ISO/DIS 22201-2
Lifts (elevators), escalators and moving walks -- Programmable electronic systems in safety related applications
Ascenseurs, escaliers mécaniques et trottoirs roulants -- Systèmes électroniques programmables dans les applications liées à la sécurité
Standards Content (sample)
DRAFT INTERNATIONAL STANDARD
ISO/DIS 22201-2
ISO/TC 178 Secretariat: AFNOR
Voting begins on: 2016-01-04
Voting terminates on: 2016-04-04
Lifts (elevators), escalators and moving walks —
Programmable electronic systems in safety related
applications —
Part 2:
Escalators and moving walks (PESSRAE)
Ascenseurs, escaliers mécaniques et trottoirs roulants — Systèmes électroniques programmables dans les
applications liées à la sécurité —Partie 2: Escaliers mécaniques et trottoirs roulants
ICS: 91.140.90
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/DIS 22201-2:2015(E)
© ISO 2015
COPYRIGHT PROTECTED DOCUMENT
© ISO 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword
Introduction
1 Scope
2 Conformance
3 Normative references
4 Terms and definitions
5 Symbols and abbreviated terms
6 Requirements
6.1 General
6.2 Extended application of this International Standard
6.3 Safety function SIL requirements
6.4 SIL relevant and non-SIL relevant safe state requirements
6.5 Implementation and demonstration requirements for verification of SIL compliance
Annex A (normative) Techniques and measures to implement, verify, and maintain SIL compliance
Annex B (informative) Applicable escalator and moving walk codes, standards, and laws
Annex C (informative) Example of risk reduction decision table
Bibliography
Copyright by ISO. Reproduced by ANSI with permission of and under license from ISO.
Licensed to committee members for further standardization only. Downloaded 3/26/2013 2:01 PM. Not for additional sale or distribution.
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2. www.iso.org/directives
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received. www.iso.org/patents
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
The committee responsible for this document is ISO/TC 178, Lifts, escalators and moving walks.
ISO 22201 consists of the following parts, under the general title Lifts (elevators), escalators and moving
walks — Programmable electronic systems in safety-related applications:
— Part 1: Lifts (elevator) (PESSRAL)
— Part 2: Escalators and moving walks (PESSRAE)
— Part 3: Life cycle guideline for programmable electronic systems related to PESSRAL and PESSRAE
[Technical Report]
Introduction
Systems comprised of electrical and/or electronic elements have been used for many years to perform
safety functions in most application sectors. Computer-based systems, generically referred to as
programmable electronic systems, are being used in many application sectors to perform non-safety
functions and, increasingly, to perform safety functions. If computer system technology is to be effectively
and safely exploited, it is essential that those responsible for making decisions have sufficient guidance
on the safety aspects on which to make these decisions. In most situations, safety is achieved by a number
of protective systems that rely on many technologies (for example mechanical, hydraulic, pneumatic,
electrical, electronic, programmable electronic). Any safety strategy must therefore consider not only
all the components within an individual system (for example sensors, controlling devices and actuators)
but also all the safety-related elements making up the total combination of safety-related systems.
This International Standard is based upon the guidelines provided in the generic International
Electrotechnical Commission (IEC) Standard IEC 62061 and Comité Européen de Normalisation (CEN) Standard
EN 115-1:2008.
The requirements given in this International Standard recognize the fact that the product family covers a
total range of escalators and moving walks used in residential buildings, offices, hospitals, hotels,
industrial plants, etc. This International Standard is the product family standard for escalators and
moving walks and takes precedence over all aspects of the generic standard.
This International Standard sets out the product specific requirements for systems comprised of
programmable electronic elements that are used to perform safety functions in escalators and moving
walks. This International Standard has been developed in order that consistent technical and
performance requirements and rationale be specified for Programmable Electronic System in
Safety-Related Application for Escalators and moving walks (PESSRAE).
Risk analysis, terminology, and technical solutions have been considered taking into account the
methods of the IEC 61508 series of standards. The risk analysis of each safety function specified in
Table 1 resulted in the classification of electric safety functions applied to PESSRAE. Tables 1 and 2 give
the safety integrity level and functional requirements, respectively, for each electric safety function.
The safety integrity levels (SIL) specified in this International Standard may also be applied to other
technologies used to satisfy the safety functions specified in this International Standard.
Harmonization with national escalator and moving walk norms:
Application of this International Standard:
The application of this International Standard is intended to be by reference within a national escalator
and moving walk norm such as escalator and moving walk codes, standards, or laws. There are three
reasons for this.
— To allow selective reference by national norms to specific escalator and moving walk safety functions
described in this International Standard. Not all escalator and moving walk safety functions
identified in this International Standard are called out in every national norm.
— To allow for future harmonization of national norms with escalator and moving walk safety
functions identified in this International Standard. Because there exist some differences in the
requirements for fulfilment of the safety objective of national escalator and moving walk norms and
in national practice of escalator and moving walk use and maintenance, there are instances where
the requirements for escalator and moving walk safety functions described in this International
Standard are based on the consensus work and agreement by the ISO committee responsible for this
International Standard. National bodies may choose to selectively harmonize with those escalator
and moving walk safety functions that differ in the requirements called for by the existing national
norm in future norm revisions.
— To allow for the application of this International Standard where escalator and moving walk safety
functions are new or deviate from those specified in this International Standard. More and more,
national escalator and moving walk legislations are moving to performance based requirements.
For this reason the development of new or different escalator and moving walk safety functions
can be foreseen in product specific applications. For those who require escalator and moving walk
safety functions that are new or different from those specified in this International Standard,
this International Standard provides a verifiable method to establish the necessary level of safety
integrity for those functions.
INTERNATIONAL STANDARD ISO DIS 22201-2:2015(E)
Lifts (elevators), escalators and moving walks —
Programmable electronic systems in safety related
applications —
Part 2:
Escalators and moving walks (PESSRAE)
1 Scope
1.1 This International Standard is applicable to the product family of escalators and moving walks used
in residential buildings, offices, hospitals, hotels, industrial plants, etc. This International Standard covers
those aspects that need to be addressed when programmable electronic systems are used to carry out electric
safety functions for escalators and moving walks (PESSRAE). This International Standard is applicable
for escalator and moving walk safety functions that are identified in escalator and moving walk codes,
standards, or laws that reference this International Standard for PESSRAE application. The safety integrity
levels (SILs) specified in this International Standard are understood to be valid for PESSRAE application in
the context of the referenced escalator and moving walk codes, standards, and laws in Annex B.
1.2 This International Standard is also applicable for the application of PESSRAE that are new or deviate
from those described in this International Standard.
1.3 The requirements of this International Standard regarding electrical safety/protective devices
are such that it is not necessary to take into consideration the possibility of a failure of an electric
safety/protective device complying with all the requirements of this International Standard and other
relevant standards.
In particular, this International Standard:
a) uses safety integrity levels (SIL) for specifying the target failure rate for the safety functions to be
implemented by the PESSRAE;
b) specifies the requirements for achieving safety integrity for a function but does not specify who is
responsible for implementing and maintaining the requirements (for example, designers, suppliers,
owner/operating company, contractor); this responsibility is assigned to different parties according
to safety planning and national regulations;
c) applies to PE systems used in escalator and moving walk applications that meet the minimum
requirements of recognized escalator and moving walk standards such as EN 115, ASME
A17.1/CSA B44, or escalator and moving walk laws such as The Japan Building Standard Law
Enforcement Order For Elevator and Escalator;
d) defines the relationship between this International Standard and IEC 61508 and defines the
relationship between this International Standard and the EMC Standard for Escalators and moving
walks on immunity, ISO 22200;
e) outlines the relationship between escalator and moving walk safety functions and their
safe-state conditions;
f) applies to phases and activities that are specific to design of hardware and software but not those
phases and activities which occur post design, for example sourcing and manufacturing;
h) provides requirements relating to the hardware and software safety validation;
i) establishes the safety integrity levels for specific escalator and moving walk safety functions;
j) specifies techniques/measures required for achieving the specified safety integrity levels;
k) defines a maximum level of performance (SIL 3) which can be achieved for a PESSR-AE according to
this International Standard and defines a minimum level of performance (SIL 1).
1.4 This International Standard does not cover:
a) hazards arising from the PE systems equipment itself such as electric shock etc.;
b) the concept of fail-safe that may be of value when the failure modes are well defined and the level
of complexity is relatively low. The concept of fail-safe was considered inappropriate because of the
full range of complexity of PESSR-AE that are within the scope of this International Standard;
c) other relevant requirements necessary for the complete application of a PESSR-AE in an escalator and
moving walk safety function such as system integration specifications, temperature and humidity,
the mechanical construction, mounting and labelling of switches, actuators, or sensors that contain
PESSR-AE. These requirements are to be carried out in accordance with the national escalator and
moving walk norm that references this International Standard.
d) foreseeable misuse involving security threats related to malevolent or unauthorized action. In cases
where a security threat analysis needs to be considered this standard may be used, provided the
specified SIL has been reassessed.
3 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
IEC 61508-1:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 1: General Requirements
IEC 61508-2:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 3: Software requirements
IEC 61508-4:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 4: Definitions and abbreviations
IEC 61508-5:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 5: Example of methods for the determination of Safety Integrity Levels
ISO 22200, Electromagnetic compatibility — Product family standard for lifts, escalators and moving
walks — Immunity
IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and
programmable electronic control systems
4 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 61508-4 apply, except that the
definitions in this International Standard take precedence over those in the generic standard.
4.1
non-SIL relevant safe-state requirement
required response to the actuation of a SIL rated safety function where the function performing this
response is not required to be SIL rated
Note 1 to entry: See Figure 4 and Table 2.
4.2
programmable electronic
based on computer technology which may be comprised of hardware, software, and of input
and/or output units
NOTE This term covers microelectronic devices based on one or more central processing units
(CPUs) together with associated memories, etc.
EXAMPLE The following are all programmable electronic devices:
– microprocessors;
– micro-controllers;
– programmable controllers;
– field programmable gate array (FPGA);
– application specific integrated circuits (ASICs);
– programmable logic controllers (PLCs);
– other computer-based devices (for example smart sensors, transmitters, actuators).
4.3
programmable electronic system
PE systems
system for control, protection or monitoring based on one or more programmable electronic devices,
including all elements of the system such as power supplies, sensors and other input devices, data
highways and other communication paths, and actuators and other output devices
Note 1 to entry: See Figure 1.
Note 2 to entry: A PE systems may perform functions that fulfil requirements for SIL rated and non-SIL rated
function(s). The SIL rating of a function is only required to consider that portion of PE systems that perform the SIL
relevant functional requirements.
[Figure 1 — Basic PE systems structure. Elements shown within the extent of the PE systems: input devices (for example, sensors); input interfaces (for example, A-D converters); programmable electronics (PE) (see note); communications; output interfaces (for example, D-A converters); output devices/final elements (for example, actuators).]
NOTE The programmable electronics are shown centrally located but could exist at several places in the PE
systems.
4.4
Programmable Electronic Systems in Safety-Related Applications for Escalators and moving walks
PESSR-AE
application of a software-based PE systems in a safety-related system for escalators and moving walks
4.5
proof test
periodic test performed to detect dangerous hidden failures in a safety-related system so that, if necessary, a
repair can restore the system to an “as new” condition or as close as practical to this condition.
NOTE 1 In this standard the term “proof test” is used but it is recognised that a synonymous term is “periodical test”.
NOTE 2 The effectiveness of the proof test will be dependent both on failure coverage and repair effectiveness. In practice detecting 100%
of the hidden dangerous failures is not easily achieved for other than low-complexity E/E/PE safety-related systems. This should be the
target. As a minimum, all the safety functions which are executed are checked according to the E/E/PE system safety requirements
specification. If separate channels are used, these tests are done for each channel separately. For complex elements, an analysis may
need to be performed in order to demonstrate that the probability of hidden dangerous failure not detected by proof tests is negligible over
the whole life duration of the E/E/PE safety related system.
NOTE 3 A proof test needs some time to be achieved. During this time the E/E/PE safety related system may be inhibited partially or
completely. The proof test duration can be neglected only if the part of the E/E/PE safety related system under test remains available in
case of a demand for operation or if the EUC is shut down during the test.
NOTE 4 During a proof test, the E/E/PE safety related system may be partly or completely unavailable to respond to a demand for
operation. The MTTR can be neglected for SIL calculations only if the EUC is shut down during repair or if other risk measures are put in
place with equivalent effectiveness.
4.6
safety circuit
total combination of safety devices that fulfil all or a group of escalator and moving walk safety functions
Note 1 to entry: See Figure 2.
[Figure 2 — Safety circuit. The figure shows Safety Device 1 (Function 1), Safety Device 2 (Function 2), Safety Device n (Function n) and Safety Device (n + 1) (Function (n + 1)), together covering all or a group of required safety functions (see Table 1).]
4.7
safety device
part of the safety-related system, including necessary control circuits, that has been designated to
achieve, in its own right, an escalator and moving walk safety function and may consist of PE system
elements and non-PE system elements
Note 1 to entry: See Figure 3 and Table 1.
[Figure 3 — Safety Device. The figure shows a safety device made up of PE system elements and non-PE system elements.]
4.8
safety function
function to be implemented by a safety-related system, which is intended to achieve or maintain a safe-
state of the escalator and moving walk, with respect to a specific hazardous event
Note 1 to entry: See Table 1.
Note 2 to entry: A safety function may include non-SIL relevant requirements, see Table 2.
4.9
safety-related system
consists of one or more safety devices performing one or more safety functions that may be based
on programmable electronic (PE), electrical, electronic and/or mechanical elements of the
escalator and moving walk
Note 1 to entry: The term includes all the hardware, software and supporting services (for example, power
supplies) necessary to carry out the specified safety function (sensors, other input devices, final elements
(actuators) and other output devices are therefore included in the safety-related system).
4.10
safety integrity level
SIL
discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety
functions to be allocated to the programmable electronic safety-related system, where safety integrity
level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest. The SIL is
indicative of a failure rate that includes all causes of failures (both random hardware failures and
systematic failures), which lead to an unsafe state, for example hardware failures, software induced
failures and failures due to electrical interference
Note 1 to entry: In the context of this International Standard, SIL 3 is the highest safety integrity level that is
applied to escalators and moving walks.
4.11
SIL Relevant Safe-State Requirement
part of the safety-related system where the specified SIL of the function is required to be met
Note 1 to entry: See Figure 4 and Table 2.
[Figure 4 — Escalator and moving walk safety function. The figure shows a safety function divided into SIL relevant safe-state requirement(s) and non-SIL relevant safe-state requirement(s).]
4.12
...
DRAFT INTERNATIONAL STANDARD
ISO/DIS 22201-2
ISO/TC 178 Secretariat: AFNOR
Voting begins on: Voting terminates on:
2016-01-04 2016-04-04
Lifts (elevators), escalators and moving walks —
Programmable electronic systems in safety related
applications —
Part 2:
Escalators and moving walks (PESSRAE)
Ascenseurs, escaliers mécaniques et trottoirs roulants — Systèmes électroniques programmables dans les
applications liées à la sécurité —Partie 2: Escaliers mécaniques et trottoirs roulants
ICS: 91.140.90
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/DIS 22201-2:2015(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION. ISO 2015
---------------------- Page: 1 ----------------------
ISO/DIS 22201-2:2015(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2015 – All rights reserved
---------------------- Page: 2 ----------------------
ISO DIS 22201-2:2015(E)
Contents
Foreword
Introduction
1 Scope
2 Conformance
3 Normative references
4 Terms and definitions
5 Symbols and abbreviated terms
6 Requirements
6.1 General
6.2 Extended application of this International Standard
6.3 Safety function SIL requirements
6.4 SIL relevant and non-SIL relevant safe state requirements
6.5 Implementation and demonstration requirements for verification of SIL compliance
Annex A (normative) Techniques and measures to implement, verify, and maintain SIL compliance
Annex B (informative) Applicable escalator and moving walk codes, standards, and laws
Annex C (informative) Example of risk reduction decision table
Bibliography
Copyright by ISO. Reproduced by ANSI with permission of and under license from ISO.
Licensed to committee members for further standardization only. Downloaded 3/26/2013 2:01 PM. Not for additional sale or distribution.
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2. www.iso.org/directives
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received. www.iso.org/patents
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
The committee responsible for this document is ISO/TC 178, Lifts, escalators and moving walks.
ISO 22201 consists of the following parts, under the general title Lifts (elevators), escalators and moving
walks — Programmable electronic systems in safety-related applications:
— Part 1: Lifts (elevator) (PESSRAL)
— Part 2: Escalators and moving walks (PESSRAE)
— Part 3: Life cycle guideline for programmable electronic systems related to PESSRAL and PESSRAE
[Technical Report]
Introduction
Systems comprised of electrical and/or electronic elements have been used for many years to perform
safety functions in most application sectors. Computer-based systems, generically referred to as
programmable electronic systems, are being used in many application sectors to perform non-safety
functions and, increasingly, to perform safety functions. If computer system technology is to be effectively
and safely exploited, it is essential that those responsible for making decisions have sufficient guidance
on the safety aspects on which to make these decisions. In most situations, safety is achieved by a number
of protective systems that rely on many technologies (for example mechanical, hydraulic, pneumatic,
electrical, electronic, programmable electronic). Any safety strategy must therefore consider not only
all the components within an individual system (for example sensors, controlling devices and actuators)
but also all the safety-related elements making up the total combination of safety-related systems.
This International Standard is based upon the guidelines provided in the generic International
Electrotechnical Commission (IEC) Standard IEC 62061 and Comité Européen de Normalisation (CEN) Standard
EN 115-1:2008.
The requirements given in this International Standard recognize the fact that the product family covers a
total range of escalators and moving walks used in residential buildings, offices, hospitals, hotels,
industrial plants, etc. This International Standard is the product family standard for escalators and
moving walks and takes precedence over all aspects of the generic standard.
This International Standard sets out the product specific requirements for systems comprised of
programmable electronic elements that are used to perform safety functions in escalators and moving
walks. This International Standard has been developed in order that consistent technical and
performance requirements and rationale be specified for Programmable Electronic System in Safety-
Related Application for Escalators and moving walks (PESSRAE).
Risk analysis, terminology, and technical solutions have been considered taking into account the
methods of the IEC 61508 series of standards. The risk analysis of each safety function specified in
Table 1 resulted in the classification of electric safety functions applied to PESSRAE. Tables 1 and 2 give
the safety integrity level and functional requirements, respectively, for each electric safety function.
The safety integrity levels (SIL) specified in this International Standard may also be applied to other
technologies used to satisfy the safety functions specified in this International Standard.
Harmonization with national escalator and moving walk norms:
Application of this International Standard:
The application of this International Standard is intended to be by reference within a national escalator
and moving walk norm such as escalator and moving walk codes, standards, or laws. There are three
reasons for this.
— To allow selective reference by national norms to specific escalator and moving walk safety functions
described in this International Standard. Not all escalator and moving walk safety functions
identified in this International Standard are called out in every national norm.
— To allow for future harmonization of national norms with escalator and moving walk safety
functions identified in this International Standard. Because there exist some differences in the
requirements for fulfilment of the safety objective of national escalator and moving walk norms and
in national practice of escalator and moving walk use and maintenance, there are instances where
the requirements for escalator and moving walk safety functions described in this International
Standard are based on the consensus work and agreement by the ISO committee responsible for this
International Standard. National bodies may choose to selectively harmonize with those escalator
and moving walk safety functions that differ in the requirements called for by the existing national
norm in future norm revisions.
— To allow for the application of this International Standard where escalator and moving walk safety
functions are new or deviate from those specified in this International Standard. More and more,
national escalator and moving walk legislations are moving to performance based requirements.
For this reason the development of new or different escalator and moving walk safety functions
can be foreseen in product specific applications. For those who require escalator and moving walk
safety functions that are new or different from those specified in this International Standard,
this International Standard provides a verifiable method to establish the necessary level of safety
integrity for those functions.
INTERNATIONAL STANDARD ISO DIS 22201-2:2015(E)
Lifts (elevators), escalators and moving walks —
Programmable electronic systems in safety related
applications —
Part 2:
Escalators and moving walks (PESSRAE)
1 Scope
1.1 This International Standard is applicable to the product family of escalators and moving walks used
in residential buildings, offices, hospitals, hotels, industrial plants, etc. This International Standard covers
those aspects that need to be addressed when programmable electronic systems are used to carry out electric
safety functions for escalators and moving walks (PESSRAE). This International Standard is applicable
for escalator and moving walk safety functions that are identified in escalator and moving walk codes,
standards, or laws that reference this International Standard for PESSRAE application. The safety integrity
levels (SILs) specified in this International Standard are understood to be valid for PESSRAE application in
the context of the referenced escalator and moving walk codes, standards, and laws in Annex B.
1.2 This International Standard is also applicable for the application of PESSRAE that are new or deviate
from those described in this International Standard.
1.3 The requirements of this International Standard regarding electrical safety/protective devices
are such that it is not necessary to take into consideration the possibility of a failure of an electric
safety/protective device complying with all the requirements of this International Standard and other
relevant standards.
In particular, this International Standard:
a) uses safety integrity levels (SIL) for specifying the target failure rate for the safety functions to be
implemented by the PESSRAE;
b) specifies the requirements for achieving safety integrity for a function but does not specify who is
responsible for implementing and maintaining the requirements (for example, designers, suppliers,
owner/operating company, contractor); this responsibility is assigned to different parties according
to safety planning and national regulations;
c) applies to PE systems used in escalator and moving walk applications that meet the minimum
requirements of a recognized escalator and moving walk standard such as EN 115, ASME
A17.1/CSA B44, or escalator and moving walk laws such as The Japan Building Standard Law
Enforcement Order For Elevator and Escalator;
d) defines the relationship between this International Standard and IEC 61508 and defines the
relationship between this International Standard and the EMC Standard for Escalators and moving
walks on immunity, ISO 22200;
e) outlines the relationship between escalator and moving walk safety functions and their safe-
state conditions;
f) applies to phases and activities that are specific to design of hardware and software but not those
phases and activities which occur post design, for example sourcing and manufacturing;
h) provides requirements relating to the hardware and software safety validation;
i) establishes the safety integrity levels for specific escalator and moving walk safety functions;
j) specifies techniques/measures required for achieving the specified safety integrity levels;
k) defines a maximum level of performance (SIL 3) which can be achieved for a PESSR-AE according to
this International Standard and defines a minimum level of performance (SIL 1).
1.4 This International Standard does not cover:
a) hazards arising from the PE systems equipment itself such as electric shock etc.;
b) the concept of fail-safe that may be of value when the failure modes are well defined and the level
of complexity is relatively low. The concept of fail-safe was considered inappropriate because of the
full range of complexity of PESSR-AE that are within the scope of this International Standard;
c) other relevant requirements necessary for the complete application of a PESSR-AE in an escalator and
moving walk safety function such as system integration specifications, temperature and humidity,
the mechanical construction, mounting and labelling of switches, actuators, or sensors that contain
PESSR-AE. These requirements are to be carried out in accordance with the national escalator and
moving walk norm that references this International Standard.
d) foreseeable misuse involving security threats related to malevolent or unauthorized action. In cases
where a security threat analysis needs to be considered this standard may be used, provided the
specified SIL has been reassessed.
3 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
IEC 61508-1:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 1: General Requirements
IEC 61508-2:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 3: Software requirements
IEC 61508-4:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 4: Definitions and abbreviations
IEC 61508-5:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 5: Example of methods for the determination of Safety Integrity Levels
ISO 22200, Electromagnetic compatibility — Product family standard for lifts, escalators and moving
walks — Immunity
IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and
programmable electronic control systems
4 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 61508-4 apply, except that the
definitions in this International Standard take precedence over those in the generic standard.
4.1
non-SIL relevant safe-state requirement
required response to the actuation of a SIL rated safety function where the function performing this
response is not required to be SIL rated
Note 1 to entry: See Figure 4 and Table 2.
4.2
programmable electronic
based on computer technology which may be comprised of hardware, software, and of input
and/or output units
NOTE This term covers microelectronic devices based on one or more central processing units
(CPUs) together with associated memories, etc.
EXAMPLE The following are all programmable electronic devices:
– microprocessors;
– micro-controllers;
– programmable controllers;
– field programmable gate array (FPGA);
– application specific integrated circuits (ASICs);
– programmable logic controllers (PLCs);
– other computer-based devices (for example smart sensors, transmitters, actuators).
4.3
programmable electronic system
PE systems
system for control, protection or monitoring based on one or more programmable electronic devices,
including all elements of the system such as power supplies, sensors and other input devices, data
highways and other communication paths, and actuators and other output devices
Note 1 to entry: See Figure 1.
Note 2 to entry: A PE systems may perform functions that fulfil requirements for SIL rated and non-SIL rated
function(s). The SIL rating of a function is only required to consider that portion of PE systems that perform the SIL
relevant functional requirements.
[Figure 1: block diagram showing the extent of PE systems: input devices (for example, sensors), input interfaces (for example, A-D converters), programmable electronics (PE) (see note), communications, output interfaces (for example, D-A converters), and output devices/final elements (for example, actuators).]
NOTE The programmable electronics are shown centrally located but could exist at several places in the PE
systems.
Figure 1 — Basic PE systems structure
4.4
Programmable Electronic Systems in Safety-Related Applications for Escalators and moving walks
PESSR-AE
application of a software-based PE systems in a safety-related system for escalators and moving walks
4.5
proof test
periodic test performed to detect dangerous hidden failures in a safety-related system so that, if necessary, a
repair can restore the system to an “as new” condition or as close as practical to this condition.
NOTE 1 In this standard the term “proof test” is used but it is recognised that a synonymous term is “periodical test”.
NOTE 2 The effectiveness of the proof test will be dependent both on failure coverage and repair effectiveness. In practice detecting 100%
of the hidden dangerous failures is not easily achieved for other than low-complexity E/E/PE safety-related systems. This should be the
target. As a minimum, all the safety functions which are executed are checked according to the E/E/PE system safety requirements
specification. If separate channels are used, these tests are done for each channel separately. For complex elements, an analysis may
need to be performed in order to demonstrate that the probability of hidden dangerous failure not detected by proof tests is negligible over
the whole life duration of the E/E/PE safety related system.
NOTE 3 A proof test needs some time to be achieved. During this time the E/E/PE safety related system may be inhibited partially or
completely. The proof test duration can be neglected only if the part of the E/E/PE safety related system under test remains available in
case of a demand for operation or if the EUC is shut down during the test.
NOTE 4 During a proof test, the E/E/PE safety related system may be partly or completely unavailable to respond to a demand for
operation. The MTTR can be neglected for SIL calculations only if the EUC is shut down during repair or if other risk measures are put in
place with equivalent effectiveness.
4.6
safety circuit
total combination of safety devices that fulfil all or a group of escalator and moving walk safety functions
Note 1 to entry: See Figure 2
[Figure 2: a safety circuit made up of Safety Device 1 (Function 1), Safety Device 2 (Function 2), Safety Device n (Function n) and Safety Device (n + 1) (Function (n + 1)), together covering all or a group of required safety functions (see Table 1).]
Figure 2 — Safety circuit
4.7
safety device
part of the safety-related system, including necessary control circuits, that has been designated to
achieve, in its own right, an escalator and moving walk safety function and may consist of PE system
elements and non-PE system elementsNote 1 to entry: See Figure 3 and Ta ble 1.
PE system elements Non- PE system
elements
Figure 3 — Safety Device
4.8
safety function
function to be implemented by a safety-related system, which is intended to achieve or maintain a safe-
state of the escalator and moving walk, with respect to a specific hazardous event
Note 1 to entry: See Table 1.
Note 2 to entry: A safety function may include non-SIL relevant requirements, see Table 2.
4.9
safety-related system
consists of one or more safety devices performing one or more safety functions that may be based
on programmable electronic (PE), electrical, electronic and/or mechanical elements of the
escalator and moving walk
Note 1 to entry: The term includes all the hardware, software and supporting services (for example, power
supplies) necessary to carry out the specified safety function (sensors, other input devices, final elements
(actuators) and other output devices are therefore included in the safety-related system).
4.10
safety integrity level
SIL
discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety
functions to be allocated to the programmable electronic safety-related system, where safety integrity
level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest. The SIL is
indicative of a failure rate that includes all causes of failures (both random hardware failures and
systematic failures), which lead to an unsafe state, for example hardware failures, software induced
failures and failures due to electrical interference
Note 1 to entry: In the context of this International Standard, SIL 3 is the highest safety integrity level that is
applied to escalators and moving walks.
4.11
SIL Relevant Safe-State Requirement
part of the safety-related system where the specified SIL of the function is required to be met
Note 1 to entry: See Figure 4 and Table 2.
[Figure 4: an escalator and moving walk safety function divided into SIL relevant safe-state requirement(s) and non-SIL relevant safe-state requirement(s).]
Figure 4 — Escalator and moving walk safety function
4.12
...
DRAFT INTERNATIONAL STANDARD
ISO/DIS 22201-2
ISO/TC 178
Secretariat: AFNOR
Voting begins on: 2016-01-04
Voting terminates on: 2016-04-04
Lifts (elevators), escalators and moving walks —
Programmable electronic systems in safety related
applications —
Part 2:
Escalators and moving walks (PESSRAE)
ICS: 91.140.90
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE
SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD
UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL,
COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION
HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE
SUPPORTING DOCUMENTATION.
Reference number ISO/DIS 22201-2:2016(F)
ISO 2016
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Requirements
5.1 General
5.2 Extended application of this International Standard
5.3 Safety function SIL requirements
5.4 SIL relevant and non-SIL relevant safe state requirements
5.5 Implementation and demonstration requirements for verification of SIL compliance
Annex A (normative) Techniques and measures to implement, verify, and maintain SIL compliance
Annex B (informative) Applicable escalator and moving walk codes, standards, and laws
Annex C (informative) Example of risk reduction decision table
Bibliography
COPYRIGHT PROTECTED DOCUMENT
© ISO 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized
in any form or by any means, electronic or mechanical, including photocopying, or posting on the
internet or an intranet, without prior written permission. Permission can be requested from either ISO at
the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of intellectual property rights or similar rights. ISO shall not be held responsible for failing to identify such rights or to give notice of their existence. Details of any intellectual property rights or similar rights identified during the development of the document are given in the Introduction and/or in the list of patent declarations received by ISO (see www.iso.org/brevets).
Any trade names mentioned in this document are given for information, for the convenience of users, and do not constitute an endorsement.
The committee responsible for this document is ISO/TC 178, Lifts, escalators and moving walks.
ISO 22201 consists of the following parts, under the general title Lifts (elevators), escalators and moving walks — Programmable electronic systems in safety related applications:
— Part 1: Lifts (elevators) (PESSRAL)
— Part 2: Escalators and moving walks (PESSRAE)
— Part 3: Life cycle guidelines for programmable electronic systems related to PESSRAL and PESSRAE [Technical Report]
Introduction
Systems comprised of electrical and/or electronic elements have been used for many years to perform safety functions in most application sectors. Computer-based systems, generally referred to as programmable electronic systems, are used in many application sectors to perform functions that are not safety-related and, increasingly, to perform safety functions. If computer technology is to be exploited effectively and safely, it is essential that those responsible for making decisions are sufficiently informed about the safety aspects before making any decision concerning them.
In most cases, safety is achieved by a number of protective systems that rely on many technologies (for example, mechanical, hydraulic, pneumatic, electrical, electronic and programmable electronic). Any safety strategy must therefore take into account not only all the components of an individual system (for example, sensors, controlling devices and actuators) but also the safety-related elements that together make up the complete set of safety-related systems.
This International Standard is based on the guidelines of the generic standard IEC 62061 of the International Electrotechnical Commission (IEC) and of EN 115-1:2008 of the European Committee for Standardization (CEN).
The requirements of this International Standard assume that the product family covers a complete range of escalators and moving walks used in residential buildings, offices, hospitals, hotels, industrial buildings, etc. This International Standard is the product family standard for escalators and moving walks and takes precedence over all aspects of the generic standard.
This International Standard sets out the product-specific requirements for systems comprised of a programmable electronic element that are used to perform safety functions in escalators and moving walks. It has been developed to specify uniform technical and performance requirements, together with a rationale, for programmable electronic systems used in safety-related applications for escalators and moving walks (PESSRAE).
The risk analysis, terminology and technical solutions take into account the methods of the IEC 61508 series of standards. The risk analysis of each safety function specified in Table 1 was used to establish the classification of electrical safety functions applied to PESSRAE. Tables 1 and 2 give the safety integrity level and the functional requirements corresponding to each electrical safety function.
The safety integrity levels (SIL) defined in this International Standard can also be applied to other technologies used to perform the safety functions specified in this International Standard.
Harmonization with national normative documents for escalators and moving walks:
Application of this International Standard:
This International Standard is intended to be applied by means of a reference in a national normative document for escalators and moving walks, such as an escalator and moving walk code, standard or law. There are three reasons for this:
— to allow national normative documents to refer selectively to certain escalator and moving walk safety functions described in this International Standard. Not all national normative documents refer to all the escalator and moving walk safety functions identified in this International Standard;
— to allow future harmonization of national normative documents with the escalator and moving walk safety functions identified in this International Standard. Given the differences between, on the one hand, the requirements for meeting the safety objective in national normative documents for escalators and moving walks and, on the other hand, national practice in the use and maintenance of escalators and moving walks, in some cases the requirements defined by this International Standard for escalator and moving walk safety functions are the result of consensus and agreement reached within the ISO committee responsible for developing this International Standard. For future revisions of normative documents, national bodies may decide to harmonize only some of the escalator and moving walk safety functions, namely those for which the requirements set by the existing national normative document differ;
— to allow this International Standard to be applied when escalator and moving walk safety functions are developed that are new or different from those specified in this International Standard. National legislation on escalators and moving walks relies increasingly on performance-based requirements. For this reason, the development of new or different safety functions for escalators and moving walks can be anticipated in product-specific applications. Where escalator and moving walk safety functions that are new or different from those defined in this International Standard prove necessary, this International Standard provides a verifiable method for establishing the safety integrity level required for those functions.
Lifts (elevators), escalators and moving walks — Programmable
electronic systems in safety related applications —
Part 2: Escalators and moving walks
(PESSRAE)
1 Scope
1.1 This International Standard applies to the product family of escalators and moving walks used in residential buildings, offices, hospitals, hotels, industrial buildings, etc. It covers the aspects that need to be addressed when programmable electronic systems are used to perform electrical safety functions for escalators and moving walks (PESSRAE). This International Standard applies to the escalator and moving walk safety functions identified in escalator and moving walk codes, standards and laws that reference this International Standard for the application of PESSRAE. The safety integrity levels (SIL) defined in this International Standard are considered valid for the application of PESSRAE within the escalator and moving walk codes, standards and laws referenced in Annex B.
1.2 This International Standard also applies to PESSRAE that are new or that deviate from those described in this International Standard.
1.3 The requirements of this International Standard regarding electrical safety/protective devices are such that the possibility of a failure of an electrical safety/protective device complying with all the requirements of this International Standard and of other applicable standards need not be taken into account.
In particular, this International Standard:
a) uses safety integrity levels (SIL) to specify the target failure rate for the safety functions to be performed by the PESSRAE;
b) specifies the requirements for ensuring the safety integrity of a function, but does not specify who is responsible for implementing and maintaining compliance with the requirements (for example, designers, suppliers, owner/operating company, contractor); this responsibility falls to different parties, according to the safety plan and national regulations;
c) applies to PE systems used in escalator and moving walk applications that meet the minimum requirements of a recognized escalator and moving walk standard, such as EN 115 or ASME A17.1/CSA B44, or of escalator and moving walk legislation, such as the Enforcement Order of the Building Standard Law (the Japanese law on building standards) for lifts and escalators;
d) defines the relationship between this International Standard and the IEC 61508 series of standards, and the relationship between this International Standard and the electromagnetic compatibility standard on immunity for escalators and moving walks, ISO 22200;
e) explains the relationship between escalator and moving walk safety functions and their safe-state conditions;
f) applies to the phases and activities specific to the design of hardware and software, but not to the phases and activities that follow design, for example procurement and manufacturing;
h) provides the requirements relating to the safety validation of hardware and software;
i) defines the safety integrity levels for specific escalator and moving walk safety functions;
j) specifies the techniques/measures required to achieve the specified safety integrity levels;
k) defines a maximum level of performance (SIL 3) that can be achieved by a PESSRAE according to this International Standard, and a minimum level of performance (SIL 1).
1.4 This International Standard does not cover:
a) hazards arising from the PE systems themselves, such as electric shock, etc.;
b) the concept of fail-safe, which can be of value when the failure modes are well defined and the level of complexity is relatively low. The concept of fail-safe was considered inappropriate because of the high complexity of the PESSRAE that fall within the scope of this International Standard;
c) other relevant requirements necessary for the complete implementation of a PESSRAE in an escalator and moving walk safety function, such as system integration specifications, temperature and humidity, mechanical construction, and the mounting and labelling of switches, actuators or sensors with PESSRAE. These requirements shall be met in accordance with the national normative document for escalators and moving walks that references this International Standard;
d) foreseeable misuse involving security threats related to malevolent or unauthorized actions. Where a security threat analysis needs to be considered, this standard may be used, provided that the specified SIL is re-evaluated.
2 Normative references
The following documents, in whole or in part, are normative references indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
IEC 61508-1:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 1: General requirements
IEC 61508-2:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 3: Software requirements
IEC 61508-4:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 4: Definitions and abbreviations
IEC 61508-5:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 5: Examples of methods for the determination of safety integrity levels
ISO 22200, Electromagnetic compatibility — Product family standard for lifts, escalators and moving walks — Immunity
IEC 62061, Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 61508-4 apply, but the definitions in this International Standard take precedence over those of the generic standard.
3.1
non-SIL-rated safe-state requirement
required response to the activation of a SIL-rated safety function, for which the function providing that response does not need to meet a SIL
Note 1 to entry: See Figure 4 and Table 2.
3.2
programmable electronic
based on computer technology, which can comprise hardware, software and input and/or output units
Note 1 to entry: This term covers microelectronic devices based on one or more central processing units (CPUs) together with associated memories, etc.
EXAMPLE The following are all programmable electronic devices:
— microprocessors;
— microcontrollers;
— programmable controllers;
— field-programmable gate arrays (FPGA);
— application-specific integrated circuits (ASIC);
— programmable logic controllers (PLC);
— other computer-based devices (for example, smart sensors, transmitters, actuators).
3.3
programmable electronic system
PE system
system for control, protection or monitoring based on one or more programmable electronic devices. This term covers all elements of the system, such as the power supply, sensors and other input devices, data highways and other communication paths, and actuators and other output devices
Note 1 to entry: See Figure 1.
Note 2 to entry: A PE system can perform functions that meet the requirements of one or more SIL-rated or non-SIL-rated functions. The SIL classification of a function is needed only to take into account the part of the PE system that meets the SIL-rated functional requirements.
Key
1 Extent of a PE system
2 Input interfaces (for example, analogue-to-digital converters)
3 Communications
4 Output interfaces (for example, digital-to-analogue converters)
5 Programmable electronics (PE) (see NOTE)
6 Input devices (for example, sensors)
7 Output devices/final elements (for example, actuators)
NOTE The programmable electronics are shown centrally located, but they can be located at different places in the PE system.
Figure 1 — Basic structure of a PE system
3.4
programmable electronic system in safety-related applications for escalators and moving walks
PESSRAE
use of a software-based PE system in a safety-related system intended for escalators and moving walks
3.5
periodic test
periodic test intended to detect hidden dangerous failures in a safety-related system so that, if necessary, a repair can restore the system to an "as new" condition or to a condition as close as possible to it
Note 1 to entry: This standard uses the term "periodic test", but it is recognized that "proof test" is a synonymous term.
Note 2 to entry: The effectiveness of the periodic test depends on both the failure coverage and the effectiveness of the repair. In practice, detecting 100 % of the hidden dangerous failures is not easy for anything other than low-complexity E/E/PE safety-related systems. This should be the target. As a minimum, all the safety functions that are executed are checked according to the E/E/PE system safety requirements specification. If separate channels are used, these tests are carried out separately for each channel. For complex elements, an analysis may be needed to demonstrate that the probability of a hidden dangerous failure not detected by periodic tests is negligible over the whole lifetime of the E/E/PE safety-related system.
Note 3 to entry: A periodic test takes a certain amount of time to carry out. During this period, the E/E/PE safety-related system may be partially or totally inhibited. The duration of the periodic test may be disregarded only if the part of the E/E/PE safety-related system under test remains available in the event of a demand for operation, or if the equipment under control is shut down during the test.
Note 4 to entry: During a periodic test, the E/E/PE safety-related system may be partially or totally unavailable to respond to a demand for operation. The MTTR (mean time to repair) may be disregarded in SIL calculations only if the equipment under control is shut down during the repair or if external risk reduction devices are installed and provide equivalent effectiveness.
3.6
safety circuit
combination of all
...