Lifts (elevators) - Design and development of programmable electronic systems in safety-related applications for lifts (PESSRAL)

ISO 22201:2009 is applicable to the product family of passenger and goods/passenger lifts used in residential buildings, offices, hospitals, hotels, industrial plants, etc. ISO 22201:2009 covers those aspects that it is necessary to address when programmable electronic systems are used to carry out electric safety functions for lifts (PESSRAL). ISO 22201:2009 is applicable for lift-safety functions that are identified in lift codes, standards or laws that reference ISO 22201:2009 for PESSRAL. The SILs specified in ISO 22201:2009 are understood to be valid for PESSRAL in the context of the referenced lift codes, standards and laws. ISO 22201:2009 is also applicable for PESSRAL that are new or deviate from those described in ISO 22201:2009. The requirements of ISO 22201:2009 regarding electrical safety/protective devices are such that it is not necessary to take into consideration the possibility of a failure of an electric safety/protective device complying with all the requirements of the standard. ISO 22201:2009 does not cover hazards arising from the PES equipment itself, such as electric shock etc.; the concept of fail-safe, which can be of value when the failure modes are well defined and the level of complexity is relatively low; the concept of fail-safe is considered inappropriate because of the full range of complexity of the PESSRAL that are within the scope of ISO 22201:2009; and other relevant requirements necessary for the complete application of a PESSRAL in a lift-safety function, such as the mechanical construction, mounting and labelling of switches, actuators, or sensors that contain the PESSRAL. It is necessary that these requirements be carried out in accordance with the national lift standard that references ISO 22201:2009.

Ascenseurs — Conception et mise au point des systèmes électroniques programmables dans les applications liées à la sécurité des ascenseurs (PESSRAL)

General Information

Status: Withdrawn
Publication Date: 04-Jan-2009
Withdrawal Date: 04-Jan-2009
Current Stage: 9599 - Withdrawal of International Standard
Start Date: 23-Feb-2017
Completion Date: 13-Dec-2025

Standard
ISO 22201:2009 - Lifts (elevators) -- Design and development of programmable electronic systems in safety-related applications for lifts (PESSRAL)
English language
44 pages

Frequently Asked Questions

ISO 22201:2009 is a standard published by the International Organization for Standardization (ISO). Its full title is "Lifts (elevators) - Design and development of programmable electronic systems in safety-related applications for lifts (PESSRAL)". This standard covers: ISO 22201:2009 is applicable to the product family of passenger and goods/passenger lifts used in residential buildings, offices, hospitals, hotels, industrial plants, etc. ISO 22201:2009 covers those aspects that it is necessary to address when programmable electronic systems are used to carry out electric safety functions for lifts (PESSRAL). ISO 22201:2009 is applicable for lift-safety functions that are identified in lift codes, standards or laws that reference ISO 22201:2009 for PESSRAL. The SILs specified in ISO 22201:2009 are understood to be valid for PESSRAL in the context of the referenced lift codes, standards and laws. ISO 22201:2009 is also applicable for PESSRAL that are new or deviate from those described in ISO 22201:2009. The requirements of ISO 22201:2009 regarding electrical safety/protective devices are such that it is not necessary to take into consideration the possibility of a failure of an electric safety/protective device complying with all the requirements of the standard. ISO 22201:2009 does not cover hazards arising from the PES equipment itself, such as electric shock etc.; the concept of fail-safe, which can be of value when the failure modes are well defined and the level of complexity is relatively low; the concept of fail-safe is considered inappropriate because of the full range of complexity of the PESSRAL that are within the scope of ISO 22201:2009; and other relevant requirements necessary for the complete application of a PESSRAL in a lift-safety function, such as the mechanical construction, mounting and labelling of switches, actuators, or sensors that contain the PESSRAL. 
It is necessary that these requirements be carried out in accordance with the national lift standard that references ISO 22201:2009.

ISO 22201:2009 is classified under the following ICS (International Classification for Standards) categories: 91.140.90 - Lifts. Escalators. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO 22201:2009 has the following relationships with other standards: it has inter-standard links to ISO 22201-1:2017. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

Standards Content (Sample)


INTERNATIONAL STANDARD ISO 22201
First edition 2009-01-15
Lifts (elevators) — Design and development of programmable electronic systems in safety-related applications for lifts (PESSRAL)
Ascenseurs — Conception et mise au point des systèmes électroniques programmables dans les applications liées à la sécurité des ascenseurs (PESSRAL)

©  ISO 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Conformance
3 Normative references
4 Terms and definitions
5 Symbols and abbreviated terms
6 Requirements
6.1 General
6.2 Extended application of this International Standard
6.3 Safety function SIL requirements
6.4 SIL-relevant and non-SIL-relevant safe-state requirements
6.5 Implementation and demonstration requirements for verification of SIL compliance
Annex A (normative) Techniques and measures to implement, verify and maintain SIL compliance
Annex B (informative) Applicable lift codes, standards and laws
Annex C (informative) Example of a risk-reduction decision table
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 22201 was prepared by Technical Committee ISO/TC 178, Lifts, escalators and moving walks.

Introduction
The Working Group ISO/TC 178, WG8 has developed this International Standard as a result of ISO/TC 178
resolution 234/2004, document N 343. Systems comprised of electrical and/or electronic components have
been used for many years to perform safety functions in most application sectors. Computer-based systems,
generically referred to as programmable electronic systems (PES), are being used in many application sectors
to perform non-safety functions and, increasingly, to perform safety functions. In order to effectively and safely
exploit computer-system technology, it is essential that those responsible for making decisions have sufficient
guidance on the safety aspects on which to make these decisions. In most situations, safety is achieved by a
number of protective systems that rely on many technologies (for example mechanical, hydraulic, pneumatic,
electrical, electronic, programmable electronic). It is necessary that any safety strategy, therefore, consider
not only all the elements within an individual system (for example sensors, controlling devices and actuators)
but also all the safety-related subsystems making up the total combination of safety-related systems.
This International Standard is based upon the guidelines provided in the generic IEC 61508 series of
standards of the International Electrotechnical Commission (IEC) and EN 81 (all parts) of the Comité
Européen de Normalisation (CEN).
The requirements given in this International Standard recognize the fact that the product family covers a total
range of passenger and goods/passenger lifts used in residential buildings, offices, hospitals, hotels,
industrial plants, etc. This International Standard is the product family standard for lifts and takes
precedence over all aspects of the generic standard.
This International Standard sets out the product specific requirements for systems comprised of
programmable electronic components and programmable electronic systems (PES) that are used to perform
safety functions in lifts. This International Standard has been developed in order that consistent technical and
performance requirements and rationale be specified for programmable electronic systems in safety-related
applications for lifts (PESSRAL). Most of the specific measures in Clause A.2 have been copied from EN 81-1.
Risk analysis, terminology and technical solutions have been considered, taking into account the methods of
the IEC 61508 series of standards. The risk analysis of each safety function specified in Table 1 resulted in
the classification of electric safety functions applied to PESSRAL. Tables 1 and 2 give the safety integrity level
and functional requirements, respectively, for each electric safety function.
The safety-integrity levels (SIL) specified in this International Standard can also be applied to other
technologies used to satisfy the safety functions specified in this International Standard.
Within the context of the harmonization with national standards for lifts, the application of this International
Standard is intended to be by reference within a national lift standard, such as lift codes, standards or laws.
The reason for this is three-fold:
a) to allow selective reference by national standards to specific lift-safety functions described in this
International Standard; not all lift-safety functions identified in this International Standard are called out in
every national standard;
b) to allow for future harmonization of national standards with lift-safety functions identified in this
International Standard:
⎯ Because there exist some differences in the requirements for fulfilment of the safety objectives of
national lift standards and in national practice of lift use and maintenance, there are instances where
the requirements for lift-safety functions described in this International Standard are based on the
consensus work and agreement by the ISO committee responsible for this International Standard.
National bodies may choose to selectively harmonize with those lift-safety functions that differ in the
requirements called for by the existing national standard in future standard revisions.
⎯ It is important to note that more than 90 % of the safe-state requirements and more than 80 % of the
anticipated SIL requirements by the national standards referenced in this International Standard are
already harmonized with the requirements of the lift-safety functions specified in this International
Standard. The remainder is not harmonized for the reasons given above.
c) to allow for the application of this International Standard where lift-safety functions are new or deviate
from those specified in this International Standard. More and more, national lift legislations are moving to
performance-based requirements. For this reason, the development of new or different lift-safety
functions can be foreseen in product specific applications. For those who require lift-safety functions that
are new or different from those specified in this International Standard, this International Standard
provides a verifiable method to establish the necessary level of safety integrity for those functions.

INTERNATIONAL STANDARD ISO 22201:2009(E)

Lifts (elevators) — Design and development of programmable
electronic systems in safety-related applications for lifts
(PESSRAL)
1 Scope
This International Standard is applicable to the product family of passenger and goods/passenger lifts used in
residential buildings, offices, hospitals, hotels, industrial plants, etc. This International Standard covers those
aspects that it is necessary to address when programmable electronic systems are used to carry out electric
safety functions for lifts (PESSRAL). This International Standard is applicable for lift-safety functions that are
identified in lift codes, standards or laws that reference this International Standard for PESSRAL. The SILs
specified in this International Standard are understood to be valid for PESSRAL in the context of the
referenced lift codes, standards and laws in Annex B.
NOTE Within this International Standard, the UK term “lift” is used throughout instead of the US term “elevator”.
This International Standard is also applicable for PESSRAL that are new or deviate from those described in
this International Standard.
The requirements of this International Standard regarding electrical safety/protective devices are such that it is
not necessary to take into consideration the possibility of a failure of an electric safety/protective device
complying with all the requirements of this International Standard and other relevant standards.
In particular, this International Standard
a) uses safety integrity levels (SIL) for specifying the target failure measure for the safety functions
implemented by the PESSRAL;
b) specifies the requirements for achieving safety integrity for a function but does not specify who is
responsible for implementing and maintaining the requirements (for example, designers, suppliers,
owner/operating company, contractor); this responsibility is assigned to different parties according to
safety planning and national regulations;
c) applies to PES used in lift applications that meet the minimum requirements of a recognized lift standard
such as EN 81, ASME A17.1-2007/CSA B44-07, or lift laws such as the Japan Building Standard Law
Enforcement Order For Elevator and Escalator;
d) defines the relationship between this International Standard and IEC 61508 and defines the relationship
between this International Standard and the EMC standard for lifts on immunity, ISO 22200;
e) outlines the relationship between lift-safety functions and their safe-state conditions;
f) applies to phases and activities that are specific to design of software and related hardware but not to
those phases and activities that occur post-design, for example sourcing and manufacturing;
g) requires the manufacturer of the PESSRAL to provide instructions that specify what is necessary to
maintain the integrity of the PESSRAL (instruction manual) for the organization carrying out the assembly,
connections, adjustment and maintenance of the lift;
h) provides requirements relating to the software and hardware safety validation;
i) establishes the safety-integrity levels for specific lift-safety functions;
j) specifies techniques/measures required for achieving the specified safety-integrity levels;
k) provides risk-reduction decision tables for the application of PESSRALs;
l) defines a maximum level of performance (SIL 3) that can be achieved for a PESSRAL according to this
International Standard and defines a minimum level of performance (SIL 1).
This International Standard does not cover
⎯ hazards arising from the PES equipment itself, such as electric shock etc.;
⎯ the concept of fail-safe, which can be of value when the failure modes are well defined and the level of
complexity is relatively low; the concept of fail-safe is considered inappropriate because of the full range
of complexity of the PESSRAL that are within the scope of this International Standard;
⎯ other relevant requirements necessary for the complete application of a PESSRAL in a lift-safety function,
such as the mechanical construction, mounting and labelling of switches, actuators, or sensors that
contain the PESSRAL. It is necessary that these requirements be carried out in accordance with the
national lift standard that references this International Standard.
2 Conformance
To conform to this International Standard, it shall be shown that each of the requirements outlined in Clause 6
has been satisfied to the defined criteria and, therefore, the clause objective(s) has(have) been met.
3 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
IEC 61508-1:1999, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 1: General requirements
IEC 61508-2, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 3: Software requirements
IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 4: Definitions and abbreviations
IEC 61508-5, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 5: Example of methods for the determination of safety integrity levels
IEC 61508-7:2000, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 7: Overview of techniques and measures
ISO 22200, Electromagnetic compatibility — Product family standard for lifts, escalators and moving walks —
Immunity
IEC 60664-1:2007, Insulation coordination for equipment within low-voltage systems — Part 1: Principles,
requirements and tests
IEC 61249-2-1, Materials for printed boards and other interconnecting structures — Part 2-1: Reinforced base
materials, clad and unclad — Phenolic cellulose paper reinforced laminated sheets, economic grade, copper
clad
IEC 62326-1, Printed boards — Part 1: Generic specification
4 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 61508-4 and the following apply.
NOTE The definitions in this International Standard take precedence over those in the generic standard.
4.1
manually operated stopping device
stopping device that is intentionally, by human intervention, actuated and de-actuated (e.g. a toggle
switch, mushroom type, hand-operated switch)
4.2
non-manually operated stopping device
stopping device that is automatically actuated or de-actuated due to human intervention or detection
4.3
non-SIL-relevant safe-state requirement
required response to the actuation of an SIL-rated safety function where the function performing this response
is not required to be SIL rated
NOTE See Figure 4 and Table 2.
4.4
programmable electronic system
PES
system for control, protection or monitoring based on one or more programmable electronic devices, including
all elements of the system, such as power supplies, sensors and other input devices, data highways and other
communication paths, and actuators and other output devices
NOTE 1 See Figure 1.
NOTE 2 A PES may include elements that perform SIL-rated requirements and non-SIL-rated requirements. The SIL
rating is only required for those elements that perform the SIL-relevant functional requirements.
4.5
programmable electronic systems in safety-related applications for lifts
PESSRAL
application of a software based PES in a safety-related system for a lift
4.6
proof test
periodic test performed to detect failures in a safety-related system
NOTE Where separate channels are used, these tests are done for each channel separately.

Key
1 extent of PES
2 input interfaces (for example, D-A converters)
3 input devices (for example, sensors)
4 communications
5 programmable electronics (PEs)
6 output interfaces (for example, D-A converters)
7 output devices/final elements (for example, actuators)
a The programmable electronics are shown centrally located but could exist at several places in the PES.
Figure 1 — Basic PES structure
4.7
safety chain
total combination of safety devices that fulfil all or a group of lift safety functions
NOTE See Figure 2.
Key
1 safety device 1, function 1
2 safety device 2, function 2
3 safety device n, function n
4 safety device (n + 1), function (n + 1)
a All or a group of required lift-safety functions; see Table 1.
Figure 2 — Safety chain
4.8
safety device
part of the safety-related system, including necessary control circuits, that is designated to achieve, in its own
right, a lift-safety function and that may consist of PES elements and non-PES elements
NOTE See Figure 3 and Table 1.

Key
1 PES elements
2 non-PES elements
Figure 3 — Safety device
4.9
safety function
function implemented by a safety-related system that is intended to achieve or maintain a safe state of the lift
with respect to a specific hazardous event
NOTE 1 See Table 1.
NOTE 2 A safety function may include non-SIL-relevant requirements; see Table 2.
4.10
safety-related system
one or more safety devices performing one or more safety functions that may be based on programmable
electronic systems (PES), electrical, electronic and/or mechanical elements of the lift
4.11
safety integrity level
SIL
discrete level (one out of a possible four) for specifying the safety-integrity requirements of the safety functions
allocated to the programmable electronic safety-related system, where safety-integrity level 4 has the highest
level of safety integrity and safety-integrity level 1 has the lowest
NOTE 1 The SIL is indicative of a failure rate that includes all causes of failures (both random hardware failures and
systematic failures) that lead to an unsafe state, for example hardware failures, software-induced failures and failures due
to electrical interference.
NOTE 2 In the context of this International Standard, SIL 3 is the highest safety integrity level that shall be applied to
lifts.
4.12
SIL-relevant safe-state requirement
part of the safety-related system where it is necessary that the specified SIL of the function be met
NOTE See Figure 4 and Table 2.

Key
1 SIL-relevant safe-state requirement(s)
2 non-SIL-relevant safe-state requirement(s)
Figure 4 — Lift-safety function
4.13
system reaction time
sum of the following two values:
a) time period between the occurrence of a fault in the PESSRAL and the initiation of the corresponding
action on the lift;
b) time period for the lift to respond to the action, maintaining a safe state.
5 Symbols and abbreviated terms
ETSL Emergency terminal speed limiting
ETS Emergency terminal stopping
PCB Printed circuit board
6 Requirements
6.1 General
6.1.1 Table 1 defines the safety-function names, the associated lift functional description, applicable lift type
and required SIL for the SIL-relevant part of the safety function. A lift is permitted to operate without
interruption when safety functions are not actuated.
NOTE Safety functions refer to those lift functions that are identified in codes, standards and laws that reference this
International Standard for PESSRAL. (See Table B.1.)
6.1.2 Table 2 defines the safe-state requirements when the safety functions in Table 1 are actuated. If a
safety function should actuate, the safety function shall cause the lift system to revert to the safe-state
conditions specified by the requirements of Table 2.
6.1.3 PESSRAL shall consider the reaction time of the lift to respond to the safety function and internal fault
detection in the time necessary to achieve the safe-state condition without hazard. Methods that fulfil internal
fault detection shall consider the necessary system reaction time required by the SIL (see example).
EXAMPLE If an internal fault is detected by comparison of data in a two-channel system within the time necessary to
meet the system's reaction time, then it is not necessary to complete a variable-memory range test within the system
reaction time because the safety integrity is verified by the two-channel design.
6.2 Extended application of this International Standard
6.2.1 General
The requirements in 6.2.2 to 6.2.4 are provided to verify SILs and safe-state conditions for lift-safety functions
that are new or deviate from the requirements provided in 6.3 and 6.4, or are referenced by codes and
standards not harmonized with the requirements of codes, standards or laws referenced in Table B.1.
6.2.2 Risk assessment
Where alternatives to the requirements of 6.3 and/or 6.4 are sought, methods for the determination of the
required safety-integrity level shall be performed in accordance with IEC 61508-5. The same methods shall be
used to establish the rationale for a new PESSRAL function and corresponding SIL or a revised PESSRAL
function and/or SIL that deviate from the requirements of 6.3 and 6.4. The mean target failure frequency for
the worst-case severity of the consequence of any single potential hazard scenario shall not exceed a
frequency of 5 × 10⁻⁷/year. See also Annex C.
6.2.3 Limits for specifying SIL for PESSRAL
Target failure measures required for specifying a PES in a lift-safety-related function shall be no less than
SIL 1 and no greater than SIL 3. If a target failure measure requires a SIL higher than SIL 3, consideration
should be given to redesigning the system such that the required target-failure measure is satisfied with SIL 3
or less. If an SIL lower than SIL 1 is required, a non-SIL-rated PES may be used but it shall not be classified
as a PESSRAL. No PESSRAL shall have a SIL of less than SIL 1 even if it is applied to a safety function
requiring less than SIL 1.
Applications that require the use of a single safety function of safety integrity level 4 are not typically required
in the lift industry. Such applications shall be avoided because of the difficulty of achieving and maintaining
such high levels of performance throughout the life cycle of the safety device. If the analysis results in a safety
integrity level of 4 or higher being assigned to a lift-safety function, consideration shall be given to changing
the process design in such a way that it becomes more inherently safe or by adding additional layers of
protection. These enhancements can, perhaps, then reduce the safety-integrity-level requirements for the lift-
safety function. If the safety-integrity level cannot be reduced, the target failure measure for the safety function
shall be distributed across multiple PESSRAL of SIL 3 or less that are sufficiently independent and certified in
the application.
6.2.4 Safe-state requirements
For lift-safety functions that are new or differ from those specified in 6.3 and 6.4, the designer shall identify the
safe-state requirements in a manner similar to that in which they are described in Table 2.
6.3 Safety function SIL requirements
Table 1 provides the required SIL for each lift safety function. For further information, see Table B.1.
6.4 SIL-relevant and non-SIL-relevant safe-state requirements
Table 2 provides the required response of the lift to the lift safety functions of Table 1 and the SIL and non-SIL
relevant requirements for each response from actuation of that function. An “X” indicates the response is
required for the safe-state condition when the safety function actuates or where the PESSRAL detects an
internal fault condition. See corresponding notes where a numerical note reference value is used in place of
an “X” for further clarification of the required response.

Table 1 — Safety function SIL requirements
Id. number | Lift-safety function | Functional description | Lift type application | SIL
1 | Check final stopping limit positive drive | Detects that fewer than 1,5 turns of rope remain on the sheave or when the car has not reached top or bottom travel limit in the shaft and or that the rope is unwinding in the reverse direction | Positive drive (winding drum) | 1
2 | Check tension, suspension means | Detects loss of tension in the suspension means (e.g. rope or chain) | Positive drive (winding drum), hydraulic | 2
3 | Check for running motor generator | Detects loss of motor generator running condition | Traction | 1
4 | Check tension, compensation means | Detects loss of tension in the compensation means | Traction | 3
5 | Check compensation tie-down | Detects if the travel limits have been exceeded for the compensation tie-down means (anti-rebound) | Traction | 3
6 | Check motor field running current | Detects loss of DC hoist motor field running current | Traction | 1
7 | Check tension, final limit linkage | Detects loss of tension in the means for the linkage of transmission of car position for the final limit | Traction, hydraulic | 1
8 | Check tension, ETSL linkage | Detects loss of tension in the means for the linkage of transmission of car position for emergency terminal speed limiting (ETSL) | Traction | 2
9 | Check fully retracted working platform | Detects if working platform is fully retracted | All | 3
10(a,b,c,…i) ᵃ | Check manually operated stopping device | Detects if a manually operated stopping device (e.g. emergency stop switch) is actuated as applicable at car-top, pit, pulley room, docking operation, passenger/goods (freight) in-car, in-car, machine remote from the motion controller disconnect, machine spaces, control spaces, machine rooms, control rooms, equipment inspection and test access panels and inspection station | All | 3
10(i).1 ᵇ | Check non-manually operated stopping device | Detects if non-manually operated stopping device (e.g. switch) is actuated as applicable at pulley room | All | 1
10(a,d,g,h).2 ᵇ | Check non-manually operated stopping device | Detects if non-manually operated stopping device (e.g. switch) is actuated as applicable at passenger/goods (freight) in-car, pit, machinery spaces, equipment inspection, emergency and test panels | All | 2
10(e).3 ᵇ | Check non-manually operated stopping device | Detects if non-manually operated stopping device (e.g. switch) is actuated as applicable at inspection station | All | 3
11 | Check car safety gear | Detects if car safety gear has actuated | All | 1
12 | Check car over-speed (manual reset) | Detects car speed exceeding maximum limit set prior to or up to governor tripping speed; requires manual reset | All | 2
13 | Check reset of governor (manual type) | Detects if the governor is not in the reset position | All | 3
8 © ISO 2009 – All rights reserved

Table 1 (continued)
Id. number | Lift-safety function | Functional description | Lift type application | SIL
14 | Check tension in governor rope (or equivalent) | Detects loss of tension in the governor rope or car safety rope | All | 3
15 | Check car over-speed (automatic reset permitted) | Detects car speed exceeding the maximum limit set prior to or up to governor tripping speed; may be automatically reset | All | 2
16 | Check final limit (automatic or inspection) | Detects if car exceeds the final limit | All | 1
17 | Check for emergency terminal speed limit (ETSL) | Detects insufficient speed reduction in terminal zone where reduced stroke buffers are applied | Traction | 2
18 | Check tension in two suspension means | Detects loss of tension in a rope or chain in case of two ropes or a two-chain-type suspension | All | 1
19 | Check manual evacuation means | Detects that the manual means (e.g. wheel) for emergency evacuation is engaged with the machine | Traction, winding drum | 1
20 | Check the fully retracted position of the mechanical device | Detects the fully retracted (inactive) position of the mechanical device | All | 3
21 | Check proper inactive position of pit protection mechanical device | Detects proper full disengagement of inactive position of the mechanical device that provides clearance protection in pit | All | 3
22 | Check proper full engagement of the pit protection mechanical device | Detects proper full engagement of the mechanical device that provides clearance protection in pit | All | 3
23 | Check movable stops not fully retracted | Detects movable stops not fully retracted | All | 3
24 | Check movable stops not fully extended | Detects movable stops not fully extended | All | 3
25 | Check doors providing access to equipment inside hoistway | Detects open access doors providing access to equipment inside the hoistway | All | 2
26 | Check doors providing access from working area outside hoistway | Detects open access doors, access from working area outside hoistway | All | 2
27 | Check circuit-breaker release device | Detects activation of the device to release the circuit breaker contactor (replacement of main switch) | All | 2
28 | Check leveling and re-leveling | Detects if car position is outside the leveling zone, with open doors, during leveling, re-leveling, or electrical anti-creeping | All | 2
29 | Check tension, leveling zone position rope or equivalent | Detects loss of tension in the means for the linkage of transmission of car position for leveling zone | All | 2
30 | Check travel limit for docking operation | Detects if the car exceeds the position limits for docking operation | All | 2
31 | Check docking operation | Detects if docking operation is enabled | All | 2

Table 1 (continued)
Id. number | Lift-safety function | Functional description | Lift type application | SIL
32 | Check car/landing door bypass operation | Detects if bypass operation is activated for landing and car door device(s) | All | 3
33 | Check top of car inspection operation | Detects if top of car inspection operation is enabled | All | 3
34 | Check in-car inspection operation | Detects if in-car inspection operation is enabled | All | 3
35 | Check clamping device | Detects engaged clamping device | Hydraulic | 1
36 | Check emergency electrical operation | Detects if emergency electrical operation (such as machine room, machine space, control room, control space, inspection and test panel, working platform and pit operation) is enabled | All | 3
37 | Check equipment in-car access panel | Detects if equipment in-car access panel is not closed | All | 2
38 | Check ascending car over speed | Detects if maximum speed for an ascending car is exceeded | All | 2
39 | Check uncontrolled car movement | Detects uncontrolled movement of the car | All | 2
40 | Check pawl device | Detects if the position of the pawl device is not retracted | Hydraulic | 1
41 | Check buffer position of pawl device | Detects if the buffer is not in normal extended position where the pawl is used | Hydraulic | 3
42 | Check normal extended position of buffer | Detects if the buffer is not in the normal extended position | All | 3
43 | Check extended position of buffer mounted to safety device | Detects if the buffer mounted to safety device is not in normal extended position | All | 1
44 | Check unlocked car door(s) | Detects unlocked car door(s) | All | 2
45 | Check hoistway access operation | Detects if the hoistway access operation is enabled | All | 3
46 | Check hoistway inspection and emergency doors and traps | Detects if inspection or emergency hoistway doors or traps are not closed | All | 2
47 | Check pit door | Detects if pit access door is not closed | All | 2
48 | Check landing doors and panels | Detects unlocked position of landing doors and panels | All | 3
49 | Check car and landing doors and car and landing door panels | Detects if car or landing doors, or car or landing door panels are not closed | All | 3
50 | Check locked in-car inspection and emergency doors and traps | Detects if inspection or emergency doors or traps are unlocked in car or hoistway | All | 2
51 | Check emergency terminal stopping (ETS) | Detects if car is not decelerating when approaching the terminal landings | All | 1
ᵃ The letter designation on 10.x refers to stop switch location.
ᵇ The “.1”, “.2”, “.3” designation on 10 is consistent with the function SIL.

Table 2 — Safe-state requirements
NOTE   The definitions of the “Rx” are given at the end of the table.
Response columns, left to right:
Column 1: Removal of power from machine motor and brake (traction lifts), respectively, from motor and/or involved valve(s) (hydraulic lifts)
Column 2: Block (prevent) automatic operation of lift (R22)
Column 3: Limit the travel range
Column 4: Interrupt supply circuit to the coil of the circuit breaker contactor
Column 5: Transfer to inspection operation
Column 6: Limit the speed of the car
Column 7: Limit car movement to a direction
Column 8: Manual reset required
Column 9: Ignore “check car door is closed and / or locked”
Column 10: Ignore “check landing door is closed and / or locked”
Column 11: Block (prevent) automatic operation of the doors
Column 12: Block (prevent) docking operation
Column 13: Block (prevent) emergency electrical operation
Column 14: Block (prevent) anti-creep (hydraulic only)
Column 15: Block (prevent) in-car inspection operation
Column 16: Block (prevent) hoistway access operation
Column 17: Velocity profile stop and / or profile start permitted
Column 18: Activate signaling
Id | Lift safety functions | SIL relevant and Non-SIL-relevant responses (one entry per response column)
1 | Check final stopping limit positive drive | X — — — — — — X — — — — — — — — — —
2 | Check tension, suspension means | X — — — — — — — — — — — — — — — — —
3 | Check for running motor generator | X — — — — — — — — — — — — — — — — —
4 | Check tension, compensation means | X — — — — — — — — — — — — — — — — —
5 | Check compensation tie-down | X — — — — — — — — — — — — — — — — —
6 | Check motor field running current | X — — — — — — — — — — — — — — — — —
7 | Check tension, final limit linkage | X — — — — — — — — — — — — — — — — —
8 | Check tension, ETSL linkage | X — — — — — — — — — — — — — — — — —
9 | Check fully retracted working platform | R26 — X — — — — — — — — — — — — — — —
10 | Check manual (and non-manual) stop, stopping device | X — — — — — — — — — X — — — — — — —
11 | Check car safety gear | X — — — — — — — — — — — — — — — — —
12 | Check car over-speed (manual reset) | X — — — — — — X — — — — — — — — — —
13 | Check reset of governor (manual type) | X — — — — — — — — — — — — — — — — —
14 | Check tension in governor rope (or equivalent) | X — — — — — — — — — — — — — — — — —
Table 2 (continued)
NOTE   The definitions of the “Rx” are given at the end of the table.
Id | Lift safety functions | SIL relevant and Non-SIL-relevant responses (one entry per response column)
15 | Check car over-speed (automatic reset permitted) | X — — — — — — — — — — — — — — — — —
16 | Check final limit (automatic or inspection) | X — — — — — — R24 — — — — — — — — — —
17 | Check for emergency terminal speed limit (ETSL) | X — — — — — — — — — — — — — — — X —
18 | Check tension in two-suspension means | X — — — — — — — — — — — — — — — — —
19 | Check manual evacuation means | X — — — — — — — — — — — — — — — — —
20 | Check the fully retracted position of the mechanical device | X — — — — — — — — — — — — — — — — —
21 | Check proper inactive position of pit protection mechanical device | R27 — — — — — — — — — — — — — — — — —
22 | Check proper full engagement of the pit protection mechanical device | R29 — X — — R5 — — — — — — — — — — — —
23 | Check movable stops not fully retracted | R28 — — — — — — — — — — — — — — — — —
24 | Check movable stops not fully extended | R29 — — — — — — — — — — — — — — — — —
25 | Check doors providing access to equipment inside hoistway | X — — — — — — — — — — — — — — — — —
26 | Check doors providing access from working area outside hoistway | X — — — — — — — — — — — — — — — — —

Table 2 (continued)
NOTE   The definitions of the “Rx” are given at the end of the table.
Id | Lift safety functions | SIL relevant and Non-SIL-relevant responses (one entry per response column)
27 | Check circuit-breaker release device | — — X — — — — — — — — — — — — — —
28 | Check leveling and re-leveling | X — R4 — — R2 — — R3 R3 — — — — — — — —
29 | Check tension, leveling zone position rope or equivalent | X — — — — — — — — — — — — — — — — —
30 | Check travel limit for docking operation | X — R7 — — — — — R3 R3 — — — — — — — —
31 | Check docking operation | — X — — — R6 R8 — — — — — — — — — — —
32 | Check car/landing door bypass operation | — X — — — R10 — R9 R11 R12 X X — — — — — R31
33 | Check top of car inspection operation | — X R13,R20 — X R5 R14 — — — X X X X X X X —
34 | Check in-car inspection operation | — X R13 — X R5 R14 — — — X X X X X X —
35 | Check clamping device | R15 — — — — — R16 — — — — — — — — — — —
36 | Check emergency electrical operation | R17 X — — X R5 — — — — X R21 X — — X —
37 | Check equipment in-car access panel | X — — — — — — — — — — — — — — — — —
38 | Check ascending car over-speed | X — — — — — — X — — — — — — — — — —
39 | Check uncontrolled car movement | X — — — — — — X — — — — — — — — — —
40 | Check pawl device | R15 — — — — — R16 — — — — — — — — — — —
41 | Check buffer position of pawl device | R15 — — — — — R16 — — — — — — — — — — —
42 | Check normal extended position of buffer | R25 — — — — — — — — — — — — — — — — —
Table 2 (continued)
NOTE   The definitions of the “Rx” are given at the end of the table.
Id | Lift safety functions | SIL relevant and Non-SIL-relevant responses (one entry per response column)
43 | Check extended position of buffer mounted to safety device | X — — — — — — — — — — — — — — — — —
44 | Check unlocked car door(s) | X — — — — — — — — — — — — — — — — —
45 | Check hoistway access operation | — X X — — X R19 — R18 R18 X — X X — — — —
46 | Check hoistway inspection and emergency doors and traps | X — — — — — — — — — — — — — — — — —
47 | Check pit door | R30 — — — — — — — — — — — — — — — — —
48 | Check landing doors and panels | R23 — — — — X — — — — — — — — — — — —
49 | Check car and landing doors and car and landing door panels | R23 — — — — X — — — — — — — — — — — —
50 | Check locked in-car inspection and emergency doors and traps | X — — — — — — — — — — — — — — — — —
51 | Check emergency terminal stopping (ETSD) | X — — — — — — — — — — — — — — — — —
R1 If, after release of the safety gear, the over-speed governor does not automatically reset itself, an electric safety device shall
prevent the starting of the lift while the over-speed governor is not in the reset position.
R2 The car speed is limited to 0,8 m/sec maximum levelling and 0,3 m/sec maximum re-levelling.
R3 Ignore this check in the unlocking
...
