June 9, 2020
Our Functional Safety initiative now includes documentation for nearly all our STM32 devices and the new X-CUBE-STL self-test libraries, creating the most extensive family of general-purpose microcontrollers capable of running in systems certified at Safety Integrity Level 2 and 3. The only devices currently missing are the STM32MP1, the STM32L5, and the dual-core STM32H7, and X-CUBE-STL will support all of them by the end of the year. We have also revamped our Functional Safety page to make it easier to find the ST resources that assist engineers seeking industrial, automotive, or household electrical appliance certifications. It also lists the ST Authorized Partners providing real-time operating systems, development tools, engineering services, and training, so that teams can cross the bridge from proof of concept to commercial product.
The International Electrotechnical Commission defines safety as the “freedom from unacceptable risk of physical injury or of damage to the health of people.” Functional safety is the part of overall safety that depends on an embedded system operating correctly in response to its inputs. For instance, in a manufacturing plant, functional safety ensures that the circuit controlling a robot fails gracefully instead of harming its operators. In a medical application, the standards require, among other things, that users are made aware of a malfunction by an alarm so that a faulty device is not used to the patient's detriment. And since our STM32 microcontrollers are everywhere, it was crucial for us to ensure that all of them offer a straightforward path to IEC 61508 for industrial applications.
Before X-CUBE-STL: All the Documentation to Start Working on IEC 61508
IEC 61508 governs functional safety for electrical, electronic, and programmable electronic systems across industries and applications. Many STM32 users seek compliance when working in an industrial setting, where the risks are higher and the requirements more stringent. The first significant aspect of the standard is the safety life cycle. Before anything else, engineers must document all the steps and measures they will take to achieve functional safety, from the very first design activities all the way to the product’s decommissioning. The process includes hazard and risk analysis, safety requirements and their validation, maintenance, and many other aspects.
Our Functional Safety initiative is a great starting point for engineers because it provides a safety manual for every STM32 series, so that teams can begin defining the life cycle of their product. Each manual is available for download on the ST page of the corresponding STM32 series and describes the user’s responsibilities for installation and operation, including the conditions of use and the safety mechanisms the application must implement. The manuals focus on IEC 61508 compliance but also help engineers branching out to related safety standards, such as ISO 13849 for machinery safety. We also provide a failure mode and effects analysis (FMEA), which lists the MCU failure modes and how to mitigate them, and a failure modes, effects and diagnostic analysis (FMEDA), an extension of the FMEA that computes failure rates for the MCU as a whole and for each of its functions.
X-CUBE-STL: Self-Test Libraries to More Rapidly Obtain SIL 2 or SIL 3 Certifications
The second aspect of IEC 61508 is the assignment of a Safety Integrity Level, or SIL. A hazard analysis determines what can go wrong and how severe the harm to people or the environment could be; a risk assessment then determines how often, or how likely, each hazard is to occur. From these analyses, the standard derives the safety requirements and the SIL they must meet. There are four levels: SIL 1 is the least demanding and SIL 4 the strictest. SIL 4 is traditionally reserved for railway or nuclear applications. SIL 1 is the most relaxed and tends to apply to software-only safety functions, while SIL 2 and SIL 3 are far more common for hardware designed for industrial applications; the main practical difference between those two is that SIL 3 requires redundant measurements.
To start working toward SIL 2 or SIL 3 certification, teams begin by selecting an STM32 with the hardware safety features that match their application’s requirements. For instance, all our MCUs have a dual watchdog, but only the STM32G0, STM32G4, STM32H7, STM32L4/L4+, and STM32L5 have ECC-protected Flash memory, and among those, only the STM32H7 also has ECC-protected SRAM, which is traditionally a requirement only for applications that need a high-performance MCU.
Teams can also use the self-test libraries in X-CUBE-STL to implement failure detection mechanisms. For instance, the libraries help detect random hardware failures in the CPU, the SRAM, and the Flash memory. The diagnostic coverage of X-CUBE-STL is verified by fault injection, which increases customers’ confidence in the solution. To make these libraries widely usable, we deliver them as object code, so they can be integrated into practically any application, and developers are not tied to a specific compiler for the rest of their code.
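To make concrete what a self-test library of this kind checks, here is an added example, written for this page and not taken from X-CUBE-STL or any ST code, of two classic diagnostics on a host machine: a word-wide March C- test of an SRAM buffer, and a CRC-32 check of a Flash image against a reference value. The fault-injection hook (`g_stuck_word`, `g_stuck_mask`), the buffer sizes, and the Flash image contents are all constructed for the demonstration; a real library runs against the MCU's own memories, preserves application data while testing, and is itself verified by injecting faults exactly as done here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { STL_PASS = 0, STL_FAIL = 1 } stl_result_t;

/* Hypothetical fault-injection hook: if g_stuck_word >= 0, the bits in
 * g_stuck_mask of that word behave as stuck-at-1 after every write. */
static int g_stuck_word = -1;
static uint32_t g_stuck_mask = 0;

static void ram_write(volatile uint32_t *mem, size_t i, uint32_t value)
{
    mem[i] = value;
    if ((int)i == g_stuck_word)
        mem[i] |= g_stuck_mask;          /* simulate a hardware stuck-at-1 fault */
}

/* March C- over 'words' 32-bit words: w0; r0,w1; r1,w0 ascending, then
 * r0,w1; r1,w0 descending, then r0. Detects stuck-at, transition and
 * coupling faults. Destructive: the buffer contents are not preserved. */
stl_result_t stl_march_c_minus(volatile uint32_t *mem, size_t words)
{
    size_t i;
    for (i = 0; i < words; i++) ram_write(mem, i, 0x00000000u);
    for (i = 0; i < words; i++) {
        if (mem[i] != 0x00000000u) return STL_FAIL;
        ram_write(mem, i, 0xFFFFFFFFu);
    }
    for (i = 0; i < words; i++) {
        if (mem[i] != 0xFFFFFFFFu) return STL_FAIL;
        ram_write(mem, i, 0x00000000u);
    }
    for (i = words; i-- > 0;) {
        if (mem[i] != 0x00000000u) return STL_FAIL;
        ram_write(mem, i, 0xFFFFFFFFu);
    }
    for (i = words; i-- > 0;) {
        if (mem[i] != 0xFFFFFFFFu) return STL_FAIL;
        ram_write(mem, i, 0x00000000u);
    }
    for (i = 0; i < words; i++)
        if (mem[i] != 0x00000000u) return STL_FAIL;
    return STL_PASS;
}

/* CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), bit-serial. */
uint32_t stl_crc32(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Flash integrity check: recompute the CRC of the code image and compare
 * with the reference computed at build time and stored alongside it. */
stl_result_t stl_flash_check(const uint8_t *image, size_t len, uint32_t expected_crc)
{
    return stl_crc32(image, len) == expected_crc ? STL_PASS : STL_FAIL;
}

/* Fault-injection verification of the SRAM test: a clean buffer must pass,
 * a buffer with one stuck bit must fail. Returns 1 when both hold. */
int stl_ram_selfcheck(void)
{
    static uint32_t buf[64];                      /* constructed stand-in for SRAM */
    g_stuck_word = -1; g_stuck_mask = 0;
    if (stl_march_c_minus(buf, 64) != STL_PASS) return 0;
    g_stuck_word = 17; g_stuck_mask = 1u << 5;    /* inject: bit 5 of word 17 stuck at 1 */
    int detected = (stl_march_c_minus(buf, 64) == STL_FAIL);
    g_stuck_word = -1; g_stuck_mask = 0;
    return detected;
}

/* Fault-injection verification of the Flash test: an intact image must pass,
 * a single flipped bit must be detected. Returns 1 when both hold. */
int stl_flash_selfcheck(void)
{
    uint8_t image[256];                           /* constructed stand-in for the code region */
    for (size_t i = 0; i < sizeof image; i++) image[i] = (uint8_t)(i * 7u + 3u);
    uint32_t reference = stl_crc32(image, sizeof image);
    if (stl_flash_check(image, sizeof image, reference) != STL_PASS) return 0;
    image[100] ^= 0x10;                           /* inject a single-bit Flash corruption */
    return stl_flash_check(image, sizeof image, reference) == STL_FAIL;
}

int main(void)
{
    printf("SRAM March C- detects injected stuck bit: %s\n", stl_ram_selfcheck() ? "yes" : "NO");
    printf("Flash CRC detects injected bit flip:      %s\n", stl_flash_selfcheck() ? "yes" : "NO");
    return 0;
}
```

The two self-check functions are the fault-injection step the paragraph refers to: the diagnostic is only credited with coverage for a fault class once an injected fault of that class is shown to be reported. On a real target, the SRAM test would run over the MCU's RAM in sections, with the section contents saved and restored, and the reference CRC would be placed in Flash by the build.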
Functional Safety: The Unique Position of the STM32 and STM8 Families of MCUs
X-CUBE-STL is part of an ST ecosystem that supports engineers across many more standards than IEC 61508 alone. For instance, we updated our STM8A-SafeASIL package with new safety documentation and a self-test library specification. In this case we do not provide the libraries themselves but a specification, including a set of requirements for implementing them, because this package primarily targets customers who write their own libraries anyway. We also offer packages for IEC 60335-1 and IEC 60730-1, which cover household electrical appliances: X-CUBE-CLASSB for STM32 MCUs and STM8-SafeCLASSB for STM8. Both contain safety documentation and self-test libraries, delivered with their source code. Since these standards are far less stringent than IEC 61508, we provide the source so that developers can study our implementations.
All these packages make our STM32 and STM8 general-purpose microcontrollers strong candidates for the most demanding safety standards. Traditionally, MCUs aimed at these standards are custom products, which makes them far more expensive and often constrains the hardware in one way or another. ST’s approach is unique because we make these standards accessible on general-purpose devices and back them with an essential network of partners. As useful as the documentation and self-test libraries are, they are only the first steps in a long process. Teams frequently underestimate the effort a certification requires, which is why we have ST Partners who know our devices and can help engineers cross the finish line by shipping a certified product.
X-CUBE-STL: Supporting All STM32 for Industrial Functional Safety