STM32 Ecosystem Issue 6 - Overview of STM32/STM8 Functional Safety (I)
STM32 Functional Safety Ecosystem
STM32 has many built-in safety attributes, such as dual watchdogs, an I/O port lock function, and on-chip SRAM with various verification methods. They are the hardware foundation on which electronic products built around STM32 obtain the safety certification required by their industries. To help customers pass industry safety certification quickly, ST provides several functional safety design packages, which include documents, safety libraries (some fully open source) and example routines for using the safety libraries. In addition, we have recorded training videos on functional safety Class B. Our engineers also kept work notes on safety certification topics encountered during customer support and have collected them to share with everyone. Next, senior STM32 functional safety experts will explain ST's latest ecosystem content around STM32 functional safety.
Obtained functional safety certification - based on ST MCU
As MCUs are increasingly used in home appliances and industrial products, they often also assume safety-related functions. In order to ensure the safety of products and prevent serious risks caused by random hardware failures and system failures, more and more industries require that products must obtain corresponding functional safety certification before they can be produced and put on the market.
ST provides corresponding functional safety design packages for the following three categories of safety standard certification:
- SIL functional safety design package, targeting the IEC 61508 standard, covering the STM32 series.
- ASIL functional safety design package, targeting the ISO 26262 standard for the automotive industry, supporting STM8AF series MCUs.
- Class B functional safety design package, targeting the IEC 60335-1/60730-1 standards for home appliance applications, covering the STM32 and STM8 product series.
Through these design packages, users can reduce product development costs and shorten development time.
Here we call it a "functional safety design package" instead of a "functional safety software package" because it includes both a certified self-test library and various documents required for users to develop and certify based on the self-test library. Of course, the specific content provided by each functional safety design package will be different, which we will introduce in detail later.
In addition, in order to ensure the completeness of the content, we will introduce the support of STM32 and STM8 together later.
STM32 built-in safety features
The self-test library provided in the functional safety design package and the detection methods in the safety manual are partially implemented by pure software, and partially by using the hardware properties provided by the MCU itself. The table above lists some of the built-in safety properties of the STM32 MCU, such as:
- The watchdog can be used to monitor program flow and reset the device when the program counter runs away;
- The hardware CRC unit can be used to verify the Flash. The STM32F7, H7, L4/L4+, G0 and G4 series all support programmable CRC polynomial coefficients, as do some models of the STM32F0 and L0/L1 series;
- By locking the I/O function, the configuration parameters of an I/O port can be protected from accidental modification by software. For a detailed description, refer to the "GPIO Lock Mechanism" section in the reference manual of the corresponding STM32 series;
- PWM key register bit-field protection is similar to the I/O function lock. It is mainly used to ensure that the "brake" function executes normally and to prevent its configuration from being accidentally modified by software. For details, refer to the description of the LOCK bit field of the TIMx_BDTR register in the reference manual of the corresponding STM32 series.
The "brake" function just mentioned is intended to protect the power switch driven by the PWM signal. That is, when a system fault occurs, this function can be triggered to turn off the PWM output and ensure that the system is in a safe state. The input signal that triggers the "brake" function can be either a system-level fault from within the MCU (such as clock failure detected by CSS, parity error of SRAM, etc.) or an external signal connected to a specific pin.
Different STM32 series support different sources for this input signal; refer to the corresponding reference manual for specific use. Some STM32 series also support "core enters lockup state" as a trigger source of the "brake" function. "Core enters lockup state" means that the MCU has already entered the fault interrupt because of an error, and a further fault condition is then raised inside the fault interrupt service routine, after which the core enters the lockup state. For a more detailed description of core lockup, refer to the Cortex-M user guide.
There are many built-in safety attributes in STM32, which are not listed here one by one. Some are not used in the self-test library, but we can still use them in the application according to specific needs. For example, for RAM detection, the self-test library uses the software March C algorithm. If the MCU you choose supports SRAM with parity check or ECC, adding this hardware detection on top can further improve the safety of software operation. Some peripherals such as serial ports, I2C, CAN, etc. also have built-in protocol error detection, CRC check and other functions, which can be used for safety detection while the peripheral is in use. They are not listed here one by one; refer to the relevant safety manual.
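As an added example (constructed here, not the ST self-test library's implementation), a word-wide March C- test of the kind the text mentions for RAM detection, run on a constructed 64-word memory model with an optional injected stuck-at-0 fault so that detection can be exercised off-target; the memory size, the access helpers and the fault hook are assumptions of this model.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed SRAM model (assumption: 64 words). A stuck-at-0 fault can be
 * injected on one word so the march test has something to find. */
#define RAM_WORDS 64
static uint32_t ram[RAM_WORDS];
static size_t   fault_word = RAM_WORDS;   /* RAM_WORDS means no fault injected */
static uint32_t fault_mask = 0;           /* bits forced to 0 in fault_word   */

static void mem_write(size_t i, uint32_t v)
{
    ram[i] = (i == fault_word) ? (v & ~fault_mask) : v;
}
static uint32_t mem_read(size_t i) { return ram[i]; }

void inject_stuck_at_zero(size_t word, uint32_t mask) { fault_word = word; fault_mask = mask; }
void clear_fault(void) { fault_word = RAM_WORDS; fault_mask = 0; }

/* One March C- pass over words [0, n) with data background bg:
 *   up(w0); up(r0,w1); up(r1,w0); down(r0,w1); down(r1,w0); up(r0)
 * where "0" is bg and "1" is ~bg. Returns the index of the first word whose
 * read-back differs from the value just written, or -1 if the region passes. */
long march_c_minus(size_t n, uint32_t bg)
{
    const uint32_t z = bg, o = ~bg;
    size_t i;
    for (i = 0; i < n; i++) mem_write(i, z);
    for (i = 0; i < n; i++) { if (mem_read(i) != z) return (long)i; mem_write(i, o); }
    for (i = 0; i < n; i++) { if (mem_read(i) != o) return (long)i; mem_write(i, z); }
    for (i = n; i-- > 0;)   { if (mem_read(i) != z) return (long)i; mem_write(i, o); }
    for (i = n; i-- > 0;)   { if (mem_read(i) != o) return (long)i; mem_write(i, z); }
    for (i = 0; i < n; i++) { if (mem_read(i) != z) return (long)i; }
    return -1;
}

/* Whole-region self-test: a word-wide march needs at least the all-0 and
 * all-1 backgrounds so that every bit is exercised in both directions. */
long sram_selftest(void)
{
    long r = march_c_minus(RAM_WORDS, 0x00000000u);
    if (r >= 0) return r;
    return march_c_minus(RAM_WORDS, 0xFFFFFFFFu);
}
```

On target the test must run with interrupts masked, from code and stack located outside the region under test, and a run-time test must save and restore the region's contents; the model above does not cover those concerns.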
STM32 SIL Functional Safety Design Package
For customers whose products need to pass SIL2/SIL3 certification, each STM32 MCU series provides an independent STM32 SIL functional safety design package, which includes: safety manual and self-test library. Combined with the hardware functions provided by STM32, using the safety manual and self-test library, users can continue to develop their own code that meets the safety certification requirements.
Regarding the self-test library, it should be noted that the SIL self-test library provided by ST is only a subset of the safety mechanisms required to achieve functional safety. Users can add the library files from the self-test library archive to their actual project. The self-test library already includes the detection of the CPU, FLASH and SRAM, which is independent of the specific application. The user must then refer to the safety detection mechanisms listed in the safety manual, according to the needs of the actual project, and implement the other detections in code. For example, if interrupts or I2C are used and are related to safety functions, detection code must be added according to the corresponding two sections of the safety manual.
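The Flash check mentioned above and in the built-in features section compares a stored reference CRC against one recomputed over the image. As an added example (not ST's self-test library code), here is a software CRC that, under the stated assumptions, matches the STM32 CRC unit's default configuration (polynomial 0x04C11DB7, initial value 0xFFFFFFFF, no input or output reflection, no final XOR), which lets the reference value be produced at build time; the polynomial and initial value are parameters to mirror the programmable units, and series differ in the input width the hardware accepts (8-bit versus 32-bit word), so the byte order fed on target must match this routine.

```c
#include <stdint.h>
#include <stddef.h>

/* Bit-wise MSB-first CRC-32. Assumption: this is the algorithm the STM32 CRC
 * unit implements with its default settings when data is fed byte by byte,
 * most significant byte first. */
uint32_t crc32_msb_first(const uint8_t *data, size_t len,
                         uint32_t poly, uint32_t init)
{
    uint32_t crc = init;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint32_t)data[i] << 24;          /* next byte enters at the top */
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80000000u) ? (crc << 1) ^ poly : (crc << 1);
    }
    return crc;
}

/* Reference CRC of the image region: computed once at build or programming
 * time and stored outside the checked range (so the stored value does not
 * change the CRC it protects). */
uint32_t flash_image_crc(const uint8_t *img, size_t len)
{
    return crc32_msb_first(img, len, 0x04C11DB7u, 0xFFFFFFFFu);
}

/* Run-time check: 1 = image intact, 0 = mismatch, i.e. corruption detected. */
int flash_check(const uint8_t *img, size_t len, uint32_t expected)
{
    return flash_image_crc(img, len) == expected;
}
```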
The purpose of the STM32 SIL functional safety design package is to help STM32 customers reduce project costs and complexity, simplify the certification assessment process, and shorten the time required for certification when developing products that need to obtain IEC 61508 industrial safety standard certification.
The sixth issue of the STM32 Ecosystem, Overview of STM32/STM8 Functional Safety (I), (II) and (III), is available on the STM32 Chinese official website:
- Overview (II): https://www.stmcu.com.cn/mkt_info/1415
- Overview (III): https://www.stmcu.com.cn/mkt_info/1416