Safety guidelines for electronic controls explained

Meenakshi Sundaram -April 05, 2013

Today, the majority of automatic electronic controls for home appliance products use single-chip microcontrollers. Manufacturers develop real-time embedded firmware that executes in the MCU and provides hidden intelligence to control home appliances. MCU damage due to overheating, static discharge, too high of a voltage, and other factors can cause the appliance to enter an unknown or unsafe state.

The International Electrotechnical Commission (IEC) has developed safety standard IEC 60730-1 that covers mechanical, electrical, electronic, environmental endurance, EMC, and abnormal operation for home appliances.  Annex H: Requirements for Electronic Controls of the standard, which details test and diagnostic methods to ensure safe operation of embedded control hardware and software for home appliances, is discussed in this article.

Overview of Annex H
Annex H of the IEC 60730-1 standard classifies appliance software into the following categories (see Appendix B: “IEC 60730-1 Table H.11.12.7”):
  • Class A Control functions: These are not intended to be relied upon for the safety of the equipment. Examples are humidity controls, lighting controls, timers, and switches.
  • Class B Control functions: These prevent unsafe operation of controlled equipment. Examples are thermal cut-offs and door locks for laundry equipment. This is the more commonly required safety classification, and will be the focus of this article.
  • Class C Control functions: These are intended to prevent special hazards (i.e., an explosion caused by the controlled equipment). Examples are automatic burner controls and thermal cut-outs for closed, unvented water heater systems.

Large appliance products, such as washing machines, dishwashers, dryers, refrigerators, freezers, and cookers/stoves, tend to fall under Class B classification. (An exception is an appliance that might cause an explosion, such as a gas-fired controlled dryer, which falls under class C.)

Annex H of the standard lists various measures to detect electronic faults and the response to each of them. According to the standard, a manufacturer of automatic electronic controls must design software using one of the following structures:
  • Single-channel with functional test
  • Single-channel with periodic self test
  • Dual-channel without comparison

The dual-channel structure implementation is more costly because two CPUs (or two MCUs) are required. In addition, it is more complex because the two devices need to regularly communicate with each other. The single-channel structure with a functional test is most commonly implemented today. However, appliance manufacturers are moving to the single-channel structure with periodic self-test implementation to increase robustness.

Class B Requirements
The IEC60730-1 Class B Annex H Table H.11.12.7 lists the components that must be tested, depending on the software classification. Generally, each component has various measures to verify/test it, which provides flexibility for selecting a suitable measure for the device.
Class B compliance for single-channel structures requires manufacturers of electronic controls to test the components listed in the following table.

Table 1. Components required to be tested for single channel structures

CPU Self Test
This test covers the safety of all CPU/processor related registers (such as accumulator, flag register, and program counter) by testing whether the register has any stuck bits (e.g., a bit is stuck to either ‘0’ or ‘1’). A simple checkerboard test (where a checkerboard pattern is written to the register and read back for any mismatches) can be used to ensure the safety of basic data registers. A checkerboard test is a simple six-step test:

1.    Back up the register being tested
2.    Write 0x55 to the register
3.    Read the register and verify if it is 0x55
4.    Write 0xAA to the register
5.    Read the register and verify if it is 0xAA
6.    Restore the register

For special registers like flag registers, the condition which sets/clears the flag bit can be simulated and verified for any stuck at fault. For instance, the zero flag is set if the accumulator value becomes ‘0’ after an operation. To check this flag, first clear and check the zero flag, then write ‘0’ to the accumulator and read/confirm the zero flag is set.

The program counter register is part of the CPU register set. To test this register explicitly using a checkerboard test, the addresses of 0x5555 and 0xAAAA (for a 64 K Flash device) must be allocated exclusively for this test. However, this breaks the Flash into segments of memory which are now smaller in size. In order to avoid this code fragmentation and to ensure proper PC functioning, it is recommended to use a watch dog timer that can reset the system in case of any stuck PC value. Usually while programming a device, unused flash bytes are loaded with the opcode for the ‘halt’ instruction such that if, by corruption of the program counter, program execution moves to an undefined flash area, it halts and the watchdog resets the CPU.

>>>Next Page (on

Loading comments...

Write a Comment

To comment please Log In