ST STM8AF Series User Manual
Introduction
The microcontrollers of the STM8AF Series, featuring different memory densities, packages
and peripherals, are designed for automotive applications.
This document describes how to use them in the context of a safety-related system
(STM8A-SafeASIL functional safety package), specifying the user's responsibilities for
installation and operation, in order to reach the targeted safety integrity level.
This manual applies to the following STM8AF products:
• the STM8AF62 line, which is the mainstay of the automotive STM8A 8-bit MCUs:
– low density devices with 8 Kbytes of Flash memory: STM8AF6223/26
– medium density devices with 16 to 32 Kbytes of Flash memory: STM8AF624x,
STM8AF6266/68, STM8AF612x/4x and STM8AF6166/68
– high density devices with 32 to 128 Kbytes of Flash memory: STM8AF6269/8x/Ax and
STM8AF6178/99/9A
• the STM8AF52 line: STM8AF automotive MCUs with CAN:
– high density devices with 32 to 128 Kbytes of Flash memory: STM8AF52xx and
STM8AF51xx
By following the indications reported in this manual, system designers can avoid going
into the details of applying the ISO 26262 functional safety standard to the STM8AF
microcontrollers.
This manual is written in compliance with ISO 26262. It also indicates how to use the
STM8AF MCUs in the context of other functional safety standards, such as IEC 61508.
The safety analysis summarized in this manual takes into account the variation in terms of
memory size, number of internal peripherals and the different packages available among
the different part numbers of STM8AF microcontrollers.
This manual has to be read along with the technical documentation on related part numbers
available on www.st.com/stm8.
UM1915 Rev 3, October 2019. User manual: STM8AF safety manual. www.st.com
Summary of Contents for ST STM8AF Series

  • Page 2: Table Of Contents

    Contents: About this document ........ 6; Purpose and scope ...
  • Page 3 Contents (continued): 3.6.15 Address and data bus ........ 24; 3.6.16 Supply voltage system ...
  • Page 4 List of tables: Table 1. Terms and abbreviations ........... 6; Table 2. ...
  • Page 5 List of figures: Figure 1. Definition of the STM8AF as a SEooC ........ 10; Figure 2. ...
  • Page 6: About This Document

    About this document. Purpose and scope: This document is addressed to system designers who want to evaluate the safety of their solutions. It describes how to use STM8AF microcontrollers in the context of a safety-related system, specifying the user's responsibilities for installation and operation, in order to reach the desired safety integrity level.
  • Page 7: Reference Normative

    IEC 61508-1 to -7, IEC:2010 edition. Annexes: UM2138, FMEDA analysis for STM8AF Series MCUs; UM2139, FMEDA handling for STM8AF Series MCUs. UM2138 is a collection of FMEDA snapshots: a static document reporting the safety metrics computed at different levels of detail (at microcontroller level and for the microcontroller basic functions) for a given combination of safety mechanisms, a given set of assumptions and a given part number.
  • Page 8: Stm8Af Device Development Process

    • Automotive safety: a subset of the automotive domain. ST uses the ISO 26262 Road vehicles Functional safety standard as a reference. ST supports customer inquiries regarding product failure rates and FMEDA, to support the compliance of the hardware system with the established safety goals.
  • Page 9: Stm8Af Safety Architecture

    For a detailed description of the STM8AF functionality refer to the reference manuals, available on www.st.com. In this document, the SEooC is identified as the STM8AF microcontroller (MCU), referenced as a functional block inserted in the system defined by Figure 1.
  • Page 10: Assumed Safety Requirements

    Figure 1. Definition of the STM8AF as a SEooC. Other components, such as the external HW components needed to guarantee either the functionality of the STM8AF (external memory, clock quartz) or its safety (e.g. the external watchdog, voltage supervisors), can be connected to the SEooC. Assumed safety requirements: A SEooC is developed, according to ISO 26262-10 clause 9, on the basis of assumptions about its intended functionality, use and context, including external interfaces...
  • Page 11: The Target Safety Metrics (Asil, Spfm, Lfm And Pmhf)

    Table 2. List of STM8AF assumed requirements. AR01: The SEooC is defined as the STM8AF playing the role of processing unit, as in Figure. Failures in the STM8AF HW part leading to wrong execution of the application program and/or wrong data computations shall be mitigated to fulfil the ASIL B capability, i.e.
  • Page 12: The Assumed Target Time Intervals (Ftti And Mpfdi)

    In this document any claim and computation in terms of safety metrics is done on the activity safety scope represented by the SEooC block diagram reported in Table. The budget of the PMHF given to the SEooC must be (if possible) lower than 10% of the overall PMHF budget of the safety goal; therefore (for ASIL B) the budget for the STM8AF is 10% * 100 FIT = 10 FIT.
  • Page 13: Electrical Specifications And Environment Limits

    Safety mechanisms/measures This section lists all the safety mechanisms/measures (hardware, software and application level) considered in the safety analysis of the microcontrollers of the STM8AF Series. According to ISO 26262-1, “…a safety mechanism is a technical solution implemented by Electrical/Electronic (E/E) functions or elements, or by other technologies, to detect faults or control failures in order to achieve or maintain a safe state”.
  • Page 14 processing unit (CPU) is tested for functional correctness by applying at least one pattern per instruction. Testing the same class of instruction with multiple non-trivial patterns, so that each bit of every operand's input and output is driven at least once to "0" and once to "1", is highly recommended.
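As an added example (not code from the manual or from ST), the following host-runnable C sketch shows what a pattern-based test of one instruction class, an 8-bit ADD, looks like, and how to verify that the chosen pattern set meets the criterion above: every bit of each operand and of the result is seen at least once as 0 and once as 1. The vectors are constructed here; the names alu_add, cpu_test_add and vectors_toggle_every_bit are illustrative. On the target the expected values would be constants in Flash, covered by the Flash memory test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* One test vector for a two-operand 8-bit ALU instruction: inputs plus the
 * result precomputed at build time (assumed to live in Flash on the target). */
typedef struct {
    uint8_t a, b, expected;
} alu_vector_t;

/* Constructed vectors for an 8-bit ADD. The set is chosen so that every bit of
 * operand a, operand b and the result is driven to 0 and to 1 at least once,
 * and so that the carry out of bit 7 is exercised. */
static const alu_vector_t add_vectors[] = {
    { 0x00, 0x00, 0x00 },
    { 0xFF, 0x00, 0xFF },
    { 0x00, 0xFF, 0xFF },
    { 0x55, 0xAA, 0xFF },
    { 0xAA, 0x55, 0xFF },
    { 0xFF, 0x01, 0x00 },  /* wraps: carry out of bit 7 */
    { 0x0F, 0xF0, 0xFF },
    { 0x80, 0x80, 0x00 },  /* wraps: both MSBs set */
};
#define ADD_VECTOR_COUNT (sizeof add_vectors / sizeof add_vectors[0])

/* The operation under test; on the target this is whatever ADD instruction the
 * compiler emits. volatile keeps the compiler from folding it at build time. */
static uint8_t alu_add(uint8_t a, uint8_t b)
{
    volatile uint8_t x = a, y = b;
    return (uint8_t)(x + y);
}

/* Runs every vector through the CPU and returns the number of mismatches.
 * 0 means the instruction passed; anything else is treated as a CPU fault. */
unsigned cpu_test_add(void)
{
    unsigned failures = 0;
    for (size_t i = 0; i < ADD_VECTOR_COUNT; i++) {
        if (alu_add(add_vectors[i].a, add_vectors[i].b) != add_vectors[i].expected)
            failures++;
    }
    return failures;
}

/* Pattern-set quality criterion: does the set drive each bit of a, of b and
 * of the result both to 0 and to 1? Returns true when the set is complete. */
bool vectors_toggle_every_bit(const alu_vector_t *v, size_t n)
{
    uint8_t a_ones = 0, a_zeros = 0, b_ones = 0, b_zeros = 0, r_ones = 0, r_zeros = 0;
    for (size_t i = 0; i < n; i++) {
        a_ones |= v[i].a;        a_zeros |= (uint8_t)~v[i].a;
        b_ones |= v[i].b;        b_zeros |= (uint8_t)~v[i].b;
        r_ones |= v[i].expected; r_zeros |= (uint8_t)~v[i].expected;
    }
    return a_ones == 0xFF && a_zeros == 0xFF && b_ones == 0xFF &&
           b_zeros == 0xFF && r_ones == 0xFF && r_zeros == 0xFF;
}

bool add_vectors_are_complete(void)
{
    return vectors_toggle_every_bit(add_vectors, ADD_VECTOR_COUNT);
}

int main(void)
{
    printf("ADD pattern set complete: %s\n", add_vectors_are_complete() ? "yes" : "no");
    printf("ADD self-test failures: %u\n", cpu_test_add());
    return cpu_test_add() == 0 ? 0 : 1;
}
```

The coverage check is a build-time or review-time aid: it tells you whether the vector table is strong enough before you ship it, while cpu_test_add is what runs on the target within the DTI. A single-vector table such as {0x00, 0x00, 0x00} passes the self-test but fails the completeness check, which is exactly the weak pattern set the text warns against.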
  • Page 15: Program Flash Memory

    The guidelines for the implementation of the method are the following: • The requirement needs to be applied only to safety-relevant computations, that is, those that can interfere with the system safety functions. Such computations therefore need to be carefully identified in the original application software source code.
  • Page 16: Data Eeprom

    Without information about the frequency of use of the different occupied Flash memory sections, in principle the whole area used by the Flash memory is assumed to be tested within a period compatible with the ISO 26262 requirements on the relationship between the FTTI and the diagnostic test interval (DTI).
  • Page 17: Boot Rom

    called functions. This method is relevant when the combination of the final application software structure and the compiler settings requires significant use of the stack for passing function parameters. The guidelines for the implementation of the method are the following: •...
  • Page 18: Basic Enhanced Can (Becan)

    3.6.6 Basic enhanced CAN (beCAN). Periodical read-back of configuration registers - CAN_SM_0: This diagnostic measure, typically referred to as "Read back periodic by software of configuration registers", executes a periodical check of the configuration registers of the beCAN peripheral against their expected values, previously stored in RAM and updated after each configuration change.
  • Page 19: Usart

    configuration registers, detecting bit flips. The register test is executed at least once per DTI. Protocol error signal - LINUART_SM_1: The LIN protocol error signals (if used), although conceived to detect physical-layer abnormal conditions, also contribute to the detection of faults that lead to the generation of error messages.
  • Page 20: I2C

    Information redundancy techniques on messages - UART_SM_2: The redundant information technique protects the USART communications by detecting both permanent and transient faults. There are two different approaches to implementing it: • multiple sending of the same message, with comparison of the received results •...
  • Page 21: Spi

    The approaches reported above are equivalent; an additional selection criterion is the computation capability of the external device exchanging data with the STM8AF. 3.6.10 Periodical read-back of configuration registers - SPI_SM_0: This diagnostic measure, typically referred to as "Read back periodic by software of configuration registers", executes a periodical check of the configuration registers of the SPI against their expected values, previously stored in RAM and updated after each configuration change.
  • Page 22: Advanced Control And General Purpose Timers (Tim 1 And Tim 2/3)

    Multiple acquisitions by application software - ADC_SM_1: To address transient faults affecting the ADC module, a timing information redundancy scheme that executes multiple acquisitions of the same signal is required. This recommendation is most probably already satisfied by the end-user application software.
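An added example, not from the manual or from ST, of what ADC_SM_1 (multiple acquisitions of the same signal) looks like in application code, combined with the range check that Table 4 lists as ADC_SM_2. The ADC is replaced by a hypothetical sampling callback so the code runs on a host; the conversion sequences at the bottom are constructed to show a single transient glitch, a noisy channel and a shorted sensor. Function and type names are illustrative.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

typedef uint16_t (*adc_sample_fn)(void);   /* hypothetical: one conversion of the channel */

typedef enum { ADC_OK, ADC_UNSTABLE, ADC_OUT_OF_RANGE } adc_status_t;

typedef struct {
    uint16_t lo, hi;        /* plausible range of the signal in ADC counts (range check) */
    uint16_t max_spread;    /* acquisitions within this distance of the median "agree" */
    uint8_t  samples;       /* acquisitions per measurement, odd, 3..9 */
} adc_check_cfg_t;

static int cmp_u16(const void *x, const void *y)
{
    uint16_t a = *(const uint16_t *)x, b = *(const uint16_t *)y;
    return (a > b) - (a < b);
}

/* Acquires cfg->samples conversions of the same signal, takes the median (so a
 * single transient glitch can never become the result), requires a majority of
 * the acquisitions to agree with it, then range-checks the agreed value. */
adc_status_t adc_read_checked(adc_sample_fn sample, const adc_check_cfg_t *cfg, uint16_t *value)
{
    uint16_t buf[9];
    uint8_t n = cfg->samples > 9 ? 9 : (cfg->samples < 3 ? 3 : cfg->samples);
    for (uint8_t i = 0; i < n; i++) buf[i] = sample();
    qsort(buf, n, sizeof buf[0], cmp_u16);

    uint16_t median = buf[n / 2];
    *value = median;

    uint8_t agree = 0;
    for (uint8_t i = 0; i < n; i++) {
        uint16_t d = buf[i] > median ? (uint16_t)(buf[i] - median) : (uint16_t)(median - buf[i]);
        if (d <= cfg->max_spread) agree++;
    }
    if (agree <= n / 2) return ADC_UNSTABLE;            /* no majority: transient fault or noise */
    if (median < cfg->lo || median > cfg->hi) return ADC_OUT_OF_RANGE; /* open/short, reference fault */
    return ADC_OK;
}

/* Host stand-in for the ADC: replays a constructed sequence of conversions. */
static const uint16_t *g_script;
static uint8_t g_script_pos;
static uint16_t scripted_sample(void) { return g_script[g_script_pos++]; }

adc_status_t adc_check_script(const uint16_t *script, const adc_check_cfg_t *cfg, uint16_t *value)
{
    g_script = script;
    g_script_pos = 0;
    return adc_read_checked(scripted_sample, cfg, value);
}
```

With cfg = {100, 900, 8, 5}, the constructed sequence {512, 515, 1023, 510, 513} yields 513 and ADC_OK (the 1023 outlier is discarded), {512, 1023, 10, 900, 513} yields ADC_UNSTABLE because no majority agrees, and {2, 3, 2, 4, 3} is stable but fails the range check. The point of separating the two verdicts is that the reaction differs: an unstable reading can be retried within the FTTI, an out-of-range one usually means the sensor path, not the ADC, has failed.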
  • Page 23: Basic Timer (Tim 4)

    Dual channel redundancy for counting timers - TIM_SM_1: This method provides a high level of coverage for both permanent and transient faults on the addressed timers. The method is conceived to protect timers with counting features, for example timers dedicated to maintaining a system time base and/or generating a timed interrupt for the execution of service routines (for instance, general timing counter update/increment).
  • Page 24: Gpio - Ports A/B/C/D/E/F/G/H

    configuration registers, detecting bit flips. The register test is executed at least once per DTI. Dual channel redundancy for counting timers - BTIM_SM_1: This method provides a high level of coverage for both permanent and transient faults on the addressed timers.
  • Page 25: Supply Voltage System

    testing of the arbitration mechanisms between peripherals. This method, based on the periodical execution of software-based tests, is executed at least once per DTI. Note that the implementation of this safety method overlaps with the already planned configuration register checks for the STM8AF peripherals (e.g.
  • Page 26: Reset And Clock Control Subsystems

    3.6.17 Reset and clock control subsystems. Periodical read-back of configuration registers - CLK_SM_0: This diagnostic measure, typically referred to as "Read back periodic by software of configuration registers", executes a periodical check of the configuration registers of the reset and clock control logic against their expected values (previously stored in RAM and updated after each configuration change).
  • Page 27: Watchdogs (Iwdg, Wwdg)

    3.6.19 Watchdogs (IWDG, WWDG). Periodical read-back of configuration registers - WDG_SM_0: This diagnostic measure, typically referred to as "Read back periodic by software of configuration registers", executes a periodical check of the configuration registers of the watchdogs against their expected values (previously stored in RAM and updated after each configuration change).
  • Page 28: Latent Fault Detection

    regulated according to the expected frequency of each individual interrupt. • Interrupt vectors of unused interrupt sources point to a default handler that, if triggered, reports a faulty condition (unexpected interrupt). • Where an interrupt service routine is shared between different sources, a plausibility check on the caller identity is implemented.
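The three interrupt-controller measures listed above (per-source frequency limits, a default handler on unused vectors, caller plausibility for shared ISRs) as one added example in C; this is illustrative code, not the manual's or ST's, and the vector count, the window limits and the status-register layout are assumptions. On a real STM8AF target irq_on_entry would be the first call in each application ISR, irq_window_check would run from the periodic diagnostic task, and the default handler would be the address placed in every unused entry of the interrupt vector table.

```c
#include <stdint.h>
#include <stdbool.h>

#define IRQ_VECTORS 4   /* illustrative; real STM8AF parts have more vectors */

typedef enum { IRQ_OK, IRQ_UNEXPECTED, IRQ_TOO_FREQUENT, IRQ_MISSING } irq_status_t;

typedef struct {
    bool     used;          /* an application handler is attached to this vector */
    uint16_t min_expected;  /* minimum occurrences per monitoring window */
    uint16_t max_expected;  /* maximum occurrences per monitoring window */
    uint16_t count;         /* occurrences seen in the current window */
} irq_monitor_t;

static irq_monitor_t irq_mon[IRQ_VECTORS];
static uint16_t irq_unexpected_count;

void irq_monitor_init(uint8_t vector, uint16_t min_expected, uint16_t max_expected)
{
    irq_mon[vector].used = true;
    irq_mon[vector].min_expected = min_expected;
    irq_mon[vector].max_expected = max_expected;
    irq_mon[vector].count = 0;
}

uint16_t irq_unexpected_hits(void) { return irq_unexpected_count; }

/* Handler installed on every unused vector (and fallback for out-of-range
 * vectors): an interrupt nobody enabled is itself evidence of a fault. */
void irq_default_unexpected_handler(uint8_t vector)
{
    (void)vector;
    if (irq_unexpected_count < UINT16_MAX) irq_unexpected_count++;
}

/* First call of every application ISR: counts the occurrence and flags a
 * source that fires more often than its configured maximum (e.g. a stuck
 * request line or a corrupted timer reload). */
irq_status_t irq_on_entry(uint8_t vector)
{
    if (vector >= IRQ_VECTORS || !irq_mon[vector].used) {
        irq_default_unexpected_handler(vector);
        return IRQ_UNEXPECTED;
    }
    if (irq_mon[vector].count < UINT16_MAX) irq_mon[vector].count++;
    return irq_mon[vector].count > irq_mon[vector].max_expected ? IRQ_TOO_FREQUENT : IRQ_OK;
}

/* Once per monitoring window from the periodic diagnostic task: a used source
 * that did not fire at least min_expected times (lost interrupt, masked by a
 * corrupted enable bit) is as suspicious as one that fired too often. */
irq_status_t irq_window_check(uint8_t vector)
{
    if (vector >= IRQ_VECTORS || !irq_mon[vector].used) return IRQ_UNEXPECTED;
    uint16_t n = irq_mon[vector].count;
    irq_mon[vector].count = 0;
    if (n > irq_mon[vector].max_expected) return IRQ_TOO_FREQUENT;
    if (n < irq_mon[vector].min_expected) return IRQ_MISSING;
    return IRQ_OK;
}

/* Plausibility check for an ISR shared between sources: the peripheral status
 * register must show a pending flag that belongs to this handler, otherwise
 * the ISR was entered through a corrupted vector or a spurious request. */
bool irq_shared_caller_plausible(uint8_t status_reg, uint8_t owned_flags)
{
    return (status_reg & owned_flags) != 0;
}
```

What each verdict feeds into is application-specific, but none of them should be silently ignored: an IRQ_UNEXPECTED or IRQ_TOO_FREQUENT is typically reported to the fault manager and the system brought to its safe state, while IRQ_MISSING for the time-base interrupt is the classic symptom a watchdog would otherwise catch much later.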
  • Page 29: Assumption Of Use (Aou)

    check of the registers described below against their expected values (previously stored in RAM and updated after each configuration change). The register test is executed at least once per DTI. The configuration registers to be tested with this method are those related to the clock-disabling features of peripherals and those related to enabling alternate functions on I/O pins.
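The "periodical read-back of configuration registers" measure recurs for every peripheral on this page (CAN_SM_0, SPI_SM_0, CLK_SM_0, WDG_SM_0, and the clock-gating and alternate-function registers just described). One added example in C, not the manual's or ST's code, covers all of them. The register block is modelled as a RAM array so it runs on a host; on the target regs would be the peripheral base address. Two details matter in practice and are built in: the RAM reference copy is written from the intended value, never read back from hardware that may already be corrupted, and it is stored with its complement so that a flip in the reference itself is detected rather than masking a flip in the register. The mask excludes status and read-only bits, which legitimately change. Names are illustrative.

```c
#include <stdint.h>
#include <stdbool.h>

#define CFG_REG_COUNT 4   /* illustrative: number of configuration registers of the peripheral */

typedef struct {
    volatile uint8_t *regs;              /* hardware configuration registers */
    uint8_t mask[CFG_REG_COUNT];         /* configuration bits only (status/RO bits excluded) */
    uint8_t expected[CFG_REG_COUNT];     /* reference copy kept in RAM */
    uint8_t expected_inv[CFG_REG_COUNT]; /* bitwise complement of the reference copy */
} cfg_shadow_t;

typedef enum { CFG_OK, CFG_REG_MISMATCH, CFG_SHADOW_CORRUPT } cfg_status_t;

/* After init the application must write every checked register through
 * cfg_shadow_write, so that the reference holds the intended configuration. */
void cfg_shadow_init(cfg_shadow_t *s, volatile uint8_t *regs, const uint8_t mask[CFG_REG_COUNT])
{
    s->regs = regs;
    for (unsigned i = 0; i < CFG_REG_COUNT; i++) {
        s->mask[i] = mask[i];
        s->expected[i] = 0x00;
        s->expected_inv[i] = 0xFF;
    }
}

/* Every configuration change goes through here: the RAM reference follows the
 * intended value, which is what "adequately updated after each configuration
 * change" means in the text. */
void cfg_shadow_write(cfg_shadow_t *s, unsigned idx, uint8_t value)
{
    s->regs[idx] = value;
    s->expected[idx] = value;
    s->expected_inv[idx] = (uint8_t)~value;
}

/* Run at least once per DTI. Reports the first discrepancy and which register
 * it is in; the caller re-initialises the peripheral or enters the safe state. */
cfg_status_t cfg_shadow_check(const cfg_shadow_t *s, unsigned *bad_idx)
{
    for (unsigned i = 0; i < CFG_REG_COUNT; i++) {
        /* Check the reference before trusting it. */
        if ((uint8_t)(s->expected[i] ^ s->expected_inv[i]) != 0xFF) {
            *bad_idx = i;
            return CFG_SHADOW_CORRUPT;
        }
        /* Compare only the configuration bits; status bits may differ. */
        if (((s->regs[i] ^ s->expected[i]) & s->mask[i]) != 0) {
            *bad_idx = i;
            return CFG_REG_MISMATCH;
        }
    }
    return CFG_OK;
}
```

Write-to-clear and read-to-clear bits are the usual trap with this measure: if such a bit is inside the mask, the read performed by the check can itself alter the register, so the mask has to be derived from the register map of the specific peripheral, not set to 0xFF by default.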
  • Page 30 Table 4. List of safety mechanisms (continued). Columns: STM8AF function; Diagnostic; Description; ASIL Perm; ASIL Trans. Program Flash memory: FLASH_SM_0, Periodical software test for Flash memory; FLASH_SM_1, Control flow monitoring in application software; FLASH_SM_3, Option byte write protection. Data EEPROM: EEP_SM_0, Information redundancy...
  • Page 31 Table 4. List of safety mechanisms (continued). Columns: STM8AF function; Diagnostic; Description; ASIL Perm; ASIL Trans. ADC: ADC_SM_0, Periodical read-back of configuration registers; ADC_SM_1, Multiple acquisition by application software; ADC_SM_2, Range check by application software; ADC_SM_3, Periodical software test for ADC. Timers: TIM_SM_0, Periodical read-back of configuration registers...
  • Page 32 Table 4. List of safety mechanisms (continued). Columns: STM8AF function; Diagnostic; Description; ASIL Perm; ASIL Trans. Debug: DBG_SM_0, Independent watchdog. Interrupt controller: INTC_SM_0, Periodical read-back of configuration registers; INTC_SM_1, Expected and unexpected interrupt check by application software. Software-based ...: LAT_SM_0, Independent watchdog...
  • Page 33: Safety Analysis Results

    Safety analysis results: This section reports the results of the safety analysis of the STM8AF MCU, according to ISO 26262 (in particular ISO 26262-10 Annex A). ISO 26262-10 Annex A is a guideline on how to perform a safety analysis of a microcontroller according to ISO 26262.
  • Page 34: Safety Analysis Result Customization

    4.1.1 Safety analysis result customization: The safety analysis executed for STM8AF devices and contained in this safety manual considers all microcontroller parts, with no exclusion, to be safety relevant, that is, able to interfere with the safety function. This is in line with the conservative approach to be followed when analysing a general-purpose microcontroller, in order to remain agnostic with respect to the final application.
  • Page 35: Dependent Failures Analysis

    AR08 is a consequence of the FFI analysis performed. Dependent failures analysis: The analysis of dependent failures is important for microcontrollers. The main sub-class of dependent failures is the common cause failure (CCF). According to ISO 26262 they need to be addressed on a qualitative basis (ISO 26262-9:2011, 7.4.1 Note 3), but the evaluation can be supported by appropriate checklists.
  • Page 36: List Of Evidences

    List of evidences: The safety case stores all the information related to the safety analysis performed to derive the results and conclusions reported in this safety manual. These contents are not public, but can be made available for audits and inspections by competent bodies.
  • Page 37: Appendix A Change Impact Analysis For Other Safety Standards

    Appendix A Change impact analysis for other safety standards: The safety analysis reported in this user manual is carried out according to the ISO 26262 standard. In this appendix a change impact analysis with respect to other safety standards is performed.
  • Page 38: Architectural Categories

    Figure 4. Correlation matrix between SIL and ASIL. In the IEC 61508 scope, end users can rely on SIL decomposition to define system architectures where the highest SIL requirements are fulfilled by using redundant lower-SIL subsystems, while respecting the requirements in part 2 §7.4.4.2.4.
  • Page 39: Safety Metrics Re-Computation

    Table 6. Some reference architectures for IEC 61508 (continued). Columns: Architecture; Description; Hardware fault tolerance (HFT). 1oo2d: Architecture of two sets of components / components connected in parallel with a diagnostic section, having a hardware fault tolerance of 1. Failure of a unit does not lead to a loss of the safety function.
  • Page 40: Work Products

    A.1.3 Work products: Table 7, which maps the content of this document to the requirements listed in IEC 61508-2 Annex D, acts as a checklist for providing the evidence of compliance with the IEC 61508 requirements.
  • Page 41: Table 8. Iec 61508 Work Product Grid

    Table 8. IEC 61508 work product grid. Columns: IEC 61508 reference (61508-2 clause); Information to be provided; ISO 26262 Part 4 reference; Document. 7.2.2: Design requirements specification. 7.2.3.2: Design requirements specification relating to safety requirements specification; 6.5.1 Technical safety requirements specification; Safety manual...
  • Page 42: Revision History

    Revision history. Table 9. Document revision history (Date; Revision; Changes). 07-Jul-2015: Initial version. Subsequent revision: Updated Introduction, Section 1.3: Reference normative, Section 1.4: Annexes, Section 3.4: Electrical specifications and environment limits, Section 3.6: Safety mechanisms/measures, Section 4: Safety analysis results, Section 4.1: Hardware random failure analysis,...
  • Page 43 You further acknowledge and agree that this document shall not be construed as an admission, acknowledgment or evidence of any kind, including, without limitation, as to the liability, fault or responsibility whatsoever of ST or any of its affiliates, or as to the accuracy or validity of the information contained herein, or concerning any alleged product issue, failure, or defect.