ISO/IEC TR 14762:2001

TECHNICAL ISO/IEC
REPORT
TR 14762
First edition
2001-01
Information Technology –
Home Control Systems –
Guidelines for functional safety

Reference number
TECHNICAL ISO/IEC
REPORT – TYPE 3
TR 14762
First edition
2001-01
Information Technology –
Home Control Systems –
Guidelines for functional safety

 ISO/IEC 2001
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any
means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
ISO/IEC Copyright Office Case postale 56 CH-1211 Genève 20 Switzerland
PRICE CODE
F
For price, see current catalogue

– 2 – TR 14762  ISO/IEC:2001(E)

CONTENTS
Page
FOREWORD . 3

INTRODUCTION .4

Clause
1 Scope . 5

1.1 User environment . 5

1.2 Hazards . 5
1.3 Conditions . 6
1.4 Possible protection measures . 6
2 Reference documents . 6
3 Definitions and abbreviations . 7
3.1 Definitions . 7
3.2 Abbreviations. 7
4 General guidelines for the product committees. 7
5 Guidelines referring to installation. 8
6 Case by case requirements. 8
6.1 Message types. 8
6.2 Physical medium openness. 9
6.3 Degree of hazard of devices and applications . 10
6.4 Safety requirements. 10
6.5 Case dependent requirements . 11
Annex A – Some examples. 13
Bibliography . 15

TR 14762  ISO/IEC:2001(E) – 3 –

INFORMATION TECHNOLOGY –
HOME CONTROL SYSTEMS –
GUIDELINES FOR FUNCTIONAL SAFETY

FOREWORD
1) ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) form
the specialized system for worldwide standardization. National bodies that are members of ISO or IEC

participate in the development of International Standards through technical committees established by the

respective organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental,

in liaison with ISO and IEC, also take part in the work.
2) In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1. Draft International Standards adopted by the joint technical committee are circulated to national
bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national
bodies casting a vote.
3) Attention is drawn to the possibility that some of the elements of this technical report may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
The main task of IEC and ISO technical committees is to prepare International Standards. In
exceptional circumstances, a technical committee may propose the publication of a technical
report of one of the following types:
• type 1, when the required support cannot be obtained for the publication of an
International Standard, despite repeated efforts;
• type 2, when the subject is still under technical development or where, for any other reason,
there is the future but not immediate possibility of an agreement on an International Standard;
• type 3, when the technical committee has collected data of a different kind from that which
is normally published as an International Standard, for example ‘state of the art’.
Technical reports of types 1 and 2 are subject to review within three years of publication to
decide whether they can be transformed into International Standards. Technical reports of
type 3 do not necessarily have to be reviewed until the data they provide are considered to be
no longer valid or useful.
ISO/IEC 14762, which is a technical report of type 3, was prepared by subcommittee 25:
Interconnection of information technology equipment, of ISO/IEC joint technical committee 1:
Information technology.
This document which is purely informative is not to be regarded as an International Standard.
Comments on the content of this document should be sent to IEC Central Office.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 3.

– 4 – TR 14762  ISO/IEC:2001(E)

INTRODUCTION
This technical report gives guidance to the product committees, so that they can specify

products using home control systems. It gives guidance on the default actions a device should

take when it loses network access, and on the definition of the “safe” state of the product.

Verb forms such as “should” are used because a technical report is informative and should

not contain requirements. However, if safety is to be achieved, compliance with the statement

is compulsory.
TR 14762  ISO/IEC:2001(E) – 5 –

INFORMATION TECHNOLOGY –
HOME CONTROL SYSTEMS –
GUIDELINES FOR FUNCTIONAL SAFETY

1 Scope
This technical report gives guidelines for functional safety of electrically-controlled devices

intended to be integrated in a home control system (HCS), as defined in IEC Guide 110.

These guidelines also apply to similar equipment having home and/or building control
functions. Any reference to HCS includes similar equipment, such as sensors and activators
for security and energy management.
1.1 User environment
This technical report is concerned with the safety of persons, surroundings, livestock and
domestic animals. It includes personal protection against electric shock, effects of excessive
temperature, radiation, explosion, implosion, mechanical stability and moving parts, as well as
protection against fire. It covers safety both in homes and non-industrial buildings. (See IEC
Guide 104.)
This technical report specifies requirements intended to ensure safety for the user and
layperson who may come into contact with the equipment and, where specifically stated, for
service personnel (see clause 1 of IEC 60950).
An HCS should comply with the requirements for functional safety indicated in this report. In
addition, the individual equipment integrated into an HCS should comply with relevant product
safety standards.
1.2 Hazards
Application of this technical report is intended to prevent injury or damage due to any of the
following hazards that could result from malfunction or failure of an HCS:
• electric shocks;
 energy hazards;
 fire;
 mechanical and heat hazards;
 radiation hazards;
 chemical hazards.
Included is safety in homes and non-industrial buildings for persons, surroundings, livestock
and domestic animals.
– 6 – TR 14762  ISO/IEC:2001(E)

1.3 Conditions
This technical report covers all conditions of normal use and fault conditions.

Foreseeable misuse should be taken into consideration; however, sabotage, force majeure

and intentional damage are excluded.

After abnormal operation or in a fault condition, a device should not interfere with the safety of

the HCS and should remain safe for the user as defined in the relevant product safety

standard. It is not required that the device should still be in full working order.

1.4 Possible protection measures
The following measures are suggested:
 measures to prevent an HCS from interfering with the safety of a device connected to the
HCS;
 measures to ensure that a malfunction or a failure of an HCS does not impair the safety
level of devices integrated into the system;
 measures to prevent a device integrated into an HCS from interfering with the safety of
the HCS, or other devices connected to the HCS.
Some examples of such measures are
– appropriate installation of a device,
– adequate electrical safety of interface modules,
– control of HCS access,
– verification of safety critical information,
– safe mode of a device in the event of a malfunction or a failure of the HCS.
Relevant information should be given within installation or operation manuals (or instruction
sheets).
2 Reference documents
IEC Guide 104, The preparation of safety publications and the use of basic safety publications
and group safety publications
IEC Guide 110, Home control systems – Guidelines relating to safety

IEC Guide 112:2000, Guide on the safety of multimedia equipment
IEC 60065:1998, Audio, video and similar electronic apparatus – Safety requirements
IEC 60364 (all parts), Electrical installation of buildings
IEC 60950, Safety of information technology equipment
IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic
safety-related systems
TR 14762  ISO/IEC:2001(E) – 7 –

3 Definitions and abbreviations

3.1 Definitions
For the purpose of this technical report the definitions of IEC Guide 110 apply as well as the

following definition.
3.1.1
functional safety (for a home control system)

ability of a home control system to carry out the actions necessary to achieve and maintain an

appropriate level of safety both under normal conditions and when a fault or hazard occurs
[see IEC 61508-4]
3.2 Abbreviations
HCS: home control system
4 General guidelines for the product committees
For HCS products, the following applies.
 The existing measures and protection concepts incorporated in regulations and product
standards need to be taken into account.
 No part of a home control system should rely upon unconfirmed safety-critical
information. This applies equally to new and modified systems (extensions, changes of
configuration). (IEC Guide 110, 4.2.1.)
 The network or any other part of a home control system should not impair the safety of a
device; all safety aspects of regulations and the product standard of the device should be
complied with. Similarly, connection of an application device should not interfere with the
safety of the home control system. (IEC Guide 110, 4.2.2.)
 If a device relies upon an HCS for safe operation but cannot verify correct function of the
relevant parts of the HCS, the device should maintain an appropriate level of safety
independent of the HCS. (IEC Guide 110, 4.2.3.)
 An order or series of orders (even if incorrect or unexpected) received via the HCS
should not result in a hazard or damage the HCS product or the equipment controlled by
the HCS. These orders may cause the product not to operate at all or not to operate
properly, for example, by entering a “default” mode, provided it is in a safe mode.
 The manufacturer and/or installer should apply the relevant safety standards to the
installation of HCS, in particular IEC 60364 (containing the rules for the erection and
design of electrical installations), so as to ensure safety and proper functioning for the

use intended.
It is to be noted that the above recommendations can easily be taken into account by a
manufacturer of a product by integrating an HCS access that has a well-defined function (for
example dish-washer, toaster, etc.).
The above recommendations should not present difficulties for product manufacturers skilled
in the design and production of conventional forms of domestic appliances and similar
equipment that do not include HCS access.
Integration of an HCS access adds electrical safety requirements that have to be complied
with, but does not add new classes of potential safety hazards. In this case, the manufacturer
is expected to know about the existing safety measures for a non-HCS-connected device in
order to ensure the safety of this device.

– 8 – TR 14762  ISO/IEC:2001(E)

As an example, an oven integrating an HCS access may be unexpectedly switched on, either
over the HCS or locally by a child; this must be taken into account by the manufacturer in the

same way. The integration of the HCS access does not create a new hazard; however, it

affords another way of exposing an existing hazard, that of unintended operation.

5 Guidelines referring to installation

The above recommendations may not be sufficient in cases where the geographical

distribution or the combination of the device with other devices may lead to potential

functional safety hazards.
For example, a light in a staircase may lead to a safety hazard if unexpectedly switched off.
Similarly, a device used to switch on or off an electrical line or plug, operating independently
of the kind of load connected, may generate additional safety hazards, depending on the
equipment that is using the line or plug.
In these cases, the manufacturer should draw the attention of the installer and/or the user to
the installation and usage conditions and requirements.
 Installation of products should be done according to the manufacturer’s user and
installation manuals; these manuals should provide guidance for the installation,
configuration, extension and maintenance of such systems so that potential safety
problems are avoided.
 Installation of an HCS does not alter or diminish the need to comply with existing
regulations and guidelines. After the installation of a home control system or any HCS-
connected device, the electrical installation should still comply with the latest regulations
and state of the art. This should be stated in the product instructions.
 Relevant safety requirements apply to the connection of a home control system to a
public services network if the home control system includes an access point to such a
network.
If the system is to be installed in a building where some national or regional safety
requirements apply, the behaviour of the system should comply with these requirements. In
case of a fault, the system should default to a safe mode compatible with those requirements.
6 Case by case requirements
6.1 Message types
A primary consideration of safety relates to the messages sent on an HCS. The messages on

an HCS are intended to do one of a number of things as listed below.
a) Convey either information or instructions to a device; for example, “it is 22 °C in the
bedroom” or “turn off the kitchen heater.” The messages are generally about the real
world, that is, the world outside the HCS, and are intended to have an immediate effect on
the actions of other devices. These are the most common forms of messages on an HCS.
b) Change the state of a device by rendering either the whole or parts of the device
1)
inoperable, for example, taking it off-line.
c) Modify the performance of a device; for example, “don’t report temperature changes
smaller than 1 °C” or “send an alarm if the temperature of the swimming pool is below
16 °C". These messages modify the future performance of the system. These may be
regarded as configuration messages since they modify the way in which the target device
is configured.
———————
1)
These messages should not prejudice the safety of a system since it should not be necessary to rely on the
functioning of all network devices for safe operation.

TR 14762  ISO/IEC:2001(E) – 9 –

d) Modify the source or destination of messages; for example “in the future send details of

the temperature in the bedroom to the heater in the kitchen”. These are generally referred

2)
to as network management messages since they change the “shape” of the network.

3)
e) Modify the performance of the device by down-loading new application code.

The messages are listed above in increasing order of their potential impact on functional

safety. Reconfiguring the source and destination of communication can clearly create

hazards. For example, managing the network so that the left-hand door of a garage door

opener is no longer listening to its own safety system but to that of the adjacent right-hand

door can create serious hazards.

6.2 Physical medium openness
The second issue that affects the functional safety of an HCS system is the openness of the
sy
...