St Stm8af6223 User manual

July 2015 DocID028066 Rev 1 1/59

UM1915

User Manual

STM8AF Safety Manual

Introduction

The STM8A is a family of microcontrollers designed for automotive applications, with different

memory

densities, packages and peripherals.

This document describes how to use the STM8AF series of microcontrollers in the context of

a safety-related system (STM8A-SafeASIL functional safety package), specifying the user's

responsibilities for installation and operation, in order to reach the targeted

safety integrity

level.

This manual applies to the following STM8AF series:

The STM8AF62 line that is the mainstay of the automotive STM8A 8 bit MCU:

– The low density devices with 8 Kbytes of Flash memory:

STM8AF6223/26

– The medium density with 16 to 32 Kbytes of Flash memory

STM8AF624x,

STM8AF6266/68, STM8AF612x/4x and STM8AF6166/68

– The high density devices with 32 to 128 Kbytes of Flash memory:

STM8AF6269/8x/Ax and STM8AF6178/99/9A

The STM8AF52 line: STM8AF automotive MCUs with CAN:

– The high density devices with 32 to 128 Kbytes of Flash memory: STM8AF52xx and

STM8AF51xx

If the STM8AF microcontrollers are used in adherence to this manual, the system designer

can avoid

going into the details of the functional safety design and validation, to give an

estimation about the impact to

the overall safety function.

This manual is written in compliance with ISO 26262. It also indicates how to use the

STM8AF MCUs in

the context of other functional safety standards such as IEC 61508. This

manual and FMEDA data were

developed in cooperation with the safety expertise company

YOGITECH, using their fault Robust

Methodology(fRMethodology).

The safety analysis summarized in this manual, takes into account the variation in terms of

memory size, number of internal peripherals and the different packages available among

the different part numbers of the STM8A microcontrollers family.

This manual has to be read along with the technical documentation on related part numbers

available on www.st.com/stm8.

www.st.com

Content UM1915

2/59 DocID028066 Rev 1

Content

1 About this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

1.1 Purpose and scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

1.2 Terms and abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

1.3 Reference normative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

1.4 Annexes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2 STM8AFxxxx device development process . . . . . . . . . . . . . . . . . . . . . . 9

2.1 STMicroelectronics standard development process . . . . . . . . . . . . . . . . . . 9

2.2 YOGITECH fRMethodology process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3 STM8AF Safety Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3.1.1 Definition of the Safety Element out of Context . . . . . . . . . . . . . . . . . . . 10

3.2 STM8AF as a SEooC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3.3 Assumed safety requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

3.3.1 The target safety metrics (ASIL, SPFM, LFM and PMHF) . . . . . . . . . . . 12

3.3.2 The assumed target time intervals (FTTI and MPFDI) . . . . . . . . . . . . . . 13

3.4 Electrical specifications and environment limits . . . . . . . . . . . . . . . . . . . . 14

3.5 Systematic safety integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3.6 Safety mechanisms/measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3.6.1 STM8A CORE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3.6.2 Program FLASH memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3.6.3 Data EEPROM memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

3.6.4 RAM memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

3.6.5 Boot ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.6.6 Basic enhanced CAN (beCAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.6.7 LINUART . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

3.6.8 USART . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

3.6.9 I2C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3.6.10 SPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3.6.11 Analog to Digital Converter (ADC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.6.12 Basic timer (TIM 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

3.6.13 GPIO – PORT A/B/C/D/E/F/G/H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

DocID028066 Rev 1 3/59

UM1915 Content

3.6.14 Address and Data bus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

3.6.15 Supply voltage system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

3.6.16 Reset and Clock control subsystems . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

3.6.17 Auto-wakeup timer (AWU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

3.6.18 Watchdogs (IWDG, WWDG) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

3.6.19 Debug/ SWIM (single wire interface module) . . . . . . . . . . . . . . . . . . . . 29

3.6.20 Interrupt controller (NVIC and EXTI) . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

3.6.21 Latent fault detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

3.6.22 Disable and periodic cross-check of unintentional activation of unused

peripherals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

3.7 Assumption of Use (AoU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

3.7.1 List of Assumptions of Use (AoU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

4 Safety Analysis Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

4.1 Hardware random failure analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

4.1.1 Safety analysis result customization . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

4.1.2 General requirements for Freedom From Interferences (FFI) . . . . . . . . 36

4.2 Dependent failures analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

4.2.1 Power supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

4.2.2 Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

5 List of evidences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Appendix A Appendix A Overview of fRMethodology . . . . . . . . . . . . . . . . . . . . 40

A.1 The essence of fRMethodology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

A.2 fRMethodology and its flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

A.3 fRTools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Appendix B Appendix B Change impact analysis for other safety standards . 44

B.1 IEC 60730-1:2010 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

B.2 Architectural categories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

B.3 Safety metrics recomputation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

B.4 Work products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

B.5 IEC 61508 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

B.6 Architectural categories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

B.7 Safety metrics re-computation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Content UM1915

4/59 DocID028066 Rev 1

B.8 Work products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

6 Revision history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

DocID028066 Rev 1 5/59

UM1915 List of Tables

List of Tables

Table 1. Terms and abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Table 2. List of STM8AF Assumed Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Table 3. Target safety metric values at the item level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Table 4. List of safety mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Table 5. List of general requirements for FFI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Table 6. Level of detail in fRMethodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Table 7. IEC 60730 required safety mechanism for Class B/C compliance. . . . . . . . . . . . . . . . . . . 46

Table 8. IEC 60730 work product grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Table 9. Some reference architectures for IEC 61508. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Table 10. Mapping between this document content and IEC 61508-2 Annex D

requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Table 11. IEC 61508 work product grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Table 12. Document revision history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

List of Figures UM1915

6/59 DocID028066 Rev 1

List of Figures

Figure 1. Definition of the STM8AF as a SEooC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Figure 2. Relationship between assumptions and SEooC development . . . . . . . . . . . . . . . . . . . . . . 11

Figure 3. STM8AF FTTI allocation and cycle time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Figure 4. The fRMethodology flow for ISO 26262 and IEC 61508. . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Figure 5. Overview of the YOGITECH fRTool suite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Figure 6. Correlation matrix between SIL and ASIL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

DocID028066 Rev 1 7/59

UM1915 About this document

1 About this document

1.1 Purpose and scope

This document describes how to use the STM8AF microcontrollers in the context of a



safety-related system, specifying the user's responsibilities for installation and operation, in

order to reach the desired safety integrity level.

This document is useful to system designers willing evaluate the safety of their solution.

1.2 Terms and abbreviations

Table 1. Terms and abbreviations

Acronym Definition

AoU Assumptions to Use

ASIL Automotive Safety Integrity Level

CCF Common Cause Failure

COTS Commercial Off-the-Shelf

CPU Central Processing Unit

CRC Cyclic Redundancy Check

DC Diagnostic Coverage

DTI Diagnostic Test Interval

FIT Failure In Time

FTTI Fault Tolerant Time Interval

FMEA Failure Mode Effect Analysis

FMEDA Failure Mode Effect Diagnostic Analysis

HFT Hardware Fault Tolerance

HW Hardware

INTC Interrupt Controller

LFM Latent Fault Metric

MCU Microcontroller Unit

MPF Multiple Point Failures

MPFDI Multiple Point Fault Detection Interval

NVIC Nested vector interrupt controller

PMHF Probabilistic Metric for random Hardware Failures

QM Quality Management

SFF Safe Failure Fraction

SIL Safety Integrity level

SEooC Safety Element Out of Context

SPF Single Point Fault

About this document UM1915

8/59 DocID028066 Rev 1

1.3 Reference normative

This document is written in compliance with the ISO 26262 international standard for

functional safety of electrical and/or electronic (E/E) systems within road vehicles.

The versions used as reference are:

ISO/IS 26262-1 – 9 :2011(E)

ISO/IS 26262-10:2012(E)

This Safety Manual follows the list of recommended contents in Annex A, clause A.3.10 of

ISO 26262-10.

The other functional safety standards considered in this manual are the following:

IEC 61508:1-7 © IEC:2010

IEC 60730-1:2010, ed. 4.0

1.4 Annexes

Annex 1. “STM8AF FMEDA snapshot handling Application Note”:

it provides clarifications, guidelines and examples on how to handle the Failure Mode

Effect Diagnostic Analysis (FMEDA) outcomes related to STM8AF microcontroller

family

Annex 2. “STM8AF FMEDA snapshot”:

it summarizes the common results of FMEDA activities

it provides all the necessary information, which will allow the reader to understand

how

to combine different scenarios, by using the FMEDA outcomes and to evaluate

the

costs and benefits at system-level.

SPFM Single Point Fault Metric

SW Software

Table 1. Terms and abbreviations (continued)

Acronym Definition

DocID028066 Rev 1 9/59

UM1915 STM8AFxxxx device development process

2 STM8AFxxxx device development process

The development process of a microelectronic device that is used in safety critical

application, takes into account the adequate management, to reduce the probability of

systematic faults, introduced during the design phase.

ISO 26262-10 Annex A (“A.3.7: Example of techniques or measures to detect or avoid

systematic failures during design of a microcontroller”) acts as a guidance in tailoring the

microcontroller standard design and manufacturer process to the compliance of the

ISO

26262 requirements. The checklist reported in the named Annex A (Table A.8) helps to

collect all related evidences of a given real process.

2.1 STMicroelectronics standard development process

STMicroelectronics (ST) serves four industry domains:

Standard products

Automotive products: ST automotive products are AEC-Q100 compliant. They are

submitted to a specific stress testing activity and processing instructions, in order to

achieve the

required quality levels and product stability

Automotive safety: a subset of the automotive domain. ST uses, as a reference, the

ISO 26262 Road vehicles functional safety standard. ST supports customers’ inquiries,

regarding product failure rates and FMEDA, to support hardware system compliance to

established safety goals. ST provides products that are safe in their intended use,

working in cooperation with customers, to understand the mission profile, adopt

common methods and define countermeasures for residual risks

Medical products: ST complies with applicable regulations for medical products and

applies due diligence in the development and validation of these products

STMicroelectronics product development process, compliant with the ISO/TS 16949

standard, is a set of interrelated activities dedicated to transform a customer specification

and a market or industry domain requirements into a semiconductor device with all its

associated elements (package, module, sub-system, application, hardware, software and

documentation), qualified respecting ST internal procedures and able to be manufactured,

using ST internal or subcontracted technologies.

2.2 YOGITECH fRMethodology process

YOGITECH fRMethodology is the “white-box” approach for safety design exploration.

It is

proprietary of YOGITECH, including tools and methodology for FMEA/FTA analysis and

fault injection of integrated circuits. Appendix A Overview of fRMethodology reports

additional information.

YOGITECH contribution to ISO 26262 compliance of STMicroelectronics development

process can be summarized in failure rate estimation, based on multiple industry standards

as well as STMicroelectronics manufacturing data.

STM8AF Safety Architecture UM1915

10/59 DocID028066 Rev 1

3 STM8AF Safety Architecture

This section describes the safety architectures that could be implemented, using the

STM8AF microcontroller for automotive applications.

3.1 Introduction

The STM8AF microcontroller described in this document is a Safety Element out of Context

(SEooC), that is, a safety element that can be used in different safety applications.

The aim of this section is to define the context of the analysis, in terms of assumptions with

respect to reference safety requirements as well as assumptions with respect to the design

external to that SEooC.

As a consequence of the SEooC approach, the goal is not to provide an exhaustive hazard

and risk analysis of the system around the microcontroller, but rather to list the



system-related information (such as the application-related assumptions for dangerousness

factors, frequency of failures and diagnostic coverage already guaranteed by the

application), that have been considered during the consecutive steps of the analysis.

3.1.1 Definition of the Safety Element out of Context

The automotive industry develops generic elements for different applications and for

different customers. These generic elements can be developed concurrently and by

different companies in different tiers of the supply chain, as a distributed development.

Assumptions are made both on the requirements (including safety requirements) on the

element at higher levels of design and also on the design external to the element.

In a safety context, these elements can be developed as a “Safety Element out of Context”

(SEooC), as described in ISO 26262-10, Clause 9.

According to ISO 26262, a “safety element out of context (SEooC)” is a safety-related

element that is not developed for a specific item (i.e. in the context of a particular vehicle). A

SEooC can be a system, an array of systems, a subsystem, a software component or a

hardware component.

This document considers the STM8AF as a SEooC, which is required to have an ASIL

capability, up to and including ASIL level B (i.e. it is to be used in an ASIL level A and ASIL

level B

environment).

3.2 STM8AF as a SEooC

The STM8AF is a general purpose RISC microcontroller, suitable for embedded

applications

and, in particular, for safety related applications.

For a detailed description of the STM8AF functionality refers to the microcontroller technical

reference manual (RM0016).

In this document, the SEooC is identified as the STM8AF microcontroller (MCU),

references

as a functional block inserted in a system defined by the following Figure 1: Definition of the

STM8AF as a SEooC. The

MCU acts as the processing unit of the system, acquiring field

data from sensors,

processing according to the implemented algorithm and taking

This manual suits for next models

Table of contents

Other ST Controllers manuals

ST L6917BD User manual

ST STM32F101 series User manual

ST STNRG011A User manual

ST STEVAL-IAS001V1 User manual

ST STM32MP13-ETZPC User manual

ST UM2520 User manual

ST ST7735R User manual

ST Sitronix ST7038 User manual

ST EVLSPIN32G4-ACT User manual

ST ST5-Q User manual

ST STEVAL-ESC002V1 User manual

ST STEVAL-IHM037V1 User manual

ST STEVAL-A6983NV1 User manual

ST STM32F101xx series User manual

ST P-NUCLEO-IHM001 User manual

ST STM32W-SK User manual

ST STM32F101xx series Owner's manual

ST ST-PMC1 User manual

Popular Controllers manuals by other brands

Sunricher

Sunricher SR-ZV9003T3-RGBW-US Installation

Ksenia

Ksenia intro Installation and configuration manual

Inovance

Inovance CAN200 Series manual

Gauzy

Gauzy LC6 FLEX Controller Installation and operation guide

Viking

Viking SLP-1 Technical practice

CKD

CKD KBX-30E-U Series instruction manual

Sharp Energy

Sharp Energy Sun Flux User manual & installation guide

Yamaha

Yamaha RCX40 user manual

AB Quality

AB Quality PowerFlex 400 Frames D-H Service bulletin

Yamaha

Yamaha MJC8 owner's manual

AL-KO

AL-KO ATC operating instructions

Savant

Savant SmartControl 2 Deployment guide

GameSir

GameSir T3S user manual

Kostal

Kostal inveor operating manual

Emerson

Emerson Yarway 20-55 Operating and safety instructions

CoCo

CoCo ACM-LV24 Quick installation guide

Brooks

Brooks SLA5810/20 Installation and operation manual

SIGMA TEK

SIGMA TEK SR 011 Technical manual

ST STM8AF6223 User manual

Popular Controllers manuals by other brands