EN 50491-4-1:2012

SLOVENSKI STANDARD
01-maj-2012
1DGRPHãþD
SIST EN 50090-2-3:2005
Splošne zahteve za stanovanjske in stavbne elektronske sisteme (HBES) in
stavbne sisteme avtomatizacije in nadzora (BACS) - 4-1. del: Zahteve splošne
funkcionalne varnosti za proizvode, ki so namenjeni za vgradnjo v HBES in BACS
General requirements for Home and Building Electronic Systems, HBES and Building
Automation and Control Systems (BACS) - Part 4-1: General functional safety
requirements for products intended to be integrated in Building Electronic Systems
(HBES) and Building Automation and Control Systems (BACS)
Allgemeine Anforderungen an die Elektrische Systemtechnik für Heim und Gebäude
(ESHG) und an Systeme der Gebäudeautomation (GA) - Teil 4-1: Anforderungen an die
funktionale Sicherheit für Produkte, die für den Einbau in ESHG / GA vorgesehen sind
Exigences générales relatives aux systèmes électroniques pour les foyers domestiques
et les bâtiments (HBES) et aux Systèmes de Gestion Technique du Bâtiment (SGTB) -
Partie 4-1: Exigences générales de sécurité fonctionnelle pour les produits destinés à
être intégrés dans les systèmes HBES/SGTB
Ta slovenski standard je istoveten z: EN 50491-4-1:2012
ICS:
97.120 Avtomatske krmilne naprave Automatic controls for
za dom household use
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
EN 50491-4-1
NORME EUROPÉENNE
March 2012
EUROPÄISCHE NORM
ICS 97.120 Supersedes EN 50090-2-3:2005

English version
General requirements for Home and Building Electronic Systems (HBES)
and Building Automation and Control Systems (BACS) -
Part 4-1: General functional safety requirements for products intended to
be integrated in Building Electronic Systems (HBES) and Building
Automation and Control Systems (BACS)

Exigences générales relatives aux Allgemeine Anforderungen an die
systèmes électroniques pour les foyers Elektrische Systemtechnik für Heim und
domestiques et les bâtiments (HBES) et Gebäude (ESHG) und an Systeme der
aux Systèmes de Gestion Technique du Gebäudeautomation (GA) -
Bâtiment (SGTB) - Teil 4-1: Anforderungen an die funktionale
Partie 4-1: Exigences générales de Sicherheit für Produkte, die für den Einbau
sécurité fonctionnelle pour les produits in ESHG / GA vorgesehen sind
destinés à être intégrés dans les
systèmes HBES/SGTB
This European Standard was approved by CENELEC on 2012-02-20. CENELEC members are bound to
comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the CEN-CENELEC Management Centre or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and
notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia,
Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung

Management Centre: Avenue Marnix 17, B - 1000 Brussels

© 2012 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 50491-4-1:2012 E
Contents
Foreword . 3
Introduction . 4
1 Scope . 5
2 Normative references. 5
3 Terms and definitions. 5
4 General requirements . 8
4.1 General . 8
4.2 Method of establishment for the requirements . 8
5 Requirements for functional safety . 10
5.1 General . 10
5.2 Power feeding . 10
5.3 Environment . 11
5.4 Life time . 11
5.5 Reasonably foreseeable misuse . 11
5.6 Software and communication . 12
5.7 Remote operations . 13
Annex A (informative) Example of a method for the determination of safety integrity levels . 15
Annex B (informative) Hazards and development of necessary functional safety requirements . 17
Annex C (informative) Some examples of non safety related HBES /BACS applications . 23
Bibliography . 25
Figure
Figure A.1  Risk reduction - General concept . 15
Tables
Table 1  Requirements for avoiding inadvertent operations and possible ways to achieve them . 14
Table A.1  Example of risk classification of accidents . 16
Table A.2  Interpretation of risk classes . 16
Table B.1 . 17

– 3 – EN 50491-4-1:2012
Foreword
This document (EN 50491-4-1:2012) has been prepared by CLC/TC 205, "Home and Building Electronic
Systems (HBES)".
The following dates are fixed:
• latest date by which this document has to be
(dop) 2013-02-20
implemented at national level by publication of
an identical national standard or by
endorsement
• latest date by which the national standards
(dow) 2015-02-20
conflicting with this document have to
be withdrawn
This document supersedes EN 50090-2-3:2005.
EN 50090-2-3:2005:
- 3 Definitions
- 5.6 Software and communication
EN 50491-4-1 is part of the EN 50491 series, which comprises the following parts under the generic title
General requirements for Home and Building Electronic Systems (HBES) and Building Automation and
Control Systems (BACS):
- Part 1: General requirements
- Part 2: Environmental conditions
- Part 3: Electrical safety requirements
- Part 4-1: General functional safety requirements for products intended to be integrated in Building
Electronic Systems (HBES) and Building Automation and Control Systems (BACS)
- Part 5-1: EMC requirements, conditions and test set-up
- Part 5-2: EMC requirements for HBES/BACS used in residential, commercial and light industry
environment
- Part 5-3: EMC requirements for HBES/BACS used in industry environment
- Part 6-1: HBES installations  Installation and planning
- Part 6-3 HBES installations  Assessment and definition of levels [Technical Report]
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CENELEC [and/or CEN] shall not be held responsible for identifying any or all such patent rights.
This standard covers the Principle Elements of the Safety Objectives for Electrical Equipment Designed for
Use within Certain Voltage Limits (LVD - 2006/95/EC)

Introduction
Homes buildings and similar environments require various electronic devices for several application. These
devices when linked via a digital transmission network are called Home and Building Electronic System
(HBES) or Building Automation and Control System (BACS).
Examples of HBES/BACS applications are the management, of lighting, heating, energy water, fire alarms,
blinds, different forms of security, etc.
A HBES/BACS network may be based on different communication media as power line, twisted pair, coax
cable, radio frequency or infrared and may be connected to external networks like telephone, broad band,
television, power supply networks and alarm networks.
Several standards of this series serve to implement public interest matters, primarily as reflected in European
Commission Directives.
HBES/BACS products integrated in a HBES/BACS should be safe for the use in intended applications.
This European Standard specifies the general functional safety requirements for HBES/BACS following the
principles of the basic standard for functional safety EN 61508.
This European Standard identifies functional safety issues related to products and their installation. The
requirements are based on a risk analysis in accordance with EN 61508.
The intention of this European Standard is to allocate, as far as possible, all safety requirements for
HBES/BACS products in there life cycle.
This European Standard only addresses HBES/BACS products.
This European Standard is addressed to committees that develop or modify HBES /BACS product/system
standards or, where no suitable HBES/BACS product standards addressing functional safety exist, to
product manufacturers.
HBES/BACS products in this European Standard are for non-safety related applications. Additional
requirements for safety related HBES/BACS according to EN 61508 will be defined in part 4-2 of the
EN 50491 series.
– 5 – EN 50491-4-1:2012
1 Scope
This European Standard sets the requirements for functional safety for HBES/BACS products and systems,
a multi-application bus system where the functions are decentralised, distributed and linked through a
common communication process. The requirements may also apply to the distributed functions of any
equipment connected in a home or building control system if no specific functional safety standard exists for
this equipment or system.
The functional safety requirements of this European Standard apply together with the relevant product
standard for the device if any.
This European Standard is part of the EN 50491 series of standards.
This European Standard does not provide functional safety requirements for safety-related systems.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
EN 50491-2 General requirements for Home and Building Electronic Systems (HBES) and
Building Automation and Control Systems (BACS)  Part 2: Environmental
conditions
EN 50491-3 General requirements for Home and Building Electronic Systems (HBES) and
Building Automation and Control Systems (BACS)  Part 3: Electrical safety
requirements
EN 50491-5 (all parts) General requirements for Home and Building Electronic Systems (HBES) and
Building Automation and Control Systems (BACS)
EN 61508 (all parts) Functional safety of electrical/electronic/programmable electronic safety-related
systems
EN 61709:1998 Electronic components  Reliability  Reference conditions for failure rates and
stress models for conversion (IEC 61709:1996)
EN ISO 9000 Quality management systems  Fundamentals and vocabulary (ISO 9000)
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
architecture
specific configuration of hardware and software elements in a system
[SOURCE: EN 61508-4:2010, definition 3.3.4]
3.2
authentication
means for certifying that the entity sending a message is what or who it purports to be and confirmation that
the message is identical to that which was sent
3.3
authorisation
mechanism to ensure that the entity or person accessing information, functions or services has the authority
to do so
3.4
disturbed communication
communication in which for any reason a message being communicated is incomplete, truncated, contains
errors or has the correct format but delivers information which is outside the range of expected parameters
for such a message
3.5
functional safety
freedom from unacceptable risk of harm due to the operation of an HBES/BACS, including that resulting
from:
1) normal operation,
2) reasonably foreseeable misuse,
3) failure,
4) temporary disturbances
Note 1 to entry: functional safety: part of the overall safety relating to the EUC and the EUC control system that depends on the correct
functioning of the E/E/PE safety-related systems and other risk reduction measures [SOURCE: EN 61508-4:2010, definition 3.1.12]
Note 2 to entry: Definition of IEC/TR 61000-2-1 and IEC/TS 61000-1-2 (IEC/TC 77) are taken into account.
3.6
Hamming distance
numbers of bits in which two binary codes differ
3.7
harm
physical injury or damage to the health of people either directly or indirectly as a result of damage to property
or to the environment
Note 1 to entry: harm: physical injury or damage to the health of people or damage to property or the environment [SOURCE:
EN 61508-4:2010, 3.1.1]
3.8
hazard
potential source of harm
[SOURCE: ISO/IEC Guide 51:1999, definition 3.5]
[SOURCE: EN 61508-4:2010, definition 3.1.2]
Note 1 to entry: The term includes danger to persons arising within a short time scale (for example, fire and explosion) and also those
that have a long-term effect on a person’s health (for example, release of a toxic substance).
3.9
hazardous event
situation which results in harm on normal operation or abnormal condition
Note 1 to entry: Whether or not a hazardous event results in harm depends on whether people, property or the environment are
exposed to the consequence of the hazardous event and, in the case of harm to people, whether any such exposed people can escape
the consequences of the event after it has occurred.
Note 2 to entry: Adapted from EN 61508-4:2010,definition 3.1.4.
3.10
HBES/BACS Home and Building Electronic Systems
multi-application bus system where the functions are decentrally distributed and linked through a common
communication process
Note 1 to entry: HBES is used in homes and buildings plus their surroundings. Functions of the system are e.g: switching, open loop
controlling, closed loop controlling, monitoring and supervising.
3.11
HBES/BACS product
product consisting of devices in the form of hardware, firmware, their associated software and configuration
tools, intended to be used in an HBES/BACS

– 7 – EN 50491-4-1:2012
3.12
product
device in the form of hardware, firmware, their associated software and configuration tools
3.13
product documentation
manufacturer's installation and operations literature as manufacturer's catalogue, leaflet and other printed or
electronic product information
3.14
safety related system
designated system that both
– implements the required safety functions necessary to achieve or maintain a safe state for the EUC, and
– is intended to achieve, on its own or with other E/E/PE safety-related systems and other technology risk
reduction measures, the necessary safety integrity for the required safety functions

Note 1 to entry: The term refers to those systems, designated as safety-related systems, that are intended to achieve, together with the
other risk reduction measures, the necessary risk reduction in order to meet the required tolerable risk.

Note 2 to entry: Safety-related systems are designed to prevent the EUC from going into a dangerous state by taking appropriate action
on detection of a condition which may lead to a hazardous event. The failure of a safety-related system would be included in the events
leading to the determined hazard or hazards. Although there may be other systems having safety functions, it is the safety-related
systems that have been designated to achieve, in their own right, the required tolerable risk. Safety-related systems can broadly be
divided into safety-related control systems and safety-related protection systems.

Note 3 to entry: Safety-related systems may be an integral part of the EUC control system or may interface with the EUC by sensors
and/or actuators. That is, the required safety integrity level may be achieved by implementing the safety functions in the EUC control
system (and possibly by additional separate and independent systems as well) or the safety functions may be implemented by separate
and independent systems dedicated to safety.

Note 4 to entry: A safety-related system may:
a) be designed to prevent the hazardous event (i.e. if the safety-related systems perform their safety functions then no harmful event
arises);
b) be designed to mitigate the effects of the harmful event, thereby reducing the risk by reducing the consequences;
c) be designed to achieve a combination of a) and b).

Note 5 to entry: A person can be part of a safety-related system. For example, a person could receive information from a programmable
electronic device and perform a safety action based on this information, or perform a safety action through a programmable electronic
device.
Note 6 to entry: A safety-related system includes all the hardware, software and supporting services (for example, power supplies)
necessary to carry out the specified safety function (sensors, other input devices, final elements (actuators) and other output devices
are therefore included in the safety-related system).

Note 7 to entry: A safety-related system may be based on a wide range of technologies including electrical, electronic, programmable
electronic, hydraulic and pneumatic.
3.15
risk
combination of the probability of occurrence of a harm and the severity of that harm
Note 1 to entry: For more discussion on this concept see Annex A of EN 61508-5:2010.
[SOURCE: EN 61508-4:2010, definition 3.1.6]
3.16
reasonably foreseeable misuse
use of a product, process or service in a way not intended by the supplier, but which may result from readily
predictable human behaviour
[SOURCE: EN 61508-4:2010, definition 3.1.14, ISO/IEC Guide 51:1999, definition 3.14]
3.17
safety function
function to be implemented by an E/E/PE safety-related system or other risk reduction measures, that is
intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event
EXAMPLE Examples of safety functions include:

– functions that are required to be carried out as positive actions to avoid hazardous situations (for example switching off a motor); and
– functions that prevent actions being taken (for example preventing a motor starting).
[SOURCE: EN 61508-4:2010, definition 3.5.1]
3.18
EUC
Equipment Under Control
[SOURCE: EN 61508-4:2010, Table 1]
4 General requirements
4.1 General
Functional safety of a system relies upon both the performance of the network, and upon the performance of
the connected HBES /BACS products:
1) failure of either the network or any other part of HBES /BACS system shall not cause the system, the
products, or the controlled equipment to become unsafe;
2) whilst in operation, individual HBES /BACS products shall not rely solely upon the system for their safe
operation;
3) while in operation, the systems interaction of any product(s) with any other product(s) shall not result in
unsafe operation of the system.
4.2 Method of establishment for the requirements
4.2.1 General
For specification of the functional safety requirements the life-cycle used in EN 61508 was followed:
1) concept phase of products;
2) application environment;
3) identification of hazards and hazard events;
4) hazard and risk analysis, risk reduction measures;
5) realisation of risk reduction measures;
6) validation;
7) maintenance;
8) installation and commissioning;
9) decommissioning.
The Product Technical Committees and/or developers shall take the requirements of this European Standard
into account in the product safety requirements, but it is not necessary to go into the EN 61508 process itself.
4.2.2 HBES/BACS application environment
The HBES/BACS application environment is taken into account.

– 9 – EN 50491-4-1:2012
4.2.3 Sources of hazards
The following sources of hazards have been considered:
1) material and construction;
2) reliability;
3) normal operation;
4) unintentional interaction with other products;
5) interaction with other HBES/BACS products;
6) abnormal conditions;
7) foreseeable misuse, including the download of unauthorised and malicious code;
NOTE This includes unintentional software modifications.
8) life time;
9) environment.
4.2.4 Hazardous events
The following hazardous events have been taken into account for the analysis (the bus and mains
(230 V/400 V) have been considered):
1) power failure;
2) short circuit of bus line;
3) overvoltage on the bus line;
4) overvoltage on the mains;
5) insulation damage (temperature, surge, mechanical);
6) wrong connection;
7) over temperature;
8) fire;
9) mechanical shock, vibration;
10) corrosion;
11) electromagnetic disturbance;
12) disturbed communication;
13) pollution;
14) end of life time of a component/products;
15) reasonably foreseeable misuse;
16) software failure;
17) overload;
18) loss of reliability;
19) breakdown of material (mechanically);
20) inappropriate design/construction;
21) switching of damaged equipment and subsystems;
22) remote control;
23) command from two sources to one product (e.g. actuator);
24) system failures.
4.2.5 Derivation of requirements
The risk analysis has been carried out for each of the hazard events; see Annex B. The likelihood of the
event has been estimated and the risk class has been taken in account according to the method of Annex A.
In all cases where the evaluated risk classes indicate an unacceptable risk, risk reduction measures are
requested as well as the level of risk reduction effect and its validation. Some risk reduction measures are
proposed and what is usually covered by the relevant product standard is also indicated. If manufacturers
intend to develop HBES/BACS products/systems which exhibit hazardous events not covered by 4.2.4 the
risk analysis shall be carried out according to EN 61508.
5 Requirements for functional safety
NOTE Reference to the hazardous events of 4.2.4 are given within brackets ( ).
5.1 General
Analysis according to EN 61508 indicates that functional safety depends upon both the design and
manufacture of products and upon the appropriate use of the products in installations.
5.2 to 5.7 contain requirements for HBES/BACS products and for the provision of information necessary for
the proper installation, operation and maintenance of these products.
Compliance requirements are given for the products as necessary and verification of the provision of the
necessary information.
All referenced product tests are type tests.
The basis and reasons of the following requirements are shown in Annex B.
5.2 Power feeding
5.2.1 In case of power failure the products shall restart safely when power is restored. (1)
NOTE Safe restart can be performed by
– storing the status information and usage the information for rebuilding the functionality after power on,
– switching to a defined state of the product depending on the application of the products,
– calculation of the safe state based on the information available from the system (from a controller, if any and/or from each product),
– maintaining a sufficient power reserve (by providing an appropriate buffer time either in the product and/or in the Power Supply Unit)
to enable connected products to assume a safe state.
5.2.2 Marking and instructions of the products shall be designed to prevent the risk of wrong connections.
(3) (6)
The products shall be marked in a legible and durable manner.
Compliance shall be checked by inspection of the product documentation and if appropriate according to the
test of legible and durable markings in the relevant product standard.
5.2.3 The construction and design of a product shall prevent wrong connections. This may be supported
by appropriate grouping of connections. (6)
Compliance shall be checked by inspection of the product.

– 11 – EN 50491-4-1:2012
5.3 Environment
5.3.1 Products shall be designed for the working temperature appropriate to their maximum rated voltages
needed for the application environment and shall work properly in the specified temperature range. (7)
Compliance shall be checked by testing the product according to the relevant product standard and if this
does not exist to EN 50491-2 and the relevant basic safety standards.
5.3.2 The products and components shall be designed for resistance to abnormal heat and shall not
propagate fire. (8)
Compliance shall be checked by testing the product according to the relevant product standard and if this
does not exist to the relevant basic safety standards.
5.3.3 The products shall be designed to withstand the mechanical stress appropriate to the application(s).
(9)
Compliance shall be checked by testing the product according to the relevant product standard and if this
does not exist to EN 50491-2 and the relevant basic safety standards.
5.4 Life time
The products shall be designed for a defined useful lifetime according to EN 61709:1998, 5.2 and Annex A
or defined number of switching cycles under normal condition.
The datasheet shall give instructions for maintenance if required to reach the specified lifetime. (14)
Compliance shall be checked by inspection of the documentation.
5.5 Reasonably foreseeable misuse
5.5.1 The risk of accidental download of the wrong application software or parameters into the products
shall be minimised. (15)
NOTE The following measures may apply:
– design of the configuration tool;
– identification of products and comparison of their profiles by the network management;
– password;
– authentication;
– product documentation;
– training of installers/operators.
Compliance shall be checked by product test and/or inspection of the product documentation.
5.5.2 Proper configuration and related parameters shall be ensured. (15)
NOTE The following measures may apply:
– specification of parameter ranges;
– limited configuration possibilities for the end-user;
– access to configuration only for skilled persons (see EN 50090-2-1);
– consistency check by tools or by the installer;
– check of conformity with configuration.
Compliance shall be checked by check of conformity of existing with planed (intended) configuration.
5.5.3 Measures shall be provided for the detection and/or indication of missing or incompletely configured
products during the configuration process. (15)
NOTE The following measures may apply:
– design of the configuration tool;
– formal installation procedures.
Compliance shall be checked by product test or inspection of the product documentation.

5.6 Software and communication
5.6.1 The software development process shall comply with EN ISO 9000 or similar standards. (16)
Compliance shall be checked by inspection of the process documentation or of the corresponding
certificates.
5.6.2 Measures shall be provided to check for the proper operation of the product software and the
integrity of the configuration. If abnormal operation is detected, the product shall restore the correct values or
shall go to a defined state. (16)
Compliance shall be checked by inspection of the product software design documentation.
5.6.3 Measures, if required by the application, shall be provided inside the products to limit the traffic load
imposed on the communication medium. (12) (17)
NOTE The following measures may apply:
– limitation of cyclic transmission;
– limitation of the number of messages per time unit per product;
– limitation of polling cycles.
Compliance shall be checked by inspection of the product documentation and if possible by product testing.
5.6.4 The reception of messages from several sources shall not disturb the proper function of the product
and shall not cause hazards. (23)
NOTE The following measures may apply:
– check source address in case there is a hierarchy of the sources;
– apply the rule: first in, first out;
– apply the rule: last message wins;
– secure the process by finalising before new messages may change the behaviour;
– secure the process by stopping and restarting the process;
– secure the process by disabling and enabling the process.
Compliance shall be checked by inspection of the product documentation and if possible by product testing.
5.6.5 The products shall respond to a system reset (if any) by going to a defined state. (24)
Compliance shall be checked by inspection of the product documentation and if possible by product testing.
5.6.6 It shall be possible to restrict access to the manual configuration of system parameters. (24)
NOTE The following measures or exceptions may apply:
– use of a tool (hardware or software);
– use of password and/or authentication;
– ensure that unauthorised access is not possible;
– combination or sequence of actions;
– concealed means for configuration;
– except where manual configuration is explicitly detailed in its instruction manual (also the case for automatic configuration).
Compliance shall be checked by inspection of the product documentation and if possible by product testing.
5.6.7 Disturbed communication
5.6.7.1 The safe operation of a product shall be independent of the operation of other products in the
system or application. (12)
NOTE The following measures may apply:
– cyclic transmission;
– range checking of received variables.
Compliance shall be checked by inspection of the results of the product test or by inspection of the product
documentation.
...