

# STM32WL series UL/CSA/IEC 60730-1/60335-1 self-test library user guide

## Introduction

This document applies to the X-CUBE-CLASSB self-test library set for the STM32WL series dual-core microcontrollers that include Arm® Cortex®-M0+ and M4 cores. Order code X-CUBE-CLASSB-WL.

Safety has an essential role in electronic applications. The level of safety requirements for components is steadily increasing and, manufacturers of electronic devices include many new technical solutions in their designs. Techniques for improving safety are continuously evolving, and are regularly incorporated into updated versions of the safety standards.

The current safety recommendations and requirements are specified in worldwide standards issued by various authorities. These include: the international electro-technical commission (IEC), Underwriters laboratories (UL), and the Canadian standards association (CSA) authorities.

Compliance, verification, and certification are the focus of the certification institutes. These include: the German TUV and VDE (mostly operating in Europe), and the UL and the CSA (targeting mainly the USA and Canadian markets).

Standards related to safety requirements have a very wide scope. These safety standards cover many areas such as: classification, methodology, materials, mechanics, labeling, hardware, and software testing. Here, the target is just compliance with the software requirements when testing programmable electronic components, which form a specific part of the safety standards. These requirements are exceptionally subject of any change when a new upgrade of the standard is released. Also, there is significant similarity across commonly oriented safety standards that concern the testing of generic parts of microcontrollers, such as the *CPU* or memories.

The library presented in this document is based on a partial subset of testing modules developed and applied by ST to satisfy the stringent IEC 61508 industrial safety standard requirements. These modules are adapted to fulfill the IEC 60730 standard targeting household safety. That is why this new library adopts a different delivery format to that was used for previous releases. This format is derived from the industrial safety library, which is currently delivered as a black box pre-compiled object with no sources but with a clear outer interface definition. The advantage of this immutable solution is that it is compilation tool-chain agnostic. It is also independent of any other firmware such as *HAL*, *LL*, or *CMSIS* layer. This solution prevents unexpected compilation results when source code files previously verified on older versions of the library are re-compiled later by any newer compiler version or combined with the latest firmware drivers. This is generally a common practice.

Table 1. Applicable product

| Part number   | Order code       |
|---------------|------------------|
| X-CUBE-CLASSB | X-CUBE-CLASSB-WL |





# 1 General information

# 1.1 Purpose and scope

This document applies to the X-CUBE-CLASSB self-test library set dedicated for STM32WL series dual-core microcontrollers that embed an Arm® Cortex®-M0+ and an Arm® Cortex®-M4. This X-CUBE-CLASSB-WL expansion package provides includes two application-independent software test libraries, one dedicated to Arm® Cortex®-M0+ and one dedicated to Arm® Cortex®-M4 to comply with the UL/CSA/IEC 60730-1 safety standard. The UL/CSA/IEC 60730-1 safety standard targets the safety of automatic electrical controls used in association with household equipment and similar electronic applications.

The main purpose of this software library is to facilitate and accelerate:

- user software development
- certification processes for applications which are subject to the associated requirements and certifications.

The X-CUBE-CLASSB-WL expansion package runs on the both the Cortex®-M0+ and Cortex®-M4 embedded in the STM32WL series dual-core microcontrollers.

arm

Note: Arm is a registered trademark of Arm limited (or its subsidiaries) in the US and/or elsewhere.

The version of the application-independent software test libraries, self-test libraries, available in the X-CUBE-CLASSB-WL expansion package (and associated to this manual), STL\_Lib\_cm0plus.a and STL Lib cm4.a files, is V4.0.0

# 1.2 Reference documents

- [1] UM2814, STM32WL Series safety manual dedicated for applications targeting industrial safety
- [2] AN4435, Guidelines for obtaining UL/CSA/IEC 60730-1/60335-1 Class B certification in any STM32 application dedicated to older versions of this library

UM3191 - Rev 1 page 2/62



## 2 STM32Cube overview

### 2.1 What is STM32Cube?

STM32Cube is an STMicroelectronics original initiative to improve designer productivity significantly by reducing development effort, time, and cost. STM32Cube covers the whole STM32 portfolio.

STM32Cube includes:

- A set of user-friendly software development tools to cover project development from conception to realization, among which are:
  - STM32CubeMX, a graphical software configuration tool that allows the automatic generation of C initialization code using graphical wizards
  - STM32CubeIDE, an all-in-one development tool with peripheral configuration, code generation, code compilation, and debug features
  - STM32CubeCLT, an all-in-one command-line development toolset with code compilation, board programming, and debug features
  - STM32CubeProgrammer (STM32CubeProg), a programming tool available in graphical and command-line versions
  - STM32CubeMonitor (STM32CubeMonitor, STM32CubeMonPwr, STM32CubeMonRF, STM32CubeMonUCPD), powerful monitoring tools to fine-tune the behavior and performance of STM32 applications in real time
- STM32Cube MCU and MPU Packages, comprehensive embedded-software platforms specific to each microcontroller and microprocessor series (such as STM32CubeWL for the STM32WL series), which include:
  - STM32Cube hardware abstraction layer (HAL), ensuring maximized portability across the STM32 portfolio
  - STM32Cube low-layer APIs, ensuring the best performance and footprints with a high degree of user control over hardware
  - A consistent set of middleware components such as RTOS, FAT file system, LoRaWAN<sup>®</sup>, Sub-GHz PHY, Sigfox<sup>™</sup>, KMS, secure engine, and mbed-cryptoRTOS, USB, and graphics
  - All embedded software utilities with full sets of peripheral and applicative examples
- STM32Cube Expansion Packages, which contain embedded software components that complement the functionalities of the STM32Cube MCU and MPU Packages with:
  - Middleware extensions and applicative layers
  - Examples running on some specific STMicroelectronics development boards

# 2.2 How does this software complement STM32Cube?

The software expansion package extends STM32Cube by a middleware component to manage specific software-based diagnostics.

The package provides a generic starting point to help a user to build and finalize application specific safety solutions. It consists of:

- *STL*: the self-test library. This provides a binary and some source code to manage the execution of generic safety tests for the microcontroller. The *STL* is a standalone unit, which runs independently from any STM32 software. It collects the self-tests for generic components of the microcontroller.
- User application: This is an *STL* integration example based on a set of STM32Cube drivers extending the *STL* by an application specific test. This part is delivered as full source code to be adapted or extended by calling of additional application specific modules defined by end user. The example can be used for the library testing including artificial failing support of all the provided modules.

UM3191 - Rev 1 page 3/62



## 3 STL overview

The following *STL* overview is exactly the same for the Arm<sup>®</sup> Cortex<sup>®</sup>-M0+ and for the Arm<sup>®</sup> Cortex<sup>®</sup>-M4. There is a dedicated *STL* library for the Arm<sup>®</sup> Cortex<sup>®</sup>-M0+ running on the Arm<sup>®</sup> Cortex<sup>®</sup>-M0+, and a dedicated *STL* library for the Arm<sup>®</sup> Cortex<sup>®</sup>-M4 running on the Arm<sup>®</sup> Cortex<sup>®</sup>-M4.

The *STL* is an application-independent software test library released by STMicroelectronics. The aim is to provide the implementation of a relevant subset of safety mechanisms required by the "Class B" related safety standards applicable to STM32WL series dual-core microcontrollers. The *STL* is an *HAL / LL* independent library, dedicated to these dual-core microcontrollers. The *STL* is a compilation tool chain-agnostic, so any standard C-compiler can compile it.

The *STL* is an autonomous software. It executes, on application-demand, selected tests to detect hardware issues, and reports the outcomes to the application.

The *STL* is delivered partly in object code (for the library itself) and partly in source code for the user interface definitions and the user parameter settings.

### 3.1 Architecture overview

The *STL* dedicated for the Arm<sup>®</sup> Cortex<sup>®</sup>-M0+ core tests the Arm<sup>®</sup> Cortex<sup>®</sup>-M0+ and its embedded memories. The *STL* dedicated for the Arm<sup>®</sup> Cortex<sup>®</sup>-M4 core tests the Arm<sup>®</sup> Cortex<sup>®</sup>-M4 and its embedded memories. As shown in the figure below, a system architecture with an end-user application integrating the *STL* is composed of:

- User application (indicated in light blue)
- User parameters (indicated in light blue)
- STL scheduler (indicated in yellow): directly accessible by the user application via user APIs (not going through HAL / LL)
- STL internal test modules: called by the STL scheduler (not visible to the user application).

The STL status information returned to the user application at API level (summarized in Table 2) is:

- Function return value collects result of internal defensive programming checks.
- Test module result value stores the test result information. This partially corresponds to internal status of the module (see Section 7.3 State machines).

UM3191 - Rev 1 page 4/62





Figure 1. STL architecture

The STL also allows the developer to:

Use the artificial-failing feature. The developer can check the application behavior by forcing the *STL* to return a requested test-result value. This feature is available through the specific user API.

The safety concept for STM32WL dual-core microcontrollers imposes additional requirements to the individual execution of the *STL*. An example how to exchange the *STL* results between the two CPUs via HSEM peripheral is provided at the integration project example. Refer to the STM32WL dual-core self-test library set safety manual [1] for guidance.

# 3.2 Supported products

The *STL* runs on the STM32WL series dual-core microcontrollers featuring the same design and integration of the Arm®Cortex®-M0+ and the Arm®Cortex®-M4 cores and their associated embedded memories.

UM3191 - Rev 1 page 5/62



# 4 STL description

This section describes basic information on the functionality and performance of the *STL*. The section also summarizes restrictions and mandatory actions to be followed by the end user.

# 4.1 STL functional description

Some test modules can temporarily mask interrupts. For more details, refer to Section 4.2.5 STL interrupt masking time and to Section 4.3.5 Interrupt management.

### 4.1.1 Scheduler principle

The scheduler is the API module needed by the user application to execute the STL.

The main scheduler:

- Must be initialized before being used
- Manages:
  - The initialization and deinitialization of the applied test modules
  - The configuration of the applied test modules
  - The reset of the applied test modules.
- Controls the execution of an applied test sequence (API calls)
- Manages "artificial failing" used for user debug and integration tests.
- Ensures the integrity of critical internal data structures via their specific checksums.

The scheduler controls the execution of the following tests:

- *CPU* tests: no specific initialization or configuration procedures of the *CPU* test module are required before any *CPU* test execution (see Section 7.2 User APIs and Figure 11).
- Flash memory tests operate on the content of the dedicated configuration structures defining subsets of the
  memory to be tested (see Section 7.1 User structures). These structures must be filled by the end user and
  the content maintained during both configuration and execution of the flash memory test. The test module
  initialization and configuration procedures are mandatory before any flash memory test execution, see
  Section 7.2 User APIs and Figure 12.
- RAM memory tests operate on the content of the dedicated configuration structures defining subsets of the memory to be tested (see Section 7.1 User structures). These structures must be filled by the end user and the content maintained during both configuration and execution of the RAM test. RAM test module initialization and configuration procedures are mandatory before RAM test execution, see Section 7.2 User APIs and Figure 13.

The *STL*, via the scheduler *API*, is called by the user in polling mode. The *STL* can be called under an interrupt context, but reentrance is forbidden. In such cases, the *STL* behavior cannot be guaranteed.

The user application has to consider all the returned information from the *STL*, provided via a specific predefined data structure collecting status information. See details in the following table.

UM3191 - Rev 1 page 6/62

Legend: STL User



| STL information                         | Value              | Description                                                                                                 |
|-----------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------|
|                                         | STL_OK             | Scheduler function successfully executed                                                                    |
| Function return value <sup>(1)</sup>    | STL_KO             | Scheduler defensive programming error (in this case the test result is not relevant)                        |
|                                         | STL_PASSED         | Test passed                                                                                                 |
|                                         | STL_PARTIAL_PASSED | Used only for memory testing, when test is passed, but end of memory configuration has not yet been reached |
| Test module result value <sup>(2)</sup> | STL_FAILED         | Hardware error detection by test module                                                                     |
|                                         | STL_NOT_TESTED     | Test not executed                                                                                           |
|                                         | STL_ERROR          | Test module defensive programming error                                                                     |

Table 2. STL return information

- 1. Refer to STL Status t definition in Section 7.1 User structures.
- 2. See STL\_TmSTatus\_t in Section 7.1 User structures.

The user application repeatedly applies the call control scheme illustrated in the following figure to program a sequence of API function calls and so handle the order of the test modules execution.



Figure 2. Single test control call architecture

### Scheduler and interrupts

The scheduler can be interrupted at any time.

## 4.1.2 CPU Arm® core tests

The *STL* includes the *CPU* test modules listed below, together with a generic description (for information only) of the test capability:

- TM1L: implements a light test pattern of general-purpose registers
- TM7: implements the pattern and functional tests of both stack pointers: MSP, and PSP
- TMCB: implements test of the APSR status register.

## Caution:

The *STL CPU* tests are partitioned in separated test modules. This is not intended to allow partial execution of the overall available *CPU TM*s. It is intended as a support feature to allow better *CPU* test scheduling in the enduser applications, for example timing constraints. By default, all available *TM*s are assumed to be executed.

UM3191 - Rev 1 page 7/62



# CPU Arm® core tests and interrupts

The CPU test modules are interruptible at any time. The TM7 one only applies masking interrupt during the smallest data granularity time. Refer to Section 4.3.5 Interrupt management for detailed information on CPU TM7 interrupt management.

#### **Dual-core information**

The STL\_ENABLE\_IT flag can either be activated individually on the Arm®Cortex®-M4 or Arm®Cortex®-M0+, or simultaneously on both Arm®Cortex® cores.

### 4.1.3 Flash memory tests

### **Principles**

The flash test concerns the embedded flash memory of STM32WL series.

The following structures must be respected to provide correct configuration of the flash memory test.

- Block: a contiguous area of 4 bytes (FLASH BLOCK SIZE), hard coded by STL.
- Section: a contiguous area of 1024 bytes (FLASH\_SECTION\_SIZE), hard coded by the STL. This has no
  link with the memory physical sector. The memory is partitioned in sections. The first section starts at the
  first address of the memory, and the following sections are contiguous with each other.
  The user must ensure proper calculation and placement of the CRC checksum for each section that is to
  be checked during the memory integrity test.
- Binary (named 'user program' in Figure 4): a contiguous area of code provided by the compiler. It starts at the beginning of a section. It usually ends with an incomplete section when the binary area size is not a multiple of the section size. In all cases, the binary must be 32-bit aligned (see ST CRC tool information below).
- Subset: a contiguous area of sections defined by the user. The user application can define one subset or several subsets. A subset has to be defined within a binary area. Its start address has to be aligned with the beginning of a section. It can only include sections with the corresponding precalculated CRC values. When the last section of a subset is the last part of the binary, the section may be incomplete. The user application has to align the end of the subset with the end address of the binary area. If a set of complete sections is tested exclusively, the subset end address has to be aligned with the end of the last-tested section.

The subset is calculated as follows:

Subset size = K \* FLASH\_SECTION\_SIZE + L \* FLASH\_BLOCK\_SIZE where:

- K is an integer greater than 0.
- 0 ≤ L < (FLASH\_SECTION\_SIZE / FLASH\_BLOCK\_SIZE) when L > 0 the last section of a binary is incomplete.

The user application defines single or multiple subsets as well as their associated test sequences.

The STL implements a test of the flash memory with the following principles (based on actual content of the user configuration structures):

- Tests are performed on sections of one or more subsets defined by the user application.
- Tests are performed either in a row (one shot) or partially in a single atomic step for a number of sections
  defined by the user application.
- Test results are based on a *CRC* comparison between the computed *CRC* value (calculated during test execution) and an expected *CRC* value (calculated before software binary flashing).

The mandatory steps (for the user application) to perform flash memory tests are:

- Test initialization
- Configuration of one or more subsets
- Execution of the test.

Once all subsets are tested, the user needs to reset the flash memory test module to perform the test again.

In the case of an STL\_ERROR / STL\_FAILED test result, the test module is stuck at the failed memory subset. In this case, deinitalize, initialize and reconfigure the flash memory test prior to running it again.

UM3191 - Rev 1 page 8/62



## **Expected CRC precalculation**

The flash memory test is based on the built-in hardware *CRC* unit or software *CRC*, which is configurable by a flag. The default configuration is with the hardware *CRC*. To use the software *CRC*, the flag STL\_SW\_CRC must be enabled as defined in step 3 in Section 5.5.2 Steps to build an application from scratch. The *CRC* is a 32-bit *CRC* compliant with IEEE 802.3.

Part of the flash memory is reserved for the *CRC* dedicated area, the size of which depends on the flash memory size. This area has a field format where each flash memory section has sufficient reserved space to store a 32-bit *CRC* pattern. The user must ensure that valid *CRC* patterns are calculated and stored in the fields for all the sections to be tested. This is shown in Figure 3.

One expected *CRC* value is precalculated for each contiguous section of a binary, from binary start to binary end. This means that the number of testable sections depends on the binary size. Commonly, the binary area is not aligned with the section size. In that case, the *CRC* check value of the last incomplete section is precalculated and tested exclusively over the section part that overlays the binary area.

## Preconditions:

- The user program areas have to start at the beginning of a section
- The boundaries of the user program areas must be 32-bit aligned.
- Depending on total flash memory size and on user program size, last program data and first CRC data may
  be both stored in the same flash section (without any overlap). In that case, the CRC must be computed on
  the user program data only, see example 3 in ..

#### ST CRC tool information

ST provides a *CRC* precalculation tool. This tool is available as a single feature inside the STM32CubeProgrammer (see Section 6.2.2 *CRC* tool set-up), which automatically fills the binary with padding bits (0x00 pattern) for a 32-bit alignment.

UM3191 - Rev 1 page 9/62



Flash memory

Figure 3. Flash memory test: CRC principle

CRC value (32-bit)

Flash memory section (1 Kbyte)

DT49041V2





Figure 4. Flash memory test: CRC use cases versus program areas

Use case descriptions illustrated in Figure 4:

- Example 1: the user program starts at the ROM\_START address, so CRCs are stored from the CRC START address.
- Example 2: the user program starts at the beginning of a section, but not at ROM\_START. The stored *CRC*s start at the right address of the *CRC* area.
- Example 3: the user program uses the full program area, so the last program data and the first *CRC* data are both stored in the same memory section (without any overlap).
- Example 4: the user program is defined in three separated areas. This requires three separated areas for the CRC data.

### CRC start address computation:

- Real calculation:
   CRC\_START address = (uint32\_t \*)(ROM\_END 4 \* (ROM\_END + 1 ROM\_START)/(FLASH\_SECTION\_SIZE) + 1); with FLASH\_SECTION\_SIZE = 1024
- Textual translation:
   CRC\_START = ROM\_END (CRC size in bytes) \* (number of the memory sections) + 1

## Flash memory test and interrupts

Flash memory *TM* is interruptible at any time.

UM3191 - Rev 1 page 11/62



#### **Dual-core information**

Each core has a dedicated flash area. The above flash memory test information applies to each core. This means that:

- There is a dedicated *CRC* area for the Arm<sup>®</sup>Cortex<sup>®</sup>-M0+ binary and a dedicated *CRC* area for the Arm<sup>®</sup>Cortex<sup>®</sup>-M4 binary.
- The flag STL\_SW\_CRC can be activated either individually on Arm®Cortex®-M0+ or on Arm®Cortex®-M4, or simultaneously on both Arm®Cortex® cores.

See STL user constraints in Section 4.3.4 CRC resources.

### 4.1.4 RAM tests

#### **Principles**

The RAM test concerns the embedded SRAM memories of STM32WL series.

The following structures must be respected to provide correct configuration of the RAM test.

- Block: a contiguous area of 16 bytes (RAM\_BLOCK\_SIZE), hard coded by the *STL* (no link with the memory physical sectors).
- Section: a contiguous area of 128 bytes (RAM\_SECTION\_SIZE), hard coded by the STL.
- Subset: a contiguous area, with the size being a multiple of two blocks and with a 32-bit aligned start address. A subset size is not necessarily a multiple of the section size, because the last part of a subset can be less than one section.
- Subset size = N \* RAM\_SECTION\_SIZE + 2 \* M \* RAM\_BLOCK\_SIZE, where:
  - N is an integer ≥ 0
  - M is an integer 0 ≤ M < 4, when M > 0, the size of the last partial subset not aligned with section size.

The user application defines single or multiple subsets as well as their associated test sequences.

The *STL* implements a RAM memory test with the following principles (based on actual content of the user configuration structures):

- RAM tests are performed on RAM blocks defined by the user application
- RAM tests are performed either in a row (one shot), or partially in a single atomic step for a number of sections defined by the user application
- The test implementation is based on the March C- algorithm

The mandatory steps (for the user application) to perform RAM tests are:

- Initialization of RAM test
- Configuration of one or more RAM subsets
- Execution of the RAM test

Once all subsets are tested, the application must reset the RAM test module in order to perform the test again. In the case of an STL\_ERROR / STL\_FAILED test result, the test module is stuck in the failed memory subset. In this case, deinitialize, initialize and reconfigure the RAM prior to running the test again.

### **RAM** test and interrupts

The RAM *TM* is interruptible at any time except during the execution of the smallest data granularity block as defined in Section 4.2.5 STL interrupt masking time. This is when the STM32 interrupts and Cortex® exceptions with configurable priority are temporarily masked by default. Refer to Section 4.3.5 Interrupt management for detailed information on interrupt management during RAM March-C tests.

## March C- test principle and memory backup principle

The RAM test is based on a March C- algorithm where memory is overwritten by specific patterns and then read back in a specific orders. To restore the initial memory content, a backup process is enabled by default. At this case, the user must allocate a specific backup area that is also tested by the March C- test. The backup process can be optionally disabled if it is not required. Refer to Section 4.3.8 RAM backup buffer for detailed information on the buffer control and allocation.

UM3191 - Rev 1 page 12/62



Available RAM for subset configuration

RAM\_END@

RAM\_END@

Figure 5. RAM test: usage

## **Dual-core information**

The above RAM test information applies to each core, and means that:

• The STL\_ENABLE\_IT compilation switch can be activated either individually on the Arm®Cortex®-M4 or on Arm®Cortex®-M0+, or simultaneously on both Arm®Cortex® cores.

RAM\_START@

• The STL\_DISABLE\_RAM\_BCKUP\_BUF compilation switch can be activated either individually on the Arm®Cortex®-M4 or on Arm®Cortex®-M0+, or simultaneously on both Arm®Cortex® cores.

See Section 4.3 STL user constraints in RAM test.

# 4.2 STL performance data

The data is obtained with the following test set-up:

- STL library compilation details, described in Application: compilation process.
- Projects for performance tests are compiled with IAR Embedded Workbench<sup>®</sup> for Arm<sup>®</sup> (EWARM) toolchain v9.30.1
- Compiled software configuration with:
  - HCLK clock set to 48 MHz for both Arm<sup>®</sup>Cortex<sup>®</sup>-M0+ and Arm<sup>®</sup>Cortex<sup>®</sup>-M4 cores
  - Flash memory latency set to two wait states
  - NUCLEO-WL55JC1 (MB1389 Rev E )

## 4.2.1 STL execution timings

A summary of the *STL* execution timings when an optimal default *STL* settings are applied is shown in the following table. The measurements for each *API* are detailed in Section 8 STL: execution timing details.

UM3191 - Rev 1 page 13/62



Table 3. Arm®Cortex®-M0+ STL execution timings, clock at 48 MHz

| Tested<br>module | Conditions                                                |                  | Result in<br>µs |
|------------------|-----------------------------------------------------------|------------------|-----------------|
| CPU              | TM1L, TM7, TMCB                                           |                  | 170             |
|                  | Default configuration /CTI_CW_CDC not analyzed            | 1 Kbyte tested   | 79              |
| Flash            | Default configuration (STL_SW_CRC not enabled)            | 17 Kbytes tested | 1016            |
| memory           | OTH OWN ODD                                               | 1 Kbyte tested   | 465             |
|                  | STL_SW_CRC enabled                                        | 17 Kbytes tested | 7641            |
|                  | Default configuration (neither                            | 128 bytes tested | 175             |
| RAM              | STL_DISABLE_RAM_BCKUP_BUF, nor STL_ENABLE_IT are enabled) | 32 Kbytes tested | 37522           |

Table 4. Arm®Cortex®-M4 STL execution timings, clock at 48 MHz

| Tested<br>module | Conditions                                                |                  | Result in<br>µs |
|------------------|-----------------------------------------------------------|------------------|-----------------|
| CPU              | TM1L, TM7, TMCB                                           |                  | 125             |
|                  | Default configuration (CTL CW CDC not analysed)           | 1 Kbyte tested   | 74              |
| Flash            | Default configuration (STL_SW_CRC not enabled)            | 17 Kbytes tested | 807             |
| memory           | CT OW CD                                                  | 1 Kbyte tested   | 351             |
|                  | STL_SW_CRC enabled                                        | 17 Kbytes tested | 5658            |
|                  | Default configuration (neither                            | 128 bytes tested | 140             |
| RAM              | STL_DISABLE_RAM_BCKUP_BUF, nor STL_ENABLE_IT are enabled) | 32 Kbytes tested | 28999           |

# 4.2.2 STL code and data size

The STL code and data sizes are detailed in the following table.

Table 5. Arm®Cortex®-M0+ STL code size and data size (in bytes)

| Configuration                              | Module                            | Flash memory code | Flash<br>memory RO-<br>data | R/W<br>data |
|--------------------------------------------|-----------------------------------|-------------------|-----------------------------|-------------|
| STL_SW_CRC not enabled,                    | stl_user_param_template_cm0plus.o | -                 | 4                           | 44          |
| and STL_DISABLE_RAM_BCKUP _BUF not enabled | stl_util_cm0puls.o                | 294               | 4                           | 8           |
|                                            | STL_Lib_cm0plus.a                 | 4656              | 1443                        | 184         |
| STL SW CRC enabled, and                    | stl_user_param_template_cm0plus.o | -                 | 4                           | 44          |
| STL_DISABLE_RAM_BCKUP                      | stl_util_cm0puls.o                | 150               | 2                           | 4           |
| _BUF not enabled                           | STL_Lib_cm0plus.a                 | 4656              | 1444                        | 184         |

Table 6. Arm®Cortex®-M4 STL code size and data size (in bytes)

| Configuration             | Module                        | Flash memory code | Flash memory<br>RO-data | R/W<br>data |
|---------------------------|-------------------------------|-------------------|-------------------------|-------------|
| STL_SW_CRC not enabled,   | stl_user_param_template_cm4.o | -                 | 6                       | 44          |
| and STL_DISABLE_RAM_BCKUP | stl_util_cm4.o                | 286               | -                       | 8           |
| _BUF not enabled          | STL_Lib_cm4.a                 | 4712              | 1456                    | 184         |

UM3191 - Rev 1 page 14/62



| Configuration                                 | Module                        | Flash memory code | Flash memory<br>RO-data | R/W<br>data |
|-----------------------------------------------|-------------------------------|-------------------|-------------------------|-------------|
| STL_SW_CRC enabled, and STL_DISABLE_RAM_BCKUP | stl_user_param_template_cm4.o | -                 | 6                       | 44          |
|                                               | stl_util_cm4.o                | 150               | -                       | 4           |
| _BUF not enabled                              | STL_Lib_cm4.a                 | 4712              | 1456                    | 184         |

### 4.2.3 STL stack usage

The minimum stack-available space required by the STL to execute available APIs is 200 bytes.

## 4.2.4 STL heap usage

The STL never uses dynamic allocation, therefore the heap size is independent of the STL.

# 4.2.5 STL interrupt masking time

The STM32 interrupts, and Cortex® exceptions with configurable priority, are masked multiple times by the *STL* during the execution of *CPU* TM7 and RAM tests. As shown in the following table, the maximum interrupt masking time is obtained for a RAM test.

Table 7. Cortex®-M0+ STL maximum interrupt masking information

| Tested module | Duration (max) in μs | Steps                                                                                                                                                |
|---------------|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
|               |                      | Each execution of STL_SCH_RunRamTM function performs a series of interrupt masking during partial steps of the test at the following time durations: |
| RAM 16        |                      | <ul> <li>16 μs for backup buffer +</li> <li>13 μs for the first RAM block to be tested</li> </ul>                                                    |
|               |                      | • 15 μs for each middle RAM block to be tested <sup>1</sup>                                                                                          |
|               |                      | • 13 μs for the last RAM block to be tested                                                                                                          |
| TM7           | 11                   | Masked twice for 11 μs                                                                                                                               |

<sup>1.</sup> Number of RAM blocks (multiple of two RAM\_BLOCK\_SIZE is required) involved with each RAM test execution depends on content of user structures (size of defined subset(s) versus atomic step – see Section 4.1.4 RAM tests).

Table 8. Cortex®-M4 STL maximum interrupt masking information

| Tested module | Duration (max)<br>in μs | Steps                                                                                                                                                |  |
|---------------|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|--|
|               |                         | Each execution of STL_SCH_RunRamTM function performs a series of interrupt masking during partial steps of the test at the following time durations: |  |
| RAM           | 13                      | <ul> <li>13 μs for backup buffer +</li> <li>11 μs for the first RAM block to be tested</li> </ul>                                                    |  |
|               |                         | <ul> <li>12 μs for each middle RAM block to be tested <sup>1</sup></li> <li>11 μs for the last RAM block to be tested</li> </ul>                     |  |
| TM7           | 9                       | Masked twice for 9 μs                                                                                                                                |  |

## 4.3 STL user constraints

The end user needs to consider interference between the application and the *STL*. The consequences of ignoring this are possible false *STL* error reporting, and/or application software execution issues.

Accordingly, to prevent any interference the application software and the *STL* integration must comply with each constraint listed in this section.

UM3191 - Rev 1 page 15/62



#### 4.3.1 Dual-core STL constraints

The *STL* relies on HW resources, RCC (see Section 4.3.3 RCC resources) and CRC (see Section 4.3.4 CRC resources), shared between the Arm<sup>®</sup>Cortex<sup>®</sup>-M0+ and Arm<sup>®</sup>Cortex<sup>®</sup>-M4 cores. This implies that applications running on each core must correctly manage these hardware resources to avoid conflicts.

For example, this is done using the semaphore (HSEM) as shown in the applications delivered in the release package to demonstrate the *STL* execution.

### 4.3.2 Privileged-level

The *CPU* TM7 and the RAM TM must be executed with privileged-level Arm<sup>®</sup>Cortex<sup>®</sup>-M0+ and Arm<sup>®</sup>Cortex<sup>®</sup>-M4 cores, in order to be able to modify certain core registers (for example the PRIMASK register).

### 4.3.3 RCC resources

During *STL* execution, the RCC is configured to always provide a clock to the *CRC* hardware module during *STL* initialization and optionally during *STL* Flash test module execution. This means that:

- when the STL returns, it restores the user RCC clock setting (enabled or disabled) for the CRC
- the user application should be careful when configuring the RCC during STL execution by saving/restoring the STL settings.

#### **Dual-core information**

In view of the above, when the user application runs on the same core as the *STL*, attention should be given to the RCC configuration. Moreover, even when the user application and the *STL* run on different cores, the *STL* might report false errors if one core updates the CRC clock setting in the RCC configuration while the other core executes *STL* tests. This constraint between the two cores can be removed by using SW CRC as described in Section 4.3.4 CRC resources, except for the STL\_SCH\_Init function, for which the HW CRC is used by default.

#### 4.3.4 CRC resources

The STM32 CRC hardware module is used during STL execution in two different cases:

- During execution of *STL* initialization (function STL\_SCH\_Init): The use of the *CRC* hardware module in this phase cannot be modified by the application software, so the STL\_SW\_CRC flag has no impact during execution of the STL\_SCH\_Init function.
- During execution of the flash memory test module, the application can choose between hardware and software calculation of the CRC checksums by means of the STL\_SW\_CRC flag. By default, hardware CRC is used (the STL\_SW\_CRC flag is disabled).

The use of hardware CRC means that:

- Before calling the STL, the user application must save the complete hardware CRC module configuration.
   The user configuration has to be restored after the STL execution.
- During the *STL* execution, the hardware *CRC* module is configured and used for *STL* needs (the user application must save/restore the *STL* settings when using the module outside of *STL* execution).

#### **Dual-core information**

In view of the above, when the user application runs on the same core as the *STL*, attention should be given to the HW CRC configuration. Moreover, even when the user application and the *STL* runs on different cores, the *STL* might report false errors if one core updates the HW CRC setting while the other core executes *STL* tests. Activation of the STL\_SW\_CRC flag can be used as a solution to avoid conflict on HW resources (RCC and CRC) at the core or between them, except for the STL\_SCH\_Init function, for which the HW CRC is used by default. The STL\_SW\_CRC flag can be activated either individually on the Arm®Cortex®-M0+ or Arm®Cortex®-M4 or on both simultaneously.

### 4.3.5 Interrupt management

#### **Dual-core information**

The STL disables STM32 interrupts and  $Cortex^{®}$  exceptions with configurable priority only on the core that runs the STL.

UM3191 - Rev 1 page 16/62



### Escalation mechanism - Arm® Cortex® behavior reminder

When the *STL* disables STM32 interrupts, and Cortex<sup>®</sup> exceptions with configurable priority, remember that an Arm<sup>®</sup> Cortex<sup>®</sup> escalation to HardFault might occur. In this case, the HardFault handler is called instead of the fault handler.

### **Interrupt and CPU TM7**

By default, the STM32 interrupts and Cortex<sup>®</sup> exceptions with configurable priority are temporarily masked during the *CPU* TM7 execution within smallest data granularity (a few instruction blocks), except if the user application activates the STL\_ENABLE\_IT compilation switch (see Section 5.5.2 Steps to build an application from scratch). If the STL\_ENABLE\_IT flag is activated, the correct STL CPU TM7 behavior is not guaranteed. The end user is responsible for managing interferences between the *STL* and its application software that could lead the *STL* to generate false test error reporting or not to detect hardware failures.

#### **Interrupt and RAM March C-tests**

By default, the STM32 interrupts and Cortex<sup>®</sup> exceptions with configurable priority are masked during the *RAM* March C- tests, except if the user application activates the STL\_ENABLE\_IT compilation switch (see Section 5.5.2 Steps to build an application from scratch).

If the STL\_ENABLE\_IT flag is activated:

- The correct STL RAM test behavior is not guaranteed, as the application may overwrite the STL-tested RAM content during its interrupt treatment. The end user is responsible for managing interferences between the STL and its application software that could lead the STL to generate false RAM test error reporting.
- The behavior of the user application software can be compromised. Wrong data may be read or used from *RAM* locations that are being modified by the *STL* March C- test.

## Interrupt and general purpose registers

During *STL* execution, the application must save and restore the general-purpose registers in the STM32 interrupt and Cortex<sup>®</sup> exception with configurable priority service routine to ensure correct *STL* behavior and prevent any false error reporting.

## How STL masks the interrupts

To mask the interrupts, the *STL* sets the PRIMASK register bit to 1. Setting this bit to 1 boosts the current execution priority to 0, preventing the activation of all exceptions with configurable priority. Thus when the current execution priority is boosted to a particular value, all exceptions with a lower or equal priority are masked.

## 4.3.6 DMA

The application must manage the DMA to avoid unwanted accesses to the RAM bank during the *STL* March C-test. In this case:

- DMA writes can disturb the STL test causing false error reporting
- DMA reads can return wrong data due to STL overwrites to DMA dedicated RAM sections.

### 4.3.7 Supported memories

The STL memory tests provided (Flash TM and RAM TM) must only be executed on STM32 internal embedded memories.

## 4.3.8 RAM backup buffer

The backup process is enabled by default during RAM tests to preserve the RAM content. The user must then reserve a specific area for the RAM backup buffer at compilation time which must be allocated outside RAM subset configuration. There is only one RAM backup buffer defined for the test. The RAM backup buffer area is also tested by the March C- algorithm each time a RAM run test is called (prior to any subset defined by the user is tested).

UM3191 - Rev 1 page 17/62



The backup process can be optionally disabled either permanently by activating the compilation switch STL\_DISABLE\_RAM\_BCKUP\_BUF (see Section 5.5.2 Steps to build an application from scratch) or temporarily suppressed by specific control sequence (see note below). In this case, it is the resposibility of the end-user to guarantee that the application software does not consume data destroyed by the March C- test. This option can be used to speed up testing of those RAM areas where users do not need to preserve the memory content.

Note:

For a temporary suppression of the RAM backup buffer, the user must follow a set sequence:

- 1. Change the STL\_pRamTmBckUpBuf variable value to overwrite it by NULL, while keeping a backup of the original value (default value stored by the STL).
- 2. The RAM test must then be restarted. To do so the user can use one of the APIs which force the RAM test into either RAM IDLE or RAM INIT state (see state diagrams in Section 7.3 State machines).

To remove the backup suppression, the user must perform the same steps as above while restoring the default value of STL pRamTmBckUpBuf to its original value and reinitialize the RAM test.

#### **Dual-core information**

The user application of one core should be careful to define RAM subsets with RAM addresses either:

- Not shared with the other core
- Shared with the other core, in which case the other user application must not modify the content of the shared RAM subset addresses during STL execution. This option is not recommended because of its potential complexity.

# 4.3.9 Memory mapping

Due to the RAM test module and March C method design, the user must ensure that the "read only" data of the *STL* is located in the flash memory. This must be done via a proper adaptation of the associated linker file . The examples below are for EWARM and STM32CubeIDE.

#### **EWARM** .icf file adaptation example

```
place in ROM region { readonly };
```

#### STM32CubeIDE.ld file adaptation example

```
.rodata : {
.....
} >ROM
```

Note:

Usually the default configuration locates "read only" data in flash memory.

#### 4.3.10 Processor mode

The *STL CPU* TM7 must be executed in thread mode in order to set the active stack pointer to the process stack pointer. If the *STL* is not executed in thread mode, the *CPU* TM7 returns STL\_ERROR.

## 4.4 End-user integration tests

This section describes the mandatory tests to be executed by the end user during the verification phase. These tests guarantee that the *STL* is correctly integrated in the application software.

## 4.4.1 Test 1: correct STL execution

The end user must use the expected function-return value and the expected test-module result value (see Section 7.2 User APIs) to check that each planned diagnostic function has been correctly executed. This concerns both the test modules execution and all their configuration actions.

UM3191 - Rev 1 page 18/62



# 4.4.2 Test 2: correct STL error-message processing

The end user must check that any error information produced by the *STL* function-return and test-module result values is correctly interpreted as unexpected behavior, and correctly handled in its application software. Error information refers to values different to the expected value, see Section 7.2 User APIs). During the verification, the artificial-failing feature must be used to emulate the generation of incorrect test-module result values related to associated individual software diagnostics (*CPU* tests, RAM test, flash memory test), for each of the individual functions used.

This process cannot be considered as an exhaustive simulation of actual *CPU* failures on real devices but rather a testing interface of the implemented *API*s.

Note:

Some certifying bodies may require exhaustive simulation to demonstrate STL capability to capture corruption of STM32 registers or memories injected intentionally during debugging the STL code. To perform these tests is practically impossible for any end user due to STL object delivery format. This specific testing was done for all the provided TMs during the STL certification process and its passing is recorded at internal test reports and guaranteed by the valid certificate issued for this ST firmware.

UM3191 - Rev 1 page 19/62



# 5 Package description

This section details the X-CUBE-CLASSB-WL expansion package content and its correct use.

## 5.1 General description

X-CUBE-CLASSB-WL is a software expansion package for STM32WL series dual-core microcontrollers.

It provides a complete solution that helps end customers to build a safety application:

- An application-independent software test library is available:
  - partly as object code: STL\_Lib\_cm0plus.a and STL\_Lib\_cm4.a, the library itself
  - partly as source file: stl user param template cmxxx.c and stl util cmxxx.c
  - with two sets of three header files: stl\_stm32\_hw\_config\_cmxxx.h, stl\_user\_api\_cmxxx.h,
     and stl util cmxxx.h
- A user application example, available as source code.

X-CUBE-CLASSB-WL has been ported on the products listed in Section 3.2 Supported products.

The software expansion package includes a sample application that the developer can use to start experimenting with the code. It is provided as a zip archive containing both source code and library.

The following integrated development environments are supported:

- IAR Embedded Workbench<sup>®</sup> for Arm<sup>®</sup> (EWARM)
- Keil<sup>®</sup> microcontroller development kit (MDK-ARM)
- STM32CubeIDE.

## 5.2 Architecture

The components of the X-CUBE-CLASSB-WL expansion package are illustrated in Figure 6.

STL sample application
Application level

Self-test library (STL)
Middleware level

Board support package (BSP)
HW abstraction layer (HAL)

CMSIS

Drivers

Figure 6. Software architecture overview

## 5.2.1 STM32Cube HAL

The *HAL* driver layer provides a simple, generic, multi-instance set of *API*s (application programming interfaces) to interact with the upper layers (application, libraries, and stacks).

It comprises generic and extension *APIs*. It is directly built around a generic architecture and allows the layers that are built upon, such as the middleware layer, to implement their functionalities without dependencies on the specific hardware configuration of a given microcontroller.

This structure improves the library code re-usability and guarantees an easy portability to other devices.

UM3191 - Rev 1 page 20/62

2

Legend:

STI



# 5.2.2 Board support package (BSP)

The software package needs to support the peripherals on the STM32 boards, apart from the MCU. This software is included in the board support package (BSP). This is a limited set of *API*s that provides a programming interface for some specific board components, such as the LED and the user button.

### 5.2.3 STL

A significant part of the *STL*, available at middleware level, is a black box that manages the software-based diagnostic test. It is independent from the *HAL*, *BSP*, and *CMSIS*, even if the *STL* integration example relies on some *HAL* drivers.

### 5.2.4 User application example

The example shows how to integrate a possible sequence of the *STL* test module calls into an application when adopting different IDEs, verify the returns of the *APIs*, and emulate their failure responses artificially. Additionally, a specific module for testing the clock system by applying a monitoring method compliant with the "*Class B*" standard requirements is included with a full source code to extend the available library set. It demonstrates how the library can be extended by specific tests or modules entirely defined by the end user.

The example also shows a possible way to differentiate between the overall initial startup test and the sequence of partial tests performed periodically during application runtime.

## 5.2.5 STL integrity

The integrity of the STL content is ensured by hash SHA-256.

UM3191 - Rev 1 page 21/62



## 5.3 Folder structure

A top-level view of the structure is shown in Figure 7.

Figure 7. Project file structure



DT724

UM3191 - Rev 1 page 22/62



## 5.4 APIs

### 5.4.1 Compliance

## Interface compliance

The library part of the *STL*, not delivered in source code, has been compiled with IAR Embedded Workbench® for Arm v9.30.1. The compilation is done with --aeabi and --guard\_calls compilation options to fulfill AEABI compliance as described in "AEABI compliance" of the EWARM help section.

This library can be compiled by any standard version of the EWARM compiler.

## Safety guidelines

To fulfill the safety guidelines compliance as described in the IAR Embedded Workbench® safety guide (advice 2.1-1, 2.2-5, 2.4-1a and 5.4-3) and the Keil® safety manual (§4.9.2), the compliance is done with --strict, --remarks, --require prototypes and --no unaligned access compilation options.

## Library compliance

The library part of the STL (not delivered in source code) is compliant with C standard library ISO C99. It has been compiled with the IAR<sup>TM</sup> option. Language C dialect = C99.

## Arm® compiler C toolchain vendor/version independency

The STL user API refers only to the "uint32 t" and "enum" C types:

- "uint32 t" C type is a fixed type size of 32 bits according to C standard C99
- "enum" C type size, according to C standard C99, is defined by the implementation. It must be able to represent the values of all the enumeration members. In the *STL* interface, the enum type values are unsigned integers, smaller than or equal to (2<sup>32</sup> 1). The user must ensure that the enum type value can hold a 32-bit value.

Even if an Arm® compiler C toolchain introduces a compatibility break on some items between versions other than uint32 t or enum types and report a warning, there it is no impact on *STL* behavior.

#### 5.4.2 Dependency

The STL library calls the memset standard C library function.

Furthermore, the IAR<sup>™</sup> EWARM toolchain compiler is used to compile the *STL* library. This compiler may, under some circumstances, call the following standard C library functions: memcpy, memset, and memclr. This behavior is intrinsic to the IAR<sup>™</sup> EWARM toolchain compiler. It is not possible to disable or avoid it.

As a result, when linking the *STL* library the user must ensure that these standard C library functions are defined. The user can use either the functions provided by the toolchain or the user ones.

### 5.4.3 Details

Detailed technical information about the available *API*s can be found in Section 7.2 User APIs, where the functions and parameters are described.

## 5.5 Application: compilation process

## 5.5.1 Steps to build a delivered STL example

- 1. Install the STMicroelectronics *CRC* tool (see Section 6.2.2 *CRC* tool set-up) or other *CRC* tool that generate an adequate structure necessary for proper execution of the flash test.
- 2. Select a project example and open it.
- 3. For each target configuration, STM32WL55JC1\_Nucleo\_CM0PLUS and STM32WL55JC1\_Nucleo\_CM4, launch the build that compiles the binary and post build command invokes *CRC* tool to calculate and allocate the *CRC* results. In case of error, check the *CRC* tool path. For details see Section 5.5.2 Steps to build an application from scratch.

UM3191 - Rev 1 page 23/62



- 4. Load the two coupled binaries.
- Execute the example code.

Boot the board and check the result. LED1 shows the status of *STL* running on Arm<sup>®</sup>Cortex<sup>®</sup>-M0+, LED2 on Arm<sup>®</sup>Cortex<sup>®</sup>-M4:

- LED toggle regularly: test result is as expected.
- LED toggle irregularly: there is an error.

If any test returns a failure result, the LED flashes once every 2 sec. If the *STL* detects a defense programming error, the LED flashes once every 4 sec.

The FailSafe\_Handler procedure is then called with a parameter keeping the identification code of the failed module

Note:

The codes definitions are given in the stl\_user\_api\_cmxxx.h file, in the case of a defensive programing failure, the DEF\_PROG\_OFFSET is added to the module code.

### 5.5.2 Steps to build an application from scratch

To build an application from scratch, follow the steps listed below:

- 1. Create new application project with a suitable directory structure and with all the appropriate packages. Use STM32CubeMX tool to make it automatically.
- 2. If any automated include options of the *STL* in the project is not supported by the STM32CubeMX tool, copy and paste the content of the ...Middleware\ST\CM0PLUS and ...Middleware\ST\CM4 directories from the delivered *STL* example into the application project directories structure on Arm®Cortex®-M0+ and Arm®Cortex®-M4 cores. Refer to Section 5.3 Folder structure. In this case, modify the project setting manually while following the next steps:
  - Add all the STL source files located at the SRC directories into both CM0PLUS and CM4 projects.
  - Assign the INC directories as additional directories to be included in both CM0PLUS and CM4 projects.
  - Force the linker to include the library object files located at the LIB directories as additional libraries.

Note:

This second step is necessary only when no automatic including option is supported by the CubeMX tool else it is fully performed by the tool - then there is no need for any manual intervention as described above - user can leave them out and continue by Step 3

- 3. If needed, add the next optional preprocessor compilation switches at both project settings:
  - Option to enable STL\_DISABLE\_RAM\_BCKUP\_BUF, if the RAM backup buffer is not used (in this
    case the RAM data of the tested subsets are destroyed). If not activated, the RAM backup buffer is
    used by default. In such cases, the "backup\_buffer\_section" section must be defined in the linker
    scatter file.
  - Option to enable STL\_SW\_CRC: this is where the user application selects the software CRC. If not
    activated, the hardware CRC calculation is used by default.
  - Option to enable STL\_ENABLE\_IT: this is where the user application enables the STM32 interrupts
    during the CPU TM7, and RAM test. If not activated, the interrupts are masked during these tests. See
    Section 4.3.5 Interrupt management and Section 4.1.4 RAM tests.
- 4. Check the configuration of the flash memory density.

  It is mandatory to set the correct range of the memory for the project at 
  stl\_user\_param\_template\_cmxxx.c file. Update the STL\_ROM\_END\_ADDR there especially to 
  ensure coherency with the associated linker scatter file and the CRC tool script (see step 6.).
- 5. Develop the user STL flow control. It is done by implementing the proper sequence of API calls repeated at periodical cycles, as required by the defined safety task.
  It is mandatory to ensure a proper filling of all the associated user structures to control the memory tests and apply a correct check of the STL return information. Refer to Section 7 STL: User APIs and state machines.
- 6. Apply the *CRC* tool to build the *CRC* area content necessary for the *CRC* calculation for both the projects. Refer to Section 6.2.2 *CRC* tool set-up. Execute a proper command line of the STM32CubeProgrammer. This can be done automatically within the compilation process by invoking the IDE post build feature action as seen in Figure 8 and Figure 9.
- 7. Compile, load, and execute the binary.

Artificial failing APIs can be used to debug a correct behavior of the programmed STL flow if the STL detects a hardware failure.

UM3191 - Rev 1 page 24/62





Figure 8. IAR<sup>™</sup> post-build actions screenshot

Figure 9. CRC tool command line



Note:

The CLI command line is example for Arm<sup>®</sup>Cortex<sup>®</sup>-M4 core. It has to be adapted accordingly in the project for Arm<sup>®</sup>Cortex<sup>®</sup>-M0+ e.g.: STM32\_Programmer\_CLI.exe -sl "\$PROJ\_DIR\$/CM0Plus\_Out/Exe/CM0Plus\_Project.out" 0x08020000 0x08040000 0x400.

UM3191 - Rev 1 page 25/62



# 6 Hardware and software environment setup

# 6.1 Hardware setup

The STM32 Nucleo boards provide an affordable and flexible way for users to try out new ideas and build prototypes with any STM32 microcontroller lines. The ARDUINO® connectivity support and ST morpho headers make it easy to expand the functionality of the STM32 Nucleo open development platform with a wide choice of specialized expansion boards. The STM32 Nucleo board does not require any separate probe as it integrates the ST-LINK/V2-1 debugger/programmer. The STM32 Nucleo boards comes with the STM32 comprehensive software HAL library together with various packaged-software examples.

Details about the STM32 Nucleo boards are available from the http://www.st.com/stm32nucleo web page.



Figure 10. STM32 Nucleo board example

The following components are needed:

- NUCLEO-WL55JC1 (MB1389 Rev E ) development board
- USB type A to Micro-B USB cable to connect the development board to the PC.

# 6.2 Software setup

This section lists the minimum requirements for the developer to set up the SDK, to run the sample scenario, and to customize applications.

## 6.2.1 Development tool-chains and compilers

Select one of the IDEs supported by the STM32Cube software expansion package.

Read the system requirements and setup information provided by the selected IDE provider.

Check the projects Release\_Notes.html file inside the release package, and refer to the chapter *IDE* compatibility, if it exists.

UM3191 - Rev 1 page 26/62



## 6.2.2 CRC tool set-up

ST provides a *CRC* tool, available as a single feature inside the STM32CubeProgrammer, used for flash memory testing. Other *CRC* tools can be used, provided they fulfill the requirements detailed in Expected CRC precalculation.

Tool installation procedure:

- 1. Select STM32CubeProgrammer on the dedicated web page available on www.st.com
- 2. Install the package.

The easiest way is to add the tool path in the environment variable (computer administration rights are required). If not, the path must be added directly in the project for compilation, in the post-build option.

UM3191 - Rev 1 page 27/62



# STL: User APIs and state machines

# 7.1 User structures

The structures are defined in stl\_user\_api\_cm0plus.h and stl\_user\_api\_cm4.h. It is forbidden to change the content of these files.

Structures detailed hereafter are copies of the stl\_user\_api\_cm0plus.h and stl\_user\_api\_cm4.h content:

```
typedef enum
 STL_OK = STL_OK_DEF, /* Scheduler function successfully executed */
  STL KO = STL KO DEF /* Scheduler function unsuccessfully executed
                          (defensive programming error, checksum error). In this case
                           the STL TmStatus t values are not relevant */
} STL Status t; /* Type for the status return value of the STL function execution */
typedef enum
 STL PASSED = STL PASSED DEF, /* Test passed. For Flash/RAM, test is passed and end of
                                    configuration is also reached */
  STL PARTIAL PASSED = STL PARTIAL PASSED DEF, /* Used only for RAM and Flash testing.
                                        Test passed, But end of Flash/RAM
                                                    configuration not yet reached */
 STL FAILED = STL FAILED DEF, /* Hardware error detection by Test Module */
  STL NOT TESTED = STL NOT TESTED DEF, /* Initial value after a SW init, SW config,
                                           SW reset, SW de-init or value when Test Module
                                           not executed */
  STL ERROR = STL ERROR DEF /* Test Module unsuccessfully executed (defensive programing
                                check failed) */
} STL TmStatus t; /* Type for the result of a Test Module */
typedef enum
 STL_CPU_TM1L_IDX = OU, /* CPU Arm Core Test Module 1L index */
 STL_CPU_TMTL_IDX, /* CPU Arm Core Test Module 7 index */
STL_CPU_TMCB_IDX, /* CPU Arm Core Test Module Class B index */
STL_CPU_TM_MAX /* Number of CPU Arm Core Test Modules */
} STL CpuTmxIndex t; /* Type for index of CPU Arm Core Test
                            Modules */
typedef struct STL MemSubset struct
  uint32 t StartAddr; /* start address of Flash or RAM memory subset */
 uint32 t EndAddr; /* end address of Flash or RAM memory subset */
  struct STL MemSubset struct *pNext; /* pointer to the next Flash or RAM memory subset
                                          - to be set to NULL for the last subset */
} STL MemSubset t; /* Type used to define Flash
                      or RAM subsets to test */
typedef struct
  STL MemSubset t *pSubset; /* Pointer to the Flash or RAM subsets to test */
  uint32 t NumSectionsAtomic; /* Number of Flash or RAM sections to be tested
                                   during an atomic test */
} STL MemConfig t; /* Type used to fully define Flash or RAM test configuration */
typedef struct
 {\tt STL\_TmStatus\_t~aCpuTmStatus[STL\_CPU\_TM\_MAX];~/*~Array~of~forced~status~value}
                                                    for CPU Test Modules */
 STL TmStatus t FlashTmStatus; /* Forced status value for Flash Test Module */
 STL_TmStatus_t RamTmStatus; /* Forced status value for RAM Test Module */
} STL_ArtifFailingConfig_t; /* Type used to force Test Modules status to a specific
                                value for each STL Test Module */
```

UM3191 - Rev 1 page 28/62



## 7.2 User APIs

The following APIs are declared in the files stl\_user\_api\_cm0plus.h and stl\_user\_api\_cm4.h. It is forbidden to change the content of these files.

#### Caution:

For pointers defined by the user application and used as *STL API* parameters, the user application must set valid pointers, maintain pointer availability, and check the pointer integrity. The *STL* does not copy the pointer content, and accesses directly to the memory addresses defined by the application.

This applies during the overall *STL* execution. For example, the pointers to access the content of structures that keep the configuration of the memory tests must be maintained. They are still used by the STL\_SCH\_run\_xxx functions, even if they are not always part of the input parameter list when an *API* associated with these tests is called.

For more details about proper *API* sequence calls see Section 7.3 State machines and Section 7.6 Test examples.

### 7.2.1 Common API

The following sections present details on common APIs.

### 7.2.1.1 STL SCH Init

<u>Description:</u> initializes the scheduler. It can be used at any time to reinitialize the scheduler (it resets all tests).

<u>Declaration:</u> STL Status t STL SCH Init(void).

Table 9. STL\_SCH\_Init input information

| Allowed states | Parameters |
|----------------|------------|
| CPU TMx: all   |            |
| Flash TM: all  | -          |
| RAM TM: all    |            |

Table 10. STL\_SCH\_Init output information

|        | STL_Status_t return value                                             | - Returned state            |  |
|--------|-----------------------------------------------------------------------|-----------------------------|--|
| Value  | Comments                                                              |                             |  |
|        |                                                                       | CPU TMx: CPU_TMx_CONFIGURED |  |
| STL_OK | Function successfully executed                                        | Flash TM: FLASH_IDLE        |  |
|        |                                                                       | RAM TM: RAM_IDLE            |  |
| STL_KO | Source of defensive programming error:  • STL internal data corrupted | No state change             |  |

Additional information: there is no specific CPU initialization function for CPU test modules.

Note: This function uses hardware CRC as explained in Section 4.3.4 CRC resources.

# 7.2.2 CPU Arm® core testing APIs

#### 7.2.2.1 STL SCH RunCpuTMx

Description: runs one of the CPU test modules.

<u>Declaration:</u> STL\_Status\_t STL\_SCH\_RunCpuTMx(STL\_TmStatus\_t \*pSingleTmStatus) where TMx can be one of TM1L, TM7 or TMCB.

UM3191 - Rev 1 page 29/62



# Table 11. STL\_SCH\_RunCpuTMx input information

| Allowed states     | Parameters       |             |
|--------------------|------------------|-------------|
| Allowed States     | Value            | Comments    |
| CPU_TMx_CONFIGURED | *pSingleTmStatus | See Caution |

Table 12. STL\_SCH\_RunCpuTMx output information

| STL_Status_t return value |                                                                                                          | *pSingleTmStatus output |                                                                                                                                                                                      | Returned state     |
|---------------------------|----------------------------------------------------------------------------------------------------------|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------|
| Value                     | Comments                                                                                                 | Value Comments          |                                                                                                                                                                                      | Returned State     |
|                           |                                                                                                          | STL_PASSED              | -                                                                                                                                                                                    |                    |
|                           |                                                                                                          | STL_FAILED              | -                                                                                                                                                                                    |                    |
| STL_OK                    | Function successfully executed                                                                           | STL_ERROR               | Source of defensive programming error:  STL internal data corrupted  Software is not executed with privileged level for CPU TM7  Software is not executed in thread mode for CPU TM7 | CPU_TMx_CONFIGURED |
| STL_KO                    | Possible source of defensive programming error:  • pSingleTmStatus = NULL  • STL internal data corrupted | Not relevant            | Value must not be used                                                                                                                                                               | No state change    |

# 7.2.3 Flash memory testing APIs

# 7.2.3.1 STL\_SCH\_InitFlash

<u>Description:</u> initializes flash memory test.

Declaration: STL\_Status\_t STL\_SCH\_InitFlash(STL\_TmStatus\_t \*pSingleTmStatus)

Table 13. STL\_SCH\_InitFlash input information

| Allowed states   | Parameters       |          |  |
|------------------|------------------|----------|--|
| Allowed states   | Value            | Comments |  |
| FLASH_IDLE       |                  |          |  |
| FLASH_INIT       | *pSingleTmStatus | Caution  |  |
| FLASH_CONFIGURED |                  |          |  |

Table 14. STL\_SCH\_InitFlash output information

| STL_Status_t return value |                                                                                                          | *pSingleTmSta  | Returned state         |                 |
|---------------------------|----------------------------------------------------------------------------------------------------------|----------------|------------------------|-----------------|
| Value                     | Comments                                                                                                 | Value          | Comments               | Returned state  |
| STL_OK                    | Function successfully executed                                                                           | STL_NOT_TESTED | -                      | FLASH_INIT      |
| STL_KO                    | Possible source of defensive programming error:  • pSingleTmStatus = NULL  • STL internal data corrupted | Not relevant   | Value must not be used | No state change |

UM3191 - Rev 1 page 30/62



# 7.2.3.2 STL\_SCH\_ConfigureFlash

Description: configures the flash memory test.

 $\underline{\underline{Declaration:}} \ \underline{STL\_Status\_t} \ \underline{STL\_SCH\_ConfigureFlash(STL\_TmStatus\_t} \ \ \underline{*pSingleTmStatus}, \\ \underline{STL\_MemConfig\_t} \ \ \underline{*pFlashConfig)}$ 

Table 15. STL\_SCH\_ConfigureFlash input information

| Allowed states | Parameter        |                             |                                                                                                       |                                                                                                                                                                      |  |  |
|----------------|------------------|-----------------------------|-------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|
| Allowed states | Value            | Comments                    |                                                                                                       |                                                                                                                                                                      |  |  |
|                | *pSingleTmStatus | See Caution                 |                                                                                                       |                                                                                                                                                                      |  |  |
|                |                  | Pointer to the flash memory | y configuration. See                                                                                  | Caution.                                                                                                                                                             |  |  |
|                |                  | Field                       | Comments                                                                                              |                                                                                                                                                                      |  |  |
|                |                  |                             | Caution                                                                                               | sh memory subset. See nnot overlap with the CRC                                                                                                                      |  |  |
|                |                  |                             | Field                                                                                                 | Comments                                                                                                                                                             |  |  |
|                | *pFlashConfig    | *pSubset                    | StartAddr                                                                                             | Start subset address in bytes     Cannot be lower than ROM_START and higher than CRC_START address                                                                   |  |  |
| FLASH_INIT     |                  |                             | EndAddr                                                                                               | <ul> <li>End subset address in bytes</li> <li>Cannot be lower than ROM_START and higher than CRC_START address</li> <li>Needs to be higher than StartAddr</li> </ul> |  |  |
|                |                  |                             | *pNext                                                                                                | <ul> <li>Pointer to next flash<br/>memory subset. See<br/>Caution</li> <li>Must be set to NULL<br/>for the last subset</li> </ul>                                    |  |  |
|                |                  | NumSectionsAtomic           | <ul> <li>tested during</li> <li>Set to 1, as itest)</li> <li>If the value is sections in a</li> </ul> | ash memory sections to be an atomic test minimum (one section per s higher than the number of II subsets, all flash memory tested in one pass                        |  |  |

UM3191 - Rev 1 page 31/62

Table 16. STL\_SCH\_ConfigureFlash output information

| STL_Status_t return value |                                                                                                                                 | *pSingleTmStatus output |                                                                                                                               | Returned state   |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------|-------------------------|-------------------------------------------------------------------------------------------------------------------------------|------------------|
| Value                     | Comments                                                                                                                        | Value                   | Comments                                                                                                                      | Returned State   |
|                           |                                                                                                                                 | STL_NOT_TESTED          | -                                                                                                                             | FLASH_CONFIGURED |
| STL_OK                    | Function successfully executed                                                                                                  | STL_ERROR               | Possible source of defensive programming error:  State not allowed  Wrong configuration detected  STL internal data corrupted | No state change  |
| STL_KO                    | Possible source of defensive programming error:  • pSingleTmStatus = NULL  • pFlashConfig = NULL  • STL internal data corrupted | Not relevant            | Value must not be used                                                                                                        | No state change  |

Additional information: in the case of a return value set to STL\_KO or \*pSingleTmStatus set to STL\_ERROR, the flash memory configuration is not applied.

## 7.2.3.3 STL\_SCH\_RunFlashTM

<u>Description:</u> runs flash memory test.

<u>Declaration:</u> STL\_Status\_t STL\_SCH\_RunFlashTM(STL\_TmStatus\_t \*pSingleTmStatus)

Table 17. STL\_SCH\_RunFlashTM input information

| Allowed states   | Parameters       |             |  |
|------------------|------------------|-------------|--|
| Allowed States   | Value            | Comments    |  |
| FLASH_CONFIGURED | *pSingleTmStatus | See Caution |  |

UM3191 - Rev 1 page 32/62



Table 18. STL\_SCH\_RunFlashTM output information

|        | STL_Status_t return value *pSingleTmStatus output                                                        |                    | tatus output                                                                                                             | Returned state   |
|--------|----------------------------------------------------------------------------------------------------------|--------------------|--------------------------------------------------------------------------------------------------------------------------|------------------|
| Value  | Comments                                                                                                 | Value              | Comments                                                                                                                 | - Returned State |
|        |                                                                                                          | STL_PASSED         | -                                                                                                                        | FLASH_CONFIGURED |
|        |                                                                                                          | STL_PARTIAL_PASSED | -                                                                                                                        | FLASH_CONFIGURED |
|        |                                                                                                          | STL_FAILED         | -                                                                                                                        | FLASH_CONFIGURED |
|        |                                                                                                          | STL_NOT_TESTED     | All subsets are already tested                                                                                           | FLASH_CONFIGURED |
| STL_OK | Function successfully executed                                                                           | STL_ERROR          | Possible source of defensive programming error:  State not allowed  Configuration corrupted  STL internal data corrupted | No state change  |
| STL_KO | Possible source of defensive programming error:  • pSingleTmStatus = NULL  • STL internal data corrupted | Not relevant       | Value must not be used                                                                                                   | No state change  |

# 7.2.3.4 STL\_SCH\_ResetFlash

<u>Description:</u> resets flash memory test.

 $\underline{\textbf{Declaration:}} \; \texttt{STL\_Status\_t} \; \; \texttt{STL\_SCH\_ResetFlash} \; (\texttt{STL\_TmStatus\_t} \; \; *\texttt{pSingleTmStatus})$ 

Table 19. STL\_SCH\_ResetFlash input information

| Allowed states   | Parameters       |             |  |
|------------------|------------------|-------------|--|
| Allowed States   | Value            | Comments    |  |
| FLASH_CONFIGURED | *pSingleTmStatus | See Caution |  |

Table 20. STL\_SCH\_ResetFlash output information

| S      | TL_Status_t return value                                                                                 | *pSingleTmStatus output |                                                                                                                          | Returned state   |
|--------|----------------------------------------------------------------------------------------------------------|-------------------------|--------------------------------------------------------------------------------------------------------------------------|------------------|
| Value  | Comments                                                                                                 | Value                   | Value Comments                                                                                                           |                  |
|        |                                                                                                          | STL_NOT_TESTED          | Configuration successfully applied                                                                                       | FLASH_CONFIGURED |
| STL_OK | Function successfully executed                                                                           | STL_ERROR               | Possible source of defensive programming error:  State not allowed  Configuration corrupted  STL internal data corrupted | No state change  |
| STL_KO | Possible source of defensive programming error:  • pSingleTmStatus = NULL  • STL internal data corrupted | Not relevant            | Value must not be used                                                                                                   | No state change  |

Additional information

UM3191 - Rev 1 page 33/62



- Once all subsets are tested, the user needs to reset the test module to perform the flash memory test again.
- In the case of a return value set to STL\_KO or \*pSingleTmStatus set to STL\_ERROR, the flash memory reset is not applied.

## 7.2.3.5 STL\_SCH\_DelnitFlash

Description: deinitializes flash memory test.

<u>Declaration:</u> STL\_Status\_t STL\_SCH\_DeInitFlash(STL\_TmStatus\_t \*pSingleTmStatus)

Table 21. STL\_SCH\_DelnitFlash input information

| Allowed states   | Parameters       |             |  |
|------------------|------------------|-------------|--|
| Allowed States   | Value            | Comments    |  |
| FLASH_IDLE       |                  |             |  |
| FLASH_INIT       | *pSingleTmStatus | See Caution |  |
| FLASH_CONFIGURED |                  |             |  |

Table 22. STL\_SCH\_DelnitFlash output information

| STL_Status_t return value |                                                                                                          | *pSingleTmStatus output |                        | Returned state  |
|---------------------------|----------------------------------------------------------------------------------------------------------|-------------------------|------------------------|-----------------|
| Value                     | Comments                                                                                                 | Value                   | Comments               | Neturneu State  |
| STL_OK                    | Function successfully executed                                                                           | STL_NOT_TESTED          | -                      | FLASH_IDLE      |
| STL_KO                    | Possible source of defensive programming error:  • pSingleTmStatus = NULL  • STL internal data corrupted | Not relevant            | Value must not be used | No state change |

# 7.2.4 RAM testing APIs

## 7.2.4.1 STL\_SCH\_InitRam

<u>Description:</u> initializes the RAM test.

<u>Declaration:</u> STL\_Status\_t STL\_SCH\_InitRam(STL\_TmStatus\_t \*pSingleTmStatus).

Table 23. STL\_SCH\_InitRam input information

| Allowed states | Parameters       |             |  |
|----------------|------------------|-------------|--|
| Allowed States | Value            | Comments    |  |
| RAM_IDLE       |                  |             |  |
| RAM_INIT       | *pSingleTmStatus | See Caution |  |
| RAM_CONFIGURED |                  |             |  |

Table 24. STL\_SCH\_InitRam output information

| STL_Status_t return value |                                                                                                          | *pSingleTmStatus output |                        | Returned state  |  |
|---------------------------|----------------------------------------------------------------------------------------------------------|-------------------------|------------------------|-----------------|--|
| Value                     | Comments                                                                                                 | Value                   | Comments               | Returned State  |  |
| STL_OK                    | Function successfully executed                                                                           | STL_NOT_TESTED          | -                      | RAM_INIT        |  |
| STL_KO                    | Possible source of defensive programming error:  • pSingleTmStatus = NULL  • STL internal data corrupted | Not relevant            | Value must not be used | No state change |  |

UM3191 - Rev 1 page 34/62



# 7.2.4.2 STL\_Status\_t STL\_SCH\_ConfigureRam

<u>Description:</u> Description: configures the RAM test.

 $\underline{\underline{Declaration:}} \ \mathtt{STL\_Status\_t} \ \mathtt{STL\_SCH\_ConfigureRam} \\ (\mathtt{STL\_TmStatus\_t} \ \mathtt{*pSingleTmStatus}, \\ \mathtt{STL\_MemConfig\_t} \ \mathtt{*pRamConfig})$ 

Table 25. STL\_SCH\_ConfigureRam input information

|                | Parameter        |                                                          |                                                                                                                                                                                                                                                       |                                                                                                                                                                                                                                                      |  |
|----------------|------------------|----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| Allowed states | Value            | Comments                                                 |                                                                                                                                                                                                                                                       |                                                                                                                                                                                                                                                      |  |
|                | *pSingleTmStatus | See Caution                                              |                                                                                                                                                                                                                                                       |                                                                                                                                                                                                                                                      |  |
|                | *pRamConfig      | This pointer contains the RAM configuration. See Caution |                                                                                                                                                                                                                                                       |                                                                                                                                                                                                                                                      |  |
|                |                  | Field                                                    | Comments                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                      |  |
|                |                  |                                                          | <ul> <li>Pointer to RAM subset. See Caution</li> <li>A subset cannot overlap with the RAM backup buffer if defined</li> </ul>                                                                                                                         |                                                                                                                                                                                                                                                      |  |
|                |                  |                                                          | Field                                                                                                                                                                                                                                                 | Comments                                                                                                                                                                                                                                             |  |
| RAM_INIT       |                  |                                                          | StartAddr                                                                                                                                                                                                                                             | <ul> <li>Start subset address in bytes</li> <li>Start address must be 32-bit aligned</li> <li>RAM subset must be inside RAM area</li> <li>Cannot be lower than RAM_START and higher than RAM_END address</li> </ul>                                  |  |
|                |                  | *pSubset                                                 | EndAddr                                                                                                                                                                                                                                               | <ul> <li>End subset address in bytes</li> <li>Higher than StartAddr</li> <li>Cannot be lower than RAM_START and higher than RAM_END address</li> <li>Subset size (EndAddr-StartAddr) needs to be multiple of 2 * RAM_BLOCK_SIZE, 32 bytes</li> </ul> |  |
|                |                  |                                                          | *pNext                                                                                                                                                                                                                                                | <ul> <li>Pointer to next RAM subset. See Caution</li> <li>Must be set to NULL for the last subset</li> </ul>                                                                                                                                         |  |
|                |                  | NumSectionsAtomic                                        | <ul> <li>Number of RAM sections to be tested during an atomic test</li> <li>Set to 1, as minimum (one section per test)</li> <li>If the value is higher than the number of sections in all subsets, all RAM subsets are tested in one pass</li> </ul> |                                                                                                                                                                                                                                                      |  |

UM3191 - Rev 1 \_\_\_\_\_\_ page 35/62



Table 26. STL\_SCH\_ConfigureRam output information

| STL_Status_t return value |                                                                                                                               | *pSingleTmStatus output |                                                                                                                               | Returned state  |
|---------------------------|-------------------------------------------------------------------------------------------------------------------------------|-------------------------|-------------------------------------------------------------------------------------------------------------------------------|-----------------|
| Value                     | Comments                                                                                                                      | Value                   | Comments                                                                                                                      | Returned State  |
|                           |                                                                                                                               | STL_NOT_TESTED          | -                                                                                                                             | RAM_CONFIGURED  |
| STL_OK                    | Function successfully executed                                                                                                | STL_ERROR               | Possible source of defensive programming error:  State not allowed  Wrong configuration detected  STL internal data corrupted | No state change |
| STL_KO                    | Possible source of defensive programming error:  • pSingleTmStatus = NULL  • pRamConfig = NULL  • STL internal data corrupted | Not relevant            | Value must not be used                                                                                                        | No state change |

Additional information: in the case of a return value set to STL\_KO or \*pSingleTmStatus set to STL\_ERROR, the RAM configuration is not applied.

# 7.2.4.3 STL\_SCH\_RunRamTM

Description: runs the RAM test.

Declaration: STL\_Status\_t STL\_SCH\_RunRamTM(STL\_TmStatus\_t \*pSingleTmStatus)

Table 27. STL\_SCH\_RunRamTM input information

| Allowed states | Parameters Parameters Parameters |             |  |
|----------------|----------------------------------|-------------|--|
| Allowed States | Value                            | Comments    |  |
| RAM_CONFIGURED | *pSingleTmStatus                 | See Caution |  |

UM3191 - Rev 1 page 36/62



Table 28. STL\_SCH\_RunRamTM output information

| ST     | L_Status_t return value                                                                                  | *pSingleTmStatus output |                                                                                                                          | Returned state  |  |
|--------|----------------------------------------------------------------------------------------------------------|-------------------------|--------------------------------------------------------------------------------------------------------------------------|-----------------|--|
| Value  | Comments                                                                                                 | Value                   | Comments                                                                                                                 | Returned State  |  |
|        |                                                                                                          | STL_PASSED              | -                                                                                                                        | RAM_CONFIGURED  |  |
|        |                                                                                                          | STL_PARTIAL_PASS<br>ED  | -                                                                                                                        | RAM_CONFIGURED  |  |
|        |                                                                                                          | STL_FAILED              | -                                                                                                                        | RAM_CONFIGURED  |  |
|        |                                                                                                          | STL_NOT_TESTED          | All subsets are already tested                                                                                           | RAM_CONFIGURED  |  |
| STL_OK | Function successfully executed                                                                           | STL_ERROR               | Possible source of defensive programming error:  State not allowed  Configuration corrupted  STL internal data corrupted | No state change |  |
| STL_KO | Possible source of defensive programming error:  • pSingleTmStatus = NULL  • STL internal data corrupted | Not relevant            | Value must not be used                                                                                                   | No state change |  |

# 7.2.4.4 STL\_Status\_t STL\_SCH\_ResetRam

<u>Description:</u> resets the RAM test.

Declaration: STL\_Status\_t STL\_SCH\_ResetRam(STL\_TmStatus\_t \*pSingleTmStatus)

Table 29. STL\_SCH\_ResetRam input information

| Allowed states | Parameters       |             |  |  |
|----------------|------------------|-------------|--|--|
| Allowed States | Value            | Comments    |  |  |
| RAM_CONFIGURED | *pSingleTmStatus | See Caution |  |  |

Table 30. STL\_SCH\_ResetRam output information

| STI    | L_Status_t return value                                                                                  | *pSingleTm     | Returned state                                                                                                           |                 |
|--------|----------------------------------------------------------------------------------------------------------|----------------|--------------------------------------------------------------------------------------------------------------------------|-----------------|
| Value  | Comments                                                                                                 | Value          | Comments                                                                                                                 | Neturneu state  |
|        |                                                                                                          | STL_NOT_TESTED | Configuration successfully applied                                                                                       | RAM_CONFIGURED  |
| STL_OK | Function successfully executed                                                                           | STL_ERROR      | Possible source of defensive programming error:  State not allowed  Configuration corrupted  STL internal data corrupted | No state change |
| STL_KO | Possible source of defensive programming error:  • pSingleTmStatus = NULL  • STL internal data corrupted | Not relevant   | Value must not be used                                                                                                   | No state change |

UM3191 - Rev 1 page 37/62



#### Additional information

- Once all subsets are tested, the user needs to reset the test module to perform the RAM test again.
- In the case of a return value set to STL\_KO or \*pSingleTmStatus set to STL\_ERROR, the RAM reset is not applied.

### 7.2.4.5 STL SCH DelnitRam

Description: deinitializes the RAM test.

Declaration: STL\_Status\_t STL\_SCH\_DeInitRam(STL\_TmStatus\_t \*pSingleTmStatus)

Table 31. STL\_SCH\_DelnitRam input information

| Allowed states | Parameters Parameters Parameters |             |  |  |
|----------------|----------------------------------|-------------|--|--|
| Allowed States | Value                            | Comments    |  |  |
| RAM_IDLE       |                                  | See Caution |  |  |
| RAM_INIT       | *pSingleTmStatus                 |             |  |  |
| RAM_CONFIGURED |                                  |             |  |  |

Table 32. STL\_SCH\_DelnitRam output information

| ST     | L_Status_t return value                                                                                  | *pSingleTmStatus output |                        | Returned state  |
|--------|----------------------------------------------------------------------------------------------------------|-------------------------|------------------------|-----------------|
| Value  | Comments                                                                                                 | Value                   | Comments               | Neturneu state  |
| STL_OK | Function successfully executed                                                                           | STL_NOT_TESTED          | -                      | RAM_IDLE        |
| STL_KO | Possible source of defensive programming error:  • pSingleTmStatus = NULL  • STL internal data corrupted | Not relevant            | Value must not be used | No state change |

# 7.2.5 Artificial-failing APIs

### 7.2.5.1 STL\_SCH\_StartArtifFailing

<u>Description:</u> sets artificial-failing configuration and starts artificial-failing feature.

Declaration: STL\_Status\_t STL\_SCH\_StartArtifFailing(const STL\_ArtifFailingConfig\_t
\*pArtifFailingConfig)

Table 33. STL\_SCH\_StartArtifFailing input information

| Allowed states     | Parameters Parameters Parameters |                 |  |  |
|--------------------|----------------------------------|-----------------|--|--|
| Allowed States     | Value                            | Comments        |  |  |
| CPU TMx:           |                                  |                 |  |  |
| CPU_TMx_CONFIGURED |                                  |                 |  |  |
| Flash TM:          |                                  |                 |  |  |
| FLASH_IDLE         |                                  |                 |  |  |
| FLASH_INIT         | *pArtifFailingConfig             | No state change |  |  |
| FLASH_CONFIGURED   |                                  | Ů               |  |  |
| RAM TM             |                                  |                 |  |  |
| RAM_IDLE           |                                  |                 |  |  |
| RAM_INIT           |                                  |                 |  |  |
| RAM_CONFIGURED     |                                  |                 |  |  |

UM3191 - Rev 1 page 38/62



Table 34. STL\_SCH\_StartArtifFailing output information

| STL_Status_t<br>return value | Comments                                                                                                                                                     | Output              | Comments        |
|------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|-----------------|
| STL_OK                       | Function successfully executed                                                                                                                               |                     |                 |
| STL_KO                       | Possible source of defensive programming error:  partifFailingConfig = NULL  configured values are not set for each test module  STL internal data corrupted | No output parameter | No state change |

Additional information: All the following *API* calls are executed normally except if the *STL\_Status\_t* return value is set to STL\_OK, the test module status (\*pSingleTmStatus, \*pTmListStatus) is forced to a configured value.

# 7.2.5.2 STL\_SCH\_StopArtifFailing

Description: stops the artificial-failing feature.

Declaration: STL\_Status\_t STL\_SCH\_StopArtifFailing(void)

Table 35. STL\_SCH\_StopArtifFailing input information

| Allowed states                                                           | Parameters         |                 |  |  |
|--------------------------------------------------------------------------|--------------------|-----------------|--|--|
| Allowed States                                                           | Value              | Comments        |  |  |
| CPU TMx: • CPU TMx CONFIGURED                                            |                    |                 |  |  |
| Flash TM:                                                                |                    |                 |  |  |
| <ul><li>FLASH_IDLE</li><li>FLASH_INIT</li><li>FLASH_CONFIGURED</li></ul> | No input parameter | No state change |  |  |
| RAM TM                                                                   |                    |                 |  |  |
| <ul><li>RAM_IDLE</li><li>RAM_INIT</li><li>RAM_CONFIGURED</li></ul>       |                    |                 |  |  |

Table 36. STL\_SCH\_StopArtifFailing output information

| STL_Status_t return value | Comments                                                                       | Output              | Comments        |  |
|---------------------------|--------------------------------------------------------------------------------|---------------------|-----------------|--|
| STL_OK                    | Function successfully executed                                                 |                     |                 |  |
| STL_KO                    | Possible source of defensive programming error:  • STL internal data corrupted | No output parameter | No state change |  |

# 7.3 State machines

Each  $\mathit{CPU}$  test module has its own state machine diagram linked to the  $\mathit{CPU}$  test  $\mathit{API}$ s.

UM3191 - Rev 1 page 39/62

### CPU test APIs

Figure 11. State machine diagram - CPU test APIs



DT69947V1

UM3191 - Rev 1 page 40/62



# Flash memory test APIs

STL\_SCH\_DeInitFlash() STL\_SCH\_InitFlash() STL\_SCH\_Init() STL\_SCH\_Init() STL\_SCH\_InitFlash() STL\_SCH\_ConfigureFlash() FLASH\_IDLE STL\_SCH\_Init() FLASH\_INIT STL\_SCH\_DeInitFlash() STL\_SCH\_InitFlash() SCH\_IDLE STL\_SCH\_ResetFlash()<sup>(1)</sup> FLASH\_ CONFIGURED STL\_SCH\_DeInitFlash() STL\_SCH\_Init() Return of STL\_SCH\_RunFlash M() **SW** reset

Figure 12. State machine diagram - flash memory test APIs

Note (1): Once all subsets are tested, the user needs to reset the flash memory test module to perform the test again.

FLASH\_R UNNING

UM3191 - Rev 1 page 41/62

DT69948V1

STL\_SCH\_RunFlashTM()



#### RAM test APIs

STL\_SCH\_DeInitRam() STL\_SCH\_InitRam() STL\_SCH\_Init() STL\_SCH\_Init() STL\_SCH\_InitRam() STL\_SCH\_ConfigureRam() RAM IDLE STL\_SCH\_Init() RAM\_INIT STL\_SCH\_DeInitRam() STL\_SCH\_InitRam() SCH IDLE STL\_SCH\_DeInitRam() CONFIGÜRED STL SCH Init() STL\_SCH\_ResetRam()<sup>(1)</sup> Return of STL\_SCH\_RunRam 1M() SW reset STL SCH RunRamTM() **RAM** RUNNING DT69949V

Figure 13. State machine diagram - RAM test APIs

Note (1): Once all subsets are tested, the user needs to reset the RAM test module to perform the test again.

#### 7.4 API usage and sequencing

The user application must:

- Maintain the availability and integrity of pointers passed as parameters during the tests. The STL does not copy the pointer content, and accesses directly the memory addresses defined by the application.
- Check the status of function return value (STL Status t), before checking the test result  $({\tt STL\_TmStatus\_t} \ or \ {\tt STL\_TmListStatus\_t}). \ See \ the \ example \ in \ the \ delivered \ applications.$

The APIs run independently of each other and therefore can be called in any order.

Only APIs dedicated to the configuration and initialization of the memories tests must be called before any execution of these tests is applied. See Section 7.3 State machines for more details.

The test flow is simplified, all the tests are now executed from C-code. All the modules are common and suitable for both startup and runtime testing. Differentiation between startup and runtime tests can be performed by proper sequencing and configuration of test modules. After application reset, common practice is to perform a full initial sequence including the complete set of tests executed over all the memory areas before the application starts. This sequence is defined in following order:

- All the CPU tests
- Complete tests of nonvolatile memory integrity 2.
- Functional test overall for the available space of volatile memories including the area especially dedicated to the stack

Note:

Temporarily suppressing of the memory content backup can be applied to speed up initial testing of huge RAM areas where user does not need to preserve the memory content during this test. For more details see Section 4.3.8 RAM backup buffer. Functional test is not executed over areas containing program code and data when the code is executed from RAM.

Specific customer tests 4.

UM3191 - Rev 1 page 42/62



Later, at runtime, the order of the tests can be changed and executed in more relaxed way. The memory regions under tests can be reduced. The test process can even be dynamically modified with prior focus on those areas where the most recently executed safety related code and data are stored. This is especially the case when considering factors like:

- Available application process safety time
- System overall performance
- · Concrete status of the application

# 7.5 User parameters

In addition to parameters set directly inside the *API*s, there are few parameters to be customized in the stl\_user\_param\_template\_cm4.c and stl\_user\_param\_template\_cm0plus.c files. They are located in the code, with the following comments:

```
/* customisable */
```

Extract from stl user param template cm4.c:

```
/* Flash configuration */
#define STL_ROM_START (0x0800000U) /* customizable */
#define STL_ROM_END (0x0801FFFFU) /* customizable */
```

Extract from stl\_user\_param\_template\_cm0plus.c:

```
/* Flash configuration */
#define STL_ROM_START (0x08020000UL) /* customizable */
#define STL_ROM_END_ADDR (0x0803FFFFUL) /* customizable */
```

The customization depends upon the STM32 product and the user choice.

```
/* TM RAM Backup Buffer configuration */
....
/* User shall locate the buffer in RAM */
/* The RAM backup buffer is placed in "backup_buffer_section". */
/* "backup_buffer_section" section is defined in scatter file */
```

The customizing depends on the user choice.

The remaining user parameters are defined by flags, and can be checked in the following core associated files:

- stl\_user\_param\_template.cmxxx.c: use of RAM backup buffer or not
- stl util.cmxxx.c: use of software or hardware CRC computation
- stl\_stm32\_hw\_config.cmxxx.h: if CRC hardware is used, choose the right CRC IP configuration according to the STM32 device

Refer to Section 5.5.2 Steps to build an application from scratch for the flag configuration check.

UM3191 - Rev 1 page 43/62

# 7.6 Test examples

Figure 14. Test flow example



DT70600\

UM3191 - Rev 1 page 44/62



# 7.7 Details of testing examples

# 7.7.1 Flash memory test flow example

Section 7.7.3 Test example figures shows an example of flash memory test flow handling:

- Use of two flash memory subsets
- Use of functions
  - STL\_SCH\_RunFlashTM  $\rightarrow$  only the flash memory test module is executed
  - STL\_SCH\_ResetFlash
- Function return value
- Flash memory test module result value: pSingleTmStatus → in this case, it contains the result of the flash memory test

# 7.7.2 RAM test flow example

Figure 16 shows an example of RAM test flow handling:

- Use of two RAM subsets
- Use of functions:
  - STL\_SCH\_RunRAMTM  $\rightarrow$  only the RAM test module is executed
  - STL\_SCH\_ResetRam
- Function return value
- RAM test module result value:  $pSingleTmStatus \rightarrow in this case$ , it contains the result of the RAM memory test

UM3191 - Rev 1 page 45/62

# 7.7.3 Test example figures



Figure 15. Flash memory test flow example





Figure 16. RAM test flow example





# 8 STL: execution timing details

The data in the following table is obtained with the test set-up described in Section 4.2 STL performance data

Table 37. Cortex®-M0+ integration tests

| Test                   | Duratio      | n (in μs)    | Tested memory      |
|------------------------|--------------|--------------|--------------------|
| lest                   | Hardware CRC | Software CRC | rested memory      |
| STL_SCH_InitFlash      | 11           | 11           | -                  |
| STL_SCH_ConfigureFlash | 17           | 17           | -                  |
| STL_SCH_RunFlashTM     | 1016         | 7641         | 17408 bytes tested |
| STL_SCH_InitRam        | 11           | 11           | -                  |
| STL_SCH_ConfigureRam   | 19           | 19           | -                  |
| STL_SCH_RunRamTM       | 37521        | 37521        | 32768 bytes tested |
| STL_SCH_RunCpuTM1L     | 113          | 113          | -                  |
| STL_SCH_RunCpuTM7      | 42           | 42           | -                  |
| STL_SCH_RunCpuTMCB     | 15           | 15           | -                  |

Table 38. Cortex®-M4 integration tests

| Test                   | Duration (in μs) |              | Tested memory      |  |
|------------------------|------------------|--------------|--------------------|--|
| 1621                   | Hardware CRC     | Software CRC | rested memory      |  |
| STL_SCH_InitFlash      | 9                | 9            | -                  |  |
| STL_SCH_ConfigureFlash | 14               | 14           | -                  |  |
| STL_SCH_RunFlashTM     | 807              | 5658         | 17408 bytes tested |  |
| STL_SCH_InitRam        | 9                | 9            | -                  |  |
| STL_SCH_ConfigureRam   | 14               | 14           | -                  |  |
| STL_SCH_RunRamTM       | 28999            | 29042        | 32768 bytes tested |  |
| STL_SCH_RunCpuTM1L     | 78               | 80           | -                  |  |
| STL_SCH_RunCpuTM7      | 35               | 35           | -                  |  |
| STL_SCH_RunCpuTMCB     | 12               | 12           | -                  |  |

UM3191 - Rev 1 page 48/62



# 9 Application-specific tests not included in ST firmware self-test library

The user must focus on all the remaining required tests covering application specific *MCU* parts not included in the ST firmware library:

- Test of analog parts (ADC/DAC, multiplexer)
- Test of digital I/O
- External addressing
- External communication
- Timing and interrupts
- System clock frequency measurement.

Note:

The clock frequency measurement is not an integrated part of the STL package. The clock testing module is provided as open source within STL integration example to demonstrate the capability of implementing additional user defined testing modules which can be included at the STL flow. For more details refer to Section 9.5 Extension capabilities STL library.

A valid solution for these components is strongly dependent on application and device-peripheral capability. The application must follow as precisely as possible the suggested testing principles from the very early stages of its design.

Very often this method leads to redundancy at both hardware and software levels.

Hardware methods can be based on:

- Multiplication of inputs and/or outputs
- Reference point measurement
- Loop-back read control at analog or digital outputs such as DAC, PWM, GPIO
- Configuration protection.

Software methods can be based on:

- Repetition in time, multiple acquisitions, multiple checks, decisions, or calculations made at different times or performed by different methods
- Data redundancy (data copies, parity check, error correction/detection codes, checksum, protocol)
- Plausibility check (valid range, valid combination, expected change, or trend)
- Periodicity and occurrence checks (flow and occurrence in time controls)
- Periodic checks of correct configuration (for example, read back the configuration registers).

# 9.1 Analog signals

Measured values must be checked for consistency and verified by measurements performed on other redundant channels. Free channels can be used for reading some reference voltages with testing of analog multiplexers used in the application. The internal reference voltage must also be checked.

Some STM32 microcontroller devices feature two (or even three) independent *ADC* blocks. To ensure the reliability of the results, perform several conversions on the same channel using two different *ADC* blocks for security reasons. The results can be obtained using either:

- Multiple acquisitions from one channel
- Compare redundant channels followed by an averaging operation.

Here are some tips for testing the functionality of analog parts at STM32 microcontroller devices.

UM3191 - Rev 1 page 49/62



#### **ADC** input pin disconnection

The ADC input pin disconnection can be tested by applying additional signal source on the tested pin.

- Some STM32 microcontroller devices feature internal pull-down or pull-up resistor activation facilities on the analog input. They can also feature a free pin with DAC functionality or a digital GPIO output. Any one of these pins can be used as a known reference input to the ADC.
- Some STM32 microcontroller devices feature a routing interface. This interface can be used for internal connection between pins to make:
  - testing loop-back
  - additional signal injection
  - duplicate measurement at some other independent channel.

Note:

The user must prevent any critical voltage injection into an analog pin. This can happen when digital and analog signals are combined and different power levels are applied to analog and digital parts ( $V_{DD} > V_{DDA}$ ).

#### Internal reference voltage and temperature sensor (VBAT for some devices)

- Ratio between these signals can be verified within the allowed ranges.
- Additional testing can be performed where the V<sub>DD</sub> voltage is known.

#### ADC clock

Measurement of the ADC conversion time (by timers) can be used to test the independent ADC clock functionality.

#### **DAC** output functionality

Free ADC channels can be used to check if the DAC output channel is working correctly.

The routing interface can be used when connecting the ADC input channel and the DAC output channel.

#### **Comparator functionality**

Comparison between known voltage and *DAC* output or internal reference voltage can be used for testing comparator output on another comparator input.

Analog signal disconnection can be tested by pull-down or pull-up activation on a tested pin and comparing this signal with the *DAC* voltage as reference on another comparator input.

#### Operational amplifier

Functionality can be tested forcing (or measuring) a known analog signal to the operational amplifier (*OPAMP*) input pin, and internally measuring the output voltage with the *ADC*. The input signal to the *OPAMP* can be also measured by *ADC* (on another channel).

# 9.2 Digital I/Os

Class B tests must detect any malfunction on digital I/Os, too. It could be covered by plausibility checks together with some other application parts. For example, change of an analog signal from the temperature sensor must be checked when heating/cooling digital control is switched on/off. Selected port bits can be locked by applying the correct lock sequence to the lock bit in the GPIOx\_LCKR register. This action prevents unexpected changes to the port configuration. Reconfiguration is only possible at the next reset sequence in this case. In addition, the bit banding feature can be used for atomic manipulation of the SRAM and peripheral registers.

## 9.3 Interrupts

Occurrence in time and periodicity of events must be checked. Different methods can be used; one of them uses a set of incremental counters where every interrupt event increments a specific counter. The values in the counters are then cross-checked periodically with other independent time bases. The number of events occurred within the last period depends upon the application requirements.

The configuration lock feature can be used to secure the timer register settings with three levels controlled by the TIMx\_BDTR register. Unused interrupt vectors must be diverted into a common error handler. Polling is preferable for non-safety relevant tasks if possible to simplify an application interrupt scheme.

UM3191 - Rev 1 page 50/62



### 9.4 Communication

Data exchange during communication sessions must be checked while including redundant information in the data packets. Parity, sync signals, CRC check sums, block repetition, or protocol numbering can be used for this purpose. Robust application software protocol stacks like TCP/IP give higher level of protection, if necessary. Periodicity and occurrence in time of the communication events together with protocol error signals has to be checked permanently.

The user can find more information and methods in product-dedicated safety manuals.

## 9.5 Extension capabilities STL library

This framework version features a significantly easier and more flexible implementation than the previous versions of this *STL* library (see Section 1.2 Reference documents) which allows for an easier extension. Even with the new applied format, the framework keeps the same set of self-testing methods to comply with the IEC 60730 standard which are already implemented by previous versions of the library:

- Test of registers at CPU TMs
- 32-bit CRC calculation compatible with STM32 HW CRC unit at Flash TM
- March C test respecting physical address order of the RAM TM
- Timer triggered by LSI to check system clock frequency of the clock *TM* defined at *STL* integration example

The main improvements of the new framework version are:

- Module oriented
- Supports partial testing
- Based on configuration and parametrizing structures
- No differentiation between startup and runtime test modules
- CRC calculation support based on a format provided by the STM32CubeProgrammer command-line feature
- Pre-compiled and fixed object code format of key generic modules
- No dependency of the generic modules execution on drivers or compilers
- Error handling includes reporting of defensive programing results
- Artificial failure control feature to verify the proper integration of the modules with no need for additional instrumentation code
- Easy extension by additional application specific modules.

An example of an additional specific test module implementation is available in the firmware package integration example. A specific test module based on the cross check measurement method of two independent clock sources is delivered as open source format together with the firmware package integration example. This module must be adapted by the end user to take into account specific dependencies on the configuration of the applied clock system.

This module uses the same measurement principle already applied in previous versions of the library. The hardware used for the frequency comparison must initially be configured (Channel 1 of TIM16 triggered by LSI) to invoke clock measurement before the associated API is called. This hardware configuration is done at the end of  $STL_Init()$  procedure in the main.c file. The API is written to use interface compatibility with the regular APIs integrated in the STL so the same format is applied in its declaration:

```
STL_Status_t STL_SCH_RunClockTest(STL_TmStatus_t *pSingleTmStatus)
```

The parameter that is passed during this function call acts as a pointer to the clock module measurement status, and the function itself provides a STL\_KO vs STL\_OK return status as well as do the regular *STL* modules if defensive programing fails. If the clock measurement hardware is active and the new period value updated by the last measurement cycle (set to 8 consecutive LSI periods) is found at the expected interval (defined by macros CLK\_LimitLow and CLK\_LimitHigh), the module measurement status value is changed into STL\_PASSED. If not it is set to STL\_FAILED as per the regular *API* modules. This is also the case when artificial failing of the module is invoked.

In a similar way, the user can integrate the following modules. For example, any stack hardening techniques like stack boundary area check or implementing watchdog testing and servicing is no longer included at this new package by default. The source code of these tests is available in older versions of this library see [2]. Refer to [1] for additional information about the commonly recognized safety methods that are not specifically required by the household standard. They may be useful to improve the user application robustness.

UM3191 - Rev 1 page 51/62



#### **Dual-core information**

The integration example provides full source code of additional support of communication and synchronization between *STL*s running in parallel on two embedded cores, too. The provided solution fully corresponds to the one applied at previous versions of the library (for more details see [2]). The two cores communicate via embedded hardware semaphore system unit (HSEM) to cross check each other activity and testing status. Both cores monitor HSEM events by interrupts and process occupancy checks of three dedicated channels to see the *STL* correct ongoing status reciprocally. The implemented checks prevent potential HW CRC unit resource conflict during parallel initialization of both the *STL*s, too (refer to STL\_SCH\_Init function call in Section 4.3.4 CRC resources).

UM3191 - Rev 1 page 52/62



# 10 Compliance with IEC, UL, and CSA standards

The pivotal IEC standards are IEC 60730-1 and IEC 60335-1, harmonized with UL/CSA 60730-1 and UL/CSA 60335-1 starting from the 4th edition. Previous UL/CSA editions use references to the UL1998 standard in addition.

The standards are updated at regular intervals. The range of all the regulations collected in the standards is very large; the sections that concern the requirements for software self-tests of generic parts of microcontrollers is very specific. In most cases, the provided updates do not impact these specific parts of the standard at all. Therefore, an obsolete certification can still comply and stay valid for newer editions of the standard.

The relevant detailed conditions required are defined in:

- Annexes Q and R of the IEC 60335-1 norm
- Annex H of the IEC 60730-1 norm.

Three classes are defined by the IEC 60730-1:2010 H.2.22 they are:

- Class A: control functions that are not intended to be relied upon for the safety of the application.
- Class B: control functions that are intended to prevent an unsafe state of the controlled equipment. Failure
  of the control function does not directly lead to a hazardous situation.
- Class C: control functions that are intended to prevent special hazards such as explosion or which failure could directly cause a hazard in the appliance.

For a programmable electronic component applying a safety protection function, the IEC 60335-1 standard requires incorporation of software measures to control fault and error conditions specified in tables R.1 and R.2:

- Table R.1 summarizes general conditions comparable with requirements given for Class B level
- Table R.2 summarizes specific conditions comparable with requirements given for Class C level.

Requirements for Class B level software, which is the subject of this user manual, are defined to prevent hazards if another fault occurs elsewhere in the appliance. In this case, the self-test software is run on the appliance after a failure. An accidental software fault occurring during a safety-critical routine execution does not necessarily result in a hazard due to another applied redundant software procedure or hardware protection function required at this level.

There is no such hardware protection required in Class C level counting that whatever fault at safety-critical software can result in a potential hazard. To comply with this level, more robust testing is required than the one usually applicable to standard industrial microcontrollers like the STM32. An acceptable solution usually leads to the implementation of specific hardware redundancy at system level, like dual channel structures.

For more information on more stringent test methods, refer to the industrial documentation [1].

IEC 60730-1 defines the set of applicable architectures acceptable for the design of Class B control functions:

- Single channel with functional test. A single CPU executes the software control functions as required. A
  functional test is performed as the software starts. It guarantees that all critical features work properly.
- Single channel with periodic self-test. A single CPU executes the software control functions. Embedded
  periodic tests check the various critical functions of the system without impacting the performance of the
  planned control tasks.
- Dual channel (homogeneous or diverse) with comparison. The software is designed to execute control
  functions (identically or differently) on two independent CPUs. Both CPUs compare internal signals for fault
  detection when executing any safety-critical task.

Note: This structure is recognized to comply with Class C level also. A common principle is that whatever method complies with Class C automatically complies with Class B.

An overview of the methods applied by *STL* and their references to the standards are listed on the table below. The *STL* is focused on generic components of the microcontroller reused at all applications. The test of the other parts is under the end-user responsibility as their testing is mostly application specific and can be achieved effectively at the planning stage of the system design. Refer to Section 9 Application-specific tests not included in ST firmware self-test library for more information on how to handle these application-specific tests.

UM3191 - Rev 1 page 53/62



Table 39. IEC 60335-1 components covered by the X-CUBE-CLASSB library by methods recognized by IEC-60730-1

|                                       | _                                                                        |         | _                                         |                                                  |                                                                                                                                                                |                                                                                                                                                                                             |
|---------------------------------------|--------------------------------------------------------------------------|---------|-------------------------------------------|--------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Component of 60335-1: Ann             | of Table R.1 (IEC<br>ex R)                                               | Class B | References to<br>IEC 60730-1:<br>Annex H) | Fault/error                                      | Safety method applied at X-CUBE-CLASSB                                                                                                                         | Note                                                                                                                                                                                        |
|                                       | 1.1 CPU registers                                                        | ×       | H.2.16.5<br>H.2.16.6<br>H.2.19.6          | Stuck at                                         | Periodic run of the <i>STL</i><br>TM1L, TM7, and TMCB<br>CPU test modules                                                                                      | Functional pattern test of the <i>CPU</i> registers,(general-purpose R0-R12, special-purpose main and process stack pointers R13, program status APSR and CONTROL registers) <sup>(1)</sup> |
| 1. CPU                                | 1.2 Instruction decoding and execution                                   |         |                                           | N/A                                              |                                                                                                                                                                | Not required for Class B                                                                                                                                                                    |
|                                       | 1.3 Program counter                                                      | x       | H.2.18.10.2<br>H.2.18.10.4                | Stuck at                                         | N/A<br>End-user responsibility                                                                                                                                 | Logical and time slot program sequence monitoring, implementation of watchdogs                                                                                                              |
|                                       | 1.4 Addressing                                                           |         |                                           | N/A                                              |                                                                                                                                                                | Not required for Class B                                                                                                                                                                    |
|                                       | 1.5 Data path instruction decoding                                       |         |                                           | N/A                                              |                                                                                                                                                                | Not required for Class B                                                                                                                                                                    |
| 2. Interrupt handling and execution   |                                                                          | х       | H.2.18.10.4<br>H2.18.18                   | No interrupt<br>or too<br>frequent<br>interrupts | Handshake of results is applied at the interrupt associated with a clock cross-check measurement module                                                        | End-user responsibility for the other interrupts implemented at application                                                                                                                 |
| 3. Clock                              |                                                                          | x       | H.2.18.10.1<br>H.2.18.10.4                | Wrong<br>frequency                               | Periodic run of clock<br>cross-check module.<br>Added at open source<br>format as a user specific<br>test module within the<br>firmware integration<br>example | Clock cross-check measurement<br>done between two independent<br>clock sources (system clock and<br>LSI)                                                                                    |
|                                       | 4.1 Invariable memory                                                    | ×       | H.2.19.3.1<br>H.2.19.3.2<br>H.2.19.8.2    | All single bit faults                            | Periodic execution of the<br>STL FlashTM test module                                                                                                           | ECC enable under end-user responsibility <sup>(2)</sup>                                                                                                                                     |
| 4. Memory                             | 4.2. Variable memory                                                     | X       | H.2.19.6<br>H.2.19.8.2                    | DC fault                                         | Periodic execution of the STL RamTM test module                                                                                                                | ECC or parity enable under end-<br>user responsibility <sup>(2)</sup>                                                                                                                       |
| •                                     | 4.3 Addressing<br>(relevant for<br>variable and<br>invariable<br>memory) | х       | H.2.19.8.2                                | Stuck at                                         | -                                                                                                                                                              | Tested indirectly by execution of the applied memory test modules                                                                                                                           |
|                                       | 5.1 Data                                                                 | Х       | H.2.19.8.2                                | Stuck at                                         | -                                                                                                                                                              | ECC enable under end-user                                                                                                                                                                   |
| 5. Internal data path                 | 5.2 Addressing                                                           | Х       | H.2.19.8.2                                | Wrong address                                    | -                                                                                                                                                              | responsibility <sup>(2)</sup>                                                                                                                                                               |
| 6. External communication             |                                                                          | х       | -                                         | -                                                | N/A<br>End-user responsibility                                                                                                                                 | -                                                                                                                                                                                           |
| 7. I/O peripher                       | ту                                                                       | x       | -                                         | -                                                | N/A<br>End-user responsibility                                                                                                                                 | -                                                                                                                                                                                           |
| 8. Monitoring devices and comparators |                                                                          |         | N/A                                       |                                                  | Not required for Class B                                                                                                                                       |                                                                                                                                                                                             |
| 9. Custom chi                         | ps                                                                       | Х       | -                                         | -                                                | N/A                                                                                                                                                            | -                                                                                                                                                                                           |
|                                       |                                                                          |         |                                           |                                                  |                                                                                                                                                                |                                                                                                                                                                                             |

<sup>1.</sup> CPU registers L14 and L15 are tested indirectly via defensive programming methods.

UM3191 - Rev 1 page 54/62

<sup>2.</sup> For availability and functionality of concrete embedded hardware safety feature, refer to the product user and safety manual.



# **Revision history**

Table 40. Document revision history

| Date        | Version | Changes          |
|-------------|---------|------------------|
| 03-Aug-2023 | 1       | Initial release. |

UM3191 - Rev 1 page 55/62



# **Glossary**

ADC analog to digital converter

**AEABI** Arm® embedded application binary interface

API application programing interface

APSR CPU status register

BSP board support package

Class B

middle level of regulations targeting safety for home appliances (UL/CSA/IEC 60730-1/60335-1)

**CMSIS** common microcontroller software interface standard

**CPU** central processing unit

CRC cyclic redundancy check

**DAC** digital to analog conveter

DCache data cache

**FPU** floating-point unit

GPIO general purpose input output

**HAL** hardware abstraction level

ICache instruction cache

**IDE** integrated development environment

**LL** low layer

MCU microcontroller unit

MPU memory protection unit

MSP main stack pointer

**OPAMP** operational amplifier

**PSP** process stack pointer

PWM pulse width modulation

**RAM** random access memory

**SDK** software development kit

STL self-test library

TM test module

UM3191 - Rev 1 page 56/62



# **Contents**

| 1 | Gen | eral info | ormation                                     | .2  |
|---|-----|-----------|----------------------------------------------|-----|
|   | 1.1 | Purpos    | se and scope                                 | . 2 |
|   | 1.2 | Refere    | nce documents                                | . 2 |
| 2 | STM | 32Cube    | overview                                     | .3  |
|   | 2.1 | What is   | s STM32Cube?                                 | . 3 |
|   | 2.2 | How do    | oes this software complement STM32Cube?      | . 3 |
| 3 | STL | overvie   | w                                            | .4  |
|   | 3.1 |           | ecture overview                              |     |
|   | 3.2 |           | rted products                                |     |
| 4 |     |           | otion                                        |     |
| • | 4.1 | _         | nctional description                         |     |
|   | 4.1 | 4.1.1     | Scheduler principle                          |     |
|   |     | 4.1.2     | CPU Arm® core tests                          |     |
|   |     | 4.1.3     | Flash memory tests                           |     |
|   |     | 4.1.4     | RAM tests                                    |     |
|   | 4.2 |           | erformance data                              |     |
|   |     | 4.2.1     | STL execution timings                        |     |
|   |     | 4.2.2     | STL code and data size                       |     |
|   |     | 4.2.3     | STL stack usage                              |     |
|   |     | 4.2.4     | STL heap usage                               |     |
|   |     | 4.2.5     | STL interrupt masking time                   | 15  |
|   | 4.3 | STL us    | ser constraints                              | 15  |
|   |     | 4.3.1     | Dual-core STL constraints                    | 16  |
|   |     | 4.3.2     | Privileged-level                             | 16  |
|   |     | 4.3.3     | RCC resources                                | 16  |
|   |     | 4.3.4     | CRC resources                                | 16  |
|   |     | 4.3.5     | Interrupt management                         | 16  |
|   |     | 4.3.6     | DMA                                          | 17  |
|   |     | 4.3.7     | Supported memories                           | 17  |
|   |     | 4.3.8     | RAM backup buffer                            | 17  |
|   |     | 4.3.9     | Memory mapping                               | 18  |
|   |     | 4.3.10    | Processor mode                               |     |
|   | 4.4 |           | ser integration tests                        |     |
|   |     | 4.4.1     | Test 1: correct STL execution                |     |
|   |     | 4.4.2     | Test 2: correct STL error-message processing | 19  |



| 5 | Pacl | Package description      |                                            |    |  |
|---|------|--------------------------|--------------------------------------------|----|--|
|   | 5.1  | Gener                    | ral description                            | 20 |  |
|   | 5.2  | Archite                  | ecture                                     | 20 |  |
|   |      | 5.2.1                    | STM32Cube HAL                              | 20 |  |
|   |      | 5.2.2                    | Board support package (BSP)                | 21 |  |
|   |      | 5.2.3                    | STL                                        | 21 |  |
|   |      | 5.2.4                    | User application example                   | 21 |  |
|   |      | 5.2.5                    | STL integrity                              | 21 |  |
|   | 5.3  | Folder                   | r structure                                | 22 |  |
|   | 5.4  | APIs                     |                                            | 23 |  |
|   |      | 5.4.1                    | Compliance                                 | 23 |  |
|   |      | 5.4.2                    | Dependency                                 | 23 |  |
|   |      | 5.4.3                    | Details                                    | 23 |  |
|   | 5.5  | Applic                   | cation: compilation process                | 23 |  |
|   |      | 5.5.1                    | Steps to build a delivered STL example     | 23 |  |
|   |      | 5.5.2                    | Steps to build an application from scratch | 24 |  |
| 6 | Hard | lware a                  | and software environment setup             |    |  |
|   | 6.1  | Hardw                    | vare setup                                 | 26 |  |
|   | 6.2  | Softwa                   | are setup                                  | 26 |  |
|   |      | 6.2.1                    | Development tool-chains and compilers      | 26 |  |
|   |      | 6.2.2                    | CRC tool set-up                            | 27 |  |
| 7 | STL  | : User A                 | APIs and state machines                    |    |  |
|   | 7.1  | User structures          |                                            |    |  |
|   | 7.2  | User A                   | APIs                                       | 29 |  |
|   |      | 7.2.1                    | Common API                                 | 29 |  |
|   |      | 7.2.2                    | CPU Arm® core testing APIs                 | 29 |  |
|   |      | 7.2.3                    | Flash memory testing APIs                  |    |  |
|   |      | 7.2.4                    | RAM testing APIs                           |    |  |
|   |      | 7.2.5                    | Artificial-failing APIs                    | 38 |  |
|   | 7.3  | State                    | machines                                   | 39 |  |
|   | 7.4  | API usage and sequencing |                                            |    |  |
|   | 7.5  |                          | parameters                                 |    |  |
|   | 7.6  | -                        | examples                                   |    |  |
|   | 7.7  |                          | s of testing examples                      |    |  |
|   |      | 7.7.1                    | Flash memory test flow example             |    |  |
|   |      | 7.7.2                    | RAM test flow example                      |    |  |
|   |      | 7.7.3                    | Test example figures                       |    |  |
|   |      |                          |                                            | _  |  |



| 8    | STL: execution timing details |                                                                          |    |  |  |  |
|------|-------------------------------|--------------------------------------------------------------------------|----|--|--|--|
| 9    | App                           | Application-specific tests not included in ST firmware self-test library |    |  |  |  |
|      | 9.1                           | Analog signals                                                           | 49 |  |  |  |
|      | 9.2                           | Digital I/Os                                                             | 50 |  |  |  |
|      | 9.3                           | Interrupts                                                               | 50 |  |  |  |
|      | 9.4                           | Communication                                                            | 51 |  |  |  |
|      | 9.5                           | Extension capabilities STL library                                       | 51 |  |  |  |
| 10   | Com                           | npliance with IEC, UL, and CSA standards                                 | 53 |  |  |  |
| Rev  | ision                         | history                                                                  | 55 |  |  |  |
| Glo  | ssary                         |                                                                          | 56 |  |  |  |
| List | of tal                        | bles                                                                     | 60 |  |  |  |
| List | of fig                        | ıures                                                                    | 61 |  |  |  |



# **List of tables**

| Table 1.               | Applicable product                                                                               | 1    |
|------------------------|--------------------------------------------------------------------------------------------------|------|
| Table 2.               | STL return information                                                                           | . 7  |
| Table 3.               | Arm®Cortex®-M0+ STL execution timings, clock at 48 MHz                                           | . 14 |
| Table 4.               | Arm®Cortex®-M4 STL execution timings, clock at 48 MHz                                            | . 14 |
| Table 5.               | Arm®Cortex®-M0+ STL code size and data size (in bytes)                                           | . 14 |
| Table 6.               | Arm®Cortex®-M4 STL code size and data size (in bytes)                                            | . 14 |
| Table 7.               | Cortex®-M0+ STL maximum interrupt masking information                                            | . 15 |
| Table 8.               | Cortex®-M4 STL maximum interrupt masking information                                             | . 15 |
| Table 9.               | STL_SCH_Init input information                                                                   | 29   |
| Table 10.              | STL_SCH_Init output information                                                                  | 29   |
| Table 11.              | STL_SCH_RunCpuTMx input information                                                              | 30   |
| Table 12.              | STL_SCH_RunCpuTMx output information                                                             |      |
| Table 13.              | STL_SCH_InitFlash input information                                                              |      |
| Table 14.              | STL_SCH_InitFlash output information                                                             |      |
| Table 15.              | STL_SCH_ConfigureFlash input information                                                         |      |
| Table 16.              | STL_SCH_ConfigureFlash output information                                                        |      |
| Table 17.              | STL_SCH_RunFlashTM input information                                                             |      |
| Table 18.              | STL_SCH_RunFlashTM output information                                                            |      |
| Table 19.              | STL_SCH_ResetFlash input information                                                             |      |
| Table 20.              | STL_SCH_ResetFlash output information                                                            |      |
| Table 21.              | STL_SCH_DeInitFlash input information                                                            |      |
| Table 22.              | STL_SCH_DeInitFlash output information                                                           |      |
| Table 23.              | STL_SCH_InitRam input information                                                                |      |
| Table 24.              | STL_SCH_InitRam output information                                                               |      |
| Table 25.              | STL_SCH_ConfigureRam input information                                                           |      |
| Table 26.              | STL_SCH_ConfigureRam output information                                                          |      |
| Table 27.<br>Table 28. | STL_SCH_RunRamTM input information                                                               |      |
|                        | STL_SCH_RunRamTM output information                                                              |      |
| Table 29.<br>Table 30. | STL_SCH_ResetRam output information                                                              |      |
| Table 30.              | STL SCH DelnitRam input information                                                              |      |
| Table 31.              | STL_SCH_DelnitRam output information                                                             |      |
| Table 33.              | STL_SCH_StartArtifFailing input information                                                      |      |
| Table 34.              | STL_SCH_StartArtifFailing output information                                                     |      |
| Table 35.              | STL_SCH_StopArtifFailing input information                                                       |      |
| Table 36.              | STL_SCH_StopArtifFailing output information                                                      |      |
| Table 37.              | Cortex®-M0+ integration tests                                                                    |      |
| Table 38.              | Cortex®-M4 integration tests                                                                     |      |
| Table 39.              | IEC 60335-1 components covered by the X-CUBE-CLASSB library by methods recognized by IEC-60730-1 |      |
| Table 40.              | Document revision history                                                                        |      |
| I WANTO TO.            |                                                                                                  |      |

UM3191 - Rev 1 page 60/62





# **List of figures**

| Figure 1.  | STL architecture                                      | . 5 |
|------------|-------------------------------------------------------|-----|
| Figure 2.  | Single test control call architecture                 | 7   |
| Figure 3.  | Flash memory test: CRC principle                      | 10  |
| Figure 4.  | Flash memory test: CRC use cases versus program areas | 11  |
| Figure 5.  | RAM test: usage                                       | 13  |
| Figure 6.  | Software architecture overview                        |     |
| Figure 7.  | Project file structure                                | 22  |
| Figure 8.  | IAR <sup>™</sup> post-build actions screenshot        | 25  |
| Figure 9.  | CRC tool command line                                 | 25  |
| Figure 10. | STM32 Nucleo board example                            | 26  |
| Figure 11. | State machine diagram - CPU test APIs                 | 40  |
| Figure 12. | State machine diagram - flash memory test APIs        | 41  |
| Figure 13. | State machine diagram - RAM test APIs                 | 42  |
| Figure 14. | Test flow example                                     | 44  |
| Figure 15. | Flash memory test flow example                        | 46  |
| Figure 16. | RAM test flow example                                 | 47  |



#### **IMPORTANT NOTICE - READ CAREFULLY**

STMicroelectronics International NV and its affiliates ("ST") reserve the right to make changes corrections, enhancements, modifications, and improvements to ST products and/or to this document any time without notice.

This document is provided solely for the purpose of obtaining general information relating to an ST product. Accordingly, you hereby agree to make use of this document solely for the purpose of obtaining general information relating to the ST product. You further acknowledge and agree that this document may not be used in or in connection with any legal or administrative proceeding in any court, arbitration, agency, commission or other tribunal or in connection with any action, cause of action, litigation, claim, allegation, demand or dispute of any kind. You further acknowledge and agree that this document shall not be construed as an admission, acknowledgment or evidence of any kind, including, without limitation, as to the liability, fault or responsibility whatsoever of ST or any of its affiliates, or as to the accuracy or validity of the information contained herein, or concerning any alleged product issue, failure, or defect. ST does not promise that this document is accurate or error free and specifically disclaims all warranties, express or implied, as to the accuracy of the information contained herein. Accordingly, you agree that in no event will ST or its affiliates be liable to you for any direct, indirect, consequential, exemplary, incidental, punitive, or other damages, including lost profits, arising from or relating to your reliance upon or use of this document.

Purchasers should obtain the latest relevant information on ST products before placing orders. ST products are sold pursuant to ST's terms and conditions of sale in place at the time of order acknowledgment, including, without limitation, the warranty provisions thereunder.

In that respect, note that ST products are not designed for use in some specific applications or environments described in above mentioned terms and conditions

Purchasers are solely responsible for the choice, selection, and use of ST products and ST assumes no liability for application assistance or the design of purchasers' products.

Information furnished is believed to be accurate and reliable. However, ST assumes no responsibility for the consequences of use of such information nor for any infringement of patents or other rights of third parties which may result from its use. No license, express or implied, to any intellectual property right is granted by ST herein.

Resale of ST products with provisions different from the information set forth herein shall void any warranty granted by ST for such product.

ST and the ST logo are trademarks of ST. For additional information about ST trademarks, refer to www.st.com/trademarks. All other product or service names are the property of their respective owners.

Information in this document supersedes and replaces information previously supplied in any prior versions of this document.

© 2023 STMicroelectronics - All rights reserved

UM3191 - Rev 1 page 62/62