
Functional safety packages

STM32 MCUs and MPUs


STM8 MCUs
"If only I could speed up the design time of safety-certified systems."

This is where we come in.


Free safety packages for STM32
and STM8 with an ecosystem of
ST Authorized Partners
Achieve functional safety certification
with ST MCUs and MPUs
With its Functional Safety Packages based on robust built-in MCU/MPU safety
features, ST provides a comprehensive set of certified software libraries and
documentation for manufacturers to significantly reduce the development efforts,
time and cost to achieve functional safety standard certifications.
• SIL Functional Safety Package for industrial IEC 61508 (STM32)
• ASIL Functional Safety Package for automotive ISO 26262 (STM8A)
• Class B Functional Safety Package for household electrical appliances IEC 60335-1/60730-1 (STM32 & STM8)
STM32 built-in safety features
• Dual watchdogs: independent watchdog (separately clocked) and system window watchdog
• Backup clock circuitry with clock security system (CSS)
• Supply monitoring (POR, BOR, PVD)
• I/O function locking
• PWM critical register protection through write-once registers (except on STM32L0/L1)
• Memory protection unit (MPU) with 8 or 16 regions, to confine faulty or misbehaving software to its own memory (except on STM32F0)
• Built-in safety features of the Cortex-M cores (dual stack pointer, fault exceptions, debug module)

Other features, compared across the series C0, F0, F1, G0, F3, G4, F2/F4, H5, F7, H7, L0/L1, L4/L4+, L5, U5, WB, WBA, WL and MP1:

• Number of hardware CRC units: 1 on every listed series, 2 on STM32MP1
• Programmable polynomial in the CRC unit: marked for 13 series, plus 2 series marked (1)
• Multiple Flash memory protection levels: marked for 16 series
• PWM stop on core lockup: marked for 14 series
• Parity bit for SRAM memory (1 bit/byte): marked for 10 series
• ECC (SECDED) for SRAM: marked for 3 series
• ECC (SECDED) for Flash memory: marked for 10 series

(1) Depending on part number
SIL Functional Safety Package

SIL functional safety package for STM32

Reduce time and cost to build STM32-based systems certified to the IEC 61508 industrial safety standard.
SIL Functional Safety Package for STM32

ST provides a complete, certified offering to:
- Lower project costs
- Reduce design complexity
- Ease SIL certification assessment

[Figure: development effort without Package vs. with Package]
SIL functional safety for STM32: safety documentation

Safety manuals: detailed list of safety requirements (conditions of use) and examples to guide STM32 users to achieve safety integrity level certification in compliance with IEC 61508. Available at STM32 series level for free download on www.st.com/x-cube-stl

FMEA: detailed list of MCU/MPU failure modes and the related mitigation measures adopted.

FMEDA: static snapshot reporting IEC 61508 failure rates, computed at both MCU/MPU and basic-function detail levels. Available on demand at STM32 series level (*)(**) on www.st.com/x-cube-stl

(*) subject to NDA
(**) The FMEDA snapshot is generated for a specific set of part numbers
SIL functional safety package for STM32: X-CUBE-STL self-test libraries
• Software-based diagnostic suite designed to detect random hardware failures in the safety-critical STM32 core components (CPU + SRAM + Flash memory)
• Diagnostic coverage verified by a state-of-the-art ST proprietary fault injection methodology
• Application independent: can potentially be used in any end-customer application
• Compiler independent: delivered as object code
• Certified by TÜV Rheinland (1)
• IEC 61508 SC3 (systematic capability 3) compliant
• Provided with safety manual and user guide
Available on demand at STM32 series level (2) on www.st.com/x-cube-stl
(1) The original certificate and the updated list of certified software versions can be downloaded from the TÜV Rheinland websites: www.fsproducts.com, www.certipedia.com
(2) subject to NDA
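The library is delivered as object code, so the page does not show how the SRAM diagnostic works. The classic software test for detecting random hardware faults in RAM is a march test, and March C- is the variant commonly used in Class B and SIL self-test libraries; the example below is added here as an illustration of that algorithm and is not ST's library code, and whether ST's libraries use exactly this march is not stated on the page. It runs March C- over a small memory model with an injectable stuck-at fault so it can be executed on a host; on a target, mem_read/mem_write would become volatile accesses to the SRAM range under test, and a real library would save and restore the range (or test a reserved buffer) and run with interrupts masked, since the test is destructive.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MEM_WORDS 64

/* Host-side memory model. fault_word >= 0 injects a stuck-at fault: the bits
 * selected by fault_mask always read back as the corresponding bits of
 * fault_value, whatever was written (assumption: a single stuck cell is the
 * fault class shown here; march tests also catch transition and unlinked
 * coupling faults). */
typedef struct {
    uint32_t cells[MEM_WORDS];
    int      fault_word;      /* -1 = fault-free memory */
    uint32_t fault_mask;
    uint32_t fault_value;
} sram_model_t;

static void mem_write(sram_model_t *m, size_t i, uint32_t v)
{
    m->cells[i] = v;
}

static uint32_t mem_read(const sram_model_t *m, size_t i)
{
    uint32_t v = m->cells[i];
    if (m->fault_word >= 0 && (size_t)m->fault_word == i)
        v = (v & ~m->fault_mask) | (m->fault_value & m->fault_mask);
    return v;
}

/* One march element: sweep the range up (ascending=1) or down, optionally
 * checking that each cell reads `expect` before optionally writing `value`.
 * Returns 0 on the first cell that reads back wrong. */
static int march_element(sram_model_t *m, int ascending,
                         int do_read, uint32_t expect,
                         int do_write, uint32_t value)
{
    for (size_t k = 0; k < MEM_WORDS; k++) {
        size_t i = ascending ? k : (MEM_WORDS - 1 - k);
        if (do_read && mem_read(m, i) != expect)
            return 0;
        if (do_write)
            mem_write(m, i, value);
    }
    return 1;
}

/* March C- with background pattern bg and its complement:
 *   up(w0); up(r0,w1); up(r1,w0); down(r0,w1); down(r1,w0); up(r0)
 * Destructive: the previous content of the range is overwritten.
 * Returns 1 = pass, 0 = fault detected. */
int march_c_minus(sram_model_t *m, uint32_t bg)
{
    uint32_t inv = ~bg;
    return march_element(m, 1, 0, 0,   1, bg)    /* up:   write 0          */
        && march_element(m, 1, 1, bg,  1, inv)   /* up:   read 0, write 1  */
        && march_element(m, 1, 1, inv, 1, bg)    /* up:   read 1, write 0  */
        && march_element(m, 0, 1, bg,  1, inv)   /* down: read 0, write 1  */
        && march_element(m, 0, 1, inv, 1, bg)    /* down: read 1, write 0  */
        && march_element(m, 1, 1, bg,  0, 0);    /* up:   read 0           */
}

/* Fault-free memory: the test must pass. */
int sram_test_fault_free(void)
{
    sram_model_t m = { {0}, -1, 0, 0 };
    return march_c_minus(&m, 0x00000000u);
}

/* Memory with one bit of one word stuck at stuck_value (0 or 1): must fail. */
int sram_test_stuck_at(int word, unsigned bit, int stuck_value)
{
    sram_model_t m = { {0}, word % MEM_WORDS, 1u << (bit % 32u),
                       stuck_value ? 0xFFFFFFFFu : 0x00000000u };
    return march_c_minus(&m, 0x00000000u);
}

int main(void)
{
    printf("fault-free SRAM passes: %d\n", sram_test_fault_free());
    printf("word 17 bit 3 stuck at 1 passes: %d\n", sram_test_stuck_at(17, 3, 1));
    printf("word 5 bit 31 stuck at 0 passes: %d\n", sram_test_stuck_at(5, 31, 0));
    return 0;
}
```

A stuck-at-1 cell is caught on the first read-0 sweep, a stuck-at-0 cell on the first read-1 sweep; a plain write/read-back of a single pattern would miss one of the two, which is why the march alternates patterns in both address directions.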
ST functional safety methodology

ST builds functional safety solutions for its STM32 Arm® Cortex®-M microcontroller family, including detailed and accurate safety analyses supported by verification activities based on state-of-the-art fault injection methods.

[Figure: methodology flow]
STM32 design database
  → Proprietary state-of-the-art fault injection methods
  → IEC 61508-compliant software development → Certified STM32 self-test library (X-CUBE-STL)
  → IEC 61508-compliant safety analysis → STM32 safety documentation
Achieve SIL2/SIL3 with STM32

• SIL2: achievable with a single STM32 (1oo1 architecture: 1 out of 1 MCU, no redundancy)
• SIL3: achievable with two STM32 (1oo2 architecture: 1 out of 2 MCUs, one redundant MCU)
STM32 Safety Concepts

STM32 MCU, single Cortex-M core: refer to the STM32F0, F1, F2, F3, F4, F7, H7 single-core, G0, G4, L0, L1, L4/L4+, L5 and U5 safety manuals for details. TÜV Rheinland single-core certificate.

STM32 MCU, dual Cortex-M core: refer to the STM32H7 dual-core and STM32WL5x dual-core safety manuals for details. TÜV Rheinland dual-core certificate.

STM32MP1 MPU, dual Cortex-A7 and Cortex-M4: refer to the STM32MP1 safety manual for details. TÜV Rheinland dual-core certificate.
STM32 MCU dual Cortex-M core Safety Concept

Two possible schemes for acquisition, execution and transfer of the result:

Individual scheme: each CPU implements a specific safety function, with no collaboration.
  CPU1: PEi1 → PEc1 → PEo1 → SF1(s)
  CPU2: PEi2 → PEc2 → PEo2 → SF2(s)

Collaborative scheme: the two CPUs collaborate in the implementation of the same safety function.
  PEi1 → PEc1 (CPU1) and PEc2 (CPU2) → PEo1 → SF(s)

PEi = input processing element
PEc = computation processing element
PEo = output processing element
SF(s) = one or multiple safety functions

More details in UM2840 STM32H7 dual-core safety manual and UM2814 STM32WL5x dual-core safety manual
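Both the 1oo2 architecture used to reach SIL3 with two STM32 and the collaborative dual-core scheme above come down to the same mechanism: two channels compute the same safety function and the output is only released when their results agree, with any demand or disagreement driving the safe state. The following example is added here to make that voting logic concrete; it is my illustration, not ST's code or anything from the safety manuals. The safety function (a temperature trip threshold), its limit and the input values are constructed; the two channels are written differently on purpose, as diverse implementations usually are. The example uses the general two-input form that fits the two-MCU 1oo2 case, so the input-skew check models PEi1 and PEi2 disagreeing; for the collaborative scheme with a single shared PEi1 that check is simply skipped. In a real design the two channels run on separate cores or MCUs and exchange results over a checked link; here they run in one process for readability.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { SF_RUN = 0, SF_TRIP = 1 } sf_result_t;
typedef enum { OUT_RUN = 0, OUT_SAFE_STATE = 1 } output_t;

/* Constructed safety function: trip when a temperature reading, in tenths
 * of a degree, exceeds the limit. The limit and all inputs are made up. */
#define TEMP_LIMIT_TENTHS 850

/* Channel 1 (PEc1): direct comparison. */
sf_result_t channel1_compute(int32_t temp_tenths)
{
    return (temp_tenths > TEMP_LIMIT_TENTHS) ? SF_TRIP : SF_RUN;
}

/* Channel 2 (PEc2): the same function written differently on purpose, so a
 * coding slip or compiler issue in one channel is less likely to be mirrored
 * in the other. */
sf_result_t channel2_compute(int32_t temp_tenths)
{
    int stays_within_limit = (temp_tenths <= TEMP_LIMIT_TENTHS);
    return stays_within_limit ? SF_RUN : SF_TRIP;
}

typedef struct {
    output_t out;          /* what the output element (PEo) may drive */
    int      discrepancy;  /* 1 if the two channels disagreed */
} vote_t;

/* Cross-comparison of the two channels (1oo2 voting). Each channel gets its
 * own input sample (PEi1/PEi2). RUN is released only if both channels agree
 * on RUN; a trip demand from either channel, a disagreement between the
 * channel results, or input samples that differ by more than max_skew all
 * drive the safe state. */
vote_t vote_1oo2(int32_t temp_ch1, int32_t temp_ch2, int32_t max_skew)
{
    vote_t v = { OUT_SAFE_STATE, 0 };
    int32_t diff = temp_ch1 - temp_ch2;
    if (diff < 0)
        diff = -diff;
    if (diff > max_skew) {             /* PEi1 and PEi2 disagree */
        v.discrepancy = 1;
        return v;
    }
    sf_result_t r1 = channel1_compute(temp_ch1);
    sf_result_t r2 = channel2_compute(temp_ch2);
    if (r1 != r2) {                    /* PEc1 and PEc2 disagree */
        v.discrepancy = 1;
        return v;
    }
    v.out = (r1 == SF_RUN) ? OUT_RUN : OUT_SAFE_STATE;
    return v;
}

int main(void)
{
    vote_t a = vote_1oo2(800, 801, 5);   /* both RUN, inputs consistent */
    vote_t b = vote_1oo2(900, 900, 5);   /* both demand TRIP */
    vote_t c = vote_1oo2(849, 852, 5);   /* results straddle the limit */
    vote_t d = vote_1oo2(800, 700, 5);   /* input channels disagree */
    printf("a: out=%d discrepancy=%d\n", a.out, a.discrepancy);
    printf("b: out=%d discrepancy=%d\n", b.out, b.discrepancy);
    printf("c: out=%d discrepancy=%d\n", c.out, c.discrepancy);
    printf("d: out=%d discrepancy=%d\n", d.out, d.discrepancy);
    return 0;
}
```

Note that case c reaches the safe state even though neither channel is faulty: the two samples straddle the limit, so the comparison cannot tell a fault from a borderline reading and resolves conservatively. Keeping the skew tolerance tight and the trip decision hysteresis-free is a design choice; a real system would typically also count discrepancies over a time window before declaring a permanent fault.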
STM32MP1 MPU dual Cortex-A7 and Cortex-M4 Safety Concept

Safety function implementation confined to the Cortex-M4 real-time side.

Non-safe partition: Cortex-A7 (up to 800 MHz). Coexistence with non-safety-related software on the Cortex-A7 (e.g. Linux) is possible.
Safe partition: Cortex-M4 (up to 209 MHz) with dedicated RAM and peripherals; execution of the self-test library (X-CUBE-STL for STM32MP1).

Hardware- and software-based separation between the two partitions.

More details in UM2714 STM32MP1 Series safety manual
ASIL Functional Safety Package

STM8A-SafeASIL Functional Safety Package

Reduce time and cost to build ASIL A/B STM8A-based systems certified to the ISO 26262 automotive functional safety standard.

[Figure: package stack]
Customer development
+ Specification for Self-Test Library
+ Safety documentation
+ MCU safety features
+ Product portfolio STM8A
+ ST quality foundations

Visit www.st.com/stm8safety
STM8A-SafeASIL safety documentation

Safety manual: detailed list of safety requirements and examples to support STM8AF and STM8AL use in applications that need to fulfill functional safety requirements as defined by automotive safety integrity level ASIL B of ISO 26262. Available for the STM8AF and STM8AL series for free download on www.st.com/stm8safety

FMEA: detailed list of MCU failure modes and the related mitigation measures adopted.

FMEDA: static snapshot reporting ISO 26262 failure rates, computed at both MCU and basic-function detail levels. Available on demand for STM8AF and STM8AL (*). Ask your local ST contact.

(*) subject to NDA
STM8A-SafeASIL specification for self-test library

AN5482: full list of detailed safety requirements enabling STM8AF and STM8AL users to realize, within their ISO 26262-compliant software development process, the software self-test library required by the STM8AF or STM8AL safety manual to support applications up to ASIL B.
The quality of the specification document allows its direct use in a development process compliant with ISO 26262-6 requirements.
The specification includes the evidence and rationale behind the generation of the safety requirements, for the completeness of the end-user safety case.
Application independent: can be used in potentially any end-user application.

Available on demand for the STM8AF and STM8AL series (*). Ask your local ST contact.
(*) subject to NDA
CLASS B Functional Safety Package

ClassB functional safety package for STM32 and STM8 MCUs

Reduce time and cost to build STM32- and STM8-based systems certified to the IEC 60335-1 and 60730-1 household electrical appliance safety standards.

• Certified ST self-test libraries
• Optimized code
• Safety manuals (guidelines and examples)
• For STM32: support of IAR™ EWARM, Keil® MDK-ARM and STM32CubeIDE
• Worldwide standards coverage (IEC, UL and CSA)
ClassB functional safety package for STM32 and STM8 MCUs

Package name: X-CUBE-CLASSB
  Series covered:
    V2.2.0 - STM32F0, F1, F3, F2, F4, F7, STM32L0, L1, L4
    V2.3.0 - STM32G0, G4, WB, H7 single core
    V2.4.0 - STM32L5
    V3.0.0, 3.0.1 - STM32H7 dual core
    V4.0.0 - STM32U5, STM32C0, STM32G0
  Supported development environments: IAR Embedded Workbench®, Arm Keil®, STM32CubeIDE
  Certification: UL @ 2016-2021; IEC 60335-1 and 60730-1; IEC, UL and CSA international standards coverage
  Safety manual (guidelines): AN4435

Package name: STM8-SafeClassB
  Series covered: STM8AF, STM8AL, STM8L, STM8S
  Supported development environments: IAR Embedded Workbench®, Cosmic®
  Certification: UL & VDE @ 2018; IEC 60335-1 and 60730-1; IEC, UL and CSA international standards coverage
  Safety manual (guidelines): AN3181
ClassB safety manuals

Guidelines and examples for STM32 and STM8 users to achieve Class B certification in compliance with IEC 60335-1 and 60730-1.
Functional Safety Packages summary

Functional Safety Packages for STM32 & STM8 MCUs

X-CUBE-STL
  MCU support: STM32
  Achievable safety standards: IEC 61508
  Package content: safety documentation, self-test libraries

STM8A-SafeASIL
  MCU support: STM8A
  Achievable safety standards: ISO 26262
  Package content: safety documentation, self-test library specification

X-CUBE-CLASSB
  MCU support: STM32
  Achievable safety standards: IEC, UL, CSA 60335-1 / 60730-1
  Package content: safety documentation, self-test libraries

STM8-SafeCLASSB
  MCU support: STM8
  Achievable safety standards: IEC, UL, CSA 60335-1 / 60730-1
  Package content: safety documentation, self-test libraries
Functional Safety Ecosystem

Get support from ST authorized partners

Reduce your project time and cost across the whole flow: safety requirements → HW & SW design → validation → certification, backed by functional safety expertise.
Functional safety authorized partners
• Embedded software development or design services
• Engineering, consulting, training
• Software development tools
ARM

Arm Compiler for Functional Safety

ARM

Arm FuSa RTS: Run-Time System for Functional Safety

Embedded Office

5 Steps to Your Safety Platform

1. Safety concept: analyze system needs and provide a safety concept
2. Select software: ST microcontroller & Embedded Office products, or whatever the system needs
3. Set up safety platform: integrate software components and realize missing parts
4. Pre-certification: harmonize safety manuals, certify remaining parts, assessment with authority
5. Long-term maintenance: active functional safety management, workshops and training
Embedded Office

• Safety & cyber security engineers: TÜV Rheinland certified engineers
• 300+ successful customer projects: aerospace, industrial, automotive, rail, medical
• 70+ satisfied customers worldwide: products, development services, mentoring
• Certified software components: safety RTOS, safety add-ons, HW self-tests
embeX

Development of Turn-Key Certified Products

System engineering across the main industrial sectors: software, hardware, mechanics, certification, production, product life cycle management.

More than 150 experts - 20 years of experience
embeX

Recognized Company in Functional Safety Worldwide

• TÜV Rheinland awarded the first Functional Safety Management (FSM) certificate with the highest
maturity level (5) to embeX

• Offering
• Development of certified turnkey safety products and subsystems
• Transfer of development processes and know-how to customers
• Consulting

embeX

Cyber Security is an essential Prerequisite for Safety

Thus, embeX offers:
• Risk analysis
• Consultancy
• Developments achieving SIL 3 (IEC 61508) and SL 4 (IEC 62443)
• Verification including pen tests and fuzzing

Further information:
https://www.embex-engineering.com/en/competencies-technologies/safety-security/
IAR Systems

IAR Embedded Workbench for safety-critical applications

Innotec

Our obsession is SafeWare Engineering!

MESCO

Our range of services: Factory & Process Automation

MESCO

Our offering: Your success is our driving force

MESCO

MESCO Safety Design Packages

ST solutions

Microsoft

Azure RTOS Functional Safety

Azure RTOS ThreadX & ThreadX SMP: a high-performance real-time operating system
Azure RTOS NetX and NetX Duo: a TCP/IP IPv4/IPv6 embedded network stack that includes cloud connectivity and the IPsec and TLS/DTLS security protocols
Azure RTOS FileX: an embedded FAT file system that offers optional fault-tolerant features
Azure RTOS GUIX Studio and GUIX: a complete design environment and run-time to create and maintain 2D graphical user interfaces
Azure RTOS USBX: a USB stack that provides host, device, and on-the-go support
Microsoft

Azure RTOS Functional Safety

• ThreadX, FileX, GUIX, NetX Duo, USBX pre-certified by TÜV to IEC 61508 SIL 4, IEC 62304 Class C, ISO 26262 ASIL D, EN 50128 SW-SIL 4, UL 1998, UL/IEC 60730, UL/IEC 60335
• Azure RTOS pre-certification covers the generic C code
• Same source code whether or not certification is needed
• Pre-certification artifacts are licensed separately
NewTec

NTSafetySolutions

NewTec

NTSafeFlex STM32

Reduce cost and time-to-market of your safety application development with the NTSafeFlex STM32 evaluation board and Safety Software Library.

• The board is based on two STM32G070 with an additional software library for functional safety solutions up to SIL 3 and PL e, Cat. 4.
• Typical applications: safety control logic, motor supervision, general safety applications with modest performance requirements, etc.
SCIOPTA

SCIOPTA RTOS

SAFE: SCIOPTA RTOS is designed with safety in mind.
CERTIFIED: SCIOPTA RTOS is certified according to the following standards: IEC 61508 (SIL 3), EN 50128/50129 (SIL 3/4) and ISO 26262 (ASIL D).
MIGRATION NON-SAFE – SAFE: SCIOPTA RTOS' certified API does not differ from the non-certified version. All system calls are certified.
FAST: SCIOPTA RTOS is tailored to the specific CPU, exploiting all its features to provide short latencies, small overhead and deterministic execution.
SMALL: SCIOPTA RTOS is designed to be compact while still offering a wide range of system calls to enable almost any kind of application.
DYNAMIC: SCIOPTA RTOS can be used in a completely dynamic manner so that the application can react to upcoming needs.
SCHEDULING: SCIOPTA RTOS uses pre-emptive scheduling based on priorities and round-robin scheduling with optional time slice.
EASY TO USE: SCIOPTA RTOS hides many of the burdens other RTOSs put on the developer. A set of six system calls is sufficient for 80% of an application.
FUTURE PROOF: SCIOPTA RTOS's asynchronous direct message passing fits future challenges like many-core SoCs or distributed systems perfectly.
USE CASES: SCIOPTA RTOS is successfully used in different areas like automotive, defense, railway, medical, industrial automation and consumer electronics.
SEGGER Microcontroller

embOS-Safe

Deployed and proven in several billion devices: embOS is deployed in several billion devices and is a proven choice for embedded products. It has been deployed in all kinds of applications, such as home appliances, IoT, transportation, industrial, medical or automotive.
  ▪ Medical
  ▪ Industrial
  ▪ Home appliances
  ▪ Transportation
  ▪ Automotive
  ▪ and more

More than 27 years of continuous development: SEGGER started to offer embOS in the early 90s as a product and has continued to develop the RTOS and add device support until today. It has become the core for SEGGER's own products as well as a multitude of customer products.

Easy transition from standard to certified: while any application benefits from a reliable operating environment, in some cases proof in the form of certification is required. In markets where certification might become a requirement, embOS is the ideal choice, as it uses the same code base as embOS-Safe, making a later conversion as easy as possible.

embOS features:
  • Guarantees 100% deterministic real-time operation
  • Highest performance with lowest use of memory
  • Powerful and easy to use API
  • Kernel awareness plugins available
  • Zero interrupt latency
  • Cycle-precise system time
  • MadeForSTM32

SEGGER Microcontroller

embOS-Safe

Safety with certificate: TÜV Süd has verified the embOS development process and confirms that embOS-Safe is ideally suited as a fundamental component for safety products. embOS-Safe is certified for functional safety according to IEC 61508 SIL 3 and IEC 62304 Class C. embOS is labelled MadeForSTM32.

Consistent interface: the Application Programming Interface (API) is unchanged in relation to embOS. Therefore existing software parts can be (re-)used easily. This helps to use embOS-Safe in existing applications.

Certification kit: the embOS-Safe certification kit includes all necessary documents, including the comprehensive embOS Safety Manual.

One-stop solution: the certified RTOS embOS-Safe is also available for SEGGER's IDE Embedded Studio, offering a one-stop solution. Naturally, embOS-Safe is fully suited for usage with SEGGER's extensive portfolio of middleware, debug probes and production tools, too.
Tuxera

Tuxera Certifiable SafeTCPIP™ Stack

A complete TCP/IP v4 stack for safety-critical automotive, industrial, or medical embedded systems. SafeTCPIP™ is developed to the ISO 26262 ASIL B standard, and mappable to other standards such as IEC 61508 and IEC 62304.
• The stack is suitable for integration into any system that requires a high level of safety integrity
• Supports TCP, UDP, ARP, ICMP, IGMP, sockets, and Ethernet interface
• Built with Tuxera's software SEooC development process
• Advanced extra modules: IPsec/IKEv2, MACsec, MQTT, TLS, EAPoL, SNMP, SSH, HTTP, FTP, NTP, EST, and many more
• CryptoCore™ software feature supports AES, Base64, ChaCha20, MD5, RSA, SHA, and others (note that Base64 is an encoding, not a cryptographic primitive, and MD5 is no longer collision-resistant; neither should be relied on for integrity or authentication)
• Supports STMicroelectronics STM32 microcontroller series
• Integrates with both RTOS and non-RTOS based systems
Tuxera

SEooC: Reusing Embedded Software in Safety-Critical Systems

• A SEooC (Safety Element out of Context) is a method for using software or hardware components in a vehicle that were not originally designed for that specific project
• Developed to a safety standard, such as ISO 26262, which means that it is developed with all the processes of a full software safety life cycle and within the design constraints of a safety system
  • "Safety" indicates that this module is specifically developed in the context of a set of safety requirements
  • "Element" indicates that this is a unit or module with a specific range of functionality
  • "out of Context" means that the software component is developed to provide a specific function, with no awareness of how the component will actually be used in the target system
• Tuxera is the first embedded software module vendor to use the SEooC approach to build commercial software elements, beginning with its SafeTCPIP product

More information: https://www.tuxera.com/products/safetcpip/
WITTENSTEIN high integrity systems

SAFERTOS®: safety critical RTOS

SAFERTOS® is a pre-certified safety Real Time Operating System (RTOS) for embedded processors. It delivers superior performance and dependability, whilst utilizing minimal resources.

SAFERTOS is a safety critical upgrade to FreeRTOS:
• Based on the FreeRTOS functional model
• Rebuilt to comply with SIL 3 requirements
• No open source code

100% success rate certifying with TÜV SÜD across industry sectors:
• Industrial: IEC 61508
• Automotive: ISO 26262
• Medical: IEC 62304 / FDA 510(k)
• Railway: EN 50128

SAFERTOS can be found in:
• Dialysis machines
• Prostheses
• Control systems found on trains
• Safety critical servo controllers
• Industrial control systems and many more
WITTENSTEIN high integrity systems

SAFERTOS Support for ST

SAFERTOS supported platforms:
• STM32F3, STM32F4, STM32L4 (Arm Cortex-M4)
• STM32F2, STM32F1, STM32L1, STM32W (Arm Cortex-M3)
• STM32F0 (Arm Cortex-M0)
• STM32F7, H7 (Arm Cortex-M7)
• STM32H7 dual core (Arm Cortex-M7 & Arm Cortex-M4)

SAFERTOS supports:
• X-CUBE-STL
• STM32Cube embedded software
• STM32 SIL Functional Safety Package
• Secure boot

SAFERTOS demos for ST are available: 30-day evaluation packages with full source code on request.

Free white paper: based on the X-CUBE-STL Functional Safety Package. Free to download.
WITTENSTEIN high integrity systems

WITTENSTEIN high integrity systems standard offer

WITTENSTEIN high integrity systems (WHIS) are safety RTOS specialists, part of The WITTENSTEIN Group. WHIS specialize in high integrity and safety critical embedded systems design.

SAFERTOS® standard offer:
• Royalty-free, perpetual source code licensing
• 12 months free support & maintenance
• Design Assurance Pack
• Safety components
• Middleware
• Tools
• Smooth path to certification

WHIS also offer board support packages, training courses, training & support, and more.
Find out more at www.st.com/functionalsafety

© STMicroelectronics - All rights reserved.


ST logo is a trademark or a registered trademark of STMicroelectronics International NV or its affiliates in the EU and/or other countries.
For additional information about ST trademarks, please refer to www.st.com/trademarks.
All other product or service names are the property of their respective owners.