Overview of STM32/STM8 Functional Safety in the STM32 Ecosystem

STM32 Functional Safety Ecosystem


STM32 has many built-in safety features, such as dual watchdogs, I/O port locking, and on-chip SRAM with various checksum methods. These serve as the hardware foundation for the safety certifications that various industries require for electronic products built with STM32. To help customers pass industry safety certification quickly, ST provides several functional safety design packages, which include documentation, safety libraries (some with full source code access), and examples that use the safety libraries. In addition, we have recorded training videos on Functional Safety Class B, and during customer support our engineers have compiled notes on safety-certification experience to share with everyone. Below, senior functional safety experts from STM32 explain the latest ecosystem content surrounding STM32 functional safety.

Obtaining Functional Safety Certification — Based on ST MCU


As MCUs are increasingly used in home appliances and industrial products, they often take on safety-related functions. To ensure product safety and prevent serious risks due to random hardware failures and system faults, more and more industries require products to obtain relevant functional safety certification before they can be marketed.

For the following three major categories of safety standard certifications, ST provides corresponding functional safety design packages:

  • SIL Functional Safety Design Package, targeting the IEC 61508 standard, covering STM32 series products.

  • ASIL Functional Safety Design Package, targeting the automotive industry's ISO 26262 standard, supporting STM8AF series MCUs.

  • Class B Functional Safety Design Package, targeting home appliance applications under the IEC 60335-1 / IEC 60730-1 standards, covering STM32 and STM8 series products.

Users can reduce product development costs and shorten development time with these design packages. We call them "Functional Safety Design Packages" rather than "Functional Safety Software Packages" because each one includes both a certified self-test library and the various documents users need to develop and certify a product on top of that self-test library. Of course, the specific contents of each functional safety design package vary; we will introduce them in detail later.

Furthermore, to ensure the completeness of the information presented, we will also introduce the support situation for STM32 and STM8 together.

Built-in Safety Features of STM32

[Table: built-in safety features of STM32 MCUs (image not reproduced)]

The self-test libraries and detection methods provided in the functional safety design packages are partly implemented through pure software and partly through hardware features provided by the MCU itself. The table above lists some of the built-in safety features of STM32 MCUs, such as:

  • The watchdog can be used to monitor program flow: if the program counter runs away and the watchdog is no longer refreshed in time, the device is reset.

  • The hardware CRC unit can be used for Flash verification. All STM32F7, H7, L4/L4+, G0 and G4 series devices support a programmable CRC polynomial; some models of the STM32F0 and L0/L1 series also support a programmable CRC polynomial.

  • Through I/O function locking, the configuration parameters of I/O ports can be protected from accidental software modification; detailed explanations can be found in the “GPIO Lock Mechanism” section of the corresponding STM32 series reference manual.

  • PWM critical register bit field protection, similar to I/O function locking, primarily ensures that the “brake” function operates normally and the configuration is not accidentally modified by software; detailed usage instructions can be found in the TIMx_BDTR register’s LOCK bit introduction in the corresponding STM32 series reference manual.
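The Flash-verification item above is the one most easily demonstrated off-target. The following is an added example (not code from the STM32 self-test library or from ST): a host-side CRC-32 that uses the same default parameters as the STM32 CRC unit (polynomial 0x04C11DB7, initial value 0xFFFFFFFF, no bit reversal, no final XOR, i.e. CRC-32/MPEG-2), a production-time step that appends a reference CRC to a constructed "image", and a runtime self-check that walks the image in slices so a real firmware could refresh the watchdog between slices. The image layout (reference CRC stored little-endian as the last word) is an assumption made for this example, not ST's layout.

```c
#include <stdint.h>
#include <stddef.h>

/* Default parameters of the STM32 CRC unit (CRC-32/MPEG-2 variant):
 * polynomial 0x04C11DB7, init 0xFFFFFFFF, no input/output reflection,
 * no final XOR. Bytes are consumed MSB-first, one at a time. Note that the
 * hardware unit consumes 32-bit words MSB-first, so a reference value computed
 * on a host must be produced with the same byte order the firmware feeds it. */
#define STM32_CRC_POLY 0x04C11DB7u
#define STM32_CRC_INIT 0xFFFFFFFFu

/* Incremental update: lets the Flash check run in slices. */
uint32_t crc32_update(uint32_t crc, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint32_t)data[i] << 24;
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80000000u) ? (crc << 1) ^ STM32_CRC_POLY : (crc << 1);
    }
    return crc;
}

uint32_t crc32_mpeg2(const uint8_t *data, size_t len)
{
    return crc32_update(STM32_CRC_INIT, data, len);
}

/* Assumed image layout for this example: body, then the reference CRC as the
 * last 4 bytes, little-endian. (Hypothetical layout, not ST's.) */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Production-time step: compute the reference over the body and append it. */
void image_store_reference_crc(uint8_t *image, size_t total_len)
{
    uint32_t ref = crc32_mpeg2(image, total_len - 4);
    store_le32(image + total_len - 4, ref);
}

/* Runtime Flash self-check. Processes 'slice' bytes per step so that, on the
 * target, the main loop can refresh the watchdog between slices.
 * Returns 1 when the computed CRC matches the stored reference, 0 otherwise. */
int flash_self_check(const uint8_t *image, size_t total_len, size_t slice)
{
    if (total_len < 4 || slice == 0)
        return 0;
    size_t body = total_len - 4;
    uint32_t crc = STM32_CRC_INIT;
    for (size_t off = 0; off < body; off += slice) {
        size_t n = (body - off < slice) ? body - off : slice;
        crc = crc32_update(crc, image + off, n);
        /* On target: refresh the watchdog / return to the scheduler here. */
    }
    return crc == load_le32(image + body);
}

/* Constructed sample "image" for the demonstration: deterministic body
 * bytes followed by the appended reference CRC. */
void build_sample_image(uint8_t *buf, size_t total_len)
{
    for (size_t i = 0; i + 4 < total_len; i++)
        buf[i] = (uint8_t)(0x5A ^ (i * 7));
    image_store_reference_crc(buf, total_len);
}
```

Because the update function is byte-wise, the slice size does not change the result; a single flipped bit anywhere in the body (or in the stored reference) makes the check fail.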

The "brake" function mentioned above protects the power switch driven by the PWM signals: when a system fault occurs, the brake is triggered to switch off the PWM output so that the system remains in a safe state. The input signal that triggers the brake can come from internal system-level faults detected by the MCU (such as a clock failure detected by the CSS, an SRAM parity error, etc.) or from an external signal connected to a specific pin. Different STM32 series support different trigger sources; please refer to the corresponding reference manual for the details of each.

Some STM32 series also support "core entering lockup state" as a trigger source for the brake. The core enters the lockup state when the MCU has already taken a fault exception because of an error and then hits another fault condition inside that fault handler. For a more detailed explanation of core lockup, please refer to the Cortex-M user guide.

STM32 has many more built-in safety features than we can list here. Some are not used by the self-test libraries, but they can be used in applications according to specific needs. For instance, for RAM detection the self-test library uses a software March C algorithm; if the MCU you choose supports parity or ECC SRAM, adding this hardware detection feature can further improve the safety of software operation. Likewise, peripherals such as UART, I2C and CAN have built-in protocol error detection and CRC checking that can be used for safety detection while they are in use. We have not listed all of them here; please refer to the relevant safety manuals.
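To make the RAM-detection remark concrete, here is an added example (not the self-test library's code, nor any ST code) of a simplified, word-level March C- test run over a simulated SRAM block with a single data background. A constructed stuck-at-0 fault model is included so the test can be seen catching a defective bit; the fault-injection hooks exist only for this simulation. The non-destructive wrapper shows the save/restore pattern a runtime block test needs, and the comments note the on-target constraints that the simulation cannot reproduce.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Fault-injection model for the simulated SRAM (constructed for this example):
 * when g_fault_cell >= 0, the bits in g_stuck0_mask of that cell are stuck at 0. */
static long     g_fault_cell  = -1;
static uint32_t g_stuck0_mask = 0;

void inject_stuck_at_0(long cell, uint32_t mask) { g_fault_cell = cell; g_stuck0_mask = mask; }
void clear_fault(void)                           { g_fault_cell = -1;   g_stuck0_mask = 0;    }

static void ram_write(uint32_t *mem, size_t i, uint32_t v)
{
    if ((long)i == g_fault_cell)
        v &= ~g_stuck0_mask;          /* simulated stuck-at-0 bits never take the 1 */
    mem[i] = v;
}

static uint32_t ram_read(const uint32_t *mem, size_t i) { return mem[i]; }

/* One March element: walk the block in the given direction and, for each
 * cell, optionally read and compare against 'expect', then optionally
 * write 'value'. Returns the index of the first mismatching cell, or -1. */
static long march_element(uint32_t *mem, size_t n, int ascending,
                          int do_read, uint32_t expect,
                          int do_write, uint32_t value)
{
    for (size_t k = 0; k < n; k++) {
        size_t i = ascending ? k : n - 1 - k;
        if (do_read && ram_read(mem, i) != expect)
            return (long)i;
        if (do_write)
            ram_write(mem, i, value);
    }
    return -1;
}

/* March C- with one data background (0x00000000 / 0xFFFFFFFF):
 *   M0 {w0}  M1 up{r0,w1}  M2 up{r1,w0}  M3 down{r0,w1}  M4 down{r1,w0}  M5 {r0}
 * Destructive: the block's content is overwritten. On a real target the
 * block must not contain this routine's own stack or variables, and
 * interrupts must be masked for the duration of the test. */
long march_c_minus(uint32_t *mem, size_t n)
{
    const uint32_t Z = 0x00000000u, O = 0xFFFFFFFFu;
    long r;
    if ((r = march_element(mem, n, 1, 0, 0, 1, Z)) >= 0) return r;   /* M0 */
    if ((r = march_element(mem, n, 1, 1, Z, 1, O)) >= 0) return r;   /* M1 */
    if ((r = march_element(mem, n, 1, 1, O, 1, Z)) >= 0) return r;   /* M2 */
    if ((r = march_element(mem, n, 0, 1, Z, 1, O)) >= 0) return r;   /* M3 */
    if ((r = march_element(mem, n, 0, 1, O, 1, Z)) >= 0) return r;   /* M4 */
    return march_element(mem, n, 1, 1, Z, 0, 0);                     /* M5 */
}

/* Non-destructive runtime variant: save the block to a spare buffer, run the
 * march test, restore the content. Returns -1 on pass, else the failing index. */
long sram_test_block(uint32_t *mem, size_t n, uint32_t *save)
{
    memcpy(save, mem, n * sizeof *mem);
    long r = march_c_minus(mem, n);
    memcpy(mem, save, n * sizeof *mem);
    return r;
}
```

With a stuck-at-0 bit injected in cell 5, element M1 writes all ones, and element M2 is the first read that sees the bit still at 0, so the test reports cell 5; with no fault the block passes and the wrapper leaves the original content in place.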

STM32 SIL Functional Safety Design Package

For customers whose products need to pass SIL2/SIL3 certification, each STM32 MCU series has its own STM32 SIL functional safety design package, consisting of a safety manual and a self-test library. Using the hardware features provided by STM32 together with the safety manual and the self-test library, users can go on to develop their own code that meets the safety certification requirements.


Regarding the self-test libraries, note that the SIL self-test libraries provided by ST are only a subset of the safety mechanisms required for functional safety. Users can add the library files from the self-test library zip package to their actual projects; this self-test library already covers detection for the CPU, FLASH and SRAM, which is independent of the specific application. Users still need to implement additional detection for their own project, following the safety mechanisms listed in the safety manual. For example, if interrupts or I2C are used and they are involved in a safety function, detection code should be added according to the safety manual sections on those two topics.


The purpose of the STM32 SIL functional safety design package is to help STM32 customers reduce project cost and complexity when developing products that must obtain IEC 61508 industrial safety certification, to simplify the certification assessment, and to shorten the time the certification takes.

Overview of STM32 Ecosystem, Issue 6: the articles Overview of STM32/STM8 Functional Safety (1), (2) and (3) can be read on the STM32 Chinese official website.


– Overview (2) URL:

https://www.stmcu.com.cn/mkt_info/1415

– Overview (3) URL:

https://www.stmcu.com.cn/mkt_info/1416
