Today’s appliance designers must ensure with the utmost certainty that their design is safe and reliable. Typically, they ask questions such as, “Does my design meet stringent safety standards like IEC 60730 and IEC 60335?”
During the design, a distinction is usually drawn between basic safety and functional safety. Basic safety generally refers to risk of fire, electric shock, or bodily injury. For example, one concern of basic safety in motorized appliances would be the effects of motor overheating and its thermal stress on the insulation of the motor windings.
The traditional way to keep motor windings and insulation from getting too hot was to use a temperature sensor in the motor. But such a solution costs money and adds complexity to the system. In addition, the temperature sensor should be recognized and approved by the certifying body. If the signal from the temperature sensor is processed by any software-defined algorithms in the control, then software standards also come into play.
Motor overheating may be caused by other failure modes, such as the loss of a phase, a locked rotor, or a heavy load. Detecting these failure modes first before they can lead to an overheat condition further reduces the risks.
Many times the detection of these conditions is carried out in software. If any part of the basic safety functions is performed by software, then IEC 60335-1 Annex R and IEC 60730-1 Annex H Class B software compliance may come into play.
Functional safety refers to the risk associated with normal operation of the product by the end user. Both IEC 60730 and IEC 60335 address a specific set of anomalies or abnormal operating conditions that can affect the mechanical, electrical, or electronic operation of appliances.
The first step in the design of an appliance automatic control system is to choose the target safety classification for the control. IEC 60730/60335 divides controls into three classes:
Class A: Products not intended to be relied upon for the safety of the equipment.
Class B: Prevents unsafe operation of the controlled equipment.
Class C: Prevents special hazards.
Controls designated as Class A are deemed nonhazardous if the control system or operating software malfunctions. The IEC norm does not require the designer to implement system checks, so the development of the automatic control system is simplified.
Class C controls are typical of gas heaters or products containing flammable or combustible material. These controls need redundant systems, such as additional sensors, to minimize hazardous situations.
However, the vast majority of products must comply with the Class B level. The automatic control system should include all of the elements to prevent unsafe operation without relying on the presence of an external redundant sensor or independent circuit.
For example, typical problems that washing machines and dishwashers face are related to reliable monitoring of motor speed and motor overheating. The safety consideration concerning the use of the product with an overheated motor or one driven “out of control” should be self-evident.
To comply with Class B specifications, the code in the automatic control system must detect possible malfunctions of the current sensors. For example, the circuitry should detect whether the sensing element has an open or short circuit.
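One way such an open/short check can be written, as an added example that is not code from the original article or from any vendor library. The ADC width, the thresholds, the pull-up bias on the sense input and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for illustration: 10-bit ADC, sense input pulled up so that an
   open sensing element reads near full scale and a short reads near zero. */
#define ADC_SHORT_MAX   8u     /* at or below: shorted to ground */
#define ADC_OPEN_MIN    1015u  /* at or above: open circuit */
#define FAULT_DEBOUNCE  3u     /* consecutive bad samples before latching */

typedef enum { SENSE_OK = 0, SENSE_SHORT, SENSE_OPEN } sense_fault_t;
typedef struct {
    sense_fault_t latched;   /* stays set until the controller is reset */
    sense_fault_t pending;   /* fault kind currently being counted */
    uint8_t       count;     /* consecutive samples of the pending kind */
} sense_monitor_t;

static sense_fault_t classify(uint16_t adc)
{
    if (adc <= ADC_SHORT_MAX) return SENSE_SHORT;
    if (adc >= ADC_OPEN_MIN)  return SENSE_OPEN;
    return SENSE_OK;
}

/* Call once per ADC sample; returns the latched fault (SENSE_OK if none). */
sense_fault_t sense_monitor_update(sense_monitor_t *m, uint16_t adc)
{
    sense_fault_t now = classify(adc);
    if (m->latched != SENSE_OK) return m->latched;  /* fail-safe: latch holds */
    if (now == SENSE_OK) { m->pending = SENSE_OK; m->count = 0; return SENSE_OK; }
    if (now != m->pending) { m->pending = now; m->count = 0; }
    if (++m->count >= FAULT_DEBOUNCE) m->latched = now;
    return m->latched;
}

/* Runs a fresh monitor over a sample buffer and returns the final state. */
sense_fault_t sense_monitor_run(const uint16_t *s, unsigned n)
{
    sense_monitor_t m = { SENSE_OK, SENSE_OK, 0 };
    for (unsigned i = 0; i < n; i++) sense_monitor_update(&m, s[i]);
    return m.latched;
}

int main(void)
{
    /* Constructed samples: one noise spike, then a persistent open circuit. */
    const uint16_t samples[] = { 510, 1023, 515, 520, 1020, 1021, 1023, 512 };
    printf("fault=%d\n", (int)sense_monitor_run(samples, 8));
    return 0;
}
```

The debounce keeps a single noisy sample from tripping the fault, while the latch ensures that a sensor which briefly recovers cannot silently clear the error.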
The demand today is for dish washing machines with high washing efficiency, high energy efficiency, and low acoustic noise. Many times this leads to the use of a permanent magnet (PM) motor and a motor drive with sinusoidal output.
Early PM motors used Hall-effect sensors to monitor motor operation. But effective operation with Hall-effect devices required precise placement of the sensors. In addition, the reliability of Hall-effect devices drops as temperature climbs. Higher operating efficiencies and lower noise were possible using sensorless control techniques. Unfortunately, eliminating all sensors introduced other challenges when addressing safety issues.
For example, the user may open the main door of a dishwasher to add or remove dishes any time during the wash cycle. The inverter circuit controlling the main wash water circulator pump needs to ensure that the pump speed is low enough by the time the door is open to avoid spraying extremely hot water out of the washer. The software must be Class B compliant because the pump speed is determined by a software algorithm based on the inverter currents read by the current shunt.
Washing machine requirements are similar to those of dishwashers. Modern horizontal washing machines rely on software to release the door lock permitting access to the clothes in the washer. A drum that’s still rotating can create a hazard to the user’s arm. In this case, too, the software of the automatic control system must be Class B compliant.
Growing reliability demands and the pressure to keep costs low have pushed both basic and functional safety monitoring into software-implemented features. However, integrating software safety algorithms into control systems still takes development time. Thus manufacturers are starting to supply these safety algorithms along with the motor control circuitry.
One such system is the IRMCK171 motor inverter controller by International Rectifier. Unlike traditional microcontrollers or DSPs, the IRMCK171 provides built-in closed-loop sensorless control using IR’s flexible Motion Control Engine (MCE) for PM motors as well as induction motors.
The IRMCK171 contains a co-integrated 60-MIPS, 8-bit 8051 microcontroller that enables application-layer software development. The 8051 operates almost independently of the MCE and does not compete for system resources such as interrupts or internal registers. An embedded Analog Signal Engine (ASE) integrates all the signal conditioning and conversion circuits required for single-current-shunt, sensorless control of a PM motor.
Built into the chip is a one-time programmable (OTP) ROM-based monolithic mixed-signal IC that meets the standards of IEC 60335-1 Edition 4.2 – Class B.
Source-code libraries developed by IR let users design automatic control systems in compliance with today’s safety standards. End users can implement an IEC-compliant 8051 application with minimal effort. For example, the IRMCK171 Self-Test Library provides a set of function calls that perform 8051 power-up and periodic self-tests or safety checks as required for IEC 60335-1 Annex R and IEC 60730-1 Annex H Class B software compliance.
The MCE processor also implements power-up and periodic self-tests in firmware. These tests are also required for IEC 60335-1 Annex R and IEC 60730-1 Annex H Class B software compliance and run in conjunction with the functions of the 8051 library. The MCE self-tests are built into firmware on the chip rather than being supplied in library form. As the MCE firmware is not user-modifiable, there is little risk of programming error for the tests.
The 8051 self-test library functions control and manage the MCE self-test functions automatically. Power-up tests execute once at system startup (after power-up or reset) to make sure the 8051 and MCE processors and memories are working properly. Periodic tests, executed on a regular basis during normal run time, confirm proper operation of system components, firmware, and application software.
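The split between a power-up test and a periodic test can be illustrated with a program-memory integrity check. This is an added example, not the IRMCK171 Self-Test Library or its API. The function names, the CRC-16/CCITT-FALSE choice and the slice size are assumptions, and the "image" is a constructed stand-in for code memory.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { ROM_IN_PROGRESS, ROM_PASS, ROM_FAIL } rom_status_t;
typedef struct {
    const uint8_t *base;      /* start of the checked image */
    uint16_t len, pos;        /* image length and next byte to check */
    uint16_t crc, expected;   /* running CRC and stored reference value */
} rom_test_t;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), bitwise: no lookup table. */
static uint16_t crc16_update(uint16_t crc, uint8_t byte)
{
    crc ^= (uint16_t)(byte << 8);
    for (int i = 0; i < 8; i++)
        crc = (uint16_t)((crc & 0x8000u) ? (crc << 1) ^ 0x1021u : crc << 1);
    return crc;
}

/* Periodic slice: checks at most `chunk` bytes per call so the control loop
   is never blocked. Reports PASS or FAIL when a full pass ends, then restarts. */
rom_status_t rom_test_step(rom_test_t *t, uint16_t chunk)
{
    while (chunk-- && t->pos < t->len)
        t->crc = crc16_update(t->crc, t->base[t->pos++]);
    if (t->pos < t->len) return ROM_IN_PROGRESS;
    rom_status_t r = (t->crc == t->expected) ? ROM_PASS : ROM_FAIL;
    t->pos = 0; t->crc = 0xFFFFu;   /* rearm for the next pass */
    return r;
}

/* Power-up variant: runs slices back to back until one full pass completes. */
rom_status_t rom_test_full(rom_test_t *t, uint16_t chunk)
{
    rom_status_t r;
    do { r = rom_test_step(t, chunk); } while (r == ROM_IN_PROGRESS);
    return r;
}

int main(void)
{
    /* Constructed stand-in for code memory; 0x29B1 is its CRC-16/CCITT-FALSE. */
    uint8_t image[] = "123456789";
    rom_test_t t = { image, 9, 0, 0xFFFFu, 0x29B1u };
    printf("power-up: %d\n", (int)rom_test_full(&t, 4));
    image[3] ^= 0x01;   /* simulate a single flipped bit */
    printf("after corruption: %d\n", (int)rom_test_full(&t, 4));
    return 0;
}
```

In a real control the application would call the slice function from its background loop and drive the outputs to a safe state as soon as it returns a failure.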
By using these self-test libraries and firmware, engineers can simplify and shorten the cycle time for obtaining Class B certification from regulatory bodies, reducing overall development time.