Nelson QuintanaThanks to microcomputer-based control electronics, consumer white goods and home appliances are easier and more convenient to use, work better and are more energy efficient. But what if something in the circuitry goes wrong? Compliance to the IEC 60730-1 Standard is mandatory for such products sold in Europe. Although obtaining certification complicates the system design process and increases development costs, it stamps products with a mark of quality and corporate responsibility.

In appliances with control systems based on microcontrollers (MCUs), solutions for safety issues often can be implemented economically in software. The MCU can periodically check all features affecting safe operation. Leading appliance manufacturers are finding it advantageous to build control solutions that maximize the use of software to achieve safety compliance. Thus, they are asking MCU suppliers to provide cost-effective measures for meeting IEC 60730-1 requirements that are implemented predominantly in software. Some IC makers have responded well to this request, developing new or enhanced MCUs and support tools. System engineers should recognize and analyze pertinent design factors in their component evaluations, because by making optimum choices they can simplify, facilitate and reduce the cost of obtaining certificates of compliance for new appliance designs.

Implementing the Required Test Routines
One example of the safety-compliance related MCU measures that have been developed is a series of low-level software routines or utilities from Renesas. These routines allow customers to achieve the level of demonstrable safety required to comply with Annex H of the Standard, which deals with control systems using software. The code can be added to existing application software to reduce the cost of an appliance’s bill of materials and accelerate the certification process. The routines are applicable for all products affected by the IEC 60730-1 Standard, including equipment classified as ‘Class C’ (control functions intended to prevent special hazards). Importantly, they also apply to appliances affected by the UL1998 safety standard of North America.  

The low-level routines implement a process of ‘software checking software’. Although this approach may seem like a paradox, the extra code does cover the essential elements cited in the IEC 60730-1 Standard—when, that is, they are executed in an MCU with a combination of enhanced peripherals such as a particularly robust Watchdog Timer (WDT).

The WDT plays an important role in this compliance solution because the safe operation of the appliance depends heavily on the correct execution of the MCU’s algorithm. For Class-B products, there are four requirements for the WDT: the use of a separate time-based oscillator, the inability to disable the WDT register through software, the generation of a hardware-based reset (not a maskable interrupt), and the provision of a ‘safe’ I/O state following initialization and/or a hardware reset. For Class-C equipment, the Standard calls for the mandatory use of an external WDT chip, as well as a second MCU that provides both hardware and software redundancy and enables one WDT to verify the operation of the other.

Checking the Status of the MCU
The MCU must go through specific tests following start-up and thereafter while the appliance is running to ensure that correct system operation is maintained. These include CPU and RAM tests; ROM/flash tests; clock tests, and peripheral tests. Figure 1 illustrates an MCU controlling an electric motor system and lists eight key IEC 60730-1 Class B test requirements, along with the faults and errors the tests are supposed to find. (The requirements and details of these tests [typical test methods, timing, etc.] are beyond the scope of this article.)

Figure 1: Key IEC 60730-1 Class-B requirements. Tests must verify proper operation of the CPU, interrupts, system clock, ROM, RAM, I/O peripherals, and analog interfaces.

As previously mentioned, some MCU makers now offer low-level routines that provide the test coverage necessary for compliance. The routines Renesas has developed are available as source code. They can be quickly integrated into existing software because their syntax has been fully checked against the MISRA coding standard. After being integrated into the appliance’s application software, these routines can be called whenever necessary during product operation.

One such low-level routine is a RAM test that uses the industry-recognized March-C and March-X algorithms. The March-C test is used at start-up, but the March-X test can be executed at any time to detect RAM failures such as ‘stuck-at’, ‘transition’, ‘coupling’ and ‘address decode’ faults. Data in RAM is preserved by copying it to a buffer storage area before the March-X test routine executes.

ROM/Flash tests employ cyclic redundancy checking, which recognizes all single-bit errors and a high percentage of multi-bit errors. The CRC values used as checksums can be calculated in software using either a look-up table or bit shifting; the former requires more code space than the latter, but requires fewer CPU cycles. However, some MCUs, such as M16C chips, have a dedicated CRC-calculation circuit that can generate a CRC value for one byte of data in two machine cycles.

Routines for performing CPU tests for safety compliance must access specific registers: general purpose, flag/status, program counter, etc. Therefore, they must be written in the assembly language of the MCU architecture. Since the assembly language test routines that Renesas offers comply with all other C function calls, they can be treated the same as any normal C function, without the need for extra register-preservation steps. If this were not the case, incorporating this test functionality could increase the application software by as much as 20KB, which may drive the design requirement to a 16/32-bit MCU.

Optimizing MCUs for IEC 60730-1 Compliance
Since specific test routines can be devised to verify safe system operation, it follows directly that those companies that design MCUs can use this information to enhance their existing MCU hardware or design improved on-chip functions that are more likely to pass the tests. Such features give upgraded MCUs a significant edge in appliance designs.

To provide some perspective on what can be done to optimize safety, Figure 2 shows types of enhanced MCU functions that facilitate obtaining IEC 60730-1 certification. CRC blocks are useful for ROM/Flash and communications tests. Advanced oscillation circuits with multiple internal/external clock options can be used for clock frequency and I/O peripheral tests. Numerous timers with versatile functionality are ideal for testing interrupts and I/O peripherals. Features such as an output-port level-detection function simplify the I/O self-tests, while enhanced analog circuits can assist with the testing of blocks such as analog-to-digital converters.

Figure 2: MCU features that aid tests for IEC 60730-1 compliance. Many hardware and firmware elements have been created or enhanced by Renesas to help ensure the safety of home appliances and white go

Other useful hardware features include improved analog/digital circuits for tests of clock frequency, and robust communication interfaces such as LIN and CAN for communication tests. Optimized device-specific firmware eases tests of the CPU, ROM and RAM. Figure 3 highlights the compliance-testing related features built into Renesas’ MCU families.

Making Optimum MCU Selections for Compliant Appliances
System engineers seeking to choose the best MCUs for IEC 60730-1 compliant appliance designs should search for devices with on-chip hardware functions that allow low-level software routines to implement most of the required safety features. In addition, they should consider MCUs from leading manufacturers that offer software routines and support tools, products and services that can help speed-up the certification process. In particular, embedded designers should look for microcomputers and code that previously have been certified by compliance organizations such as VDE (Europe) and UL (U.S.).

Figure 3: IEC 60730-1 compliance-related features of Renesas MCU families.

Renesas offers VDE-tested routines for MCUs designed for appliance applications such as the devices in the R8C and SuperH families. Such test routines include CPU, RAM and ROM self-test functions that have been developed for all products within the family, making them very flexible and easy to use. Engineers can obtain this code, along with application notes and the actual VDE certificate, through the Renesas website:
Renesas is constantly working with major compliance organizations to certify new MCU devices, as well as optimized routines that address the need for safer household appliances.