Although we cannot define quality, we can define the
things that constitute it. ISO 9000 and product safety
can be defined. Therefore, according to this hypothesis,
they must each form a part of quality. Quality systems
and product safety are related in that they form part
of something bigger.
The majority of products that have not been
properly assessed for product safety compliance will fail
to comply with their appropriate safety standard. At a
recent exhibition a substantial number of CE-marked, noncompliant
items of equipment were on display. Some of the reasons for noncompliance
included an incorrect CE marking; incorrect rating and
product labeling; unreliable grounding; lack of basic
insulation; accessible parts that could become live; and
accessible hazardous voltages.
This section provides a general explanation of some
of the physical and mechanical design considerations
for product safety. It does not attempt to provide a
total solution for meeting any specific safety standard,
but rather should help designers eliminate some common
causes of noncompliance.
To simplify the issues involved, the discussion will
first consider product safety implications for an idealized
enclosure. The ideal enclosure is all metal and has
no doors or openings. It is permanently fixed to a surface
and hence is stable. The discussion will then consider
how practical items (such as openings, plastic components,
and doors) will impose design constraints.
Definitions. A fire enclosure is part of the
equipment designed to minimize the spread of fire. Fire
emanating from a point source is usually assumed to
fall vertically within a 5° cone whose apex is
that point. A chimney can fulfill the requirements of
a fire enclosure. A mechanical enclosure is part of
the equipment intended to prevent injury to an operator
due to mechanical or other physical hazards. An electrical
enclosure is any part of the equipment that prevents
contact with parts at hazardous voltage, current, or
energy levels. None of these must enclose the entire
product. Sometimes a rectangular metal plate is all
that is required to eliminate or contain the hazard.
The Perfect Enclosure: Fixed. This all-metal
enclosure will provide a perfect mechanical, electrical,
and fire enclosure. Therefore, the most important considerations
are the amount of fuel that it contains, the temperature,
the electrical contact between internal sources and
the outer surface, and whether its surface is hazardous.
Fuel is limited by ensuring that no plastic part inside
the enclosure has a flammability rating worse than UL
94-V2. Use the steel-ball and force tests to confirm
that creepage and clearance distances are compliant,
even when the 250-N force or the 800-N step tests distort
the outer surface of the enclosure. Check that external
edges of the enclosure will neither cut nor scratch
skin, nor damage electrical insulation. Finally confirm
that external temperatures are within the maximums given
for contact.
The Perfect Enclosure: Freestanding. The enclosure
is now free to move but must not topple (during transit
or when someone leans against or steps upon it). Check
compliance by testing that the equipment does not topple
if subjected to the 10° tilt, a force of 20% of
its mass (up to 250 N), and the 800-N step test.
The Nonmetallic Fire Enclosure. For equipment
that is fixed or weighs more than 18 kg, the fire enclosure
must be UL 94-5V; for equipment that is not fixed and
weighs less than 18 kg, the flammability rating of the
fire enclosure may be only UL 94-V1.
Incorporating a Mains Inlet Socket. Provided
that the inlet socket (or similar component) has an
appropriate IEC component approval, the component will
usually maintain the integrity of the fire enclosure.
The mechanical strength of the component may also need
to be considered, so conduct an impact test on the component.
A steady force test (30 N is a typical force) should
be applied to ensure that components do not yield under
pressure to expose hazardous live or moving parts. Where
plastic parts are involved, this test is repeated at
the relevant maximum temperature defined by this standard.
(Some materials become flexible at elevated temperatures,
and it is not uncommon for plastic parts to fail this
test at elevated temperatures.)
Incorporating a Cathode-Ray Tube. Select a CRT
that has appropriate European approval and complies
with IEC 65.
Adding Holes, Apertures, and Openings. Holes
should not be located above hazardous bare parts (because
a short circuit could occur if something conductive
was dropped in), or under components that require a
fire enclosure (because fire could escape). If holes
are permitted, the maximum hole sizes are contained
within the relevant standard.
Ensure that the flammability of the plastic is the
same as or better than that required by the fire enclosure
to ensure that internal fire hazards are contained.
There may be strict rules for openings for ventilation
and cable entries, so check the relevant standard for
the detailed requirements: do consider combining requirements
for a number of standards to improve the safety of the
product (e.g., many computer monitors designed to meet
EN 60950 also comply with the test chain requirement
in EN 60065).
Cable Entry into a Fire Enclosure. For conduit
entry, the fire enclosure should be preserved if the
conduit and fixing hardware are all metal. For a cable
entry strain-relief grommet, some standards will accept
flammability ratings as low as UL 94-HB. However, while
this rating is acceptable if the gland is mounted outside
of the fire enclosure, it may be better to specify glands
with the (highest) UL 94-5V flammability rating. These
glands will be suitable for all enclosures and will
reduce the likelihood of the wrong part being fitted.
Labyrinth entry comprises a system of gaps with baffle
plates designed to ensure that molten or burning material
is contained within the fire enclosure.
Adding Doors and Panels. If a door (or panel)
has a lock that requires a key or a tool, then internal
parts are considered service accessible. The door should
be opened to the worst possible position to conduct
the toppling tests (250 N and 800 N) because the extra
leverage provided by the door, or racks, may cause the
equipment to topple.
Components That Require a Fire Enclosure. These
include all wound components, open contacts of relays
and switches, certain types of wiring, resistors, semiconductor
devices, fuses, and other overcurrent protection or
current-limiting devices. These components should be
mounted above a fire enclosure because molten or burning
material emitted from these components will fall under
gravity. Most standards allow for them to fall by as
much as 5° from the vertical plane. To achieve
this, make a vertical projection of the component, and
where this 5° shadow strikes, place a fire enclosure.
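The 5° projection described above, together with the earlier rule that holes must not sit under components that require a fire enclosure, can be checked on a plan-view layout. This is an added example, not part of the original article; the component names, dimensions, and function names are constructed for illustration.

```python
import math
from dataclasses import dataclass

SPREAD_DEG = 5.0  # spread from the vertical quoted in the article


@dataclass(frozen=True)
class Rect:
    """Axis-aligned rectangle in plan view, all dimensions in mm."""
    x_min: float
    y_min: float
    x_max: float
    y_max: float

    def grown(self, margin: float) -> "Rect":
        return Rect(self.x_min - margin, self.y_min - margin,
                    self.x_max + margin, self.y_max + margin)

    def overlaps(self, other: "Rect") -> bool:
        return (self.x_min < other.x_max and other.x_min < self.x_max
                and self.y_min < other.y_max and other.y_min < self.y_max)

    def contains(self, other: "Rect") -> bool:
        return (self.x_min <= other.x_min and other.x_max <= self.x_max
                and self.y_min <= other.y_min and other.y_max <= self.y_max)


def shadow_margin(height_mm: float, spread_deg: float = SPREAD_DEG) -> float:
    """Horizontal drift of falling material after dropping height_mm."""
    return height_mm * math.tan(math.radians(spread_deg))


def shadow(footprint: Rect, height_mm: float) -> Rect:
    """Bounding rectangle of the 5-degree shadow on the enclosure floor.

    The exact shadow has rounded corners; the bounding rectangle is slightly
    larger, so it errs on the side of a bigger fire enclosure.
    """
    return footprint.grown(shadow_margin(height_mm))


def review_floor(floor: Rect, components: dict, openings: dict) -> list:
    """Return (finding, component, opening) tuples for a floor layout.

    components maps name -> (footprint Rect, height above the floor in mm)
    openings   maps name -> Rect cut into the floor
    """
    findings = []
    for name, (footprint, height_mm) in components.items():
        area = shadow(footprint, height_mm)
        # The shadow must land entirely on the fire enclosure floor.
        if not floor.contains(area):
            findings.append(("shadow-off-floor", name, None))
        # No opening may lie where burning material could fall.
        for opening_name, opening in openings.items():
            if area.overlaps(opening):
                findings.append(("opening-in-shadow", name, opening_name))
    return findings


# Constructed layout: a 200 x 150 mm metal floor, two components, two vents.
FLOOR = Rect(0, 0, 200, 150)
COMPONENTS = {
    "T1 transformer": (Rect(40, 40, 100, 90), 120.0),
    "F1 fuse": (Rect(185, 10, 195, 20), 80.0),
}
OPENINGS = {
    "vent A": Rect(105, 50, 125, 70),
    "vent B": Rect(115, 50, 135, 70),
}

if __name__ == "__main__":
    for finding in review_floor(FLOOR, COMPONENTS, OPENINGS):
        print(finding)
```

At 120 mm above the floor the shadow grows by about 10.5 mm on every side, so vent A (5 mm from the transformer footprint) is flagged while vent B (15 mm away) is not.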
Internal Components. Before adding components
and subassemblies, investigate the circuits to discover
which of the components can become hot during normal
use and under single-fault conditions. (Abnormal testing,
under single-fault conditions, is vital to understanding
potential fire and other hazards. This analysis and
testing will make up a significant portion of the product
safety test plan.)
It is important to note that few standards provide
a useful definition of what constitutes hot. This is
partially due to the fact that the ignition point of
materials differs. Therefore, designers may first need
to employ due diligence in determining a strategy for
this analysis and investigation. As a general rule,
locate things that get hot, or that emit molten or burning
material, at least 13 mm clear of the sides of enclosures
and the more-flammable parts. (Parts with flammability
ratings of less than UL 94-V1 should be separated from
potential ignition sources by a distance of at least
13 mm.)
Adding Nonflammable Liquids. The design must
accommodate overfilling. In particular, no spillage
can create an electrical or other hazard. A typical
overfilling test would entail pouring an additional
15% of the total capacity over a period of 1 minute.
Make sure that the system cannot build up excessive
pressure.
Adding Flammable Liquids. Minimize the volume
and select a liquid with a high flash point. Typically
no more than 5 liters or an 8-hour supply should be
used. Hydraulic fluid or lubricant should have a flash point
greater than 149°C; other liquids will generally
have a flash point greater than 60°C. Do not allow
the liquid to be pressurized to the point where it could
become atomized and potentially explosive. Seal the
reservoir and test the internal atmosphere (typical
limits are less than 25% of the explosive limit).
Components That Do Not Require a Fire Enclosure.
The enclosure may, under certain conditions, not need
to meet the requirements of a fire enclosure. These circumstances
usually rely upon a limited power source. This will typically
require that the maximum current, supplied by a safety
extra low voltage (SELV) source, will be limited to 200
mA.
Although a limited power source can provide
a useful technique to avoid the need for (expensive) fire
enclosures, note that even 200 mA can provide up to 12
W of power. Even this relatively low power can produce
a significant temperature rise within small components.
Connection to External Power Sources
Designing a product can suddenly become many times
more difficult when it is connected to mains power or
even battery eliminators or in-cord or socket-mounted
power supplies. To simplify the issues involved, it
is best to break down some of the safety issues and
analyze how they are affected by the three principal
methods of bringing mains power into the equipment.
This discussion will also consider the application of
external battery eliminators and other power sources.
Mains Voltage. Within the European Union, this
is a nominal 230 V ac, 50 Hz.
Input Current. This is the maximum current that
the equipment is likely to take.
Input Power. This is the maximum power that
the equipment is likely to take. This unit may cause
confusion because the product of voltage and current
seldom equals the watts consumed by the equipment.
Rating Label. Supplying rating information and
manufacturer's details is a mandatory requirement.
ELV. Extra low voltage is typically less than
60 V dc with only one level of protection from hazardous
voltage: not safe for operators to touch.
SELV. Safety extra low voltage is typically
less than 60 V dc with two levels of protection from
hazardous voltage. If the current and energy levels
are high, then SELV can present an energy hazard.
SELVEL. Safety extra low voltage energy limited
is typically SELV and may be as little as 15 W. The
standards generally accept that an operator may come
into contact with this voltage without risk.
Hazardous Voltage. This refers to anything that
is not SELV or connected to safety earth ground.
Hazardous Energy. Typically, this is anything
greater than 8 A, 20 J, or 240 VA; please note that
some requirements have significantly lower limits.
Earth Leakage Current. This is the current that
flows through the safety earth ground conductor under
normal operating conditions. This is generally caused
by reactive elements within EMC filters and from stray
resistive effects. It is the fault current that may
be expected to pass through the operator if the safety
earth ground on the equipment fails. For domestic or
type A connectors, the maximum limit is generally 3.5
mA.
General Considerations. Although it may be considered
reasonable to warn service personnel of potential hazards
and to install safety devices such as disconnect devices
and short-circuit protection, it is not reasonable to
expect service personnel to deduce any safety limitation
of the equipment that must be addressed. Nor is it reasonable
for operator safety to depend solely upon understanding
and compliance with warnings. Manufacturers have a duty
to provide sufficient information to ensure that the
installation and use are safe. They also have a duty
to ensure that the operator of the equipment is protected
under conditions of reasonable use, foreseeable misuse,
and single-fault conditions.
Among the conditions that must be considered is the
earth leakage current. This must be less than 3.5 mA
for all equipment that has a type A (domestic) connector.
Permanently connected equipment or equipment connected
via type B (industrial) connectors may exceed this limit
under certain circumstances. This detail is particularly
important for system integrators where the combined
earth leakage current of individual items may significantly
exceed the 3.5 mA limit.
If the earth leakage current exceeds 3.5 mA, then the
use of domestic type A plugs is prohibited, and either
an industrial type B plug must be fitted or the equipment
must be permanently connected. Warnings must be added,
and the wiring must comply with minimum size requirements.
In most applications, it is essential to provide
the mains plug as part of the equipment. This must be
suitable for the country of intended use. Ensure that
abnormal testing takes into account the overload protection
available. Many continental supplies are protected by
16-A circuit breakers. Make sure the power cord is capable
of carrying the fault current.
There are occasions where U.S. NEMA-type plugs are
used within rack-mounted equipment. In addition to the
obvious issues about the voltage rating, there is also
a risk that the operator may contact hazardous voltages
on these types of plugs.
Permanently Connected. This equipment is usually
fixed permanently within the building (e.g., wall mounted)
or is sufficiently bulky that it cannot be readily moved.
It is accompanied by installation instructions and is
not intended to be installed by the user but by a trained
service engineer. Within Europe it is acceptable for
service safety instructions and warnings to be provided
in English: use words that are clear, precise, and unambiguous.
(The only exception to this is Canada where safety information
must be in English and in French.) If the equipment
requires a safety earth ground, then that should be
clearly stated in the instructions and in the equipment
labeling.
Wiring terminals must be suitable for the application.
Allow for access to make the connection and to check
that the connection has been made correctly (e.g., that
connection is to the correct terminal and that strands
of copper are not bridging the terminals).
The equipment should contain a suitable disconnect
device, as well as overload and short-circuit protection.
In many instances it will not be possible to estimate
what the maximum short-circuit current may be. Therefore,
clearly state the need for any additional external,
protective, or disconnect devices that must be installed.
Provide sufficient information to allow service personnel
to fit a suitable device in the correct location. It
is unreasonable to expect an installation engineer to
deduce this information. The designers are aware of
the equipment's limitations, and it is therefore their
responsibility to provide sufficient information to
ensure that the installation and use are safe.
Fixed Power Cords. Providing a fixed power cord
will avoid some of the consideration that must be made
for permanently connected equipment. It does bring into
play a number of other factors. Consider the strain
relief of the power cord. This is often overlooked,
and only a careful selection of a suitable grommet and
good manufacturing controls can ensure compliance.
Consider what happens when the power cord is replaced.
Are there special tools, crimps, or other parts required
to ensure that safety is preserved? If replacement of
the power cord is reasonably foreseeable, then, under
the LVD, designers have a duty of care to provide service
instructions or warnings.
Detachable Power Cords. This method of connection
provides a great deal of flexibility to the producer.
Detachable cords allow individual power cords to be
supplied for each country of use with minimum documentation
and instructions for users. However, detachable cords
require careful consideration of where the equipment
may be used. The LVD uses the phrase "reasonable use
and foreseeable misuse" as a warning to consider how
safety could be compromised.
Other questions include: Will the equipment be sold
in other countries (including by importers or system
integrators)? Will it be supplied with other power cords?
What protection will be in place? If it requires a 3-A
fuse or circuit breaker to protect the equipment or
its input, then this must be provided in the equipment
or specified in the instructions and to all potential
resellers.
Does protection rely on a fused mains plug or the polarization
of the connector? Some continental plugs are not polarized,
enabling live and neutral to be transposed. If the short-circuit
protection is supplied by the mains (typically a 16-A
circuit breaker), then it may be necessary to fit inlet
fuses in the live and neutral.
ELV. When powering equipment from an extra low
voltage source, the operator must be prevented from
contacting conductive parts of the power source. Generally,
external ELV conductors should be covered by basic plus
reinforced insulation rated for the maximum mains voltage
of the equipment (e.g., reinforced, or basic plus supplementary,
insulation rated at 300 V for equipment designed to
operate at 230 V).
SELV. If the equipment is powered from a remote
safety extra-low-voltage source such as batteries or
a power outlet from other equipment, the voltage levels
are likely to be safe to touch, but do not make assumptions
about the current or the energy levels. Depending upon
the SELV source, it may be possible to draw many tens
(or even thousands) of amps under fault conditions.
The hazards can range from fire to local burns from
metal objects such as jewelry or watchbands.
Even though equipment may be powered by SELV, it can
still fall within the scope of the LVD. Ask the question,
"Is it reasonable to place an unsafe product on the
market?" If it is not, then "How do I know that the
product is safe unless I review and test it for product
safety?"
SELVEL. Some SELV sources are limited in the
energy that they can provide. This may be by the inherent
design of the transformer or by the use of fuses. These
outputs are known as safety extra-low-voltage energy
limited, and the levels to which they are limited define
whether they are safe for service personnel or operators
to contact.
Hazardous levels are, generally, defined as
60 V, 8 A, 20 J, and 240 VA; however, this limit varies
between countries (50 VA and 15 VA are also quoted as
the maximum energy that an operator may contact). Check
local regulations before starting the design. The use
of SELVEL is also important in reducing the degree, complexity,
and cost of carrying out the prescribed abnormal tests.
Equipment that relies upon a 3-A fused and polarized mains
plug may become a fire hazard if connected via a nonpolarized
connector protected by a 16-A circuit breaker. If in doubt,
test. Remember that instructions and warnings form part
of the product.
Internal Power Supplies and Energy Sources
It may be impossible to avoid exposing an operator
to contact with parts carrying electrical current. There
are obvious, although at times confusing, requirements
for what is generally deemed to be safe. This discussion
starts with the black and white areas and then works
toward the various shades of gray. This is a useful
technique to remember when faced with uncertainty. Invent
an extreme case, consider the essential aspects, and
then analyze the problem in the context of each point
raised.
Black and White Issues. Consider a metal enclosure
that has no safety earth ground connection that could
become live under single-fault conditions. Consider
the consequences of not having even basic insulation
between the enclosure and the mains supply. Many proprietary
rack systems fail to offer a reliable earthing system
and quite a few units are supplied with push-on, pull-off-type
connectors that are used for safety earth ground connections.
These can easily become detached and safety earth ground
lost. The correct connectors to use are positive-locking
push connectors. Another common noncompliance is a combined
application of mechanical fixing with safety earth ground
using the same hardware. The combined use is prohibited
by most safety standards.
The Gray Areas. Some subtle noncompliances are
the most difficult to assess. Most information technology
equipment contains a ribbon cable in contact with equipment
wiring carrying 230 V. Is this acceptable? It is certainly
not clever (particularly from the EMC perspective),
but it can be compliant with most LVD standards provided
that the ribbon cable is rated 300 V and provides supplementary
insulation between the SELV signals and hazardous voltage.
Fortunately, most of the ribbon cable available is
rated at 300 V, so it is becoming more difficult to
get this wrong, but examples of inadequately rated cable
in contact with basic insulation do exist. The risk
is that a single failure in that basic insulation will
apply 230 V to the SELV conductors within the ribbon
cable. This is because the ribbon cable insulation is
not rated for mains voltage and therefore does not exist
when 230 V is applied to it. Therefore the SELV circuits
and all associated outputs become live.
This failure can usually be seen in badly designed
PC power supplies in which the SELV connection to the
cooling fan is allowed to contact the exposed tags at
the rear of the IEC connectors. If this basic insulation
fails, then all of the PC outputs (mouse, keyboard,
modem, printer, and LAN) could become live.
Now consider a design that combines plastic moldings
and metal parts that cannot be reliably connected to
safety earth ground. This is acceptable except in positions
where basic insulation comes into contact with these
conductive parts. Under these circumstances, a single
fault will allow the operator-accessible, unearthed
conductive part to become live.
Operator-Contactable Parts. Battery eliminators
provide good illustrations of the basic principles.
Considerations include: Is reinforced or double insulation
in place? Is the construction reliable under single-fault
conditions? Can the operator contact excessive energy
or current? Those providing an energy-limited output
of less than 50 VA are generally deemed not to present
a hazard; however, if more power can be drawn under
single-fault or short-circuit conditions, there is a
risk of a burn.
High-Fault Currents. Where several batteries
can be charged in parallel and one of the batteries
is removed, there can sometimes be a risk of currents
in excess of 100 A being drawn (from the remaining cells)
from the exposed connections. Within the area of industrial
controls, it is not unusual to find sense circuitry
from PCBs routed from 1-mm-wide copper track via 1-A
equipment wire and eventually to an energy source capable
of providing several thousand amps. A short circuit
on the PCB may cause this sense wire to rapidly overheat
and cause a fire. Alternatively, it may destroy the
insulation of the wire carrying a hazardous voltage.
In some cases the consequential faults may be a greater
hazard than the original one that causes them.
The Audio Industry. The audio industry has its
own unique requirements and restrictions. The use of
4-mm banana plugs was once widespread. Although these
are now explicitly prohibited within the European Union
(EU), audio magazines contain extensive advertisements
for these types of lead and connections.
The use of microphone-type jack sockets has grown to
include their use as loudspeaker connections and similar
applications for which they were never originally intended.
While some of these new uses are merely noncompliant
with the LVD, others can be potentially lethal. For
example, consider a midrange hi-fi system with a 22,000-µF
capacitor charged to 80 V. This is a stored energy of
more than 50 J and could, under single-fault conditions,
deliver the full 80 V, a hazardous voltage and energy
to the output. Now, do the sums for a high-power unit
or one giving a line output.
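The sums for the hi-fi example, and for the ELV, SELV, and hazardous-energy definitions given earlier, can be carried through as below. This is an added example, not part of the original article; it reads the capacitor as 22,000 µF (which matches the stated energy of more than 50 J), uses the article's typical limits rather than those of any particular standard, and all sample outputs other than the 80 V, 22,000 µF rail are constructed.

```python
from dataclasses import dataclass

# Typical figures quoted in the article; the applicable standard governs.
LIMIT_VOLTS = 60.0    # V dc
LIMIT_AMPS = 8.0      # A
LIMIT_JOULES = 20.0   # J
LIMIT_VA = 240.0      # VA (the article also quotes 50 VA and 15 VA)


@dataclass(frozen=True)
class Output:
    name: str
    volts: float                # highest dc voltage under a single fault
    protection_levels: int      # levels of protection from hazardous voltage
    fault_amps: float           # measured current into a short circuit
    fault_va: float             # measured worst-case apparent power
    capacitance_f: float = 0.0  # reservoir capacitance behind the output


def stored_energy_j(capacitance_f: float, volts: float) -> float:
    """Energy held in a capacitor: E = C * V^2 / 2."""
    return 0.5 * capacitance_f * volts ** 2


def max_capacitance_f(volts: float, joule_limit: float = LIMIT_JOULES) -> float:
    """Largest reservoir that stays at the energy limit for a given rail."""
    return 2.0 * joule_limit / volts ** 2


def exceeded(out: Output, va_limit: float = LIMIT_VA) -> list:
    """Names of the article's limits that this output exceeds."""
    checks = [
        ("voltage", out.volts >= LIMIT_VOLTS),
        ("current", out.fault_amps > LIMIT_AMPS),
        ("energy", stored_energy_j(out.capacitance_f, out.volts) > LIMIT_JOULES),
        ("power", out.fault_va > va_limit),
    ]
    return [label for label, over in checks if over]


def classify(out: Output, va_limit: float = LIMIT_VA) -> str:
    """Apply the article's definitions in order of severity."""
    over = exceeded(out, va_limit)
    if "voltage" in over:
        return "hazardous voltage"
    if out.protection_levels < 2:
        return "ELV: not safe for operators to touch"
    if over:
        return "SELV with energy hazard"
    return "SELV within energy limits"


# The article's hi-fi rail; current and VA figures are constructed.
HIFI = Output("hi-fi supply rail", 80.0, 2, 4.0, 150.0, capacitance_f=0.022)
# Constructed outputs illustrating the other cases discussed in the article.
CHARGER = Output("parallel charger bay", 12.0, 2, 100.0, 1200.0)
ELIMINATOR = Output("battery eliminator", 9.0, 2, 2.0, 18.0)
CONTROL = Output("24 V control feed", 24.0, 1, 1.0, 24.0)

if __name__ == "__main__":
    for out in (HIFI, CHARGER, ELIMINATOR, CONTROL):
        energy = stored_energy_j(out.capacitance_f, out.volts)
        print(f"{out.name}: {classify(out)} "
              f"(stored {energy:.1f} J, exceeds {exceeded(out)})")
    print(f"20 J at 80 V is reached at {max_capacitance_f(80.0) * 1e6:.0f} µF")
```

The same battery eliminator passes at the 240 VA and 50 VA limits but not at 15 VA, which is why the limit for the country of use has to be passed in as `va_limit`.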
Confusion or Contradiction? It is important
to understand the principles of safety as they are applied
by the new approach directives and through the plethora
of standards. Some of the detailed requirements may
at first appear contradictory. For instance, in EN 60204-1,
"Safety of Machinery - Electrical Equipment of Machines,"
section 6.2.3 prohibits operator contact with voltages
greater than 60 V. In contrast to this, EN 60950, "Safety
of Information Technology Equipment, Including Electrical
Business Equipment," permits the operator to make direct
contact with voltages in excess of 20,000 V.
At first, this may appear to be a contradiction, but
there is a valid justification for this: the maximum
current that can flow through the body is limited so
that the risk is defined and controlled. An example
of this technology is a touch-sensitive light dimmer.
When the metal plate is touched, a slight sensation
of roughness is felt. This is due to the small electric
current, fed from the mains, that passes through the
body.
This is safe because the current is so small that it
does not cause harm. The same is true if the limited
current source is supplied from 100 V, 1000 V, or 1
million V. The construction of these limited current
sources requires very careful design and manufacturing
controls, but they are practical and achievable.
This method of protecting the operator from the effects
of hazardous voltages can be extremely useful and should
not cause concern (provided that the design and implementation
are in compliance with the standard). Perhaps the only
reservation should be the high-energy, high-current, and
low-voltage source as allowed by some of the other harmonized
standards. SELV at 240 VA is permitted in some countries.
Another example is a mains portable TV set that has
connections only to live and neutral. To provide radio-frequency
coupling for the receiver, there is a small capacitor
from the receiver to the mains (neutral or live). Consider
a single failure in this component: a short circuit
could make all of the television circuitry (and its
aerial) live.
Terminations. The considerations for terminations
are the creepage distance between the hazardous and SELV
terminals before and after wiring or crimp connectors
are fitted. To be suitable throughout all of the EU, these
terminations must provide reinforced insulation (8-mm
minimum). Using the same terminal strip as the mains input
may require that all of the outputs are treated as hazardous
voltages. This would prohibit their connection to any
information technology system or any other operator-contactable
output. It may also require that all wiring and external
components be protected by basic (or even reinforced)
insulation. It is important that producers understand
their legal duty to supply details of any such limitation
or precautions with the product. Failure to do so may
make them personally liable to criminal prosecution under
the LVD.
Conclusion
Product safety requires that designers not only
determine which standards must be met but also examine
a number of different methods to determine the appropriate
solution to ensure that their products comply. In addition
to the physical and mechanical considerations, it is crucial
that designers review all internal and external power
sources that will affect the design of the product.
Gregg Kervill trained in product safety while working
for Digital Equipment Corp. before founding GK Consultants
in 1993. Kervill consults for European organizations
such as the UK Department of Trade and Industry. For
more information, visit
http://www.gkcl.com