ST STM32F2 Series User manual

Introduction

This document describes how to use the microcontrollers of the STM32F2 Series in the context of a safety-related system,

specifying the user's responsibilities for installation and operation in order to reach the targeted safety integrity level.

This manual applies to the microcontrollers of the STM32F2 Series and to X-CUBE-STL part number.

System designers can avoid going into the details of the functional safety standards application of the STM32F2 Series by

following the indications reported in this manual.

This manual is written in compliance with IEC 61508. It indicates how to use the STM32F2 Series microcontrollers in the context

of other functional safety standards such as safety machine directives ISO 13849.

The safety analysis summarized in this manual takes into account the variation in terms of memory size, internal peripheral

number and package among the different part numbers of the Arm ® Cortex® -M3 based STM32F2 Series microcontrollers.

This manual has to be read along with the technical documentation for the related part numbers (such as reference manuals

and datasheets) available on www.st.com.

STM32F2 Series safety manual

UM1845

User manual

UM1845 - Rev 4 - August 2018

For further information contact your local STMicroelectronics sales office.

www.st.com

1About this document

1.1 Purpose and scope

This document describes how to use the Arm ® Cortex ® -M3 based STM32F2 Series in the context of a safety-

related system, specifying the user's responsibilities for installation and operation, in order to reach the desired

safety integrity level.

This document is useful to system designers willing evaluate the safety of their solution embedding one or more

STM32F2 Series microcontroller(s).

Note: Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.

1.2 Terms and abbreviations

Abbreviations related to STM32F2 Series hardware modules (like DMA, GPIO etc.) are the same than the ones

used in STM32F2 Series technical documentation. See the following table for a list of acronyms used in this

document.

Table 1. Terms and abbreviations

Acronym Definition

CCF Common cause failure

CM Continuous mode

COTS Commercial off-the-shelf

CoU Conditions of use

CPU Central processing unit

CRC Cyclic redundancy check

DC Diagnostic coverage

DMA Direct memory access

DTI Diagnostic test interval

ECM Engine control module

ECU Electronic control unit

EUC Equipment under control

FIT Failure in time

FMEA Failure mode effect analysis

FMEDA Failure mode effect diagnostic analysis

HD High demand

HFT Hardware fault tolerance

HW Hardware

ITRS International technology roadmap for semiconductors

LD Low demand

MCU Microcontroller unit

MTBF Mean time between failure

UM1845

About this document

UM1845 - Rev 4 page 2/108

Acronym Definition

MTTFd Mean time to failure

NA Not available

PDS(SR) Power drive system (safety related)

PEc Programmable electronics - core

PEd Programmable electronics - diagnostic

PFD Probability of Dangerous Failure on Demand

PFH Probability of failure per hour

PL Performance level

PST Process safety time

SFF Safe failure fraction

SIL Safety integrity level

SRCF Safety-related control function

SRECS Safety-related electrical control systems

SRP/CS Safety-related parts of control systems

SW Software

Read also the following definitions used within this manual:

• End user: the STM32F2 Series final user of that is in charge of integrating the MCU in a real application (for

example an electronic control board).

• Application software: the actual software running on the STM32F2 Series MCUs and implementing the

safety function.

1.3 Reference normative

This document is written in compliance with the IEC 61508 international norm for functional safety of electrical,

electronic and programmable electronic safety-related systems.

The version used as reference is IEC 61508:1-7 © IEC:2010.

The other functional safety standards considered in this manual are the following:

• ISO 26262-1, 2, 3, 4, 5, 6, 7, 8, 9: 2011(E), ISO 26262-10: 2012(E),

• ISO 13849-1:2006, ISO 13849-2:2010,

• IEC 62061:2012-11, ed. 1.1,

• IEC 61800-5-2:2007, ed.1.0,

The following table reports the mapping of this document content with respect to the requirements listed in the

IEC 61508-2 Annex D.

Table 2. Mapping between this document content and IEC 61508-2 Annex D requirements

IEC 61508 requirement (part 2 annex D) Reference

D2.1 a) a functional specification of the functions capable of being performed Section 3

D2.1 b) identification of the hardware and/or software configuration of the compliant item Section 3.2

D2.1 c) constraints on the use of the compliant item or assumptions on which analysis of the behavior or

failure rates of the item are based Section 3.2

UM1845

Reference normative

UM1845 - Rev 4 page 3/108

IEC 61508 requirement (part 2 annex D) Reference

D2.2 a) the failure modes of the compliant item due to random hardware failures, that result in a failure of

the function and that are not detected by diagnostics internal to the compliant item;

Conditions of use

D2.2 b) for every failure mode in a), an estimated failure rate;

D2.2 c) the failure modes of the compliant item due to random hardware failures, that result in a failure of

the function and that are detected by diagnostics internal to the compliant item;

D2.2 d) the failure modes of the diagnostics, internal to the compliant item due to random hardware

failures, that result in a failure of the diagnostics to detect failures of the function;

D2.2 e) for every failure mode in c) and d), the estimated failure rate;

D2.2 f) for every failure mode in c) that is detected by diagnostics internal to the compliant item, the

diagnostic test interval; Section 3.2.2

D2.2 g) for every failure mode in c) the outputs of the compliant item initiated by the internal diagnostics; Section 3.6

D2.2 h) any periodic proof test and/or maintenance requirements;

Conditions of use

D2.2 i) for those failure modes, in respect of a specified function, that are capable of being detected by

external diagnostics, sufficient information must be provided to facilitate the development of an external

diagnostics capability.

D2.2 j) the hardware fault tolerance;

Section 3

D2.2 k) the classification as type A or type B of that part of the compliant item that provides the function

(see 7.4.4.1.2 and 7.4.4.1.3);

The safe failure fraction reported in this manual has been computed under the assumptions described in this

document and especially according to the conditions of use described in Conditions of use.

UM1845

Reference normative

UM1845 - Rev 4 page 4/108

2STM32F2 Series microcontroller development process

The development process of a microelectronic device that is used in safety critical application takes into account

the adequate management to reduce the probability of systematic faults introduced during the design phase.

IEC 61508:2 in Annex F (Techniques and measures for ASICs - avoidance of systematic failures) act as a

guidance in tailoring the microcontroller standard design and manufacturer process to the compliance of the IEC

61508 requirements. The checklist reported in the named Annex F helps to collect all related evidences of a given

real process.

2.1 STMicroelectronics standard development process

STMicroelectronics (ST) serves four industry domains:

• Standard products.

• Automotive products: ST automotive products are AEC-Q100 compliant. They are subject to specific stress

testing and processing instructions in order to achieve the required quality levels and product stability.

• Automotive safety: a subset of the automotive domain. ST uses as a reference the ISO 26262 Road vehicles

Functional safety standard. ST supports customer inquiries regarding product failure rates and FMEDA to

support hardware system compliance to established safety goals. ST provides products that are safe in their

intended use, working in cooperation with customers to understand the mission profile, adopt common

methods and define countermeasures for residual risks.

• Medical products: ST complies with applicable regulations for medical products and applies due diligence in

the development and validation of these products.

STMicroelectronics product development process, compliant with the ISO/TS 16949 standard, is a set of

interrelated activities dedicated to transform customer specification and market or industry domain requirements

into a semiconductor device and all its associated elements (package, module, sub-system, application,

hardware, software and documentation), qualified respecting ST internal procedures and able to be manufactured

using ST internal or subcontracted technologies.

Figure 1. presents a summary of the STMicroelectronics product-development process.

UM1845

STM32F2 Series microcontroller development process

UM1845 - Rev 4 page 5/108

Figure 1. STMicroelectronics product development process

· Key characteristics and

requirements related to future

uses of the device

· Industry domain(s), specific

customer requirements and

definition of controls and tests

needed for compliance

· Product target specification

and strategy

· Project manager

appointment to drive product

development

· Evaluation of the

technologies, design tools

and IPs to be used

· Design objective

specification and product

validation strategy

· Design for quality techniques

(DFD, DFT, DFR, DFM, …)

definition

· Architecture and positioning

to make sure the software

and hardware system

solutions meet the target

specification

· Product approval strategy

and project plan

· Semiconductor design

development

· Hardware and application

development

· Software development

· Analysis of new product

specification to forecast

reliability performance

· Reliability plan, reliability

design rules, prediction of

failure rates for operating life

test using Arrhenius’s law and

other applicable models

· Use of tools and

methodologies such as

APQP, DFM, DFT, DFMEA,

FMKM

· Detection of potential

reliability issues and solution

to overcome them

· Assessment of Engineering

Samples (ES) to identify the

main potential failure

mechanisms

· Statistical analysis of

electrical parameter drifts for

early warning in case of fast

parametric degradation (such

as retention tests)

· Failure analysis on failed

parts to clarify failure modes

and mechanisms and identify

the root causes

· Physical destructive analysis

on good parts after reliability

tests when required

· Electrostatic discharge (ESD)

and latch-up sensitivity

measurement

· Successful completion of

the product qualification

plan

· Secure product deliveries

on advanced technologies

using stress methodologies

to detect potential weak

parts

· Successful completion of

electrical characterization

· Global evaluation of new

product performance to

guarantee reliability of

customer manufacturing

process and final application

of use (mission profile)

· Final disposition for product

test, control and monitoring

1 Conception 3 Qualification

2 Design &

validation

UM1845

STMicroelectronics standard development process

UM1845 - Rev 4 page 6/108

3Reference safety architecture

This section reports the details of the STM32F2 Series safety architecture.

3.1 Safety architecture introduction

The STM32F2 Series microcontroller analyzed in this document can be used as a compliant item within different

safety applications.

The aim of this section is to identify such compliant item and therefore to define the context of the analysis in

terms of assumptions with respect to a reference concept definition. This concept definition includes therefore

reference safety requirements as also assumptions on the design external to the defined compliant item.

As a consequence of compliant item approach, the goal is not to provide an exhaustive hazard and risk analysis

of the system around the microcontroller, but rather to list the system-related information considered during the

analysis. Such information include - among others - application related assumptions for dangerousness factors,

frequency of failures and diagnostic coverage already guaranteed by the application.

3.2 Compliant item

This section includes all the information related to the definition of the compliant item, including its usage in

different safety architecture schemes.

3.2.1 Definition of the compliant item

According to IEC 61508:1 clause 8.2.12, a compliant item is any item (for example an element) on which a claim

is being made with respect to the clauses of IEC 61508 series. With respect to its user, at the end of its

development the compliant item must be described by a safety manual.

In this document, the compliant item is defined as a system including one or two STM32 microcontrollers (MCU)

(see Figure 2.). The communication bus is directly or indirectly connected to sensors and actuators.

Figure 2. Definition of the compliant item

Remote

controller

Remote

controller

Remote

controller

Remote

controller

Sensor

Actuator

Processing element

Compliant item

STM

MCU(s)

Other components might be related to the compliant item, like the external HW components needed to guarantee

either the functionality of the STM32F2 Series (external memory, clock quartz etc) or its safety (for example the

external watchdog, voltage supervisors).

Defined compliant item can be classified as “element” according IEC61508-4, 3.4.5.

3.2.2 Safety functions performed by the compliant item

In essence, the compliant item architecture can be represented as composed by the following processes

performing the safety function or part of it:

• Input processing elements (PEi) reading safety related data from the remote controller connected to the

sensor(s) and transferring them to the following computation elements;

UM1845

Reference safety architecture

UM1845 - Rev 4 page 7/108

• Computation processing elements (PEc) performing the algorithm required by the safety function and

transferring the results to the following output elements;

• Output processing elements (PEo) transferring safety related data to the remote controller connected to the

actuator;

• In the case of the 1oo2 architecture, a further voting processing element (PEv) can be present;

• Processes external to the compliant item are considered to guarantee safety integrity, such as a watchdog

(WDTe) and voltage monitors (VMONe).

The role of the PEv and of the external processes WDTe and VMONe is clarified in the sections where the CoU

(definition of safety mechanism) are detailed:

• WDTe: refer to Independent watchdog – VSUP_SM_2, Control flow monitoring in application software –

CPU_SM_1,

• VMONe: refer to Supply Voltage Monitoring – VSUP_SM_1.

In summary, STM32F2 Series microcontrollers support the implementation of end user safety functions composed

by three operations:

• Safe acquisition of safety related data from input peripheral(s).

• Safe execution of application software program and safe computation of related data.

• Safe transfer of results or decisions to output peripheral(s).

Claims on the compliant item and computation of safety metrics are done with respect to these three basic

operations.

According to above reported definition for implemented safety functions, the compliant item i.e. the element can

be regarded as type B (as per IEC61508-2, 7.4.4.1.2 definition). Despite accurate, exhaustive and detailed failure

analysis has been done for STM32F2 Series, this device has to be considered intrinsically complex and therefore

type B classification is appropriate.

Two main safety architecture are therefore identified: 1oo1 (using one MCU) and 1oo2 (using two MCUs).

3.2.3 Reference safety architectures - 1oo1

In 1oo1 reference architecture (shown in below Figure 3.) the safety integrity of the compliant item is guaranteed

by the combination of STM32F2 Series internal processes (implemented safety mechanisms) and external

processes WDTe and VMONe.

Target for 1oo1 reference architecture is SIL2.

Figure 3. 1oo1 reference architecture

PEc Actuators

WDTe

Sensors

VMONe

PEoPEi

PEd

UM1845

Compliant item

UM1845 - Rev 4 page 8/108

3.2.4 Reference safety architectures - 1oo2

1oo2 reference architecture (shown in below Figure 4.) is composed by two separate channels, each of them

implemented in the same way of 1oo1 reference architecture. Safety integrity of each channel is guaranteed by

the combination of STM32F2 Series internal processes (implemented safety mechanisms) and external

processes WDTe and VMONe. Safety integrity of overall compliant item is guaranteed by the external voter PEv

allowing to claim HFT=1. Achievement of higher safety integrity levels as per IEC61508-2 Table 3 is therefore

possible. Appropriate separation between the two channels (including power supply separation) should be

implemented in order to avoid huge impact of common-cause failures (refer to Section 4.2 Dependent failures

analysis). βD computation is anyway required.

Target for 1oo2 reference architecture is SIL3.

Figure 4. 1oo2 reference architecture

Actuators

Sensors

VMONe

PEc PEoPEi

PEd

WDTeVMONe

PEv

PEc PEoPEi

PEd

WDTe

UM1845

Compliant item

UM1845 - Rev 4 page 9/108

3.3 Assumed requirements

This section collects all assumptions done during the safety analysis of STM32F2 Series microcontrollers

3.3.1 Assumed safety requirements

The concept specification, the hazard and risk analysis, the overall safety requirement specification and the

consequent allocation has determined the requirements for the compliant item (ASR: assumed safety

requirements) listed here below.

Caution: It is the end user’s responsibility to check the compliance of the final application with these assumptions.

ASR1: The compliant item can be used for four kinds of safety functions mode of operations according part 4,

3.5.16:

• A continuous mode or high-demand SIL3 safety function (CM3), or

• A low-demand SIL3 safety function (LD3), or

• A continuous mode or high-demand SIL2 safety function (CM2), or

• A low-demand SIL2 safety function (LD2).

ASR2: The compliant item is used to implement a safety function allowing a time budget of 10 ms (worst case) for

the STM32 MCU to detect and react to a failure. That time corresponds to the portion of the Process Safety Time

allocated to STM32F2 Series MCUs (“STM32xx Series duty” in the figure below) in error reaction chain at system

level.

Figure 5. Allocation and target for STM32 PST

System-level PST

MCU detection FW reaction SW reaction Actuator reaction

STM32xx Series duty End user duty ….

ASR3: The compliant item is used in a safety function that can be continuously powered-on for a time higher than

8 hours. It is assumed to not require any proof test and the lifetime of the product is considered to be not less than

10 years.

ASR4: It is assumed that only one safety function is performed or if many, all functions are classified with the

same SIL and therefore they are not distinguishable in terms of their safety requirements.

ASR5: In case of multiple safety functions implementations, it is assumed that end user is responsible to

guarantee their needed mutual independence.

ASR6: It is assumed that there are no “non-safety related” functions implemented in application software and

coexisting with the safety functions.

ASR7: It is assumed that the implemented safety function(s) is not depending on STM32F2 Series MCU transition

to and from a low-power state.

ASR8: The local safe state of the compliant item is the one in which either:

• SS1: the application software is informed by the presence of a fault and a reaction by the application

software itself is possible

• SS2: the application software cannot be informed by the presence of a fault or the application software is not

able to execute a reaction (1)

1. The end user must take into account that random hardware failures affecting the STM32 can compromise the MCU

capability of operating properly (for example failure modes affecting the program counter prevent the correct execution of

software).

UM1845

Assumed requirements

UM1845 - Rev 4 page 10/108

Other manuals for STM32F2 Series

Table of contents

Popular Microcontroller manuals by other brands

AMS

AMS AS7261 Demo Kit user guide

Novatek

Novatek NT6861 manual

Espressif Systems

Espressif Systems ESP8266 SDK AT Instruction Set

Nuvoton

Nuvoton ISD61S00 ChipCorder Design guide

STMicrolectronics

STMicrolectronics ST7 Assembler Linker user manual

Texas Instruments

Texas Instruments Chipcon CC2420DK user manual

Lantronix

Lantronix Intrinsyc Open-Q 865XR SOM user guide

NEC

NEC 78GK0S/K 1+ Series Application note

Mikroe

Mikroe SEMITECH N-PLC Click Application note

Intel

Intel Agilex user guide

Cypress

Cypress CY4607 HX2VL quick start guide

DIGITAL-LOGIC

DIGITAL-LOGIC MICROSPACE manual

Texas Instruments

Texas Instruments TMS320F2837 D Series Workshop Guide and Lab Manual

CYPRES

CYPRES CY14NVSRAMKIT-001 user guide

Texas Instruments

Texas Instruments INA-DUAL-2AMP-EVM user guide

Espressif Systems

Espressif Systems ESP8266EX Programming guide

Abov

Abov AC33M8128L user manual

Laird

Laird BL654PA user guide