manualshive.com logo in svg

ST STM8AF6166, Руководство пользователя, Страница: 14 / 43

Поделиться
Скачать
ST STM8AF6166 Скачать руководство пользователя страница 14

STM8AF safety architecture

UM1915

14/43

UM1915 Rev 3

processing unit (CPU) is tested for functional correctness by applying at least one 
pattern per instruction. The testing of the same class of instruction with multiple not-trivial 
patterns in order to involve each operand’s input and output bits, at least once equal to “0” 
e once equal to “1”, is high recommended. The accumulation by means of not-trivial 
computation (e.g. XOR) of the single instruction test result on the basis of the concept of 
signature is high recommended. The safety analysis of the CPU hardware has shown that 
a stress-test for the pipeline structure is high recommended.

The overall test software suite is assumed to be periodically executed with a time period 
compatible with the ISO 26262 requirements for the relationship between FTTI and the 
diagnostic test interval (DTI).

Control flow monitoring in application software - CPU_SM_1

A significant part of the failure distribution of STM8AFcore for permanent faults is related to 
failure modes directly related to program counter loss of control or hang-up. Due to their 
intrinsic nature, such failure modes are not addressed by a standard software test method 
based on the execution of sequences of instruction/data access and consequent checks. 
Therefore it is necessary to implement a run-time control of the application software flow, in 
order to monitor and detect deviation from the expected behavior. Linking this mechanism 
to watchdog firing assures that severe loss of control (or, in the worst case, a program 
counter hang-up) is detected within DTI.

This diagnostic measure also contributes to the transient fault detection affecting the 
program counter and branch execution subpart in STM8AFcore.

The guidelines for the implementation of the method are the following:

The different internal states of the application software is well documented and 
described (the use of a dynamic state transition graph is encouraged).

The monitoring of the correctness of each transition between different states of  the 
application software is implemented.

The transition through all expected states during the normal application software 
program loop is checked.

The function in charge of triggering the system watchdog is implemented in order  to 
constrain the triggering (preventing the watchdog reset) also to the correct 
execution of the above-described method for program flow monitoring.

The use of the window feature of the independent watchdog (IWDG) or an external one 
helps to implement a more robust control flow mechanism fed by a different clock source. 
In any case the safety metrics do not depend on the watchdog in use (the adoption of 
independent or external watchdog contributes to the mitigation of dependent failures, see 

Section 4.2.2: Clock

).

Double computation in application software - CPU_SM_2

A timing redundancy for safety-related computation is considered to detect transient faults 
affecting the STM8AFsubparts devoted to mathematical computations and data access.

Содержание STM8AF6166

Страница 1: ...x and STM8AF6166 68 high density devices with 32 to 128 Kbytes of Flash memory STM8AF6269 8x Ax and STM8AF6178 99 9A the STM8AF52 line STM8AF automotive MCUs with CAN high density devices with 32 to 128 Kbytes of Flash memory STM8AF52xx and STM8AF51xx System designers can avoid going into the details of the ISO26262 functional safety standard application to the STM8AF microcontrollers by following...

Страница 2: ...target safety metrics ASIL SPFM LFM and PMHF 11 3 3 2 The assumed target time intervals FTTI and MPFDI 12 3 4 Electrical specifications and environment limits 13 3 5 Systematic safety integrity 13 3 6 Safety mechanisms measures 13 3 6 1 STM8AF core 13 3 6 2 Program Flash memory 15 3 6 3 Data EEPROM 16 3 6 4 RAM 16 3 6 5 Boot ROM 17 3 6 6 Basic enhanced CAN beCAN 18 3 6 7 LINUART 18 3 6 8 USART 19 ...

Страница 3: ...of unintentional activation of unused peripherals 28 3 7 Assumption of use AoU 29 3 7 1 List of AoUs 29 4 Safety analysis results 33 4 1 Hardware random failure analysis 33 4 1 1 Safety analysis result customization 34 4 1 2 General requirements for FFI freedom from interferences 34 4 2 Dependent failures analysis 35 4 2 1 Power supply 35 4 2 2 Clock 35 5 List of evidences 36 Appendix A Change imp...

Страница 4: ...rget safety metric values at the item level 11 Table 4 List of safety mechanisms 29 Table 5 List of general requirements for FFI 34 Table 6 Some reference architectures for IEC 61508 38 Table 7 Mapping between this document content and IEC 61508 2 Annex D requirements 40 Table 8 IEC 61508 work product grid 41 Table 9 Document revision history 42 ...

Страница 5: ...res 5 List of figures Figure 1 Definition of the STM8AF as a SEooC 10 Figure 2 Relationship between assumptions and SEooC development 10 Figure 3 STM8AF FTTI allocation and cycle time 12 Figure 4 Correlation matrix between SIL and ASIL 38 ...

Страница 6: ...se failure COTS Commercial off the shelf CPU Central processing unit CRC Cyclic redundancy check DC Diagnostic coverage DTI Diagnostic test interval FIT Failure in time FTTI Fault tolerant time interval FMEA Failure mode effect analysis FMEDA Failure mode effect diagnostic analysis HFT Hardware fault tolerance HW Hardware INTC Interrupt controller LFM Latent fault metric MCU Microcontroller unit M...

Страница 7: ...8 1 7 IEC 2010 1 4 Annexes UM2138 is a collection of FMEDA snapshots It is a static document reporting the safety metrics computed for different detail levels at microcontroller level and for microcontroller basic functions for a given combination of safety mechanisms a given set of assumptions and for a given part number If a FMEDA computation sheet is needed contact your local STMicroelectronics...

Страница 8: ...s in order to achieve the required quality levels and product stability Automotive safety a subset of the automotive domain ST uses as a reference the ISO 26262 Road vehicles Functional safety standard ST supports customer inquiries regarding product failure rates and FMEDA to support hardware system compliance to established safety goals ST provides products that are safe in their intended use wo...

Страница 9: ...buted development Assumptions are made both on the requirements including safety requirements on the element at higher levels of design and also on the design external to the element In a safety context these elements can be developed as a Safety Element out of Context SEooC as described in ISO 26262 10 Clause 9 According to ISO 26262 a safety element out of context SEooC is a safety related eleme...

Страница 10: ...ncluding external interfaces Figure 2 Figure 2 Relationship between assumptions and SEooC development The validity of the aforementioned assumptions is checked in the context of the actual item after the integration of the SEooC In this document it is assumed that the concept specification the hazard and risk analysis the overall safety requirement specification and the consequent allocation have ...

Страница 11: ...f 250 msec 1 1 FTTI value is used for reference only The end user shall verify that the FTTI value of the final application is compatible with the requirements in terms of execution of periodical software based test refer to Section 3 6 AR07 It is assumed that the STM8AF implements a safe state defined as one in which either the application software running on the MCU is informed of the presence o...

Страница 12: ...ult before it can contribute to a multiple point failure From a system point of view the STM8AF MCU is a safety related element to which a portion of the FTTI system budget is associated As shown in Figure 3 the portion of FTTI assigned to a SEooC in this case the STM8AF strongly depends on the application Figure 3 STM8AF FTTI allocation and cycle time In this document according to ISO 26262 10 9 ...

Страница 13: ...liar with the STM8AF architecture and that this document is used in conjunction with the related device datasheet user manual and reference information Therefore in order to avoid any mistake and reduce the amount of information to be shown no functional details are included in this document Note that the part numbers of the STM8AF Series represent different combinations of peripherals for instanc...

Страница 14: ...on from the expected behavior Linking this mechanism to watchdog firing assures that severe loss of control or in the worst case a program counter hang up is detected within DTI This diagnostic measure also contributes to the transient fault detection affecting the program counter and branch execution subpart in STM8AFcore The guidelines for the implementation of the method are the following The d...

Страница 15: ...s required to address faults affecting the CPU register bank This method is based on source code modification introducing information redundancy in register passed information to the called functions The guidelines for the implementation of the method are the following Pass also the redundant copy of the passed parameters values possibly inverted and execute a coherence check in the function Pass ...

Страница 16: ...erence checks before use organize data in arrays and compute and check checksum field before use Due to their nature data stored in EEPROM are typically managed directly by the end user application software therefore it is reasonable to rely on methods implemented in the final software solution Software read back after write operation EEP_SM_1 To address missing writes on EEPROM cells it is requir...

Страница 17: ...wrong value read in the RAM affects the safety functions are well identified and documented The arithmetic computation and or decision based on such variables are is executed twice and the two final results are compared Non numeric variables uses enumerated type constant values for coding avoiding trivial patterns all 0x00 or all 0xFF application software checks for consistence the value assumed b...

Страница 18: ...udes the end to end safing For the implementation of redundant information it is possible to adopt a different approach Multiple sending of the same message with comparison of the received results Addition by the sender of a checksum field to the message to be verified by the receiver In case the checksum field approach is adopted the selection of the algorithm for checksum computation ensures a s...

Страница 19: ...sage corruption as that ensured by a full redundancy Theoretical demonstrations on coverage capability are admitted the use of CRC coding is anyway suggested The above reported approaches are equivalent an additional criterion for the selection of the approach is the availability of a quick hardware support on the MCU platform and the evaluation of the computation capability of the external device...

Страница 20: ...ion registers of I2C respect to their expected value previously stored in RAM and adequately updated after each configuration change It mainly addresses transient faults affecting the configuration registers detecting bit flips The registers test is executed at least once per DTI Protocol error signals IIC_SM_1 The I2C protocol errors signals despite being conceived to detect physical layer relate...

Страница 21: ...mation technique is used to protect the SPI communications by detecting both the permanent and transient faults There are two different approaches to implement this method multiple sending of the same message with comparison of the received results addition by the sender of a checksum field to the message to be verified by the receiver In case the checksum field approach is adopted the selection o...

Страница 22: ...n opposite direction versus the load supply may indicate a fault in the acquisition module As the ADC module is shared between different possible external sources the combination of plausibility checks on the different signals acquired helps to cover the whole input range in a very efficient way Note The implementation of this safety mechanism is strongly application dependent Periodical software ...

Страница 23: ... application level To reduce the potential effect of the common cause failure it is suggested for redundancy to use a channel belonging to a different timer module and mapped to not adjacent pins on the device package Loop back scheme for PWM outputs TIM_SM_3 This method uses a loop back scheme to detect permanent and transient faults on the timer channels used for output waveform generations outp...

Страница 24: ...ect to their expected values previously stored in RAM and adequately updated after each configuration change It mainly addresses transient faults affecting the configuration registers detecting bit flips The registers test is executed at least once per DTI Dual channel redundancy for input GPIO lines GPIO_SM_1 To address both permanent and transient faults on GPIO lines used as input it is require...

Страница 25: ...configuration registers executes a periodical check of the configuration registers of the Power control logic respect to their expected values previously stored in RAM and adequately updated after each configuration change It mainly addresses transient faults affecting the configuration registers detecting bit flips The registers test is executed at least once per DTI Supply voltage monitoring VSU...

Страница 26: ...tion of the IWDG window for the key value write by the application software leading to a system reset Note that the efficiency of this safety mechanism is strongly dependent on the correct window setting and handling for the IWDG The refresh of the IWDG has to be implemented to bring alteration of the program flow able to bypass the time window limit 3 6 18 Auto wakeup timer AWU The AWU is used to...

Страница 27: ...configuration registers INTC _SM_0 This diagnostic measure typically referred to as Read back periodic by software of configuration registers is implemented by executing a periodical check of the configuration registers of each used system peripheral respect to its expected value previously stored in RAM and adequately updated after each configuration change It mainly addresses the transient fault...

Страница 28: ...h safety mechanism implemented as periodical software testing runs on the CPU Possible faults in the safety mechanism are therefore faults in the support for the execution that is the CPU The independent watchdog is considered here as safety mechanism addressing the program counter failures due to the CPU hardware random faults Periodical core self test software LAT_SM_1 As the major part of the s...

Страница 29: ...STM8AF MCU system integrator The following table lists the assumptions of use and for each of them shows the degree of recommendation using the typical ISO 26262 coding in order to keep the text consistent with the standard and to facilitate their interpretation by the user For each AoU the degree of recommendation to use the corresponding method depends on the ASIL and is categorized as follows i...

Страница 30: ...col error signals X X CAN_SM_2 Information redundancy techniques on messages including End to End safing X X LINUART LINUART_SM_0 Periodical read back of configuration registers X LINUART_SM_1 Protocol error signals X X LINUART_SM_2 Information redundancy techniques on messages X X UART UART_SM_0 Periodical read back of configuration registers X X UART_SM_1 Protocol error signals X X UART_SM_2 Inf...

Страница 31: ...PIO lines X X GPIO_SM_2 Loop back scheme for output GPIO lines X X GPIO_SM_3 GPIO port configuration lock register Address and Data bus BUS_SM_0 Periodical software test for interconnections X BUS_SM_1 Information redundancy in intra chip data exchanges X X Supplyvoltage system VSUP_SM_0 Periodical read back of configuration registers X X VSUP_SM_1 Supply voltage monitoring X VSUP_SM_2 Independent...

Страница 32: ...BG_SM_0 Independent watchdog X X Interrupt controller INTC_SM_0 Periodical read back of configuration registers X X INTC_SM_1 Expected and unexpected interrupt check by application software X X Software based safety LAT_SM_0 Independentwatchdog X LAT_SM_1 Periodical core self test software X Part separation no interference FFI_SM_0 Unused peripherals disable FFI_SM_1 Periodical read back of interf...

Страница 33: ...r of the manufacturing process operational procedures documentation or other relevant factors As mentioned before the target for the safety functions is ASILB therefore every consideration about absolute and relative safety metrics takes ASILB targets It is worth to recap here that ASILB report as target limits 90 for SPF overall system and 100 FIT for PMHF 100 FIT is indeed the overall budget ava...

Страница 34: ...ntra MCU interferences Table 5 The end user is allowed for non safety related parts to do the following discard the part contribution from metrics computations in FMEDA not implement the related safety mechanisms listed in Table 3 See 1 for more information 4 1 2 General requirements for FFI freedom from interferences A dedicated analysis has highlighted a list of general requirements to be follow...

Страница 35: ...ing safety mechanisms address and mitigate those dependent failures VSUP_SM_1 detection of abnormal value of supply voltage VSUP_SM_2 the independent watchdog has a different supply source from the digital core of the MCU and this diversity helps to mitigate dependent failures related to the main supply alterations The adoption of such safety mechanisms is therefore strongly recommended despite th...

Страница 36: ...es The Safety case stores all the information related to the safety analysis performed to derive the results and conclusions reported in this safety manual These contents are not public but can be made available for possible competent bodies audit and inspections ...

Страница 37: ...O 26262 compliance activity The safety standard examined within this change impact analysis is the following IEC 61508 1 7 ed 2 IEC 2010 Functional safety of electrical electronic programmable electronic safety related systems A 1 IEC 61508 The IEC 61508 is the international norm for functional safety of electrical electronic programmable electronic E E PE safety related systems The ISO 26262 stan...

Страница 38: ...EC 61508 6 Annex B requires representing a safety system by means of subsystem block diagram and representing each subsystem as one or more 1oo1 1oo2 2oo2 1oo2D 1oo3 or 2oo3 voted groups In principle the safety architectures targeted in this document can be mapped to 1oo1 or 1oo1d if HFT 0 is selected or 1oo2 or 1oo2d if HFT 1 if selected see Table 6 06 9 6DIHW QWHJULW HYHO 6 62 XWRPRWLYH 6DIHW QW...

Страница 39: ...s are Not Applicable as IEC 61508 does not define this metric Considering the metrics computation the main differences between IEC 61508 and ISO 26262 are related to how the safe faults are computed and how the failure rate of diagnostic is computed with the mission The differences in failure rates related to hardware diagnostics are assumed to be negligible hardware native safety failures in STM8...

Страница 40: ...m Section 3 7 Assumption of use AoU D2 2 b for every failure mode in a an estimated failure rate D2 2 c the failure modes of the compliant item due to random hardware failures that result in a failure of the function and that are detected by diagnostics internal to the compliant item D2 2 d the failure modes of the diagnostics internal to the compliant item due to random hardware failures that res...

Страница 41: ...fety integrity 7 2 3 3 Safety validation planning 7 3 2 Validation plan 6 5 3 End user responsibility E E PE system design and development 7 4 2 to 7 4 11 System design 7 5 1 to 7 5 4 Integration 7 5 2 Item integration and testing planIntegrationtesting specification s Integration testing report s 8 5 1 to 8 5 3 E E PE system installation commissioning operation and maintenance procedures 7 6 2 E ...

Страница 42: ...is for other safety standards and its subsections Updated Table 2 List of STM8AF assumed requirements Table 4 List of safety mechanisms Table 6 Some reference architectures for IEC 61508 and Table 8 IEC 61508 work product grid Updated Figure 1 Definition of the STM8AF as a SEooC Figure 2 Relationship between assumptions and SEooC development Figure 3 STM8AF FTTI allocation and cycle time and Figur...

Страница 43: ...e liable to you for any direct indirect consequential exemplary incidental punitive or other damages including lost profits arising from or relating to your reliance upon or use of this document Purchasers should obtain the latest relevant information on ST products before placing orders ST products are sold pursuant to ST s terms and conditions of sale in place at the time of order acknowledgment...

Отзывы:

Нет отзывов