
01 Fail Safe Planning

1. KNX systems used for safety-related applications require fail-safe planning at both the software and hardware levels. This includes implementing cyclical monitoring of devices and prioritizing critical telegrams.
2. Software measures involve configuring sensors to send "no alarm" signals cyclically and having actuators trigger an alarm if these signals are not received within a set time. Critical communication objects can be given higher priority.
3. Hardware distributed designs, line couplers, backup power supplies, and logic modules help ensure functions continue in the event of failures.

Uploaded by

behrooz

Fail-safe planning

KNX Association
KNX ADVANCED COURSE

Table of Contents
1 General
2 Software Measures
2.1 Cyclical Telegrams for Monitoring
2.1.1 Parameterisation Example using a Wind Telegram
2.2 Priority of a Telegram
2.3 Behaviour after Bus Voltage Recovery
3 Hardware Measures for a Safe KNX Installation
3.1 Distributed System with Controllers
3.2 Logic Modules and Visualisation in Connection with Couplers
3.3 Multi-channel Switch Actuators
3.4 Benefits of Line Couplers
3.5 Power Supply
3.6 Power Supply in event of a Power Failure
4 Practical Example
4.1 Cyclical Monitoring of 2 Lines using a Controller

Home and Building Management Systems KNX Association


Fail-safe planning Fail-safe planning_E0206b 2/11

1 General
Many KNX systems that are installed nowadays fulfil security-related functions. If these
types of applications are required, care should be taken to observe several points
regarding the software and hardware in order to make the KNX system fail-safe.
Examples of these types of requirements are:
- Alarm functions
- Monitoring systems (windows, doors, ... )
- Intruder and anti-theft alarm systems
- Remote indication (telephone, web, ... )
- Fire detectors
- Water detectors
- Control of devices and functions whose failure could result in damage (wind sensor for shutters, rain sensor for skylights, central disconnection of the water in unused buildings, …)

2 Software Measures
Actuators, sensors and controllers are available for implementing functions and must be
combined by the project engineer. During normal operation, telegrams are transmitted
dependent on events: if an event occurs, a telegram is generated and sent to the bus
system. If the sensor is no longer in operation, it may stop generating the telegrams
which cause an action to be carried out. In the worst case, an “important” telegram
could be lost. To prevent this, the absence of an expected telegram can be detected
and a transmission fault signalled as a result.

2.1 Cyclical Telegrams for Monitoring


For safety-related reasons, it can be advisable to repeat telegrams at cyclic intervals to
guarantee that the output device is set to a defined switch position if the transmitting
device fails. A function that occurs frequently in KNX systems is the wind or rain alarm.
The method of operation of a wind sensor is described in the following section by way of
illustration.
The information that no wind is present (i.e. logical “0”) is sent cyclically by the sensor. If
the shutter actuator does not receive a safety telegram within the period defined by the
project engineer, the shutter is moved to the safety position. Movement, stop and step
commands are only carried out again if the wind sensor has sent the telegram “No wind
present”. It should be noted that only this information i.e. logical “0” should be sent
cyclically in the KNX system. The majority of shutter actuators carry out a movement
command on receipt of the telegram “Wind present” (logical “1”). If this telegram were
also to be sent cyclically, the drive motors could be damaged in the worst case.
When configuring this type of cyclical monitoring, the monitoring period (on the part of
the actuator) should be set to 3 times the length of the cyclic period of the sensor. In
general, telegrams for cyclical sending should never be transmitted at relatively short
intervals, as this could lead to an excessively high bus load. Normally, it can be assumed
that the new state will be sent immediately if there is a change in the state at the
sensor.

2.1.1 Parameterisation Example using a Wind Telegram


The following diagrams show by way of example the parameterisation of a conventional
wind sensor which is connected to a binary input (Channel A).
A cyclic interval of 5 minutes has been set for the binary input. The actuator must receive
the information “No wind present” (“0”) within 15 minutes to prevent it from moving
automatically to the upper limit position.

Figure 1: ETS – Screenshot of a weather station (for instance Sensor input 1, limit value 1
Wind (54km/h))

Figure 2: ETS - Screenshot of a shutter actuator

The previously described method of operation can also of course be implemented using
switch actuators or controllers. To do so, a sensor or controller which is able to send a
telegram cyclically must be configured so that it continually retriggers a time switch or
staircase lighting function in the output device without the output device changing its
status. If information is lost (e.g. the power supply of a primary line fails), the output
device changes to the status that signals the alarm state. Using this method, it would be
possible to check from a central location whether all the line segments of a KNX system
are supplied with voltage. You would simply need to install a bus device in each segment
which sends a cyclical telegram and a device in a central location which evaluates this
information.

Figure 3: Sensor repeats cyclically

In event-controlled, distributed systems, the majority of security functions are based on
the repetition of telegrams, which the input device i.e. the sensor repeats cyclically.
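The monitoring rule from sections 2.1 and 2.1.1 (5-minute cycle, 15-minute monitoring period) and the central supervision of line segments described above, as an added Python example that is not part of the course material. The class and function names, the 60-second evaluation tick and the telegram timelines are assumptions constructed for illustration.

```python
# Added example, not KNX Association code; names and timelines are constructed.
CYCLE_S = 5 * 60            # sensor repeats "No wind present" (0) every 5 minutes
MONITOR_S = 3 * CYCLE_S     # actuator monitoring period: 3 x cycle = 15 minutes

class Watchdog:
    """Retriggerable timer, like a time switch that each cyclic telegram restarts."""
    def __init__(self, monitor_s=MONITOR_S):
        self.monitor_s = monitor_s
        self.last_seen = 0

    def retrigger(self, t):
        self.last_seen = t

    def expired(self, now):
        return now - self.last_seen > self.monitor_s

def shutter_transitions(telegrams, end, step=60):
    """Replay (time_s, value) wind telegrams; return state changes as (time_s, state)."""
    wd, wind, state, changes = Watchdog(), False, "normal", []
    pending = sorted(telegrams)
    for now in range(0, end + 1, step):
        while pending and pending[0][0] <= now:
            t, value = pending.pop(0)
            wind = value == 1        # 1 = "Wind present", sent on change only
            if value == 0:
                wd.retrigger(t)      # only "No wind present" re-arms the period
        new = "safety" if wind or wd.expired(now) else "normal"
        if new != state:
            changes.append((now, new))
            state = new
    return changes

def first_alarm(heartbeats, end, merged=False, step=60):
    """Supervise line segments; heartbeats = {line: [send times]}.

    merged=False keeps one watchdog per line. merged=True lets every line re-arm
    one shared watchdog, which hides a silent line while another keeps sending.
    """
    if merged:
        groups = {"all": [t for ts in heartbeats.values() for t in ts]}
    else:
        groups = dict(heartbeats)
    result = {}
    for name, times in groups.items():
        wd, result[name] = Watchdog(), None
        for now in range(0, end + 1, step):
            for t in times:
                if wd.last_seen < t <= now:
                    wd.retrigger(t)
            if wd.expired(now):
                result[name] = now   # first tick at which the alarm state is reached
                break
    return result

# Constructed timelines in seconds.
LOST_ONE = [(0, 0), (300, 0), (900, 0), (1200, 0)]       # telegram at 600 s lost
SENSOR_DEAD = [(0, 0), (300, 0), (600, 0), (3000, 0)]    # silent from 600 s to 3000 s
LINES = {"line 1": [0, 300, 600], "line 2": list(range(0, 3601, 300))}

if __name__ == "__main__":
    print(shutter_transitions(LOST_ONE, 1800))
    print(shutter_transitions(SENSOR_DEAD, 3600))
    print(first_alarm(LINES, 3600), first_alarm(LINES, 3600, merged=True))
```

A single lost telegram stays inside the 15-minute window, while a silent sensor trips the safety position; with one shared timer the failure of line 1 never surfaces because line 2 keeps re-arming it.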

2.2 Priority of a Telegram


A further step in enabling telegrams to be sent as quickly as possible is the setting of
priorities at the communication object. Normally, the appropriate priority levels are set by
the manufacturer. If however an application should require the priority levels to be
modified, they can be converted at the communication object in the ETS program.
The following priority levels are available:
- Low operational priority
- High operational priority
- Alarm
- System (used by ETS when downloading)

The following diagram indicates a weather station in which object 1 (Output Safety 2) has
been set to ‘Alarm’ priority. This setting firstly causes more logical “0s” to be sent in the
check byte of the telegram and the telegram immediately takes precedence over a device
with ‘Auto’ or ‘Normal’ priority. It should however be noted that you should not select the
same priority level for a large number of telegrams which could be transmitted at the
same time.

Figure 4: Priority of a telegram

Control field | Source address | Target address | Routing counter | Length | Useful data  | Check byte
8 bit         | 16             | 16 + 1         | 3               | 4      | up to 16 x 8 | 8 bit

Figure 5: TP1 Telegram

2.3 Behaviour after Bus Voltage Recovery


An important point to note when checking the installation for the correct functionality is the
starting behaviour of the KNX system devices after bus voltage recovery e.g. after a
power failure. In most cases, it can be assumed that switch actuators retain their state
after bus voltage recovery or switch off the outputs. It is important to verify in particular
whether devices have been configured as normally closed contacts as opposed to
normally open contacts. For most devices, there is the option in the application program
to define the status in the line segment on voltage recovery.
If irrigation systems, pump controllers or device controllers which cause high operational
costs are implemented with the bus system, this point should be checked in detail and
form part of every acceptance protocol.
The installation of a conventional timing relay in parallel to the supply cable of the KNX
power supply is one of the safest ways of detecting a voltage failure and resetting
controllers, setpoint values and states in an installation to an initial state. The timing relay
switches on with a delay (after approx. 30 seconds) and its contact is linked with a
channel of a KNX binary input. This binary input can then send a group address which
reports a power failure and creates defined initial states.
The following diagram represents the schematic configuration of this type of system.

Figure 6: Installation of a conventional timing relay in parallel to the supply cable of the KNX power supply

In many installations, the requirement could be placed on the system to transfer different
group addresses with defined useful data into the KNX system on voltage recovery. A
controller must generally be used for this type of application. The controller must be able
to trigger in response to a telegram and to send the group addresses to the KNX system
with the corresponding values on receipt of this information.

Figure 7: Trigger in response to a telegram

3 Hardware Measures for a Safe KNX Installation

3.1 Distributed System with Controllers


Each bus device has its own authorisation and its own microprocessor. If a bus device
fails, all the other bus devices function without any interference. This applies to all direct
connections (e.g. sensor – actuator). If logic modules are used however between the
input device and the output device, the failure of this device means that data transfer
cannot take place.

Figure 8: Distributed system with controllers

The above should be noted in particular if the lighting can for example only be switched
via scene modules.
To be able to switch the lighting on and off after the failure of the scene module, it is
advisable to assign a central ON/OFF function for the room to at least one sensor and to
allocate this group address to the respective actuators.

3.2 Logic Modules and Visualisation in Connection with Couplers


In KNX systems that extend over several rooms, it is advisable to distribute the controllers
i.e. to position several modules. The fault tolerance is thereby increased. It also relieves
the load from the filter tables and the telegram traffic across the lines and areas is
reduced to a minimum.
If a visualisation program is present in a KNX system, it can take over logic functions and
sequence control in many cases. Products are also available on the market which support
basic programming languages which are similar to C or Pascal. It is of course also
possible to use the visualisation as a large controller. This is however not a good idea as
regards operational reliability, since a failure of the PC will lead to the functions in the
KNX system no longer being guaranteed. It is advisable in any case to connect the PC on
which the visualisation is installed to a UPS. In general however a control option should
always be provided next to the PC to ensure emergency operation. This can take the form
of a switch sensor or panel units for example.

3.3 Multi-channel Switch Actuators


Multi-channel switch actuators are being specified with increasing frequency when KNX
systems are costed. In most cases these devices appear to be a good idea as regards
project costs, but if such a device fails, several loads can no longer be controlled.
This should also be considered when planning a KNX system. If output devices with many
channels are used, it may be advisable to select the assignment so that complete areas
of the building are not affected by the malfunction if a device fails (see the example).
The light strips are often placed on the switch actuators in sequence:

Switch actuator 1   Channel A   Room 1   Light strip at door
Switch actuator 1   Channel B   Room 1   Light strip at window
Switch actuator 2   Channel A   Room 2   Light strip at door
Switch actuator 2   Channel B   Room 2   Light strip at window
etc.

A failure of switch actuator 1 or 2 would mean that it would not be possible to switch any
loads throughout the room. It is advisable to select the following assignment if you have
the actuators available:

Switch actuator 1   Channel A   Room 1   Light strip at door
Switch actuator 2   Channel A   Room 1   Light strip at window
Switch actuator 1   Channel B   Room 2   Light strip at door
Switch actuator 2   Channel B   Room 2   Light strip at window
etc.

Should one of the two actuators now have a malfunction, both rooms are indeed affected
but at least one light strip would continue to operate per room.
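The comparison of the two assignments can be run as a check over any channel list. The following Python example is added here and is not part of the course material; the function names are hypothetical and the rows are copied from the two assignments above.

```python
from collections import defaultdict

# Rows copied from the two assignments above: (actuator, channel, room, load).
SEQUENTIAL = [
    ("Switch actuator 1", "A", "Room 1", "Light strip at door"),
    ("Switch actuator 1", "B", "Room 1", "Light strip at window"),
    ("Switch actuator 2", "A", "Room 2", "Light strip at door"),
    ("Switch actuator 2", "B", "Room 2", "Light strip at window"),
]
INTERLEAVED = [
    ("Switch actuator 1", "A", "Room 1", "Light strip at door"),
    ("Switch actuator 2", "A", "Room 1", "Light strip at window"),
    ("Switch actuator 1", "B", "Room 2", "Light strip at door"),
    ("Switch actuator 2", "B", "Room 2", "Light strip at window"),
]


def failure_impact(assignment):
    """For each actuator, classify the rooms if that single device fails.

    "dark": every load in the room hangs on the failed actuator.
    "degraded": the room loses some loads but keeps at least one.
    """
    loads = defaultdict(list)          # room -> actuator behind each of its loads
    for actuator, _channel, room, _load in assignment:
        loads[room].append(actuator)
    impact = {}
    for failed in sorted({row[0] for row in assignment}):
        dark = sorted(r for r, a in loads.items() if set(a) == {failed})
        degraded = sorted(r for r, a in loads.items()
                          if failed in a and set(a) != {failed})
        impact[failed] = {"dark": dark, "degraded": degraded}
    return impact


def single_points_of_failure(assignment):
    """Actuators whose failure leaves at least one room with no switchable load."""
    return [a for a, i in failure_impact(assignment).items() if i["dark"]]


if __name__ == "__main__":
    for name, table in (("sequential", SEQUENTIAL), ("interleaved", INTERLEAVED)):
        print(name, failure_impact(table), single_points_of_failure(table))
```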

3.4 Benefits of Line Couplers


The higher the number of line couplers that are installed in a system, the better the
structure and fault tolerance of the entire system. The filter tables must however be
commissioned properly to reduce the total number of telegrams in the KNX system, avoid
repeat telegrams and to guarantee the quickest possible transfer of information.
Fail-safe planning is considerably improved by the electrical isolation of both line
segments by a line coupler. Short circuits, overvoltage and other malfunctions can thus
be limited to a line segment. To avoid the build up of telegrams via controllers (telegrams
circulating via logic modules due to faulty programming) or repeat telegrams, the filter
tables should be loaded correctly into the couplers and configured.

3.5 Power Supply


A 640 mA power supply offers the opportunity in most cases to supply more than one line
segment with power. It must however be noted that 2 line segments can no longer be
operated if this power supply fails.

3.6 Power Supply in event of a Power Failure


There are two options for guaranteeing the operation of a line segment for a certain
period without a 230 V supply. Power supply units are available with a battery connection
which can buffer the KNX system for a certain period even after a total power failure. If a
12 V battery is used, it is moreover possible to control an alarm siren with a strobe light
via a switch actuator with floating contacts (see the chapter on “Security technology”).
In certain cases, many bus devices require a separate power supply. These include built-
in panels, PCs with a visualisation system running on them or telephone dialling devices
which are connected to telecommunication systems. The request is often made to enable
signals to be sent even after a failure of the 230 V supply. The supply voltage for the KNX
power supply can be connected e.g. via a UPS – Uninterruptible Power Supply. This
device ensures that the KNX installation continues to function for a certain period after a
mains failure. Other 230 V devices can of course also be connected via the UPS such as
telephone dialling devices, telephone systems and power supply units for 24 V binary
inputs which are often used to monitor window contacts. All these devices can also be
operated in most cases with a UPS. If several line couplers should be installed in a KNX
system, each line segment should be buffered.
If a monitoring system is implemented with KNX, it is advisable to connect all the sensors
and actuators that are required for alarm signalling to one line segment. This segment
can then be isolated from the rest of the system via a line coupler. This results in a saving
as only this line segment needs to be buffered.

4 Practical Example

4.1 Cyclical Monitoring of 2 Lines using a Controller


Configure a KNX system with 2 lines and a main line.
A device which is able to send cyclical telegrams is installed in each of the two secondary
lines. An output device (actuator, LED, display, visualisation...) should be installed on the
main line of the system which indicates whether bus voltage is present in line 1 or 2. You
require a controller whose application enables time switch operation.
Integrate a wind sensor into your system which acts on shutter actuators. This sensor
should move the shutter into the upper limit position when the limit value is exceeded.
The information of the cyclic wind telegram should also be represented on the main line
on the output device.
Consider whether it is a good idea to place the cyclical information at an OR gate and to
signal at one channel of an output device. Which problems could arise?
