ISO 22201-1:2017

INTERNATIONAL ISO
STANDARD 22201-1
First edition
2017-02
Lifts (elevators), escalators and
moving walks — Programmable
electronic systems in safety-related
applications —
Part 1:
Lifts (elevators) (PESSRAL)
Ascenseurs, escaliers mécaniques et trottoirs roulants — Systèmes
électroniques programmables dans les applications liées à la
sécurité —
Partie 1: Ascenseurs (PESSRAL)
Reference number
ISO 22201-1:2017(E)
©
ISO 2017

---------------------- Page: 1 ----------------------
ISO 22201-1:2017(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2017 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 22201-1:2017(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 2
3 Terms and definitions . 2
4 Symbols and abbreviated terms . 6
5 Requirements . 7
5.1 General . 7
5.2 Extended application of this document . 7
5.2.1 General. 7
5.2.2 Risk assessment . . 7
5.2.3 Limits for specifying SIL for PESSRAL . 7
5.2.4 Safe-state requirements . 8
5.3 Safety function SIL requirements . 8
5.4 SIL-relevant and non-SIL-relevant safe-state requirements . 8
5.5 Implementation and demonstration requirements for verification of SIL compliance .20
5.5.1 General.20
5.5.2 Required techniques and measures to implement and demonstrate PE
systems compliance with specified safety integrity levels .20
5.5.3 Loss of power after a PESSRAL device has actuated.20
Annex A (normative) Techniques and measures to implement, verify and maintain
SIL compliance .21
Annex B (informative) Applicable lift codes, standards and laws .36
Annex C (informative) Example of a risk-reduction decision table .47
Bibliography .48
© ISO 2017 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO 22201-1:2017(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the
Technical Barriers to Trade (TBT) see the following URL: www . i so .org/ iso/ foreword .html.
The committee responsible for this document is ISO/TC 178, Lifts, escalators and moving walks.
This first edition cancels and replaces ISO 22201:2009, which has been technically revised
(incorporating ISO 22201:2009/Cor 1:2011) and includes the following changes:
— editorial changes that correct typographical errors and terminology inconsistencies between
this document and its reference standards, including between it and the two other standards in the
22201 series.
A list of all parts in the ISO 22201 series can be found on the ISO website.
iv © ISO 2017 – All rights reserved

---------------------- Page: 4 ----------------------
ISO 22201-1:2017(E)

Introduction
Systems comprised of electrical and/or electronic elements have been used for many years to
perform safety functions in most application sectors. Computer-based systems, generically referred
to as programmable electronic systems, are being used in many application sectors to perform non-
safety functions and, increasingly, to perform safety functions. In order to effectively and safely
exploit computer-system technology, it is essential that those responsible for making decisions have
sufficient guidance on the safety aspects on which to make these decisions. In most situations, safety
is achieved by a number of protective systems that rely on many technologies (for example mechanical,
hydraulic, pneumatic, electrical, electronic, programmable electronic). It is necessary that any safety
strategy, therefore, considers not only all the components within an individual system (for example
sensors, controlling devices and actuators), but also all the safety-related elements making up the total
combination of safety-related systems.
This document is based upon the guidelines provided in the generic IEC 61508 series of standards of
the International Electrotechnical Commission (IEC) and EN 81 (all parts) of the Comité Européen de
Normalization (CEN).
The requirements given in this document recognize the fact that the product family covers a total range
of passenger and goods/passenger lifts used in residential buildings, offices, hospitals, hotels, industrial
plants, etc. This document is the product family standard for lifts and takes precedence over all aspects
of the generic standard.
This document sets out the product specific requirements for systems comprised of programmable
electronic components and programmable electronic systems that are used to perform safety functions
in lifts. This document has been developed in order that consistent technical and performance
requirements and rational be specified for programmable electronic systems in safety-related
applications for lifts (PESSRAL).
Risk analysis, terminology and technical solutions have been considered, taking into account the
methods of the IEC 61508 series of standards. The risk analysis of each safety function specified in
Table 1 resulted in the classification of electric safety functions applied to PESSRAL. Tables 1 and 2 give
the safety integrity level and functional requirements, respectively, for each electric safety function.
The safety integrity levels (SIL) specified in this document can also be applied to other technologies
used to satisfy the safety functions specified in this document.
Within the context of the harmonization with national standards for lifts, the application of this
document is intended to be by reference within a national standard lift such as lift codes, standards, or
laws. The reason for this is threefold:
a) to allow selective reference by national standards to specific lift safety functions described in this
document (not all lift safety functions identified in this document are called out in every national
standard);
b) to allow for future harmonization of national standards with lift safety functions identified in this
document:
— Because there exist some differences in the requirements for fulfilment of the safety objectives
of national lift standards and in national practice of lift use and maintenance, there are instances
where the requirements for lift safety functions described in this document are based on the
consensus work and agreement by the ISO committee responsible for this document. National
bodies may choose to selectively harmonize with those lift safety functions that differ in the
requirements called for by the existing national standard in future standard revisions.
— It is important to note that more than 90 % of the safe-state requirements and more than 80 %
of the anticipated SIL requirements by the national standards referenced in this document
are already harmonized with the requirements of the lift safety functions specified in this
document. The remainder is not harmonized for the reasons given above.
© ISO 2017 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO 22201-1:2017(E)

c) to allow for the application of this document where lift safety functions are new or deviate
from those specified in this document. More and more, national lift legislations are moving to
performance-based requirements. For this reason, the development of new or different lift safety
functions can be foreseen in product specific applications. For those who require lift safety
functions that are new or different from those specified in this document, this document provides a
verifiable method to establish the necessary level of safety integrity for those functions.
vi © ISO 2017 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO 22201-1:2017(E)
Lifts (elevators), escalators and moving walks —
Programmable electronic systems in safety-related
applications —
Part 1:
Lifts (elevators) (PESSRAL)
1 Scope
This document is applicable to the product family of passenger and goods/passenger lifts used in
residential buildings, offices, hospitals, hotels, industrial plants, etc. This document covers those
aspects that it is necessary to address when programmable electronic systems are used to carry out
electric safety functions for lifts (PESSRAL). This document is applicable for lift safety functions that
are identified in lift codes, standards or laws that reference this document for PESSRAL. The SILs
specified in this document are understood to be valid for PESSRAL in the context of the referenced lift
codes, standards and laws in Annex B.
NOTE Within this document, the UK term “lift” is used throughout instead of the US term “elevator”.
This document is also applicable for PESSRAL that are new or deviate from those described in this
document.
The requirements of this document regarding electrical safety/protective devices are such that it is not
necessary to take into consideration the possibility of a failure of an electric safety/protective device
complying with all the requirements of this document and other relevant standards.
In particular, this document
a) uses safety integrity levels (SIL) for specifying the target failure measure for the safety functions
implemented by the PESSRAL;
b) specifies the requirements for achieving safety integrity for a function but does not specify who is
responsible for implementing and maintaining the requirements (for example, designers, suppliers,
owner/operating company, contractor); this responsibility is assigned to different parties according
to safety planning and national regulations;
c) applies to PE systems used in lift applications that meet the minimum requirements of a recognized
lift standard such as EN 81, ASME A17.1-2007/CSA B44-07, or lift laws such as the Japan Building
Standard Law Enforcement Order For Elevator and Escalator;
d) defines the relationship between this document and IEC 61508 and defines the relationship
between this document and the EMC standard for lifts on immunity, ISO 22200;
e) outlines the relationship between lift safety functions and their safe-state conditions;
f) applies to phases and activities that are specific to design of software and related hardware but not
to those phases and activities that occur post-design, for example sourcing and manufacturing;
g) requires the manufacturer of the PESSRAL to provide instructions that specify what is necessary
to maintain the integrity of the PESSRAL (instruction manual) for the organization carrying out
the assembly, connections, adjustment and maintenance of the lift;
h) provides requirements relating to the software and hardware safety validation;
i) establishes the safety integrity levels for specific lift safety functions;
© ISO 2017 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO 22201-1:2017(E)

j) specifies techniques/measures required for achieving the specified safety integrity levels;
k) provides risk-reduction decision tables for the application of PESSRALs;
l) defines a maximum level of performance (SIL 3) that can be achieved for a PESSRAL according to
this document and defines a minimum level of performance (SIL 1).
This document does not cover:
— hazards arising from the PE systems equipment itself, such as electric shock, etc.;
— the concept of fail-safe, which can be of value when the failure modes are well defined and the level
of complexity is relatively low; the concept of fail-safe is considered inappropriate because of the
full range of complexity of the PESSRAL that are within the scope of this document;
— other relevant requirements necessary for the complete application of a PESSRAL in a lift safety
function, such as the mechanical construction, mounting and labelling of switches, actuators,
or sensors that contain the PESSRAL. It is necessary that these requirements be carried out in
accordance with the national lift standard that references this document.
— foreseeable misuse involving security threats related to malevolent or unauthorized action. In cases
where a security threat analysis needs to be considered, this standard may be used, provided the
specified SIL has been reassessed.
2 Normative references
The following documents are referred to in text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 22200, Electromagnetic compatibility — Product family standard for lifts, escalators and moving
walks — Immunity
IEC 61249-2-1, Materials for printed boards and other interconnecting structures — Part two-1: Reinforced
base materials, clad and unclad — Phenolic cellulose paper reinforced laminated sheets, economic grade,
copper clad
IEC 61508-1:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 1: General requirements
IEC 61508-2, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 3: Software requirements
IEC 61508-5, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 5: Example of methods for the determination of safety integrity levels
IEC 61508-7:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 7: Overview of techniques and measures
IEC 62326-1, Printed boards — Part 1: Generic specification
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 61508-4 and the following apply.
NOTE The definitions in this document take precedence over those in the generic standard.
2 © ISO 2017 – All rights reserved

---------------------- Page: 8 ----------------------
ISO 22201-1:2017(E)

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http:// www .electropedia .org/
— ISO Online browsing platform: available at http:// www .iso .org/ obp
3.1
manually operated stopping device
stopping device that is intentionally, by human intervention, actuated and de-actuated
EXAMPLE Toggle switch, mushroom type or hand-operated switch.
3.2
non-manually operated stopping device
stopping device that is automatically actuated or de-actuated due to human intervention or detection
3.3
non-SIL-relevant safe-state requirement
required response to the actuation of an SIL-rated safety function where the function performing this
response is not required to be SIL rated
Note 1 to entry: See Figure 4 and Table 2.
3.4
programmable electronic
PE
based on computer technology which can be comprised of hardware, software, and of input and/or
output units
Note 1 to entry: This term covers microelectronic devices based on one or more central processing units (CPUs),
together with associated memories, etc.
EXAMPLE The following are all programmable electronic devices:
— microprocessors;
— micro-controllers;
— programmable controllers;
— field programmable gate array (FPGA);
— application specific integrated circuits (ASICs);
— programmable logic controllers (PLCs); and
— other computer-based devices (for example smart sensors, transmitters, actuators).
3.5
programmable electronic system
PE system
system for control, protection or monitoring based on one or more programmable electronic devices,
including all elements of the system, such as power supplies, sensors and other input devices, data
highways and other communication paths, and actuators and other output devices
Note 1 to entry: See Figure 1.
Note 2 to entry: A PE system may include elements that perform SIL-rated requirements and non-SIL-rated
requirements. The SIL rating is only required for those elements that perform the SIL-relevant functional
requirements.
© ISO 2017 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO 22201-1:2017(E)

Key
1 extent of PE system
2 input interfaces (for example, A-D converters)
3 input devices (for example, sensors)
4 communications
5 programmable electronics (PEs)
6 output interfaces (for example, D-A converters)
7 output devices/final elements (for example, actuators)
a
The programmable electronics are shown centrally located but could exist at several places in the PE system.
Figure 1 — Basic PE systems structure
3.6
programmable electronic systems in safety-related applications for lifts
PESSRAL
application of a software-based PE system in a safety-related system for a lift
3.7
proof test
periodic test performed to detect dangerous hidden failures in a safety-related system so that, if
necessary, a repair can restore the system to an “as new” condition or as close as practical to this
condition.
Note 1 to entry: In this standard the term “proof test” is used but it is recognized that a synonymous term is
“periodical test”.
Note 2 to entry: The effectiveness of the proof test will be dependent both on failure coverage and repair
effectiveness. In practice, detecting 100 % of the hidden dangerous failures is not easily achieved for other than
low-complexity E/E/PE safety-related systems. This should be the target. As a minimum, all the safety functions
which are executed are checked according to the E/E/PE system safety requirements specification. If separate
channels are used, these tests are done for each channel separately. For complex elements, an analysis may need
to be performed in order to demonstrate that the probability of hidden dangerous failure not detected by proof
tests is negligible over the whole life duration of the E/E/PE safety-related system.
4 © ISO 2017 – All rights reserved

---------------------- Page: 10 ----------------------
ISO 22201-1:2017(E)

Note 3 to entry: A proof test needs some time to be achieved. During this time the E/E/PE safety-related system
may be inhibited partially or completely. The proof test duration can be neglected only if the part of the E/E/PE
safety-related system under test remains available in case of a demand for operation or if the EUC is shut down
during the test.
Note 4 to entry: During a proof test, the E/E/PE safety-related system may be partly or completely unavailable to
respond to a demand for operation. The MTTR can be neglected for SIL calculations only if the EUC is shut down
during repair or if other risk measures are put in place with equivalent effectiveness.
3.8
safety chain
total combination of safety devices that fulfil all or a group of lift safety functions
Note 1 to entry: See Figure 2.
Key
1 safety device 1, function 1
2 safety device 2, function 2
3 safety device n, function n
4 safety device (n + 1), function (n + 1)
a
All or a group of required lift safety functions; see Table 1.
Figure 2 — Safety chain
3.9
safety device
part of the safety-related system, including necessary control circuits, that is designated to achieve, in
its own right, a lift safety function and that may consist of PE elements and non-PE elements
Note 1 to entry: See Figure 3 and Table 1.
Key
1 PE elements
2 non-PE elements
Figure 3 — Safety device
© ISO 2017 – All rights reserved 5

---------------------- Page: 11 ----------------------
ISO 22201-1:2017(E)

3.10
safety function
function implemented by a safety-related system that is intended to achieve or maintain a safe state of
the lift with respect to a specific hazardous event
Note 1 to entry: See Table 1.
Note 2 to entry: A safety function may include non-SIL-relevant requirements; see Table 2.
3.11
safety-related system
one or more safety devices performing one or more safety functions that can be based on programmable
electronic (PE), electrical, electronic and/or mechanical elements of the lift
3.12
safety integrity level
SIL
discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety
functions allocated to the programmable electronic safety-related system, where safety integrity level
4 has the highest level of safety integrity and safety integrity level 1 has the lowest
Note 1 to entry: The SIL is indicative of a failure rate that includes all causes of failures (both random hardware
failures and systematic failures) that lead to an unsafe state, for example hardware failures, software-induced
failures and failures due to electrical interference.
Note 2 to entry: In the context of this document, SIL 3 is the highest safety integrity level that shall be applied to lifts.
3.13
SIL-relevant safe-state requirement
part of the safety-related system where it is necessary that the specified SIL of the function be met
Note 1 to entry: See Figure 4 and Table 2.
Key
1 SIL-relevant safe-state requirement(s)
2 non-SIL-relevant safe-state requirement(s)
Figure 4 — Lift safety function
3.14
system reaction time
sum of the following two values:
a) time period between the occurrence of a fault in the PESSRAL and the initiation of the corresponding
action on the lift;
b) time period for the lift to respond to the action, maintaining a safe state.
4 Symbols and abbreviated terms
ETSL emergency terminal speed limiting
ETS emergency terminal stopping
EUC equipment under control
6 © ISO 2017 – All rights reserved

---------------------- Page: 12 ----------------------
ISO 22201-1:2017(E)

MTTR mean time to repair
PCB printed circuit board
5 Requirements
5.1 General
5.1.1 Table 1 defines the safety-function names, associated lift functional description, applicable lift
type and required SIL for the SIL-relevant part of the safety function. A lift is permitted to operate without
interruption when safety functions are not actuated.
NOTE Safety functions refer to those lift functions that are identified in codes, standards and laws that
reference this document for PESSRAL. See Table B.1.
5.1.2 Table 2 defines the safe-state requirements when the safety functions in Table 1 are actuated. If
a safety function should actuate, the safety function shall cause the lift system to revert to the safe-state
conditions specified by the requirements of Table 2.
5.1.3 PESSRAL shall consider the reaction time of the lift to respond to the safety function and internal
fault detection in the time necessary to achieve the safe-state condition without hazard. Methods that
fulfil internal fault detection shall consider the necessary system reaction time required by the SIL (see
example).
EXAMPLE If an internal fault is detected by comparison of data in a two-channel system within the time
necessary to meet the system’s reaction time, then it is not necessary to complete a variable-memory range test
within the system reaction time because the safety integrity is verified by the two-channel design.
5.2 Extended application of this document
5.2.1 General
The requirements in 5.2.2 to 5.2.4 are provided to verify SILs and safe-state conditions for lift safety
functions that are new or deviate from the requirements provided in 5.3 and 5.4, or are referenced by
codes and standards not harmonized with the requirements of codes, standards or laws referenced in
Table B.1.
5.2.2 Risk assessment
Where alternatives to the requirements of 5.3 and/or 5.4 are sought, methods for the determination
of the required safety integrity level shall be performed in accordance with IEC 61508-5. The same
methods shall be used to establish the rationale for a new PESSRAL function and corresponding SIL or
a revised PESSRAL function and/or SIL that deviate from the requirements of 5.3 and 5.4. The mean
target failure frequency for the worst-case severity of the consequence of any single potential hazard
−7
scenario shall not exceed a frequency of 5 × 10 /year. See also Annex C.
5.2.3 Limits for specifying SIL for PESSRAL
Target failure measures required for specifying a PE system in a lift safety-related function shall be no
less than SIL 1 and no greater than SIL 3. If a target failure measure requires a SIL higher than SIL 3,
consideration should be given to redesigning the system such that the required target-failure measure
is satisfied with SIL 3 or less. If an SIL lower than SIL 1 is required, a non-SIL-rated PE system may be
used but
...