Lifts (elevators) — Design and development of programmable electronic systems in safety-related applications for lifts (PESSRAL)

ISO 22201:2009 is applicable to the product family of passenger and goods/passenger lifts used in residential buildings, offices, hospitals, hotels, industrial plants, etc. It covers those aspects that it is necessary to address when programmable electronic systems are used to carry out electric safety functions for lifts (PESSRAL). It is applicable for lift-safety functions that are identified in lift codes, standards or laws that reference ISO 22201:2009 for PESSRAL; the SILs it specifies are understood to be valid for PESSRAL in the context of the referenced lift codes, standards and laws. ISO 22201:2009 is also applicable for PESSRAL that are new or deviate from those it describes. Its requirements regarding electrical safety/protective devices are such that it is not necessary to take into consideration the possibility of a failure of an electric safety/protective device complying with all the requirements of the standard.

ISO 22201:2009 does not cover:
⎯ hazards arising from the PES equipment itself, such as electric shock etc.;
⎯ the concept of fail-safe, which can be of value when the failure modes are well defined and the level of complexity is relatively low, but is considered inappropriate because of the full range of complexity of the PESSRAL that are within the scope of ISO 22201:2009;
⎯ other relevant requirements necessary for the complete application of a PESSRAL in a lift-safety function, such as the mechanical construction, mounting and labelling of switches, actuators, or sensors that contain the PESSRAL. It is necessary that these requirements be carried out in accordance with the national lift standard that references ISO 22201:2009.

Ascenseurs — Conception et mise au point des systèmes électroniques programmables dans les applications liées à la sécurité des ascenseurs (PESSRAL)

General Information

Status: Withdrawn
Publication Date: 04-Jan-2009
Withdrawal Date: 04-Jan-2009
Current Stage: 9599 - Withdrawal of International Standard
Completion Date: 23-Feb-2017
Buy Standard

Standard
ISO 22201:2009 - Lifts (elevators) -- Design and development of programmable electronic systems in safety-related applications for lifts (PESSRAL)
English language
44 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO 22201
First edition
2009-01-15

Lifts (elevators) — Design and development of programmable electronic systems in safety-related applications for lifts (PESSRAL)

Ascenseurs — Conception et mise au point des systèmes électroniques programmables dans les applications liées à la sécurité des ascenseurs (PESSRAL)

Reference number
ISO 22201:2009(E)
© ISO 2009

ISO 22201:2009(E)
COPYRIGHT PROTECTED DOCUMENT


©  ISO 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2009 – All rights reserved

Contents
Foreword .... iv
Introduction .... v
1 Scope .... 1
2 Conformance .... 2
3 Normative references .... 2
4 Terms and definitions .... 3
5 Symbols and abbreviated terms .... 6
6 Requirements .... 6
6.1 General .... 6
6.2 Extended application of this International Standard .... 6
6.3 Safety function SIL requirements .... 7
6.4 SIL-relevant and non-SIL-relevant safe-state requirements .... 7
6.5 Implementation and demonstration requirements for verification of SIL compliance .... 15
Annex A (normative) Techniques and measures to implement, verify and maintain SIL compliance .... 17
Annex B (informative) Applicable lift codes, standards and laws .... 33
Annex C (informative) Example of a risk-reduction decision table .... 43
Bibliography .... 44

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 22201 was prepared by Technical Committee ISO/TC 178, Lifts, escalators and moving walks.

Introduction
The Working Group ISO/TC 178, WG8 has developed this International Standard as a result of ISO/TC 178
resolution 234/2004, document N 343. Systems comprised of electrical and/or electronic components have
been used for many years to perform safety functions in most application sectors. Computer-based systems,
generically referred to as programmable electronic systems (PES), are being used in many application sectors
to perform non-safety functions and, increasingly, to perform safety functions. In order to effectively and safely
exploit computer-system technology, it is essential that those responsible for making decisions have sufficient
guidance on the safety aspects on which to make these decisions. In most situations, safety is achieved by a
number of protective systems that rely on many technologies (for example mechanical, hydraulic, pneumatic,
electrical, electronic, programmable electronic). It is necessary that any safety strategy, therefore, consider
not only all the elements within an individual system (for example sensors, controlling devices and actuators)
but also all the safety-related subsystems making up the total combination of safety-related systems.
This International Standard is based upon the guidelines provided in the generic IEC 61508 series of
standards of the International Electrotechnical Commission (IEC) and EN 81 (all parts) of the Comité
Européen de Normalisation (CEN).
The requirements given in this International Standard recognize the fact that the product family covers a total
range of passenger and goods/passenger lifts used in residential buildings, offices, hospitals, hotels,
industrial plants, etc. This International Standard is the product family standard for lifts and takes
precedence over all aspects of the generic standard.
This International Standard sets out the product specific requirements for systems comprised of
programmable electronic components and programmable electronic systems (PES) that are used to perform
safety functions in lifts. This International Standard has been developed in order that consistent technical and
performance requirements and rationale be specified for programmable electronic systems in safety-related
applications for lifts (PESSRAL). Most of the specific measures in Clause A.2 have been copied from EN 81-1.
Risk analysis, terminology and technical solutions have been considered, taking into account the methods of
the IEC 61508 series of standards. The risk analysis of each safety function specified in Table 1 resulted in
the classification of electric safety functions applied to PESSRAL. Tables 1 and 2 give the safety integrity level
and functional requirements, respectively, for each electric safety function.
The safety-integrity levels (SIL) specified in this International Standard can also be applied to other
technologies used to satisfy the safety functions specified in this International Standard.
Within the context of the harmonization with national standards for lifts, the application of this International
Standard is intended to be by reference within a national lift standard such as lift codes, standards, or laws.
The reason for this is three-fold:
a) to allow selective reference by national standards to specific lift-safety functions described in this
International Standard; not all lift-safety functions identified in this International Standard are called out in
every national standard;
b) to allow for future harmonization of national standards with lift-safety functions identified in this
International Standard:
⎯ Because there exist some differences in the requirements for fulfilment of the safety objectives of
national lift standards and in national practice of lift use and maintenance, there are instances where
the requirements for lift-safety functions described in this International Standard are based on the
consensus work and agreement by the ISO committee responsible for this International Standard.
National bodies may choose to selectively harmonize with those lift-safety functions that differ in the
requirements called for by the existing national standard in future standard revisions.
⎯ It is important to note that more than 90 % of the safe-state requirements and more than 80 % of the
anticipated SIL requirements by the national standards referenced in this International Standard are
already harmonized with the requirements of the lift-safety functions specified in this International
Standard. The remainder is not harmonized for the reasons given above.
c) to allow for the application of this International Standard where lift-safety functions are new or deviate
from those specified in this International Standard. More and more, national lift legislations are moving to
performance-based requirements. For this reason, the development of new or different lift-safety
functions can be foreseen in product specific applications. For those who require lift-safety functions that
are new or different from those specified in this International Standard, this International Standard
provides a verifiable method to establish the necessary level of safety integrity for those functions.


Lifts (elevators) — Design and development of programmable
electronic systems in safety-related applications for lifts
(PESSRAL)
1 Scope
This International Standard is applicable to the product family of passenger and goods/passenger lifts used in
residential buildings, offices, hospitals, hotels, industrial plants, etc. This International Standard covers those
aspects that it is necessary to address when programmable electronic systems are used to carry out electric
safety functions for lifts (PESSRAL). This International Standard is applicable for lift-safety functions that are
identified in lift codes, standards or laws that reference this International Standard for PESSRAL. The SILs
specified in this International Standard are understood to be valid for PESSRAL in the context of the
referenced lift codes, standards and laws in Annex B.
NOTE Within this International Standard, the UK term “lift” is used throughout instead of the US term “elevator”.
This International Standard is also applicable for PESSRAL that are new or deviate from those described in
this International Standard.
The requirements of this International Standard regarding electrical safety/protective devices are such that it is
not necessary to take into consideration the possibility of a failure of an electric safety/protective device
complying with all the requirements of this International Standard and other relevant standards.
In particular, this International Standard
a) uses safety integrity levels (SIL) for specifying the target failure measure for the safety functions
implemented by the PESSRAL;
b) specifies the requirements for achieving safety integrity for a function but does not specify who is
responsible for implementing and maintaining the requirements (for example, designers, suppliers,
owner/operating company, contractor); this responsibility is assigned to different parties according to
safety planning and national regulations;
c) applies to PES used in lift applications that meet the minimum requirements of a recognized lift standard
such as EN 81, ASME A17.1-2007/CSA B44-07, or lift laws such as the Japan Building Standard Law
Enforcement Order For Elevator and Escalator;
d) defines the relationship between this International Standard and IEC 61508 and defines the relationship
between this International Standard and the EMC standard for lifts on immunity, ISO 22200;
e) outlines the relationship between lift-safety functions and their safe-state conditions;
f) applies to phases and activities that are specific to design of software and related hardware but not to
those phases and activities that occur post-design, for example sourcing and manufacturing;
g) requires the manufacturer of the PESSRAL to provide instructions that specify what is necessary to
maintain the integrity of the PESSRAL (instruction manual) for the organization carrying out the assembly,
connections, adjustment and maintenance of the lift;
h) provides requirements relating to the software and hardware safety validation;
i) establishes the safety-integrity levels for specific lift-safety functions;
j) specifies techniques/measures required for achieving the specified safety-integrity levels;
k) provides risk-reduction decision tables for the application of PESSRALs;
l) defines a maximum level of performance (SIL 3) that can be achieved for a PESSRAL according to this
International Standard and defines a minimum level of performance (SIL 1).
This International Standard does not cover
⎯ hazards arising from the PES equipment itself, such as electric shock etc.;
⎯ the concept of fail-safe, which can be of value when the failure modes are well defined and the level of
complexity is relatively low; the concept of fail-safe is considered inappropriate because of the full range
of complexity of the PESSRAL that are within the scope of this International Standard;
⎯ other relevant requirements necessary for the complete application of a PESSRAL in a lift-safety function,
such as the mechanical construction, mounting and labelling of switches, actuators, or sensors that
contain the PESSRAL. It is necessary that these requirements be carried out in accordance with the
national lift standard that references this International Standard.
2 Conformance
To conform to this International Standard, it shall be shown that each of the requirements outlined in Clause 6
has been satisfied to the defined criteria and, therefore, the clause objective(s) has(have) been met.
3 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
IEC 61508-1:1999, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 1: General requirements
IEC 61508-2, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 3: Software requirements
IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 4: Definitions and abbreviations
IEC 61508-5, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 5: Example of methods for the determination of safety integrity levels
IEC 61508-7:2000, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 7: Overview of techniques and measures
ISO 22200, Electromagnetic compatibility — Product family standard for lifts, escalators and moving walks —
Immunity
IEC 60664-1:2007, Insulation coordination for equipment within low-voltage systems — Part 1: Principles,
requirements and tests
IEC 61249-2-1, Materials for printed boards and other interconnecting structures — Part 2-1: Reinforced base
materials, clad and unclad — Phenolic cellulose paper reinforced laminated sheets, economic grade, copper
clad
IEC 62326-1, Printed boards — Part 1: Generic specification
4 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 61508-4 and the following apply.
NOTE The definitions in this International Standard take precedence over those in the generic standard.
4.1
manually operated stopping device
stopping device that is intentionally actuated and de-actuated by human intervention (e.g. a toggle switch
or a mushroom-type, hand-operated switch)
4.2
non-manually operated stopping device
stopping device that is automatically actuated or de-actuated due to human intervention or detection
4.3
non-SIL-relevant safe-state requirement
required response to the actuation of an SIL-rated safety function where the function performing this response
is not required to be SIL rated
NOTE See Figure 4 and Table 2.
4.4
programmable electronic system
PES
system for control, protection or monitoring based on one or more programmable electronic devices, including
all elements of the system, such as power supplies, sensors and other input devices, data highways and other
communication paths, and actuators and other output devices
NOTE 1 See Figure 1.
NOTE 2 A PES may include elements that perform SIL-rated requirements and non-SIL-rated requirements. The SIL
rating is only required for those elements that perform the SIL-relevant functional requirements.
4.5
programmable electronic systems in safety-related applications for lifts
PESSRAL
application of a software based PES in a safety-related system for a lift
4.6
proof test
periodic test performed to detect failures in a safety-related system
NOTE Where separate channels are used, these tests are done for each channel separately.


Key
1 extent of PES
2 input interfaces (for example, D-A converters)
3 input devices (for example, sensors)
4 communications
5 programmable electronics (PEs)
6 output interfaces (for example, D-A converters)
7 output devices/final elements (for example, actuators)
a The programmable electronics are shown centrally located but could exist at several places in the PES.
Figure 1 — Basic PES structure
4.7
safety chain
total combination of safety devices that fulfil all or a group of lift safety functions
NOTE See Figure 2.

Key
1 safety device 1, function 1
2 safety device 2, function 2
3 safety device n, function n
4 safety device (n + 1), function (n + 1)
a All or a group of required lift-safety functions; see Table 1.
Figure 2 — Safety chain
4.8
safety device
part of the safety-related system, including necessary control circuits, that is designated to achieve, in its own
right, a lift-safety function and that may consist of PES elements and non-PES elements
NOTE See Figure 3 and Table 1.

Key
1 PES elements
2 non-PES elements
Figure 3 — Safety device
4.9
safety function
function implemented by a safety-related system that is intended to achieve or maintain a safe state of the lift
with respect to a specific hazardous event
NOTE 1 See Table 1.
NOTE 2 A safety function may include non-SIL-relevant requirements; see Table 2.
4.10
safety-related system
one or more safety devices performing one or more safety functions that may be based on programmable
electronic systems (PES), electrical, electronic and/or mechanical elements of the lift
4.11
safety integrity level
SIL
discrete level (one out of a possible four) for specifying the safety-integrity requirements of the safety functions
allocated to the programmable electronic safety-related system, where safety-integrity level 4 has the highest
level of safety integrity and safety-integrity level 1 has the lowest
NOTE 1 The SIL is indicative of a failure rate that includes all causes of failures (both random hardware failures and
systematic failures) that lead to an unsafe state, for example hardware failures, software-induced failures and failures due
to electrical interference.
NOTE 2 In the context of this International Standard, SIL 3 is the highest safety integrity level that shall be applied to
lifts.
4.12
SIL-relevant safe-state requirement
part of the safety-related system where it is necessary that the specified SIL of the function be met
NOTE See Figure 4 and Table 2.

Key
1 SIL-relevant safe-state requirement(s)
2 non-SIL-relevant safe-state requirement(s)
Figure 4 — Lift-safety function
4.13
system reaction time
sum of the following two values:
a) time period between the occurrence of a fault in the PESSRAL and the initiation of the corresponding
action on the lift;
b) time period for the lift to respond to the action, maintaining a safe state.
5 Symbols and abbreviated terms
ETSL Emergency terminal speed limiting
ETS Emergency terminal stopping
PCB Printed circuit board
6 Requirements
6.1 General
6.1.1 Table 1 defines the safety-function names, the associated lift functional description, applicable lift type
and required SIL for the SIL-relevant part of the safety function. A lift is permitted to operate without
interruption when safety functions are not actuated.
NOTE Safety functions refer to those lift functions that are identified in codes, standards and laws that reference this
International Standard for PESSRAL. (See Table B.1.)
6.1.2 Table 2 defines the safe-state requirements when the safety functions in Table 1 are actuated. If a
safety function should actuate, the safety function shall cause the lift system to revert to the safe-state
conditions specified by the requirements of Table 2.
6.1.3 PESSRAL shall consider the reaction time of the lift to respond to the safety function and internal fault
detection in the time necessary to achieve the safe-state condition without hazard. Methods that fulfil internal
fault detection shall consider the necessary system reaction time required by the SIL (see example).
EXAMPLE If an internal fault is detected by comparison of data in a two-channel system within the time necessary to
meet the system's reaction time, then it is not necessary to complete a variable-memory range test within the system
reaction time because the safety integrity is verified by the two-channel design.
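As an added illustration of 6.1.3 and its EXAMPLE (this is not code from the standard), the following C sketch cross-compares two channels every cycle, latches an internal fault when they disagree or when no comparison completes within the system reaction time, and runs the variable-memory range test as a background task that may span many cycles. The 100 ms budget, the speed tolerance and the suspension-tension input are constructed assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not code from ISO 22201: a two-channel PESSRAL
 * fault-detection loop with a system-reaction-time budget (6.1.3). The
 * 100 ms budget and 10 mm/s tolerance are assumed values, not the standard's. */
#define SYSTEM_REACTION_TIME_MS 100u
#define SPEED_TOLERANCE_MM_S    10u

typedef enum { LIFT_RUN = 0, LIFT_SAFE_STATE = 1 } lift_cmd_t;

/* One channel's independently computed view of what it monitors. */
typedef struct {
    uint32_t speed_mm_s;  /* car speed derived from this channel's own sensor */
    bool     tension_ok;  /* suspension-means tension present (cf. Table 1, id 2) */
} channel_result_t;

typedef struct {
    uint32_t   last_agreement_ms; /* time of the last completed cross-comparison */
    bool       fault_latched;     /* internal fault: held until a reset/proof test */
    lift_cmd_t cmd;
} pessral_state_t;

void pessral_init(pessral_state_t *s, uint32_t now_ms)
{
    s->last_agreement_ms = now_ms;
    s->fault_latched = false;
    s->cmd = LIFT_RUN;
}

static bool channels_agree(const channel_result_t *a, const channel_result_t *b)
{
    uint32_t diff = a->speed_mm_s > b->speed_mm_s ? a->speed_mm_s - b->speed_mm_s
                                                  : b->speed_mm_s - a->speed_mm_s;
    return diff <= SPEED_TOLERANCE_MM_S && a->tension_ok == b->tension_ok;
}

/* Run once per cycle. A NULL channel pointer means that channel delivered no
 * result this cycle (hung processor, dead link), so the comparison cannot be
 * completed; that is tolerated only while the reaction-time budget lasts. */
lift_cmd_t pessral_step(pessral_state_t *s, uint32_t now_ms,
                        const channel_result_t *ch_a, const channel_result_t *ch_b)
{
    if (s->fault_latched) {
        s->cmd = LIFT_SAFE_STATE;
        return s->cmd;
    }
    if (ch_a != NULL && ch_b != NULL) {
        if (!channels_agree(ch_a, ch_b)) {
            s->fault_latched = true;      /* internal fault found by comparison */
            s->cmd = LIFT_SAFE_STATE;
            return s->cmd;
        }
        s->last_agreement_ms = now_ms;
        /* Channels agree, so the result is trusted: act on the safety function. */
        s->cmd = ch_a->tension_ok ? LIFT_RUN : LIFT_SAFE_STATE;
        return s->cmd;
    }
    if (now_ms - s->last_agreement_ms > SYSTEM_REACTION_TIME_MS) {
        s->fault_latched = true;          /* comparison stalled past the budget */
        s->cmd = LIFT_SAFE_STATE;
    }
    return s->cmd;
}

/* Background variable-memory range test, one word per cycle. Since the
 * comparison above already bounds fault-detection time, this test may take
 * many cycles to cover the range (the situation in the 6.1.3 EXAMPLE). */
#define RAM_TEST_WORDS 64u
static uint32_t ram_under_test[RAM_TEST_WORDS];

/* Returns the number of words verified in the current pass, or UINT32_MAX on
 * a stuck bit; *cursor wraps to 0 once the whole range has been covered. */
uint32_t ram_test_step(uint32_t *cursor)
{
    static const uint32_t patterns[] = { 0x55555555u, 0xAAAAAAAAu, 0u, 0xFFFFFFFFu };
    volatile uint32_t *w = &ram_under_test[*cursor];
    uint32_t saved = *w;
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        *w = patterns[i];
        if (*w != patterns[i]) { *w = saved; return UINT32_MAX; }
    }
    *w = saved;
    *cursor = (*cursor + 1u) % RAM_TEST_WORDS;
    return *cursor == 0u ? RAM_TEST_WORDS : *cursor;
}
```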
6.2 Extended application of this International Standard
6.2.1 General
The requirements in 6.2.2 to 6.2.4 are provided to verify SILs and safe-state conditions for lift-safety functions
that are new or deviate from the requirements provided in 6.3 and 6.4, or are referenced by codes and
standards not harmonized with the requirements of codes, standards or laws referenced in Table B.1.
6.2.2 Risk assessment
Where alternatives to the requirements of 6.3 and/or 6.4 are sought, methods for the determination of the
required safety-integrity level shall be performed in accordance with IEC 61508-5. The same methods shall be
used to establish the rationale for a new PESSRAL function and corresponding SIL or a revised PESSRAL
function and/or SIL that deviate from the requirements of 6.3 and 6.4. The mean target failure frequency for
the worst-case severity of the consequence of any single potential hazard scenario shall not exceed a
frequency of 5 × 10^−7/year. See also Annex C.
6.2.3 Limits for specifying SIL for PESSRAL
Target failure measures required for specifying a PES in a lift-safety-related function shall be no less than
SIL 1 and no greater than SIL 3. If a target failure measure requires a SIL higher than SIL 3, consideration
should be given to redesigning the system such that the required target-failure measure is satisfied with SIL 3
or less. If an SIL lower than SIL 1 is required, a non-SIL-rated PES may be used but it shall not be classified
as a PESSRAL. No PESSRAL shall have a SIL of less than SIL 1 even if it is applied to a safety function
requiring less than SIL 1.
Applications that require the use of a single safety function of safety integrity level 4 are not typically required
in the lift industry. Such applications shall be avoided because of the difficulty of achieving and maintaining
such high levels of performance throughout the life cycle of the safety device. If the analysis results in a safety
integrity level of 4 or higher being assigned to a lift-safety function, consideration shall be given to changing
the process design in such a way that it becomes more inherently safe or by adding additional layers of
protection. These enhancements can, perhaps, then reduce the safety-integrity-level requirements for the lift-
safety function. If the safety-integrity level cannot be reduced, the target failure measure for the safety function
shall be distributed across multiple PESSRAL of SIL 3 or less that are sufficiently independent and certified in
the application.
6.2.4 Safe-state requirements
For lift-safety functions that are new or differ from those specified in 6.3 and 6.4, the designer shall identify the
safe-state requirements in a manner similar to that in which they are described in Table 2.
6.3 Safety function SIL requirements
Table 1 provides the required SIL for each lift safety function. For further information, see Table B.1.
6.4 SIL-relevant and non-SIL-relevant safe-state requirements
Table 2 provides the required response of the lift to the lift safety functions of Table 1 and the SIL and non-SIL
relevant requirements for each response from actuation of that function. An “X” indicates the response is
required for the safe-state condition when the safety function actuates or where the PESSRAL detects an
internal fault condition. See corresponding notes where a numerical note reference value is used in place of
an “X” for further clarification of the required response.

Table 1 — Safety function SIL requirements

| Id. number | Lift-safety function | Functional description | Lift type application | SIL |
|---|---|---|---|---|
| 1 | Check final stopping limit positive drive | Detects that fewer than 1,5 turns of rope remain on the sheave or when the car has not reached top or bottom travel limit in the shaft and/or that the rope is unwinding in the reverse direction | Positive drive (winding drum) | 1 |
| 2 | Check tension, suspension means | Detects loss of tension in the suspension means (e.g. rope or chain) | Positive drive (winding drum), hydraulic | 2 |
| 3 | Check for running motor generator | Detects loss of motor generator running condition | Traction | 1 |
| 4 | Check tension, compensation means | Detects loss of tension in the compensation means | Traction | 3 |
| 5 | Check compensation tie-down | Detects if the travel limits have been exceeded for the compensation tie-down means (anti-rebound) | Traction | 3 |
| 6 | Check motor field running current | Detects loss of DC hoist motor field running current | Traction | 1 |
| 7 | Check tension, final limit linkage | Detects loss of tension in the means for the linkage of transmission of car position for the final limit | Traction, hydraulic | 1 |
| 8 | Check tension, ETSL linkage | Detects loss of tension in the means for the linkage of transmission of car position for emergency terminal speed limiting (ETSL) | Traction | 2 |
| 9 | Check fully retracted working platform | Detects if working platform is fully retracted | All | 3 |
| 10 | Check manually operated stopp... | Detects if a manually operated stopping device ... | All | 3 |
...
