manualshive.com logo in svg

ST STM8AF6166, User Manual, Page: 28 / 43

Share
Download
ST STM8AF6166 User Manual Download Page 28

STM8AF safety architecture

UM1915

28/43

UM1915 Rev 3

regulated according to the individual interrupt expected frequency.

Interrupt vectors related to unused interrupt source point to a default handler that 
reports, in case of triggering, a faulty condition (unexpected interrupt).

In case an interrupt service routine is shared between different sources, a plausibility 
check on the caller identity is implemented.

Interrupt requests related to not-safety-relevant peripherals are handled with the same 
method here described, despite their originator safety classification; in order to 
decrease the complexity of this method implementation, the use of polling instead of 
interrupt for not-safety-relevant peripherals is suggested.

3.6.22 Latent 

fault 

detection

ISO 26262 considers also a metric for “latent” faults. The latent fault is a multiple-point fault 
which presence is not detected by a safety mechanism nor perceived by the driver within 
the multiple-point fault detection interval. In practical words, the latent fault is a combination 
of a fault in a safety mechanism - that by itself does NOT cause the violation of the safety 
goal (function) - and a fault in the mission logic supervised by that safety mechanism.

The following reported methods mainly address latent fault for the planned safety 
mechanism at MCU level.

Independent Watchdog - LAT_SM_0

Each safety mechanism implemented as periodical software testing runs on the CPU. 
Possible faults in the safety mechanism are therefore faults in the “support” for the 
execution that is the CPU. The independent watchdog is considered here as safety 
mechanism addressing the program counter failures due to the CPU hardware random 
faults.

Periodical core self-test software - LAT_SM_1

As the major part of the safety mechanism described in this safety manual is implemented 
by software, the periodical core self-test software execution able to detect faults in the 
STM8 CPU acts as safety mechanism for latent faults. For implementation details refer to 
the description of 

CPU_SM_0 

safety mechanism.

3.6.23 

Disable and periodic cross-check of unintentional activation

 

of unused  peripherals

This section reports the safety mechanism that addresses peripherals not used by the 
safety application, or not used at all.

Unused peripherals disable - FFI_SM_0

This method contributes to the reduction of the probability of cross-interferences caused by 
peripherals not used by the software application. It is implemented by end users, taking 
care of disabling by software (for instance during the system boot) each peripheral that is 
not used.

Periodical read-back of interference avoidance registers - FFI_SM_1

This method contributes to the reduction of the probability of cross-interferences between 
peripherals that can potentially conflict on the same output pins, including for instance 
unused peripherals (refer to FFI_SM_0). This diagnostic measure executes a periodical 

Summary of Contents for STM8AF6166

Page 1: ...x and STM8AF6166 68 high density devices with 32 to 128 Kbytes of Flash memory STM8AF6269 8x Ax and STM8AF6178 99 9A the STM8AF52 line STM8AF automotive MCUs with CAN high density devices with 32 to 128 Kbytes of Flash memory STM8AF52xx and STM8AF51xx System designers can avoid going into the details of the ISO26262 functional safety standard application to the STM8AF microcontrollers by following...

Page 2: ...target safety metrics ASIL SPFM LFM and PMHF 11 3 3 2 The assumed target time intervals FTTI and MPFDI 12 3 4 Electrical specifications and environment limits 13 3 5 Systematic safety integrity 13 3 6 Safety mechanisms measures 13 3 6 1 STM8AF core 13 3 6 2 Program Flash memory 15 3 6 3 Data EEPROM 16 3 6 4 RAM 16 3 6 5 Boot ROM 17 3 6 6 Basic enhanced CAN beCAN 18 3 6 7 LINUART 18 3 6 8 USART 19 ...

Page 3: ...of unintentional activation of unused peripherals 28 3 7 Assumption of use AoU 29 3 7 1 List of AoUs 29 4 Safety analysis results 33 4 1 Hardware random failure analysis 33 4 1 1 Safety analysis result customization 34 4 1 2 General requirements for FFI freedom from interferences 34 4 2 Dependent failures analysis 35 4 2 1 Power supply 35 4 2 2 Clock 35 5 List of evidences 36 Appendix A Change imp...

Page 4: ...rget safety metric values at the item level 11 Table 4 List of safety mechanisms 29 Table 5 List of general requirements for FFI 34 Table 6 Some reference architectures for IEC 61508 38 Table 7 Mapping between this document content and IEC 61508 2 Annex D requirements 40 Table 8 IEC 61508 work product grid 41 Table 9 Document revision history 42 ...

Page 5: ...res 5 List of figures Figure 1 Definition of the STM8AF as a SEooC 10 Figure 2 Relationship between assumptions and SEooC development 10 Figure 3 STM8AF FTTI allocation and cycle time 12 Figure 4 Correlation matrix between SIL and ASIL 38 ...

Page 6: ...se failure COTS Commercial off the shelf CPU Central processing unit CRC Cyclic redundancy check DC Diagnostic coverage DTI Diagnostic test interval FIT Failure in time FTTI Fault tolerant time interval FMEA Failure mode effect analysis FMEDA Failure mode effect diagnostic analysis HFT Hardware fault tolerance HW Hardware INTC Interrupt controller LFM Latent fault metric MCU Microcontroller unit M...

Page 7: ...8 1 7 IEC 2010 1 4 Annexes UM2138 is a collection of FMEDA snapshots It is a static document reporting the safety metrics computed for different detail levels at microcontroller level and for microcontroller basic functions for a given combination of safety mechanisms a given set of assumptions and for a given part number If a FMEDA computation sheet is needed contact your local STMicroelectronics...

Page 8: ...s in order to achieve the required quality levels and product stability Automotive safety a subset of the automotive domain ST uses as a reference the ISO 26262 Road vehicles Functional safety standard ST supports customer inquiries regarding product failure rates and FMEDA to support hardware system compliance to established safety goals ST provides products that are safe in their intended use wo...

Page 9: ...buted development Assumptions are made both on the requirements including safety requirements on the element at higher levels of design and also on the design external to the element In a safety context these elements can be developed as a Safety Element out of Context SEooC as described in ISO 26262 10 Clause 9 According to ISO 26262 a safety element out of context SEooC is a safety related eleme...

Page 10: ...ncluding external interfaces Figure 2 Figure 2 Relationship between assumptions and SEooC development The validity of the aforementioned assumptions is checked in the context of the actual item after the integration of the SEooC In this document it is assumed that the concept specification the hazard and risk analysis the overall safety requirement specification and the consequent allocation have ...

Page 11: ...f 250 msec 1 1 FTTI value is used for reference only The end user shall verify that the FTTI value of the final application is compatible with the requirements in terms of execution of periodical software based test refer to Section 3 6 AR07 It is assumed that the STM8AF implements a safe state defined as one in which either the application software running on the MCU is informed of the presence o...

Page 12: ...ult before it can contribute to a multiple point failure From a system point of view the STM8AF MCU is a safety related element to which a portion of the FTTI system budget is associated As shown in Figure 3 the portion of FTTI assigned to a SEooC in this case the STM8AF strongly depends on the application Figure 3 STM8AF FTTI allocation and cycle time In this document according to ISO 26262 10 9 ...

Page 13: ...liar with the STM8AF architecture and that this document is used in conjunction with the related device datasheet user manual and reference information Therefore in order to avoid any mistake and reduce the amount of information to be shown no functional details are included in this document Note that the part numbers of the STM8AF Series represent different combinations of peripherals for instanc...

Page 14: ...on from the expected behavior Linking this mechanism to watchdog firing assures that severe loss of control or in the worst case a program counter hang up is detected within DTI This diagnostic measure also contributes to the transient fault detection affecting the program counter and branch execution subpart in STM8AFcore The guidelines for the implementation of the method are the following The d...

Page 15: ...s required to address faults affecting the CPU register bank This method is based on source code modification introducing information redundancy in register passed information to the called functions The guidelines for the implementation of the method are the following Pass also the redundant copy of the passed parameters values possibly inverted and execute a coherence check in the function Pass ...

Page 16: ...erence checks before use organize data in arrays and compute and check checksum field before use Due to their nature data stored in EEPROM are typically managed directly by the end user application software therefore it is reasonable to rely on methods implemented in the final software solution Software read back after write operation EEP_SM_1 To address missing writes on EEPROM cells it is requir...

Page 17: ...wrong value read in the RAM affects the safety functions are well identified and documented The arithmetic computation and or decision based on such variables are is executed twice and the two final results are compared Non numeric variables uses enumerated type constant values for coding avoiding trivial patterns all 0x00 or all 0xFF application software checks for consistence the value assumed b...

Page 18: ...udes the end to end safing For the implementation of redundant information it is possible to adopt a different approach Multiple sending of the same message with comparison of the received results Addition by the sender of a checksum field to the message to be verified by the receiver In case the checksum field approach is adopted the selection of the algorithm for checksum computation ensures a s...

Page 19: ...sage corruption as that ensured by a full redundancy Theoretical demonstrations on coverage capability are admitted the use of CRC coding is anyway suggested The above reported approaches are equivalent an additional criterion for the selection of the approach is the availability of a quick hardware support on the MCU platform and the evaluation of the computation capability of the external device...

Page 20: ...ion registers of I2C respect to their expected value previously stored in RAM and adequately updated after each configuration change It mainly addresses transient faults affecting the configuration registers detecting bit flips The registers test is executed at least once per DTI Protocol error signals IIC_SM_1 The I2C protocol errors signals despite being conceived to detect physical layer relate...

Page 21: ...mation technique is used to protect the SPI communications by detecting both the permanent and transient faults There are two different approaches to implement this method multiple sending of the same message with comparison of the received results addition by the sender of a checksum field to the message to be verified by the receiver In case the checksum field approach is adopted the selection o...

Page 22: ...n opposite direction versus the load supply may indicate a fault in the acquisition module As the ADC module is shared between different possible external sources the combination of plausibility checks on the different signals acquired helps to cover the whole input range in a very efficient way Note The implementation of this safety mechanism is strongly application dependent Periodical software ...

Page 23: ... application level To reduce the potential effect of the common cause failure it is suggested for redundancy to use a channel belonging to a different timer module and mapped to not adjacent pins on the device package Loop back scheme for PWM outputs TIM_SM_3 This method uses a loop back scheme to detect permanent and transient faults on the timer channels used for output waveform generations outp...

Page 24: ...ect to their expected values previously stored in RAM and adequately updated after each configuration change It mainly addresses transient faults affecting the configuration registers detecting bit flips The registers test is executed at least once per DTI Dual channel redundancy for input GPIO lines GPIO_SM_1 To address both permanent and transient faults on GPIO lines used as input it is require...

Page 25: ...configuration registers executes a periodical check of the configuration registers of the Power control logic respect to their expected values previously stored in RAM and adequately updated after each configuration change It mainly addresses transient faults affecting the configuration registers detecting bit flips The registers test is executed at least once per DTI Supply voltage monitoring VSU...

Page 26: ...tion of the IWDG window for the key value write by the application software leading to a system reset Note that the efficiency of this safety mechanism is strongly dependent on the correct window setting and handling for the IWDG The refresh of the IWDG has to be implemented to bring alteration of the program flow able to bypass the time window limit 3 6 18 Auto wakeup timer AWU The AWU is used to...

Page 27: ...configuration registers INTC _SM_0 This diagnostic measure typically referred to as Read back periodic by software of configuration registers is implemented by executing a periodical check of the configuration registers of each used system peripheral respect to its expected value previously stored in RAM and adequately updated after each configuration change It mainly addresses the transient fault...

Page 28: ...h safety mechanism implemented as periodical software testing runs on the CPU Possible faults in the safety mechanism are therefore faults in the support for the execution that is the CPU The independent watchdog is considered here as safety mechanism addressing the program counter failures due to the CPU hardware random faults Periodical core self test software LAT_SM_1 As the major part of the s...

Page 29: ...STM8AF MCU system integrator The following table lists the assumptions of use and for each of them shows the degree of recommendation using the typical ISO 26262 coding in order to keep the text consistent with the standard and to facilitate their interpretation by the user For each AoU the degree of recommendation to use the corresponding method depends on the ASIL and is categorized as follows i...

Page 30: ...col error signals X X CAN_SM_2 Information redundancy techniques on messages including End to End safing X X LINUART LINUART_SM_0 Periodical read back of configuration registers X LINUART_SM_1 Protocol error signals X X LINUART_SM_2 Information redundancy techniques on messages X X UART UART_SM_0 Periodical read back of configuration registers X X UART_SM_1 Protocol error signals X X UART_SM_2 Inf...

Page 31: ...PIO lines X X GPIO_SM_2 Loop back scheme for output GPIO lines X X GPIO_SM_3 GPIO port configuration lock register Address and Data bus BUS_SM_0 Periodical software test for interconnections X BUS_SM_1 Information redundancy in intra chip data exchanges X X Supplyvoltage system VSUP_SM_0 Periodical read back of configuration registers X X VSUP_SM_1 Supply voltage monitoring X VSUP_SM_2 Independent...

Page 32: ...BG_SM_0 Independent watchdog X X Interrupt controller INTC_SM_0 Periodical read back of configuration registers X X INTC_SM_1 Expected and unexpected interrupt check by application software X X Software based safety LAT_SM_0 Independentwatchdog X LAT_SM_1 Periodical core self test software X Part separation no interference FFI_SM_0 Unused peripherals disable FFI_SM_1 Periodical read back of interf...

Page 33: ...r of the manufacturing process operational procedures documentation or other relevant factors As mentioned before the target for the safety functions is ASILB therefore every consideration about absolute and relative safety metrics takes ASILB targets It is worth to recap here that ASILB report as target limits 90 for SPF overall system and 100 FIT for PMHF 100 FIT is indeed the overall budget ava...

Page 34: ...ntra MCU interferences Table 5 The end user is allowed for non safety related parts to do the following discard the part contribution from metrics computations in FMEDA not implement the related safety mechanisms listed in Table 3 See 1 for more information 4 1 2 General requirements for FFI freedom from interferences A dedicated analysis has highlighted a list of general requirements to be follow...

Page 35: ...ing safety mechanisms address and mitigate those dependent failures VSUP_SM_1 detection of abnormal value of supply voltage VSUP_SM_2 the independent watchdog has a different supply source from the digital core of the MCU and this diversity helps to mitigate dependent failures related to the main supply alterations The adoption of such safety mechanisms is therefore strongly recommended despite th...

Page 36: ...es The Safety case stores all the information related to the safety analysis performed to derive the results and conclusions reported in this safety manual These contents are not public but can be made available for possible competent bodies audit and inspections ...

Page 37: ...O 26262 compliance activity The safety standard examined within this change impact analysis is the following IEC 61508 1 7 ed 2 IEC 2010 Functional safety of electrical electronic programmable electronic safety related systems A 1 IEC 61508 The IEC 61508 is the international norm for functional safety of electrical electronic programmable electronic E E PE safety related systems The ISO 26262 stan...

Page 38: ...EC 61508 6 Annex B requires representing a safety system by means of subsystem block diagram and representing each subsystem as one or more 1oo1 1oo2 2oo2 1oo2D 1oo3 or 2oo3 voted groups In principle the safety architectures targeted in this document can be mapped to 1oo1 or 1oo1d if HFT 0 is selected or 1oo2 or 1oo2d if HFT 1 if selected see Table 6 06 9 6DIHW QWHJULW HYHO 6 62 XWRPRWLYH 6DIHW QW...

Page 39: ...s are Not Applicable as IEC 61508 does not define this metric Considering the metrics computation the main differences between IEC 61508 and ISO 26262 are related to how the safe faults are computed and how the failure rate of diagnostic is computed with the mission The differences in failure rates related to hardware diagnostics are assumed to be negligible hardware native safety failures in STM8...

Page 40: ...m Section 3 7 Assumption of use AoU D2 2 b for every failure mode in a an estimated failure rate D2 2 c the failure modes of the compliant item due to random hardware failures that result in a failure of the function and that are detected by diagnostics internal to the compliant item D2 2 d the failure modes of the diagnostics internal to the compliant item due to random hardware failures that res...

Page 41: ...fety integrity 7 2 3 3 Safety validation planning 7 3 2 Validation plan 6 5 3 End user responsibility E E PE system design and development 7 4 2 to 7 4 11 System design 7 5 1 to 7 5 4 Integration 7 5 2 Item integration and testing planIntegrationtesting specification s Integration testing report s 8 5 1 to 8 5 3 E E PE system installation commissioning operation and maintenance procedures 7 6 2 E ...

Page 42: ...is for other safety standards and its subsections Updated Table 2 List of STM8AF assumed requirements Table 4 List of safety mechanisms Table 6 Some reference architectures for IEC 61508 and Table 8 IEC 61508 work product grid Updated Figure 1 Definition of the STM8AF as a SEooC Figure 2 Relationship between assumptions and SEooC development Figure 3 STM8AF FTTI allocation and cycle time and Figur...

Page 43: ...e liable to you for any direct indirect consequential exemplary incidental punitive or other damages including lost profits arising from or relating to your reliance upon or use of this document Purchasers should obtain the latest relevant information on ST products before placing orders ST products are sold pursuant to ST s terms and conditions of sale in place at the time of order acknowledgment...

Reviews:

No comments