SIST EN 62733:2015

SLOVENSKI STANDARD
01-september-2015
Programirljive komponente krmilja elektronske sijalke - Splošne in varnostne
zahteve
Programmable components in electronic lamp controlgear - General and safety
requirements
Programmierbare Bauteile von elektronischen Betriebsgeräten für Lampen - Teil 1:
Allgemeine und Sicherheitsanforderungen
Composants programmables dans les appareillages électroniques de lampes -
Exigences générales et exigences de sécurité
Ta slovenski standard je istoveten z: EN 62733:2015
ICS:
29.130.01 Stikalne in krmilne naprave Switchgear and controlgear
na splošno in general
29.140.99 Drugi standardi v zvezi z Other standards related to
žarnicami lamps
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN 62733
NORME EUROPÉENNE
EUROPÄISCHE NORM
June 2015
ICS 29.140.99
English Version
Programmable components in electronic lamp controlgear -
General and safety requirements
(IEC 62733:2015)
Composants programmables dans les appareillages Programmierbare Bauteile von elektronischen
électroniques de lampes - Exigences générales et Betriebsgeräten für Lampen - Teil 1: Allgemeine und
exigences de sécurité Sicherheitsanforderungen
(IEC 62733:2015) (IEC 62733:2015)
This European Standard was approved by CENELEC on 2015-06-11. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2015 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN 62733:2015 E
European foreword
The text of document 34C/1140/FDIS, future edition 1 of IEC 62733, prepared by SC 34C, "Auxiliaries for
lamps", of IEC TC 34, "Lamps and related equipment", was submitted to the IEC-CENELEC parallel vote
and approved by CENELEC as EN 62733:2015.
The following dates are fixed:
(dop) 2016-03-11
• latest date by which the document has
to be implemented at national level by
publication of an identical national
standard or by endorsement
• latest date by which the national (dow) 2018-06-11
standards conflicting with the
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC [and/or CEN] shall not be held responsible for identifying any or all such patent
rights.
Endorsement notice
The text of the International Standard IEC 62733:2015 was approved by CENELEC as a European
Standard without any modification.

Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
NOTE 1 When an International Publication has been modified by common modifications, indicated by (mod), the relevant EN/HD

applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu.
Publication Year Title EN/HD Year

IEC 61000-4-13 2002 Electromagnetic compatibility (EMC) -- Part EN 61000-4-13 2002
4-13: Testing and measurement techniques
- Harmonics and interharmonics including
mains signalling at a.c. power port, low
frequency immunity tests
+ A1 2009  + A1 2009
IEC 61347-1 -  Lamp controlgear - Part 1: General and EN 61347-1 -
safety requirement
IEC 61347-2 series Lamp controlgear EN 61347-2 series
IEC 61508-4 2010 Functional safety of EN 61508-4 2010
electrical/electronic/programmable electronic
safety-related systems -- Part 4: Definitions
and abbreviations
IEC 61508-5 2010 Functional safety of EN 61508-5 2010
electrical/electronic/programmable electronic
safety-related systems -- Part 5: Examples
of methods for the determination of safety
integrity levels
IEC 61508-7 2010 Functional safety of EN 61508-7 2010
electrical/electronic/programmable electronic
safety-related systems -- Part 7: Overview of
techniques and measures
IEC 61547 2009 Equipment for general lighting purposes - EN 61547 2009
EMC immunity requirements
IEC 62733 ®
Edition 1.0 2015-05
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Programmable components in electronic lamp controlgear – General and safety

requirements
Composants programmables dans les appareillages électroniques de lampes –

Exigences générales et exigences de sécurité

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 29.140.99 ISBN 978-2-8322-2668-1

– 2 – IEC 62733:2015 © IEC 2015

CONTENTS
FOREWORD . 4
INTRODUCTION . 6
1 Scope . 7
2 Normative references . 7
3 Terms and definitions . 7
4 General requirements . 10
5 Risk assessment . 11
5.1 General . 11
5.2 Specification of tolerable risk . 11
5.3 Documentation . 11
6 Requirements for abnormal operating and fault conditions . 12
6.1 Abnormal operating and fault conditions in the application of the electronic
lamp controlgear . 12
6.2 Fault conditions for the programmable component . 12
7 Requirements for software . 13
8 Requirements for EMC immunity. 13
Annex A (normative) Software evaluation . 15
A.1 General . 15
A.2 Protective programmable components using software . 15
A.3 Terms and definitions . 15
A.4 Requirements for the architecture . 22
A.5 Measures to avoid errors . 30
Annex B (informative) FTA and FMEA analysis . 34
B.1 FTA results . 34
B.2 FMEA results . 35
Annex C (informative) Guidance on the identification of a protective programmable
component . 37
Annex D (normative) Risk classification . 38
D.1 General . 38
D.2 Frequency of occurrence. 38
D.3 Risk severity . 38
D.4 Classification of risks . 39
Bibliography . 40

Figure B.1 – Example of a fault tree diagram . 35

Table A.1 – General fault/error conditions . 24
Table A.2 – Specific fault/error conditions . 26
Table A.3 – Semi-formal methods . 31
Table A.4 – Software architecture specification . 31
Table A.5 – Module design specification . 32
Table A.6 – Design and coding standards . 33
Table A.7 – Software safety validation . 33
Table D.1 – Frequency definition and categorization (from IEC 61508-5:2010 Annex C) . 38

IEC 62733:2015 © IEC 2015 – 3 –
Table D.2 – Risk severity definitions (from IEC 61508-5:2010, Annex C) . 38
Table D.3 – Safety risk classification . 39

– 4 – IEC 62733:2015 © IEC 2015

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
PROGRAMMABLE COMPONENTS
IN ELECTRONIC LAMP CONTROLGEAR –
GENERAL AND SAFETY REQUIREMENTS

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62733 has been prepared by subcommittee 34C: Auxiliaries for
lamps, of IEC technical committee 34: Lamps and related equipment.
The text of this standard is based on the following documents:
FDIS Report on voting
34C/1140/FDIS 34C/1156/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
NOTE In this standard the following print types are used:
– Requirements proper: in Roman type.

IEC 62733:2015 © IEC 2015 – 5 –
– Test specifications: in Italic type.
– Explanatory matter: in smaller roman type.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
– 6 – IEC 62733:2015 © IEC 2015

INTRODUCTION
This International Standard provides safety requirements and test methods for programmable
components when in electronic lamp controlgear. It provides additional safety requirements
for electronic lamp controlgear containing programmable components to the requirements of
IEC 61347 series.
In general, the two means of protection safety principle is used for protection against hazards
such as electric shock. Consequently one single fault condition or abnormal operation of the
electrical equipment will not lead to a hazardous situation.
Until recent technology, two means of protection have been realized in traditional hardware.
Examples are the provision of basic insulation and supplementary insulation between
hazardous live parts and accessible parts, and provision of basic insulation combined by
disconnection of the mains supply by a fuse.
Nowadays however programmable components (with embedded software) may be used as a
measure to provide safety under normal conditions, single fault conditions and/or abnormal
operation.
Since the traditional lighting standards do not provide requirements for programmable
components, this standard has been drawn up.
This standard recognizes the internationally accepted level of protection against hazards such
as electrical, mechanical, thermal, fire and radiation of appliances when operated as in
normal use taking into account the manufacturer's instructions. It also covers conditions for
electromagnetic phenomena that can be expected in practice with influence on the operation
of the programmable component, for taking into account the way this can affect the safe
operation of the electronic lamp controlgear.
This first edition is based upon IEC 60730-1:2010 and IEC 60335-1:2010 and adapted for
electronic lamp controlgear
NOTE The terms and definitions and Tables A.1 and A.2 respectively of this standard are equivalent to terms and
definitions and Table R.1 and R.2 of IEC 60335-1:2010, and equivalent terms and definitions and Table H.1 (class
B and class C software) of IEC 60730-1:2010.

IEC 62733:2015 © IEC 2015 – 7 –
PROGRAMMABLE COMPONENTS
IN ELECTRONIC LAMP CONTROLGEAR –
GENERAL AND SAFETY REQUIREMENTS

1 Scope
This International Standard provides general and safety requirements for programmable
components used in products covered by IEC 61347.
The requirements of this standard are only applicable to the programmable components
(including its embedded software) in the electronic lamp controlgear. For other
electric/electronic circuits and their components in the electronic lamp controlgear, the
requirements of IEC 61347 series apply.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 61000-4-13:2002, Electromagnetic compatibility (EMC) – Part 4-13: Testing and
measurement techniques – Harmonics and interharmonics including mains signalling at a.c.
power port, low frequency immunity tests
IEC 61000-4-13:2002/AMD 1:2009
IEC 61347-1, Lamp controlgear – Part 1: General and safety requirements
IEC 61347-2 (all parts) , Lamp controlgear – Part 2: Particular requirements
IEC 61547:2009, Equipment for general lighting purposes – EMC immunity requirements
IEC 61508-4:2010, Functional safety of electrical/electronic/programmable electronic safety-
related systems – Part 4: Definitions and abbreviations
IEC 61508-5:2010, Functional safety of electrical/electronic/programmable electronic safety-
related systems – Part 5: Examples of methods for the determination of safety integrity levels
IEC 61508-7:2010, Functional safety of electrical/electronic/programmable electronic safety-
related systems – Part 7: Overview of techniques and measures
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
central processing unit
CPU
part of a computing and controlling system that interprets and executes instructions
_____________
Relevant parts of the series depend on the context.

– 8 – IEC 62733:2015 © IEC 2015

Note 1 to entry: This note applies to the French language only.
3.2
programmable component
based on computer technology which comprised of hardware, software, and of input and/or
output units
EXAMPLE The following are all programmable components:
– microprocessors;
– micro-controllers;
– programmable controllers;
– application specific digital integrated circuits (ASICs with programmable part);
– programmable logic controllers (PLCs);
– other computer-based devices (for example smart sensors, transmitters, actuators).
Note 1 to entry: This term covers microelectronic devices based on one or more central processing units (CPUs)
together with associated memories, etc.
Note 2 to entry: The term programmable component is from ANSI/UL1998:2010, definition 2.39 [2].The definition
in ANSI/UL for programmable component is: “Any microelectronic hardware that can be programmed in the design
centre, the factory, or in the field. Here the term ‘programmable’ is taken to be ‘any manner in which one can alter
the software wherein the behaviour of the component can be altered.” This term covers microelectronic devices
based on one or more central processing units (CPUs) together with associated memories, etc.
[SOURCE: IEC 61508-4:2010, 3.2.12, modified — "Programmable electronic" is replaced by
"programmable component" which better describes that it is only a part of the controlgear.]
3.3
protective programmable component
PPC
programmable component that prevents a hazardous situation under abnormal operating
conditions, or programmable component for which none of the output signals can lead to a
hazardous situation
Note 1 to entry: This note applies to the French language only.
3.4
software
intellectual creation comprising the programs, procedures, data, rules and any associated
documentation pertaining to the operation of a data processing system
[SOURCE: IEC 61508-4:2010, 3.2.5, modified — The notes to entry are deleted.]
3.5
software code
code written by a programmer in a high-level computer language and readable by people but
not computers
3.6
safety software
part of the software that counteracts possible hazardous situations, which are created from
abnormal and/or fault conditions
Note 1 to entry: Software is independent of the medium on which it is recorded.
3.7
fault condition
condition as required by Clause 14 of IEC 61347-1 or its relevant Part 2

IEC 62733:2015 © IEC 2015 – 9 –
3.8
single fault condition
fault condition under normal operating condition of a single component or a device
[SOURCE: IEC 62368-1:2010, 3.3.7.10, modified]
3.9
normal operating
mode of operation that represents as closely as possible the most severe conditions of normal
use that can reasonably be expected
[SOURCE: IEC 62368-1:2010, 3.3.7.4, modified]
3.10
abnormal operating
temporary operating condition that is not a normal operating condition and is not a single fault
condition of the equipment itself
Note 1 to entry: An abnormal operating condition may be introduced by the equipment or by a person.
Note 2 to entry: The equipment, installation, instructions, and specifications should be examined to determine
those abnormal operating conditions that might reasonably be expected to occur.
Note 3 to entry: Faults that are the direct consequence of the abnormal operating condition are deemed to be a
single fault condition.
[SOURCE: IEC 62368-1:2010, 3.3.7.1, modified]
3.11
fault tree analysis
FTA
top down, deductive failure analysis method in which a hazardous or serious event is
analyzed using Boolean logic to combine a series of events causing this event
Note 1 to entry: The FTA technique represents a ‘top-down’ analysis technique. Annex B of IEC 61508-7:2010
provides information for the minimum setup for an FTA report.
3.12
failure modes and effects analysis
FMEA
analytical technique in which the failure modes of each hardware and software component are
identified and examined for their effects on the safety-related functions of the control
Note 1 to entry: The FMEA technique represents a ‘bottom-up’ analysis technique. Annex B provides information
for the minimum setup for an FMEA report.
[SOURCE: IEC 60730-1:2010, H.2.20.3, modified]
3.13
rated voltage
value of voltage assigned by the manufacturer to a component, device or equipment and to
which operation and performance characteristics are referred
Note 1 to entry: Equipment may have more than one rated voltage value or may have a rated voltage range.
Note 2 to entry: For three-phase supply, the phase-to-phase voltage applies.
[SOURCE: IEC 62368-1:2010, 3.3.10.4, modified]

– 10 – IEC 62733:2015 © IEC 2015

3.14
tolerable risk
risk level as defined in 5.1
3.15
intolerable risk
risk level which cannot be justified, except in extraordinary circumstances
3.16
acceptable risk
risk level that is broadly accepted in the society
3.17
ALARP
as low as is reasonably practicable
level of risk for a risk that falls between acceptable risk and intolerable risk and has to be
reduced to the lowest practicable level, bearing in mind the benefits resulting from its
acceptance and taking into account the practicability of any further reduction
Note 1 to entry: This note applies to the French language only.
Note 2 to entry: The specification of the level ALARP is described in Annex D.
Note 3 to entry: This definition is according to IEC 61508-5:1998, Annex B. In this standard it is used as one
possible variant of the tolerable risk.
3.18
injury
damage to the human body, less than 2 % incapacity, usually reversible and not usually
requiring hospital treatment
EXAMPLE Minor cuts, very minor fractures or minor burns or sprains.
3.19
serious injury
injury that directly or indirectly:
a) threatens life,
b) results in permanent impairment of a body function or permanent damage to a body
structure, or
c) necessitates medical or surgical intervention to prevent permanent impairment of a body
function or permanent damage to a body structure
3.20
hazardous situation
circumstance in which people, property or the environment are exposed to one or more
potential sources of physical injury or damage to the health of people, or damage to property
or the environment
4 General requirements
Software of programmable components within electronic lamp controlgear shall be so
designed and constructed that in normal use it operates without danger to the user or
surroundings.
A risk assessment shall be done to determine which parts of this standard are applicable. If
the risk assessment shows that the software built-in used to prevent the controlgear from
becoming unsafe, has a risk above the tolerable risk, then this standard is mandatory.

IEC 62733:2015 © IEC 2015 – 11 –
The focus of the risk assessment shall be the possible risks by the electronic controlgear
including the abnormal operation and fault conditions of the relevant Part 2 of IEC 61347.
5 Risk assessment
5.1 General
Possible risks by the controlgear shall be the focus of the risk assessment. The risk
assessment shall identify and classify known or reasonably foreseeable risks of a possible
malfunction of the software (including the risk originating from potential internal fault
conditions and abnormal operation of the controlgear described in the relevant Part 2 of
IEC 61347) under the assumption of expected use.
If the risk assessment shows that the software built-in to prevent the controlgear from
becoming unsafe, has a risk above the tolerable risk (and is not reduced by additional
hardware measures) then all parts of this standard are applicable.
If the risk assessment shows that the risk is tolerable then the controlgear does comply with
this standard. In this case only the parts relevant for describing the risk assessment of this
standard do apply. This means that the following parts of the standard do not apply:
Clauses 6, 7, 8 and Annexes A, B, C.
If the safety risk assessment for a programmable component results in being identified not as
a protective programmable component, or not evaluated as a protective programmable
component, then the component is exempted from software code.
5.2 Specification of tolerable risk
There are three ways to specify tolerable risk.
a) The risk is classified as tolerable if the effects by potential software malfunction are
mitigated by hardware measures (e.g. hardware over-temperature shut down) so that the
controlgear is prevented from becoming unsafe and if the hardware measures and the
controlgear comply with the IEC 61347 series. Alternatively a second PPC can be used to
mitigate a potential software malfunction as long as it is independent from the first PPC.
b) Alternatively a more general specification can be used.
1) The risk is tolerable if the risk of the controlgear with software has the same level as
that of a comparison controlgear where the respective safety relevant functions are
realised by hardware and which complies with the IEC 61347 series.
2) The goal is to verify a safety level of the controlgear (under assessment) having at
least the same level of safety as that of a comparison controlgear where the safety
relevant functions are realised by hardware and which complies with the IEC 61347
series. The comparison controlgear can be real or imagined, based on known
hardware controlgears (or parts of these controlgears) that comply with the IEC 61347
series.
c) An alternative way to specify the tolerable risk is provided by a general risk classification
described in Annex D. In this case the risk is tolerable if the risk is in the class ‘As low as
is reasonably practicable (ALARP)’ or lower.
5.3 Documentation
The risk assessment and results out of it shall be documented by the manufacturer.
For each risk addressed by this process, a risk description and a potential cause shall be
provided.
To document possible fault and failure modes a fault tree analysis (FTA) or a failure mode
and effect analysis (FMEA) can be used. Annex B provides information for the minimum setup

– 12 – IEC 62733:2015 © IEC 2015

for a FTA and FMEA analysis report. The FTA technique represents a ‘top down’ analysis
technique; the FMEA technique represents a ‘bottom up” analysis technique.
The documentation of the risk assessment can be checked to show compliance with this
standard.
6 Requirements for abnormal operating and fault conditions
6.1 Abnormal operating and fault conditions in the application of the electronic lamp
controlgear
The safety software shall be tested in the fault and abnormal conditions as given in the
relevant standard of the IEC 61347 series.
During and after the tests, the electronic lamp controlgear shall comply with the compliance
criteria of the relevant electronic lamp controlgear standard IEC 61347 series.
If a programmable component (PC) in the electronic lamp controlgear is provided to ensure
compliance with this clause, the software shall comply with the requirements in Clauses 7 and
8 of this standard for a protective programmable component (PPC).
A programmable component, identified not being a protective programmable component, or
not evaluated as a protective programmable component, is exempt from software code
evaluation. Annex C describes possible methods for the identification of protective
programmable components.
In case of PPC safety provisions, compliance with Clauses 7 and 8 makes the PPC robust so
that any potential failure in the PPC will not render the electronic lamp controlgear unsafe.
6.2 Fault conditions for the programmable component
For electronic lamp controlgear incorporating a programmable component the following fault
conditions for the programmable component are considered and, if necessary, applied one at
a time, consequential faults being taken into consideration.
a) Short circuit of functional insulation between adjacent programmable component terminals
if clearances or creepage distances are less than the values specified in the relevant
clause of IEC 61347-1.
NOTE 1 This is covered by 14.1 of IEC 61347-1.
b) Open circuit of any terminal of the programmable component.
NOTE 2 This is covered by 14.2 of IEC 61347-1.
c) If the software code is not accessible, alternatively, based upon the safety risk
assessment, the pins of the programmable component are brought to a state in which it is
expected that a safety issue could occur.
d) As an alternative for c) if the code is accessible, all outputs are considered for faults
occurring within the programmable component. If it can be shown based upon the safety
risk assessment that a particular output signal is unlikely to occur, then the relevant fault
is not considered. The relevant faults are neither considered and can be excluded if the
programmable component complies with the requirements in Clauses 7 and 8 of this
standard for protective programmable component.
A FTA or FMEA should be conducted to include the results of multiple steady-state conditions
to outputs and programmed bi-directional terminals for the purpose of identifying additional
fault conditions for consideration, likely or unlikely to occur.
NOTE 3 A not to disclose programmable component is evaluated by FTA/FMEA analysis on the output signals.

IEC 62733:2015 © IEC 2015 – 13 –
If FTA or FMEA determine that only specific and well-defined critical failure conditions can
occur, then a simulation or justification of the impact of the failure conditions during the
evaluation can be chosen as an alternative to individual tests.
Compliance is checked by inspection and appropriate tests if necessary.
During and after the tests, the electronic lamp controlgear shall comply with the compliance
criteria of 14.1, first paragraph, of IEC 61347-1 and relevant Part 2.
7 Requirements for software
Electronic lamp controlgear incorporating a protective programmable component the software
of the programmable component shall contain measures to control the fault/error conditions
specified in Table A.1. The fault/error evaluation includes the sensors and actuators that are
associated with the software safety function.
Table A.2 is to be used when the software contains measures to control the fault/error
conditions specified in Table A.2, when it is specified in the relevant Part 2 of IEC 61347 for
particular constructions or to address specific hazards.
Measures used for software to control the fault/error conditions specified in Table A.2 are
inherently acceptable for measures used for software to control the fault/error conditions
specified in Table A.1.
Compliance is checked by evaluating the software in accordance with the relevant
requirements of Annex A.
If the software is modified, the evaluation and relevant tests are repeated if the modification
influences the results of the test involving protective programmable components.
Software compliance is checked by inspection of the risk assessment and the relevant part of
the software and/or by carrying out appropriate tests of the electronic lamp controlgear.
Compliance check is in case of a protective programmable component or making use of the
exclusion of 6.2 d)
8 Requirements for EMC immunity
8.1 Electronic lamp controlgear incorporating a protective programmable component to
function correctly are subjected to the test B of 8.2, unless restarting at any point in the
operating cycle after interruption of operation due to a supply voltage dip will not result in a
hazard. The test is carried out after removal of all batteries and other components intended to
maintain the programmable component supply voltage during mains supply voltage dips,
interruptions and variations.
8.2 Electronic lamp controlgear incorporating a protective programmable component are
subjected to the tests for electromagnetic phenomena. The tests are carried out in the
operating condition valid for the protective programmable component, specified in Clause 6 of
this standard, if applicable.
With respect to electromagnetic phenomena, the EMC immunity tests shall be done according
IEC 61547.
In addition the following tests shall be performed:

– 14 – IEC 62733:2015 © IEC 2015

A. The electronic lamp controlgear is subjected to mains signals in accordance with
IEC 61000-4-13:2002/AMD1:2009, Table 11 with test level class 2 using the frequency
steps according to Table 10.
B. The electronic lamp controlgear is supplied at rated voltage and operated under normal
operation. After approximately 60 s, the power supply voltage is reduced to a level such
that the electronic lamp controlgear ceases to respond to user inputs or parts controlled
by the programmable component cease to operate, whichever occurs first. This value of
supply voltage is recorded. The electronic lamp controlgear is supplied at rated voltage
and operated under normal operation. The voltage is then reduced to a value of
approximately 10 % less than the recorded voltage. It is held at this value for
approximately 60 s and then increased to rated voltage. The rate of decrease and
increase in power supply voltage is to be approximately 10 V/s. The controlgear shall
remain safe. Unless the controlgear returns to normal operation, it shall enter a failsafe
mode.
8.3 During and after the tests, the electronic lamp controlgear shall comply with the
compliance criteria of Clause 14 of IEC 61347-1 and the relevant Part 2.
Additionally, the electronic lamp controlgear shall not undergo a dangerous malfunction, and
there shall be no failure of protective programmable components if the electronic lamp
controlgear is still operable.

IEC 62733:2015 © IEC 2015 – 15 –
Annex A
(normative)
Software evaluation
A.1 General
Protective programmable components require software incorporating measures to control the
fault/error conditions specified in Table A.1 or Table A.2 and shall be validated in accordance
with the requirements in this annex.
NOTE The definitions and Tables A.1 and A.2 are based on the definitions and Table H.1 (respectively for
equivalent class B and class C software) of IEC 60730-1:2010 that is, for the purpose of this annex, divided in two
tables, Table A.1 for general fault/error conditions and Table A.2 for specific fault/error conditions.
A.2 Protective programmable components using software
Protective programmable components requiring software incorporating measures to control
the fault/error conditions specified in Table A.1 or Table A.2 shall be constructed so that the
software does not impair compliance with the requirements of this standard.
Compliance is checked by the inspections and tests, according to the requirements of this
annex, and by examination of the documentation as required by this annex.
A.3 Terms and definitions
For the purposes of this annex, the following terms and definitions apply.
A.3.1
dual channel
structure which contains two mutually independent functional means to execute specified
operations
Note 1 to entry: Special provision may be made for control of common mode fault/errors. It is not required that the
two channels each be logarithmic or logical in nature.
[SOURCE: IEC 60730-1:2010, H.2.16.1]
A.3.2
dual channel (diverse) with comparison
dual channel structure containing two different and mutually independent functional means,
each capable of providing a declared response, in which comparison of output signals is
performed for fault/error recognition
[SOURCE: IEC 60730-1:2010, H.2.16.2]
A.3.3
dual channel (homogeneous) with comparison
dual channel structure containing two identical and mutually independent functional means,
each capable of providing a declared response, in which comparison of internal signals or
output signals is performed for fault/error recognition
[SOURCE: IEC 60730-1:2010, H.2.16.3]

– 16 – IEC 62733:2015 © IEC 2015

A.3.4
single channel
structure in which a single functional means is used to execute operations as specified
[SOURCE: IEC 60730-1:2010, H.2.16.4]
A.3.5
single channel with functional test
structure in which test data is introduced to the functional unit prior to its operation
A.3.6
single channel with periodic self-test
structure in which components of the control are periodically tested during operation
A.3.7
single channel with periodic self-test and monitoring
structure with periodic self-test in which independent means, each capable of providing a
declared response, monitor such aspects as safety-related timing, sequences and software
operations
A.3.8
full bus redundancy
fault/error control technique in which full redundant data and/or address are provided by
means of a redundant bus structure
[SOURCE: IEC 60730-1:2010, H.2.18.1.1]
A.3.9
multi-bit bus parity
fault/error control technique in which the bus is extended by two or more bits and these
additional bits are used for error detection
[SOURCE: IEC 60730-1:2010, H.2.18.1.2]
A.3.10
code safety
fault/error control techniques in which protection against coincidental and/or systematic errors
in input and output information is provided by the use of data redundancy and/or transfer
redundancy
Note 1 to entry: See also A.3.11 and A.3.12.
[SOURCE: IEC 60730-1:2010, H.2.18.2]
A.3.11
data redundancy
form of code safety in which the storage of redundant data occurs
[SOURCE: IEC 60730-1:2010, H.2.18.2.1]
A.3.12
transfer redundancy
form of code safety in which data is transferred at least twice in succession and then
compared
Note 1 to entry: This technique will recognize intermittent errors.
[SOURCE: IEC 60730-1:2010, H.2.18.2.2]

IEC 62733:2015 © IEC 2015 – 17 –
A.3.13
comparator
device used for fault/error control in dual channel structures by comparing data from the two
channels and initiates a declared response if a difference is detected
[SOURCE: IEC 60730-1:2010, H.2.18.3, modified — The note to entry is incorporated in the
definition.]
A.3.14
equivalence class test
systematic test intended to determine whether the instruction decoding and execution are
performed correctly
Note 1 to entry: The test data is derived from the CPU instruction specification
Note 2 to entry: Similar instructions are grouped and the input data set is subdiv
...