in Table 2: List of STM8AF Assumed Requirements... -
Page 38: Clock
Safety Analysis Results UM1915 4.2.2 Clock System clocks are a potential source of dependent failures, because alterations in the clock characteristics (frequency, jitter) can affect many parts, leading to not-independent failures. The following safety mechanisms address and mitigate those dependent failures: ... -
Page 39: List Of Evidences
UM1915 List of evidences List of evidences The Safety Case stores all the information related to the safety analysis performed to derive the results and conclusions reported in this safety manual. In detail, the Safety Case is composed of the following: ... -
Page 40: Appendix A Appendix A Overview Of Frmethodology
Appendix A Overview of fRMethodology UM1915 Appendix A Appendix A Overview of fRMethodology This section provides an overview of YOGITECH fault Robust Methodology (fRMethodology). The essence of fRMethodology The quality and completeness of the safety analysis is necessary to: identify the failure modes of a microcontroller ... -
Page 41: Figure 4. The Frmethodology Flow For Iso 26262 And Iec 61508
UM1915 Appendix A Overview of fRMethodology international working group, YOGITECH is a leading author of the Annex A of part 10, that is about how to deal with microcontrollers in the context of an ISO 26262 application. Moreover, YOGITECH extended both IEC 61508 and ISO 26262 requirements to analogue circuits thanks to its consolidated experience in analogue design and analogue verification. -
Page 42: Frtools
Appendix A Overview of fRMethodology UM1915 Table 6. Level of detail in fRMethodology Level of Verification Phase Input from customer Accuracy of metrics detail type Initial Estimated figures driven by info Block diagrams, preliminary A1.0 Part-level from standard and experience with gate / flip-flop count similar architectures Inspection... -
Page 43: Figure 5. Overview Of The Yogitech Frtool Suite
UM1915 Appendix A Overview of fRMethodology The fRTools offer a number of advantages both to YOGITECH and to YOGITECH’s customers: Improved control of all the steps required by the methodology A cleaner, more controllable and predictable flow Improved capacity to scale up and serve more customers and projects ... -
Page 44: Appendix B Appendix B Change Impact Analysis For Other Safety Standards
Appendix B Change impact analysis for other safety standards UM1915 Appendix B Appendix B Change impact analysis for other safety standards The safety analysis reported in this user manual is executed according to ISO 26262 safety norm. In this appendix a change impact analysis with respect to different safety standard is executed. -
Page 45: Safety Metrics Recomputation
UM1915 Appendix B Change impact analysis for other safety standards hazardous situation. A pressure limiting and a door lock control are Class B control functions Class C (§H.2.22.3): control functions which are intended to prevent special hazards such as explosion or which failure could directly cause a hazard in the appliance. -
Page 46: Table 7. Iec 60730 Required Safety Mechanism For Class B/C Compliance
Appendix B Change impact analysis for other safety standards UM1915 parts/functions of the STM8AF device, that are detailed in Section 3.6: Safety mechanisms/measures. In case the IEC 60730 requires a safety method not yet foreseen in the framework of the ISO 26262 safety analysis, the gap is reported in the related field. For sake of clarity the original text of the standard requirement is omitted in the table (refer to standard). - Page 47 UM1915 Appendix B Change impact analysis for other safety standards Table 7. IEC 60730 required safety mechanism for Class B/C compliance (continued) Component Software SM for Class SM for Class Fault/ error Definitions Gaps/Notes class H.2.18.15 H.2.18.3 H.2.18.9 DC fault H.2.16.7 BUS_SM_0 None...
- Page 48 Appendix B Change impact analysis for other safety standards UM1915 Table 7. IEC 60730 required safety mechanism for Class B/C compliance (continued) Component Software SM for Class SM for Class Fault/ error Definitions Gaps/Notes class H.2.19.6 DC fault RAM_SM_ 0 None H.2.19.8.2 H.2.18.15...
- Page 49 UM1915 Appendix B Change impact analysis for other safety standards Table 7. IEC 60730 required safety mechanism for Class B/C compliance (continued) Component Software SM for Class SM for Class Fault/ error Definitions Gaps/Notes class CAN_SM_2 H.2.19.8.1 LINUART_ SM_2 H.2.19.4.1 Hamming None distance 3...
- Page 50 Appendix B Change impact analysis for other safety standards UM1915 Table 7. IEC 60730 required safety mechanism for Class B/C compliance (continued) Component Software SM for Class SM for Class Fault/ error Definitions Gaps/Notes class GPIO_SM_ 1 H.2.18.13 None GPIO_SM_ 2 H.2.18.15 Fault H.2.18.3...
-
Page 51: Work Products
UM1915 Appendix B Change impact analysis for other safety standards Note: Safety mechanisms separated by “or” word are alternative; safety mechanism listed together are intended to be applied all together. Work products Table 8: IEC 60730 work product grid provides the list of work products that are required by the IEC 60730standard and their mapping with the work products from the ISO 26262 compliance activity: Table 8. - Page 52 Appendix B Change impact analysis for other safety standards UM1915 Table 8. IEC 60730 work product grid (continued) IEC 60730 5.2 ISO 26262 IEC 60730 document Information to be provided Part-Clause Pollution degree in the micro-environment of the creepage or Tab.1 - 79 clearance if cleaner than that of the control, and how this is Rated impulse voltage for the creepage or clearance if different...
-
Page 53: Iec 61508
UM1915 Appendix B Change impact analysis for other safety standards IEC 61508 The IEC 61508 is the international norm for functional safety of electrical/ electronic/ programmable electronic (E/E/PE) safety-related systems. The ISO 26262 standard is derives from IEC 61508 standard. As ISO 26262, the IEC 61508 standard defines four safety integrity levels (SILs), based on the assessment of the hazard and risk analysis, with SIL1 being the lowest and SIL4 being the highest. -
Page 54: Architectural Categories
Appendix B Change impact analysis for other safety standards UM1915 Architectural categories IEC 61508-6, Annex B requires representing a safety system by means of subsystem block diagram and representing each subsystem as one or more 1oo1, 1oo2, 2oo2, 1oo2D, 1oo3 or 2oo3 voted groups. - Page 55 UM1915 Appendix B Change impact analysis for other safety standards The ISO 26262 is mainly focused on the capability of identification of the safe failure fraction (SFF), defined as following: Safe Failure Fraction (SFF): The percentages of failures that are safe or detected and so do not lead to the violation of a safety goal.
-
Page 56: Table 10. Mapping Between This Document Content And Iec 61508-2 Annex D
Appendix B Change impact analysis for other safety standards UM1915 Work products Table 10: Mapping between this document content and IEC 61508-2 Annex D requirements, mapping this document content with respect to the requirements listed in the IEC 61508-2 Annex D, acts as a checklist in guidance in providing the evidences of the compliance of the IEC 61508 requirements. - Page 57 UM1915 Appendix B Change impact analysis for other safety standards Table 11. IEC 61508 work product grid IEC 61508 ISO 26262 ISO 26262 ISO 26262- Information to be provided 61508-2 ISO 26262 document reference 4 -Clause Clause Designrequirements 7.2.2 specification designrequirements Technical safety 7.2.3.2...
-
Page 58: Table 12. Document Revision History
Revision history UM1915 Revision history Table 12. Document revision history Date Revision Changes 07/07/2015 Initial version 58/59 DocID028066 Rev 1... - Page 59 ST products and/or to this document at any time without notice. Purchasers should obtain the latest relevant information on ST products before placing orders. ST products are sold pursuant to ST’s terms and conditions of sale in place at the time of order acknowledgement.
Need help?
Do you have a question about the STM8AF6223 and is the answer not in the manual?
Questions and answers