
Guidance on the assessment of functional-safety software in household appliances, 61/6434/INF (Part 1)

International Electrotechnical Commission (IEC), Technical Committee 61 (TC 61): Safety of household and similar electrical appliances.
Revised guidance document on the functional safety of appliances that use programmable electronic circuits.
This guidance document was updated by the TC 61/MT 23 working group on the basis of the meetings held during 2021. It replaces the earlier document 61/2586E/INF, issued on 8 September 2017.
Introduction:
Edition 6.0 of IEC 60335-1 specifies a methodology for the achievement of functional safety of household and similar electrical appliances that rely on programmable safety related electronic circuits to achieve this. The appliance is assumed to be installed, used and maintained in accordance with the instructions provided by the manufacturer, under both normal and abnormal conditions of operation.
In developing this methodology TC 61/MT 23 took into account the guidance given in IEC/TS 61000-1-2, Electromagnetic compatibility (EMC) – Part 1-2: General – Methodology for the achievement of the functional safety of electrical and electronic equipment with regard to electromagnetic phenomena; IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety related systems – Part 3: Software requirements; and Annex H of IEC 60730-1, Automatic controls for household and similar use – Part 1: General requirements.
Edition 6.0 of IEC 60335-1 considers the influence of the electromagnetic environment on appliances; however, it does not take into consideration electromagnetic phenomena generated internally by the appliance itself. These have to be considered as part of the appliance design process. In general it assumes that all components related to functional safety will fail at some stage during the life of the appliance, and it defines requirements to be met by safety related software.
The requirements specified in clause 19 of IEC 60335-1, and in clauses 20, 22, 24 and 32 of the parts 2 where specified, are based on different risks and on the resulting measures to control errors if they occur, or to avoid them during development, as described in IEC 61508. The test specifications for these clauses form the validation procedure against which the design is confirmed.
Comment: software assessment is now required. Besides the protection exercised by the Clause 19 abnormal-operation tests, one must also consider Clause 20 (mechanical hazards), Clause 22 (construction), Clause 24 (components), Clause 32 (software protection against UV leakage) and the particular requirements of the Part 2 standards.
Whenever those measures are to be applied under the conditions specified in the subclauses of 20, 22, 24 or 32, this will be specified in future amendments of the parts 2.
Any modification to a programmable safety related electronic circuit, including its software (see 22.46), requires that the validation procedure be repeated if the modification could influence the previous validation.
Programmable electronic components using software in functions to comply with clause 19, and in general with clauses 20, 22, 24 and 32 of the parts 2 where specified, shall be designed to comply with the measures of table R.1. Parts 2 may require, for certain hazardous functions, that software shall be designed to comply with the measures of table R.2. For functions or appliances not covered by a part 2, the application of table R.1 or R.2 shall be based on a risk assessment.
Comment: for certain special hazardous functions, such as gas-related functional safety, a Class C assessment must be carried out in accordance with the measures of Table R.2.
The requirements for the software design and verification process have been taken from IEC 61508 and adapted to the needs of IEC 60335, as given in Annex R, clause R.3. It is also important for software designers to apply their engineering experience, as well as additional measures given in IEC 61508-3 (e.g. module test and integration test), to the software evaluation process for further reduction of hidden software faults/errors. Software cannot always be proven to be totally error free.
Not every detail of the safety related measures is applicable to every individual appliance. This is recognized by clause 5.3 of IEC 60335-1, where it is stated that
– If it is evident from the construction of the appliance that a particular test is not applicable, the test is not carried out.
In general 19.13 is the compliance criterion for the requirements given in clause 19. Some subclauses within clause 19 have their own compliance criteria; in such cases a PEC shall ensure compliance with those clauses. The compliance criterion for the additional fault in 19.11.3 is in any case 19.13, and not the compliance criterion of the original clause. Additional requirements specified in 19.1 and 19.11 have to be taken into account if relevant for the test result.
The number of fault modes for microprocessors and integrated circuits given in 19.11.2 f) may, due to the complexity of the internal structure of such a component, result in an excessive amount of testing. A complete evaluation is practically not feasible, especially in conjunction with measures to control errors (see Annex R, R.1 and R.2) in the microprocessor and integrated circuits. Therefore, the fault modes can be considered as follows:
For microprocessors and integrated circuits (IC) evaluated by Annex R, only the following failures are considered:
– The short circuit of:
• any two adjacent terminals
• each terminal to the IC supply, if applicable
• each terminal to the IC ground, if applicable
– All possible combinations of stuck-at failure at the output of more than one IC terminal at a time.
NOTE 1 Components such as thyristors and triacs are not subjected to fault condition f).
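The reduced fault list above is what an assessor turns into a concrete test plan. As an added example (not part of the guidance document or of any IEC text), the following Python enumerates exactly those cases for a hypothetical 8-pin control IC: the pin names, the assumption that "adjacent" means consecutive package pins, and the choice of which pins are outputs are all constructed for the illustration. It deduplicates pairs that fall under more than one rule, lists every multi-terminal stuck-at combination, and applies NOTE 1 by returning an empty plan for thyristors and triacs.

```python
"""Enumerate the fault modes that 19.11.2 f), read together with Annex R,
requires for a microprocessor or IC under test (constructed example)."""
from dataclasses import dataclass
from itertools import combinations, product
from typing import List, Sequence, Tuple

# Constructed pin list for a hypothetical 8-pin control IC. Adjacency is taken
# to mean consecutive package pins in this order (assumption for the example).
PINS = ["VDD", "IN_TEMP_A", "IN_TEMP_B", "OUT_RELAY",
        "OUT_HEATER", "OUT_LED", "NRST", "GND"]
SUPPLY_PIN = "VDD"
GROUND_PIN = "GND"
OUTPUT_PINS = ["OUT_RELAY", "OUT_HEATER", "OUT_LED"]


@dataclass(frozen=True)
class FaultCase:
    kind: str      # "short" or "stuck-at"
    detail: str    # human-readable description for the test plan


def short_circuit_pairs(pins: Sequence[str], supply: str, ground: str) -> List[Tuple[str, str]]:
    """Short circuits of (a) any two adjacent terminals, (b) each terminal to the
    IC supply and (c) each terminal to the IC ground. A pair that falls under
    more than one rule is listed once, so the plan contains no duplicate tests."""
    pairs = set()
    for a, b in zip(pins, pins[1:]):          # (a) adjacent terminals
        pairs.add(frozenset((a, b)))
    for p in pins:
        if p != supply:                        # (b) terminal to supply
            pairs.add(frozenset((p, supply)))
        if p != ground:                        # (c) terminal to ground
            pairs.add(frozenset((p, ground)))
    # Deterministic pin order so the generated report is reproducible.
    order = {p: i for i, p in enumerate(pins)}
    ordered = [tuple(sorted(pr, key=order.get)) for pr in pairs]
    return sorted(ordered, key=lambda t: (order[t[0]], order[t[1]]))


def stuck_at_combinations(outputs: Sequence[str]) -> List[Tuple[Tuple[str, int], ...]]:
    """All combinations of stuck-at-0 / stuck-at-1 faults on MORE THAN ONE output
    terminal at the same time. Single stuck-at faults are deliberately absent:
    they are already ordinary single-fault conditions."""
    cases = []
    for size in range(2, len(outputs) + 1):
        for subset in combinations(outputs, size):
            for levels in product((0, 1), repeat=size):
                cases.append(tuple(zip(subset, levels)))
    return cases


def expected_stuck_at_count(n_outputs: int) -> int:
    """Closed form: each output is untouched, SA0 or SA1 (3**n), minus the
    'no fault' case and the 2*n single stuck-at cases."""
    return 3 ** n_outputs - 2 * n_outputs - 1


def build_fault_plan(pins, supply, ground, outputs, component: str = "IC") -> List[FaultCase]:
    """Assemble the Annex R fault list for one component. NOTE 1 of the guidance:
    thyristors and triacs are not subjected to fault condition f), so they get no entries."""
    if component.lower() in ("thyristor", "triac"):
        return []
    plan = [FaultCase("short", f"short {a} <-> {b}")
            for a, b in short_circuit_pairs(pins, supply, ground)]
    for combo in stuck_at_combinations(outputs):
        plan.append(FaultCase("stuck-at", ", ".join(f"{pin} stuck-at-{lvl}" for pin, lvl in combo)))
    return plan


if __name__ == "__main__":
    for case in build_fault_plan(PINS, SUPPLY_PIN, GROUND_PIN, OUTPUT_PINS):
        print(f"{case.kind:8s} {case.detail}")
```

For the constructed pin list this yields 18 distinct short-circuit tests and 20 multi-output stuck-at combinations; the closed form in `expected_stuck_at_count` shows why the stuck-at list grows as 3^n and is the part of the plan worth bounding early by keeping the number of safety-relevant output pins small.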
Comment: this point can serve as an important basis for the failure analysis of microprocessors and integrated circuits (ICs); for details see the earlier article on this public account:
Safety Regulation Express! FMEA failure analysis of electronic components for appliance functional safety
The effects of electromagnetic phenomena relating to the performance of the appliance are covered by other standards such as CISPR 14-2, Electromagnetic compatibility – Requirements for household appliances, electric tools and similar apparatus – Part 2: Immunity – Product family standard.
Comment: if external electromagnetic interference (e.g. as covered by CISPR 14-2 / EN 55014-2) causes abnormal operation of the product, and the relevant software provides the protection, then a software assessment must be considered!
This clause is similar to the FMEA analysis in EN 298 of first/second faults when the system is in the lockout state because of a fault not originating inside the IC, i.e. an external fault (caused by an electromagnetic field); see the public-account articles:
Safety Regulation Express! Fault and failure analysis of burner control systems for gas appliances (Part 1)
Safety Regulation Express! Fault and failure analysis of burner control systems for gas appliances (Part 2)
In IEC 60335-1, the compliance criteria showing successful mitigation of the effects of electromagnetic phenomena relating to the safety of the appliance are:
– The appliance shall not undergo a dangerous malfunction, and there shall be no failure of protective electronic circuits if the appliance is still operable.
– Appliances tested with an electronic switch in the off position, or in the stand-by mode, shall not become operational or, if they become operational, shall not result in a dangerous malfunction.
Comment: if the appliance keeps operating normally even under electromagnetic interference, or its operation does not cause a dangerous malfunction (including where mechanical protection such as a hardware thermal fuse or a circuit fuse is present), the electromagnetic field can be regarded as having little effect on the appliance.
It is necessary to draft an individual test plan for each appliance design to be assessed. The test plan should include the information specified in the individual sections of IEC 61000-4, Electromagnetic compatibility (EMC) – Part 4: Testing and measurement techniques, that detail the electromagnetic phenomena to be applied, and the plan should be included in the test report. Reference can be made to Tables 1 to 3 below for guidance on application of the Clause 19 tests that may be applicable.

In order to help prepare the test plan and to help reduce the amount of testing, the manufacturer should supply information such as circuit diagrams, the expected effect of open/short-circuiting components, details of IC construction, and data sheets of electronic components such as electronic power switching devices, including any associated heat sinks.
Special consideration will be given in the parts 2 to the effects of voltage dips and interruptions on cooking appliances, where unintentional restart of a cooking cycle may cause a fire hazard.

Comments:
1) If, during the tests of 19.2 to 19.10, 19.14 and 19.11.2, a PEC protective electronic circuit operates, then the single-fault conditions a) to g) of 19.11.2 must be applied in turn and the tests of 19.2 to 19.10, 19.14 and 19.11.2 repeated;
put plainly, the electronic circuit, including the chip's program, is regarded as unreliable, so the assessment must be repeated with the fault applied;
2) If, during the tests of 19.2 to 19.10, 19.14 and 19.11.2 (but not 19.6 or 19.11.3), a PEC protective electronic circuit operates, it must be considered whether the PEC, because of a change in the external electromagnetic field (the 19.11.4 EMP test), could fail to protect the appliance against abnormal operation.
3) The 19.11.4 EMP electromagnetic-field test requires the appliance to be supplied at rated voltage, in the electronically disconnected or electronic stand-by state, to check whether the appliance, when subjected to the EMP test, fails to meet the requirements of 19.13.
Exemptions
The EM phenomena testing according to the second sentence of 19.11.4 need not be applied to appliances complying with the following condition, even if they incorporate an "electronic disconnection" or "stand-by mode":
An unintentional operation does not cause any hazard, taking into account careless use of the appliance during evaluation of the resulting effects.
Examples of careless use of appliances while connected to the supply are:
– storage of vacuum cleaners. Typically they have high-power motors; there is no locked-rotor test and no test for blocking the cooling vent of the motor, because they are attended appliances
– storage of a toaster in a kitchen cupboard, or placing a hand-held hair dryer on textiles such as bedding or towels
– placing a fork in a kitchen machine, the danger being that it could be forcefully ejected if the machine starts unexpectedly, or it could block the mechanism.
Software
For many years the traditional protective devices used in appliances have been electromechanical/thermal devices. With the introduction of functional safety using programmable electronic circuits, TC 61/MT 23 has carefully considered the types of fault that the software should handle so as to give a level of safety equivalent to conventional functional safety techniques.
For appliances in the scope of the 60335 series that require programmable safety related electronic circuits, the software must contain measures to control faults according to table R.1. This means that the software structure covers single fault conditions, as required in general by IEC 61140, Protection against electric shock – Common aspects for installation and equipment, and IEC Guide 104, The preparation of safety publications and the use of basic safety publications and group safety publications.
Nevertheless there might be integrated functions or technologies, or household appliances, that – due to their functionality or chemo-physical character – would require extended measures to cover high-potential hazards. Under these circumstances the software shall have measures to control faults according to table R.2. This means that the software structure can handle double fault conditions.
In IEC 60335-1, software controlling normal operation (Clause 11) is considered to be functional software that does not require validation.
Comments:
1) Clause 11: software controlling the normal operation of the appliance is functional software and needs no further assessment;
2) Clauses 19, 20, 22, 24 and 32: software controlling protection against abnormal operation of the appliance (including hazards such as temperature rise, mechanical injury and UV/chemical radiation) must be considered for functional-safety software assessment; this is generally Class B, assessed in accordance with Table R.1;
3) In certain special cases, such as gas-related functional safety (incomplete combustion, gas explosion, etc.), the assessment must be to Class C in accordance with Table R.2; in Europe, standards such as EN 298 and EN 13611 are used for a similar assessment.
To allow for the validation of safety related software, the documentation of such software used in the appliance should be provided with the appliance submitted for assessment. This documentation should include a description of the safety system philosophy, the control flow, the data flow and the timings.
Programming documentation should be supplied in the programming design language used by the manufacturer.
There should be a clear relationship between the various parts of the documentation, for example between the interconnections of process and hardware and the labelling used in the software documentation.
If a manufacturer provides documentation of the analytical measures taken during the development stage of the hardware and software, this documentation can be used by the third-party assessment body as part of the assessment procedure. It will also aid in revalidation of any future software modifications.
1 Some design measures to avoid errors
In addition to the requirements of the standard, the following measures should be taken as part of the development process for further reduction of hidden software faults/errors.
1.1 Design and coding standards
Coding standards as developed by the software design team should specify programming practice, proscribe unsafe language features, and specify procedures for source code documentation as well as data naming conventions.
Program design and coding standards should be used consistently during software design and maintenance.
2 Testing
2.1 Module design (software system design, software module design and coding)
A test concept with suitable test cases should be defined based on the module design specification.
Each software module should be tested as specified within the test concept. Test cases, test data and test results should be documented.
Code verification of a software module by static means includes such techniques as software inspections, walk-throughs, static analysis and formal proof.
Code verification of a software module by dynamic means includes functional testing, white-box testing and statistical testing.
It is the combination of both types of evidence that provides assurance that each software module satisfies its associated specification.
Examples of techniques / measures can be found in Table 4.
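To make the module-test concept in 2.1 concrete, here is an added example that is not part of the guidance document: a hypothetical safety-related module (an over-temperature cut-out that reads two independent sensors, so that a single sensor fault cannot mask an over-temperature condition, in the spirit of the single-fault coverage of table R.1) together with its documented test concept. The trip limit, the plausibility threshold, the sensor-fault convention and the test cases are all assumptions made for the illustration. The dynamic part runs the functional test cases derived from the module specification and records data, result and verdict; the white-box part checks that every decision branch of the specification was exercised.

```python
"""Worked module-test concept for one hypothetical safety-related software
module. Constructed example: the module, its limits and its test cases are
assumptions, not taken from IEC 60335-1 or the guidance document."""
from dataclasses import dataclass
from typing import List, Optional, Set

LIMIT_C = 120.0      # assumed trip limit in degrees Celsius
MAX_DIFF_C = 10.0    # assumed plausibility limit between the two sensors
SENSOR_OPEN = None   # an open/short sensor is reported as None by the driver (assumption)

# Branch identifiers recorded at run time so white-box coverage can be checked.
_branches_hit: Set[str] = set()


def overtemp_cutout(t1: Optional[float], t2: Optional[float]) -> str:
    """Returns the commanded heater state: 'RUN' or 'SAFE'.
    Decision rules (the module's design specification):
      R1 any unreadable sensor              -> SAFE  (sensor fault covered)
      R2 sensors disagree beyond MAX_DIFF_C -> SAFE  (plausibility check)
      R3 the HIGHER reading >= LIMIT_C      -> SAFE  (one low-reading sensor cannot hide heat)
      R4 otherwise                          -> RUN
    """
    if t1 is SENSOR_OPEN or t2 is SENSOR_OPEN:
        _branches_hit.add("R1")
        return "SAFE"
    if abs(t1 - t2) > MAX_DIFF_C:
        _branches_hit.add("R2")
        return "SAFE"
    if max(t1, t2) >= LIMIT_C:
        _branches_hit.add("R3")
        return "SAFE"
    _branches_hit.add("R4")
    return "RUN"


@dataclass
class TestCase:
    case_id: str
    purpose: str
    t1: Optional[float]
    t2: Optional[float]
    expected: str
    result: str = ""     # filled in by run_test_concept
    verdict: str = ""    # PASS / FAIL, filled in by run_test_concept


# Test concept derived from rules R1-R4, with boundary values at the trip limit
# and at the plausibility threshold (constructed test data).
TEST_CONCEPT: List[TestCase] = [
    TestCase("TC01", "nominal operation",              60.0,  62.0, "RUN"),
    TestCase("TC02", "boundary: just below limit",    119.9, 119.0, "RUN"),
    TestCase("TC03", "boundary: exactly at limit",    120.0, 118.0, "SAFE"),
    TestCase("TC04", "one sensor above limit",        118.0, 125.0, "SAFE"),
    TestCase("TC05", "sensor 1 open circuit",          None,  70.0, "SAFE"),
    TestCase("TC06", "sensor 2 open circuit",          70.0,  None, "SAFE"),
    TestCase("TC07", "plausibility: disagreement",     50.0,  70.0, "SAFE"),
    TestCase("TC08", "plausibility: max allowed diff", 50.0,  60.0, "RUN"),
]


def run_test_concept(cases: List[TestCase]) -> List[TestCase]:
    """Dynamic (functional) verification: execute every documented test case and
    record data, result and verdict so the evidence can go into the test report."""
    _branches_hit.clear()
    for tc in cases:
        tc.result = overtemp_cutout(tc.t1, tc.t2)
        tc.verdict = "PASS" if tc.result == tc.expected else "FAIL"
    return cases


def branch_coverage(required: Set[str] = frozenset({"R1", "R2", "R3", "R4"})) -> float:
    """White-box check: fraction of the specified decision branches exercised by
    the last run. Full coverage is the acceptance criterion assumed here."""
    return len(_branches_hit & set(required)) / len(required)


def all_passed(cases: List[TestCase]) -> bool:
    return all(tc.verdict == "PASS" for tc in cases)


if __name__ == "__main__":
    for tc in run_test_concept(TEST_CONCEPT):
        print(f"{tc.case_id} {tc.purpose:28s} t1={tc.t1} t2={tc.t2} "
              f"expected={tc.expected} got={tc.result} {tc.verdict}")
    print(f"branch coverage: {branch_coverage():.0%}")
```

The point of the combined evidence is visible in the output: the functional cases alone would not reveal an untested branch, and branch coverage alone would not reveal a wrong decision at the limit, which is why the test report should document both the case table and the coverage figure.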

2.2 Software integration testing
A test concept with suitable test cases should be defined based on the architecture design specification.
The software shall be tested as specified within the test concept. Test cases, test data and test results shall be documented.
Examples of techniques / measures can be found in Table 5.

3 Other Items 
3.1 Tools, programming languages
Equipment used for software design, verification and maintenance, such as design tools, programming languages, translators and test tools, should be qualified appropriately and should be shown to be suitable for purpose in a wide range of applications.
They are generally assumed to be suitable if they comply with "increased confidence from use" according to IEC 61508-7:2010, C.4.4.