Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
IEC 62733-2015: Programmable Components in Electronic Lamp Controlgear Safety Requirements
General and Safety Requirements for Embedded Software in Lighting Systems
1. Introduction and Background
IEC 62733-2015, prepared by SC 34C (Auxiliaries for lamps) of IEC TC 34, provides essential safety requirements for programmable components — including microcontrollers, embedded software, and their associated hardware — used within electronic lamp controlgear (ballasts and LED drivers). As lighting products increasingly adopt digital control, the traditional “two means of protection” safety principle, historically implemented through purely hardware methods (e.g., basic insulation plus supplementary insulation, or basic insulation combined with fuse disconnection), now extends to software-based protective functions. This standard bridges the gap between traditional hardware-oriented safety standards (IEC 61347 series) and the reality of software-controlled lighting systems.
Tip: IEC 62733 is based on well-established functional safety concepts from IEC 60730-1 (automatic electrical controls) and IEC 60335-1 (household appliances), adapted specifically for electronic lamp controlgear. Engineers familiar with those standards will find the risk assessment framework familiar.
2. Risk Assessment and Classification
2.1 Risk Assessment Methodology
The standard requires manufacturers to perform a systematic risk assessment for the programmable component. The risk assessment considers two key parameters: frequency of occurrence and risk severity. These parameters are combined to classify risks into four categories according to a risk matrix derived from IEC 61508-5.
| Risk Class | Definition | Action Required |
|---|---|---|
| I | Intolerable risk | Must be reduced, cannot proceed |
| II | Undesirable risk | Reduction required unless impractical |
| III | Tolerable risk with review | Acceptable with documented justification |
| IV | Acceptable risk | No further action needed |
2.2 Tolerable Risk Specification
An important requirement (Clause 5.2) is the specification of tolerable risk. The manufacturer must document the criteria by which risks are judged acceptable. This documentation forms part of the overall safety case for the lamp controlgear and must be maintained throughout the product lifecycle. Per the 2017 corrigendum, the reference to this clause was corrected from the erroneous “5.1” to the correct “5.2”.
Warning: The standard requires that two means of protection must be realized independently. If a programmable component provides one means of protection, the other must be provided through independent hardware (e.g., a thermal fuse or hardware watchdog). Never rely on software alone for both protective measures.
3. Software Requirements and Evaluation
3.1 Software Architecture Requirements (Annex A)
The normative Annex A specifies detailed software evaluation requirements, organized into several key areas:
- Architecture requirements — The software architecture must be modular, with clear separation between safety-related and non-safety-related functions
- Fault/error handling — Two comprehensive tables (A.1 and A.2) define general and specific fault/error conditions that the software must detect and handle
- Semi-formal methods — Table A.3 specifies the required level of semi-formal documentation (state diagrams, flow charts, decision tables)
- Design and coding standards — Table A.6 mandates the use of structured programming, coding standards, and avoidance of unsafe language constructs
3.2 Fault Conditions to be Considered
| Fault Category | Examples | Required Response |
|---|---|---|
| CPU faults | Register corruption, program counter errors | Watchdog timer reset |
| Memory faults | RAM bit flips, ROM checksum errors | Periodic checksum verification |
| Clock faults | Oscillator failure, clock frequency drift | Frequency monitoring, fail-safe state |
| Communication faults | Data corruption, message timeout | CRC verification, retry mechanism |
| Sensor/actuator faults | ADC failure, output short circuit | Plausibility checking, safe shutdown |
Engineering Insight: For LED driver designs, one of the most critical programmable safety functions is overtemperature protection. The software must monitor temperature through an NTC thermistor and reduce output current or shut down before the controlgear exceeds its rated maximum temperature. IEC 62733 requires that this protective function be validated using both FMEA and FTA analysis (Annex B). The fault tree analysis should consider common-cause failures that could disable both the software protection and the independent hardware protection simultaneously.
4. EMC Immunity Requirements
Clause 8 requires that programmable components maintain safe operation under specified electromagnetic disturbances. Unlike conventional lamp controlgear where EMC failures might cause flicker or reduced output (annoying but not dangerous), a programmable component under EMC stress could malfunction and disable safety functions. The standard requires testing to IEC 61547 with particular attention to conducted and radiated RF disturbances that could corrupt the microcontroller’s operation.
Critical: One often-overlooked requirement is that the software must detect and safely handle transient EMC events. If a power-line transient causes the microcontroller to reset, the software must ensure a safe restart sequence that does not produce hazardous output conditions. The restart delay should be intentional (not instantaneous) to prevent rapid on-off cycling that could damage the LED load or cause thermal stress.
5. Frequently Asked Questions
Q1: Is IEC 62733 mandatory for all LED drivers with microcontrollers?
A: The standard applies when programmable components are used and their malfunction could lead to a safety hazard. Not all LED drivers have software-based safety functions — some use programmable components only for dimming protocols (DALI, 0-10V) while safety relies on independent hardware. In such cases, IEC 62733 may not be required, but the manufacturer’s risk assessment must justify this decision.
Q2: How does IEC 62733 relate to IEC 61347?
A: IEC 62733 provides additional requirements specifically for programmable components within the scope of IEC 61347. The base requirements of IEC 61347-1 and relevant part 2 standards still apply. IEC 62733 extends these with software-specific safety requirements.
Q3: What documentation is required for compliance?
A: The standard requires: risk assessment documentation (including FMEA/FTA), software architecture specification, module design specifications, coding standards documentation, test reports, and software safety validation records. See Annex A, Tables A.3-A.7 for detailed documentation requirements.
