ISO 22201-1:2017
Lifts (elevators), escalators and moving walks — Programmable electronic systems in safety-related applications — Part 1: Lifts (elevators) (PESSRAL)
INTERNATIONAL STANDARD ISO 22201-1
First edition
2017-02
Lifts (elevators), escalators and
moving walks — Programmable
electronic systems in safety-related
applications —
Part 1:
Lifts (elevators) (PESSRAL)
Ascenseurs, escaliers mécaniques et trottoirs roulants — Systèmes
électroniques programmables dans les applications liées à la
sécurité —
Partie 1: Ascenseurs (PESSRAL)
© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2017 – All rights reserved
Contents
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 2
3 Terms and definitions ... 2
4 Symbols and abbreviated terms ... 6
5 Requirements ... 7
5.1 General ... 7
5.2 Extended application of this document ... 7
5.2.1 General ... 7
5.2.2 Risk assessment ... 7
5.2.3 Limits for specifying SIL for PESSRAL ... 7
5.2.4 Safe-state requirements ... 8
5.3 Safety function SIL requirements ... 8
5.4 SIL-relevant and non-SIL-relevant safe-state requirements ... 8
5.5 Implementation and demonstration requirements for verification of SIL compliance ... 20
5.5.1 General ... 20
5.5.2 Required techniques and measures to implement and demonstrate PE systems compliance with specified safety integrity levels ... 20
5.5.3 Loss of power after a PESSRAL device has actuated ... 20
Annex A (normative) Techniques and measures to implement, verify and maintain SIL compliance ... 21
Annex B (informative) Applicable lift codes, standards and laws ... 36
Annex C (informative) Example of a risk-reduction decision table ... 47
Bibliography ... 48
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the
Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
The committee responsible for this document is ISO/TC 178, Lifts, escalators and moving walks.
This first edition cancels and replaces ISO 22201:2009, which has been technically revised
(incorporating ISO 22201:2009/Cor 1:2011) and includes the following changes:
— editorial changes that correct typographical errors and terminology inconsistencies between
this document and its reference standards, including between it and the two other standards in the
22201 series.
A list of all parts in the ISO 22201 series can be found on the ISO website.
Introduction
Systems comprised of electrical and/or electronic elements have been used for many years to
perform safety functions in most application sectors. Computer-based systems, generically referred
to as programmable electronic systems, are being used in many application sectors to perform non-
safety functions and, increasingly, to perform safety functions. In order to effectively and safely
exploit computer-system technology, it is essential that those responsible for making decisions have
sufficient guidance on the safety aspects on which to make these decisions. In most situations, safety
is achieved by a number of protective systems that rely on many technologies (for example mechanical,
hydraulic, pneumatic, electrical, electronic, programmable electronic). It is necessary that any safety
strategy, therefore, considers not only all the components within an individual system (for example
sensors, controlling devices and actuators), but also all the safety-related elements making up the total
combination of safety-related systems.
This document is based upon the guidelines provided in the generic IEC 61508 series of standards of
the International Electrotechnical Commission (IEC) and EN 81 (all parts) of the Comité Européen de
Normalisation (CEN).
The requirements given in this document recognize the fact that the product family covers a total range
of passenger and goods/passenger lifts used in residential buildings, offices, hospitals, hotels, industrial
plants, etc. This document is the product family standard for lifts and takes precedence over all aspects
of the generic standard.
This document sets out the product specific requirements for systems comprised of programmable
electronic components and programmable electronic systems that are used to perform safety functions
in lifts. This document has been developed in order that consistent technical and performance
requirements and rationale be specified for programmable electronic systems in safety-related
applications for lifts (PESSRAL).
Risk analysis, terminology and technical solutions have been considered, taking into account the
methods of the IEC 61508 series of standards. The risk analysis of each safety function specified in
Table 1 resulted in the classification of electric safety functions applied to PESSRAL. Tables 1 and 2 give
the safety integrity level and functional requirements, respectively, for each electric safety function.
The safety integrity levels (SIL) specified in this document can also be applied to other technologies
used to satisfy the safety functions specified in this document.
Within the context of the harmonization with national standards for lifts, the application of this
document is intended to be by reference within a national lift standard, such as lift codes, standards or
laws. The reason for this is threefold:
a) to allow selective reference by national standards to specific lift safety functions described in this
document (not all lift safety functions identified in this document are called out in every national
standard);
b) to allow for future harmonization of national standards with lift safety functions identified in this
document:
— Because there exist some differences in the requirements for fulfilment of the safety objectives
of national lift standards and in national practice of lift use and maintenance, there are instances
where the requirements for lift safety functions described in this document are based on the
consensus work and agreement by the ISO committee responsible for this document. National
bodies may choose to selectively harmonize with those lift safety functions that differ in the
requirements called for by the existing national standard in future standard revisions.
— It is important to note that more than 90 % of the safe-state requirements and more than 80 %
of the anticipated SIL requirements by the national standards referenced in this document
are already harmonized with the requirements of the lift safety functions specified in this
document. The remainder is not harmonized for the reasons given above.
c) to allow for the application of this document where lift safety functions are new or deviate
from those specified in this document. More and more, national lift legislations are moving to
performance-based requirements. For this reason, the development of new or different lift safety
functions can be foreseen in product specific applications. For those who require lift safety
functions that are new or different from those specified in this document, this document provides a
verifiable method to establish the necessary level of safety integrity for those functions.
INTERNATIONAL STANDARD ISO 22201-1:2017(E)
Lifts (elevators), escalators and moving walks —
Programmable electronic systems in safety-related
applications —
Part 1:
Lifts (elevators) (PESSRAL)
1 Scope
This document is applicable to the product family of passenger and goods/passenger lifts used in
residential buildings, offices, hospitals, hotels, industrial plants, etc. This document covers those
aspects that it is necessary to address when programmable electronic systems are used to carry out
electric safety functions for lifts (PESSRAL). This document is applicable for lift safety functions that
are identified in lift codes, standards or laws that reference this document for PESSRAL. The SILs
specified in this document are understood to be valid for PESSRAL in the context of the referenced lift
codes, standards and laws in Annex B.
NOTE Within this document, the UK term “lift” is used throughout instead of the US term “elevator”.
This document is also applicable for PESSRAL that are new or deviate from those described in this
document.
The requirements of this document regarding electrical safety/protective devices are such that it is not
necessary to take into consideration the possibility of a failure of an electric safety/protective device
complying with all the requirements of this document and other relevant standards.
In particular, this document
a) uses safety integrity levels (SIL) for specifying the target failure measure for the safety functions
implemented by the PESSRAL;
b) specifies the requirements for achieving safety integrity for a function but does not specify who is
responsible for implementing and maintaining the requirements (for example, designers, suppliers,
owner/operating company, contractor); this responsibility is assigned to different parties according
to safety planning and national regulations;
c) applies to PE systems used in lift applications that meet the minimum requirements of a recognized
lift standard such as EN 81, ASME A17.1-2007/CSA B44-07, or lift laws such as the Japan Building
Standard Law Enforcement Order For Elevator and Escalator;
d) defines the relationship between this document and IEC 61508 and defines the relationship
between this document and the EMC standard for lifts on immunity, ISO 22200;
e) outlines the relationship between lift safety functions and their safe-state conditions;
f) applies to phases and activities that are specific to design of software and related hardware but not
to those phases and activities that occur post-design, for example sourcing and manufacturing;
g) requires the manufacturer of the PESSRAL to provide instructions that specify what is necessary
to maintain the integrity of the PESSRAL (instruction manual) for the organization carrying out
the assembly, connections, adjustment and maintenance of the lift;
h) provides requirements relating to the software and hardware safety validation;
i) establishes the safety integrity levels for specific lift safety functions;
j) specifies techniques/measures required for achieving the specified safety integrity levels;
k) provides risk-reduction decision tables for the application of PESSRALs;
l) defines a maximum level of performance (SIL 3) that can be achieved for a PESSRAL according to
this document and defines a minimum level of performance (SIL 1).
This document does not cover:
— hazards arising from the PE systems equipment itself, such as electric shock, etc.;
— the concept of fail-safe, which can be of value when the failure modes are well defined and the level
of complexity is relatively low; the concept of fail-safe is considered inappropriate because of the
full range of complexity of the PESSRAL that are within the scope of this document;
— other relevant requirements necessary for the complete application of a PESSRAL in a lift safety
function, such as the mechanical construction, mounting and labelling of switches, actuators,
or sensors that contain the PESSRAL. It is necessary that these requirements be carried out in
accordance with the national lift standard that references this document.
— foreseeable misuse involving security threats related to malevolent or unauthorized action. In cases
where a security threat analysis needs to be considered, this standard may be used, provided the
specified SIL has been reassessed.
2 Normative references
The following documents are referred to in text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 22200, Electromagnetic compatibility — Product family standard for lifts, escalators and moving
walks — Immunity
IEC 61249-2-1, Materials for printed boards and other interconnecting structures — Part 2-1: Reinforced
base materials, clad and unclad — Phenolic cellulose paper reinforced laminated sheets, economic grade,
copper clad
IEC 61508-1:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 1: General requirements
IEC 61508-2, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 3: Software requirements
IEC 61508-5, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 5: Example of methods for the determination of safety integrity levels
IEC 61508-7:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 7: Overview of techniques and measures
IEC 62326-1, Printed boards — Part 1: Generic specification
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 61508-4 and the following apply.
NOTE The definitions in this document take precedence over those in the generic standard.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
manually operated stopping device
stopping device that is intentionally, by human intervention, actuated and de-actuated
EXAMPLE Toggle switch, mushroom type or hand-operated switch.
3.2
non-manually operated stopping device
stopping device that is automatically actuated or de-actuated due to human intervention or detection
3.3
non-SIL-relevant safe-state requirement
required response to the actuation of an SIL-rated safety function where the function performing this
response is not required to be SIL rated
Note 1 to entry: See Figure 4 and Table 2.
3.4
programmable electronic
PE
based on computer technology which can be comprised of hardware, software, and of input and/or
output units
Note 1 to entry: This term covers microelectronic devices based on one or more central processing units (CPUs),
together with associated memories, etc.
EXAMPLE The following are all programmable electronic devices:
— microprocessors;
— micro-controllers;
— programmable controllers;
— field programmable gate array (FPGA);
— application specific integrated circuits (ASICs);
— programmable logic controllers (PLCs); and
— other computer-based devices (for example smart sensors, transmitters, actuators).
3.5
programmable electronic system
PE system
system for control, protection or monitoring based on one or more programmable electronic devices,
including all elements of the system, such as power supplies, sensors and other input devices, data
highways and other communication paths, and actuators and other output devices
Note 1 to entry: See Figure 1.
Note 2 to entry: A PE system may include elements that perform SIL-rated requirements and non-SIL-rated
requirements. The SIL rating is only required for those elements that perform the SIL-relevant functional
requirements.
Key
1 extent of PE system
2 input interfaces (for example, A-D converters)
3 input devices (for example, sensors)
4 communications
5 programmable electronics (PEs)
6 output interfaces (for example, D-A converters)
7 output devices/final elements (for example, actuators)
a  The programmable electronics are shown centrally located but could exist at several places in the PE system.
Figure 1 — Basic PE systems structure
3.6
programmable electronic systems in safety-related applications for lifts
PESSRAL
application of a software-based PE system in a safety-related system for a lift
3.7
proof test
periodic test performed to detect dangerous hidden failures in a safety-related system so that, if
necessary, a repair can restore the system to an “as new” condition or as close as practical to this
condition.
Note 1 to entry: In this standard the term “proof test” is used but it is recognized that a synonymous term is
“periodical test”.
Note 2 to entry: The effectiveness of the proof test will be dependent both on failure coverage and repair
effectiveness. In practice, detecting 100 % of the hidden dangerous failures is not easily achieved for other than
low-complexity E/E/PE safety-related systems. This should be the target. As a minimum, all the safety functions
which are executed are checked according to the E/E/PE system safety requirements specification. If separate
channels are used, these tests are done for each channel separately. For complex elements, an analysis may need
to be performed in order to demonstrate that the probability of hidden dangerous failure not detected by proof
tests is negligible over the whole life duration of the E/E/PE safety-related system.
Note 3 to entry: A proof test needs some time to be achieved. During this time the E/E/PE safety-related system
may be inhibited partially or completely. The proof test duration can be neglected only if the part of the E/E/PE
safety-related system under test remains available in case of a demand for operation or if the EUC is shut down
during the test.
Note 4 to entry: During a proof test, the E/E/PE safety-related system may be partly or completely unavailable to
respond to a demand for operation. The MTTR can be neglected for SIL calculations only if the EUC is shut down
during repair or if other risk measures are put in place with equivalent effectiveness.
3.8
safety chain
total combination of safety devices that fulfil all or a group of lift safety functions
Note 1 to entry: See Figure 2.
Key
1 safety device 1, function 1
2 safety device 2, function 2
3 safety device n, function n
4 safety device (n + 1), function (n + 1)
a  All or a group of required lift safety functions; see Table 1.
Figure 2 — Safety chain
3.9
safety device
part of the safety-related system, including necessary control circuits, that is designated to achieve, in
its own right, a lift safety function and that may consist of PE elements and non-PE elements
Note 1 to entry: See Figure 3 and Table 1.
Key
1 PE elements
2 non-PE elements
Figure 3 — Safety device
3.10
safety function
function implemented by a safety-related system that is intended to achieve or maintain a safe state of
the lift with respect to a specific hazardous event
Note 1 to entry: See Table 1.
Note 2 to entry: A safety function may include non-SIL-relevant requirements; see Table 2.
3.11
safety-related system
one or more safety devices performing one or more safety functions that can be based on programmable
electronic (PE), electrical, electronic and/or mechanical elements of the lift
3.12
safety integrity level
SIL
discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety
functions allocated to the programmable electronic safety-related system, where safety integrity level
4 has the highest level of safety integrity and safety integrity level 1 has the lowest
Note 1 to entry: The SIL is indicative of a failure rate that includes all causes of failures (both random hardware
failures and systematic failures) that lead to an unsafe state, for example hardware failures, software-induced
failures and failures due to electrical interference.
Note 2 to entry: In the context of this document, SIL 3 is the highest safety integrity level that shall be applied to lifts.
3.13
SIL-relevant safe-state requirement
part of the safety-related system where it is necessary that the specified SIL of the function be met
Note 1 to entry: See Figure 4 and Table 2.
Key
1 SIL-relevant safe-state requirement(s)
2 non-SIL-relevant safe-state requirement(s)
Figure 4 — Lift safety function
3.14
system reaction time
sum of the following two values:
a) time period between the occurrence of a fault in the PESSRAL and the initiation of the corresponding
action on the lift;
b) time period for the lift to respond to the action, maintaining a safe state.
4 Symbols and abbreviated terms
ETSL emergency terminal speed limiting
ETS emergency terminal stopping
EUC equipment under control
MTTR mean time to repair
PCB printed circuit board
5 Requirements
5.1 General
5.1.1 Table 1 defines the safety-function names, associated lift functional description, applicable lift
type and required SIL for the SIL-relevant part of the safety function. A lift is permitted to operate without
interruption when safety functions are not actuated.
NOTE Safety functions refer to those lift functions that are identified in codes, standards and laws that
reference this document for PESSRAL. See Table B.1.
5.1.2 Table 2 defines the safe-state requirements when the safety functions in Table 1 are actuated. If
a safety function should actuate, the safety function shall cause the lift system to revert to the safe-state
conditions specified by the requirements of Table 2.
5.1.3 PESSRAL shall consider the reaction time of the lift to respond to the safety function and internal
fault detection in the time necessary to achieve the safe-state condition without hazard. Methods that
fulfil internal fault detection shall consider the necessary system reaction time required by the SIL (see
example).
EXAMPLE If an internal fault is detected by comparison of data in a two-channel system within the time
necessary to meet the system’s reaction time, then it is not necessary to complete a variable-memory range test
within the system reaction time because the safety integrity is verified by the two-channel design.
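As an added worked example (not code from the standard or from any lift manufacturer), the following Python models the requirement of 5.1.3 and the EXAMPLE above: a two-channel speed monitor, of the kind a function such as emergency terminal speed limiting (Table 1, ID 8) might use, detects an internal fault by cross-comparing its channels, and the design is checked so that its fault-detection latency plus the lift's own response time stays within the system reaction time of 3.14. The long-running variable-memory range test is modelled only as a duration, to show that it does not have to fit inside that budget when the comparison does. All timings, speeds, tolerances, class and function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

RUNNING = "running"
SAFE_STATE = "safe_state"


@dataclass
class ReactionTimeBudget:
    """System reaction time (3.14) = a) fault detection and initiation of the
    action + b) time for the lift to respond and hold the safe state.
    All values are constructed assumptions."""
    system_reaction_time_ms: float  # total permitted for the safety function
    lift_response_time_ms: float    # part b), fixed by the lift's drive and mechanics

    def max_fault_detection_ms(self) -> float:
        # What remains for part a): the PESSRAL must detect and act within this.
        return self.system_reaction_time_ms - self.lift_response_time_ms


@dataclass
class TwoChannelSpeedMonitor:
    """Two independent channels measure car speed (constructed example).
    Either channel seeing over-speed is a demand and trips the safe state;
    a sustained disagreement between channels is an internal fault and also
    trips the safe state (5.1.3). Fault detection latency is bounded by
    cycle_ms * confirm_cycles and must fit the reaction-time budget."""
    speed_limit: float         # speed at which the function must act
    tolerance: float           # largest channel deviation still treated as agreement
    cycle_ms: float            # comparison cycle time
    confirm_cycles: int        # consecutive mismatches before a fault is declared
    budget: ReactionTimeBudget
    background_test_ms: float  # duration of the full variable-memory range test
    state: str = RUNNING
    reason: Optional[str] = None
    mismatches: int = 0

    def __post_init__(self) -> None:
        if self.fault_detection_ms() > self.budget.max_fault_detection_ms():
            raise ValueError(
                f"fault detection {self.fault_detection_ms()} ms exceeds budget "
                f"{self.budget.max_fault_detection_ms()} ms")

    def fault_detection_ms(self) -> float:
        return self.cycle_ms * self.confirm_cycles

    def background_test_fits_budget(self) -> bool:
        # 5.1.3 EXAMPLE: this may be False. The memory range test may run in the
        # background because the cross-comparison already bounds detection time.
        return self.background_test_ms <= self.budget.max_fault_detection_ms()

    def step(self, speed_a: float, speed_b: float) -> str:
        """One comparison cycle with the two channel readings."""
        if self.state != RUNNING:
            return self.state
        # Demand on either channel: act (1oo2 voting on the demand).
        if speed_a > self.speed_limit or speed_b > self.speed_limit:
            self.state, self.reason = SAFE_STATE, "overspeed demand"
            return self.state
        # Diagnostics: the channels must agree within tolerance.
        if abs(speed_a - speed_b) > self.tolerance:
            self.mismatches += 1
            if self.mismatches >= self.confirm_cycles:
                self.state, self.reason = SAFE_STATE, "internal fault: channel mismatch"
        else:
            self.mismatches = 0  # transient disagreement cleared
        return self.state


def run(monitor: TwoChannelSpeedMonitor,
        samples: List[Tuple[float, float]]) -> Tuple[str, Optional[str], float]:
    """Feed (speed_a, speed_b) samples; return final state, reason and elapsed ms."""
    elapsed = 0.0
    for a, b in samples:
        elapsed += monitor.cycle_ms
        if monitor.step(a, b) != RUNNING:
            break
    return monitor.state, monitor.reason, elapsed


def make_monitor(cycle_ms: float = 20.0, confirm_cycles: int = 5) -> TwoChannelSpeedMonitor:
    # Constructed budget: 500 ms in total, of which the lift itself needs 300 ms.
    budget = ReactionTimeBudget(system_reaction_time_ms=500.0, lift_response_time_ms=300.0)
    return TwoChannelSpeedMonitor(speed_limit=2.0, tolerance=0.2, cycle_ms=cycle_ms,
                                  confirm_cycles=confirm_cycles, budget=budget,
                                  background_test_ms=2000.0)


if __name__ == "__main__":
    # Constructed trace: channel B freezes at 1.0 m/s while A keeps reading 1.6 m/s.
    stuck_channel = [(1.0, 1.0)] * 3 + [(1.6, 1.0)] * 10
    print(run(make_monitor(), stuck_channel))
    print("background test fits budget:", make_monitor().background_test_fits_budget())
```

With the constructed figures the frozen channel is caught after 100 ms of sustained mismatch, inside the 200 ms left for fault detection, while a 2 s memory test could never have fitted that window; a monitor configured with a detection latency larger than the budget is rejected at construction rather than discovered in service.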
5.2 Extended application of this document
5.2.1 General
The requirements in 5.2.2 to 5.2.4 are provided to verify SILs and safe-state conditions for lift safety
functions that are new or deviate from the requirements provided in 5.3 and 5.4, or are referenced by
codes and standards not harmonized with the requirements of codes, standards or laws referenced in
Table B.1.
5.2.2 Risk assessment
Where alternatives to the requirements of 5.3 and/or 5.4 are sought, methods for the determination
of the required safety integrity level shall be performed in accordance with IEC 61508-5. The same
methods shall be used to establish the rationale for a new PESSRAL function and corresponding SIL or
a revised PESSRAL function and/or SIL that deviate from the requirements of 5.3 and 5.4. The mean
target failure frequency for the worst-case severity of the consequence of any single potential hazard
scenario shall not exceed a frequency of 5 × 10⁻⁷/year. See also Annex C.
5.2.3 Limits for specifying SIL for PESSRAL
Target failure measures required for specifying a PE system in a lift safety-related function shall be no
less than SIL 1 and no greater than SIL 3. If a target failure measure requires a SIL higher than SIL 3,
consideration should be given to redesigning the system such that the required target-failure measure
is satisfied with SIL 3 or less. If an SIL lower than SIL 1 is required, a non-SIL-rated PE system may be
used but it shall not be classified as a PESSRAL. No PESSRAL shall have a SIL of less than SIL 1 even if it
is applied to a safety function requiring less than SIL 1.
Applications that require the use of a single safety function of safety integrity level 4 are not typically
required in the lift industry. Such applications shall be avoided because of the difficulty of achieving and
maintaining such high levels of performance throughout the life cycle of the safety device. If the analysis
results in a safety integrity level of 4 or higher being assigned to a lift safety function, consideration
shall be given to changing the process design in such a way that it becomes more inherently safe or
by adding additional layers of protection. These enhancements can, perhaps, then reduce the safety
integrity level requirements for the lift safety function. If the safety integrity level cannot be reduced,
the target failure measure for the safety function shall be distributed across multiple PESSRAL of SIL 3
or less that are sufficiently independent and certified in the application.
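The following Python is an added worked example, not code from the standard, covering three passages together: the proof-test notes of 3.7 (coverage, Note 2; MTTR neglected only if the lift is shut down during repair, Note 4), the 5 × 10⁻⁷/year hazard-frequency target of 5.2.2 and the SIL limits of 5.2.3. It assumes low-demand operation with the IEC 61508-1 PFDavg bands, uses a simplified single-channel (1oo1) PFDavg approximation in the style of IEC 61508-6 Annex B rather than the decision table of Annex C (which is not reproduced here), and every failure rate, interval and hazard frequency is a constructed assumption, as are the function names.

```python
"""Added worked example (not from ISO 22201-1): PFDavg of a single-channel
PESSRAL with imperfect proof testing, checked against the 5.2.2 hazard
frequency target and the 5.2.3 SIL limits. All numbers are constructed."""
import math

HOURS_PER_YEAR = 8760.0
TARGET_HAZARD_FREQ_PER_YEAR = 5e-7  # ISO 22201-1, 5.2.2


def sil_from_pfd(pfd_avg: float) -> int:
    """Map an average probability of failure on demand to its IEC 61508-1
    low-demand SIL band (SIL n covers 10^-(n+1) <= PFDavg < 10^-n).
    Returns 0 below SIL 1 and 5 for better than SIL 4."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg < 1e-5:
        return 5
    return -math.floor(math.log10(pfd_avg)) - 1


def pfd_avg_1oo1(lambda_du: float, lambda_dd: float, proof_test_interval_h: float,
                 proof_test_coverage: float, lifetime_h: float, mttr_h: float,
                 euc_shut_down_during_repair: bool) -> float:
    """Simplified single-channel PFDavg (assumption: 1oo1, constant rates).
    lambda_du: dangerous failures per hour not revealed by online diagnostics
    lambda_dd: dangerous failures per hour revealed by online diagnostics
    proof_test_coverage: fraction of DU failures the proof test reveals (3.7 Note 2);
        the remainder stays hidden until end of life, so it is averaged over lifetime_h
    mttr_h: neglected only if the lift (EUC) is shut down during repair (3.7 Note 4)"""
    repair_exposure = 0.0 if euc_shut_down_during_repair else mttr_h
    du_found_by_proof_test = lambda_du * proof_test_coverage * (proof_test_interval_h / 2 + repair_exposure)
    du_never_found = lambda_du * (1 - proof_test_coverage) * (lifetime_h / 2 + repair_exposure)
    dd_during_repair = lambda_dd * repair_exposure
    return du_found_by_proof_test + du_never_found + dd_during_repair


def required_pfd(unmitigated_hazard_freq_per_year: float, other_layers_rrf: float = 1.0) -> float:
    """Largest PFDavg the PESSRAL may have so that the residual frequency of the
    hazard scenario does not exceed the 5.2.2 target, after crediting the risk
    reduction of other independent layers (e.g. mechanical safety gear)."""
    residual = unmitigated_hazard_freq_per_year / other_layers_rrf
    if residual <= TARGET_HAZARD_FREQ_PER_YEAR:
        return 1.0  # target already met without the PE system
    return TARGET_HAZARD_FREQ_PER_YEAR / residual


def classify_per_5_2_3(sil_band: int) -> str:
    """Apply the SIL limits of 5.2.3 to a required SIL band."""
    if sil_band < 1:
        return "non-SIL-rated PE system permitted; shall not be classified as PESSRAL"
    if sil_band <= 3:
        return f"PESSRAL SIL {sil_band}"
    return ("SIL 4 or higher: redesign for inherent safety, add protection layers, "
            "or distribute across sufficiently independent PESSRAL of SIL 3 or less")


def assess(design: dict, unmitigated_hazard_freq_per_year: float, other_layers_rrf: float) -> dict:
    """Compare an achieved PFDavg with what the hazard scenario requires."""
    achieved = pfd_avg_1oo1(**design)
    needed = required_pfd(unmitigated_hazard_freq_per_year, other_layers_rrf)
    return {
        "achieved_pfd": achieved,
        "achieved_sil_band": sil_from_pfd(achieved),
        "required_pfd": needed,
        "required_sil_band": sil_from_pfd(needed),
        "meets_target": achieved <= needed,
        "classification": classify_per_5_2_3(sil_from_pfd(needed)),
    }


# Constructed design: proof test at each annual periodic inspection, 20-year life.
DESIGN_A = dict(lambda_du=2e-7, lambda_dd=1e-6, proof_test_interval_h=HOURS_PER_YEAR,
                proof_test_coverage=0.9, lifetime_h=20 * HOURS_PER_YEAR, mttr_h=8.0,
                euc_shut_down_during_repair=True)

if __name__ == "__main__":
    # Constructed scenario: 1e-2 hazardous events/year unmitigated; other layers give RRF 100.
    print(assess(DESIGN_A, unmitigated_hazard_freq_per_year=1e-2, other_layers_rrf=100.0))
    perfect = dict(DESIGN_A, proof_test_coverage=1.0)
    print("PFDavg with 100 % proof test coverage:", pfd_avg_1oo1(**perfect))
```

The constructed design lands in the SIL 2 band; the 10 % of dangerous failures the annual proof test never reveals contribute more than twice as much PFDavg as the 90 % it does, and the same hardware with full coverage would sit in the SIL 3 band. That is the point of 3.7 Note 2: coverage, not just interval, decides the achievable SIL.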
5.2.4 Safe-state requirements
For lift safety functions that are new or differ from those specified in 5.3 and 5.4, the designer shall
identify the safe-state requirements in a manner similar to that in which they are described in Table 2.
5.3 Safety function SIL requirements
Table 1 provides the required SIL for each lift safety function. For further information, see Table B.1.
5.4 SIL-relevant and non-SIL-relevant safe-state requirements
Table 2 provides the required response of the lift to the lift safety functions of Table 1 and the SIL and
non-SIL-relevant requirements for each response from actuation of that function. An “X” indicates
the response is required for the safe-state condition when the safety function actuates or where the
PESSRAL detects an internal fault condition. See corresponding notes where a numerical note reference
value is used in place of an “X” for further clarification of the required response.
Table 1 — Safety function SIL requirements

ID no. | Lift safety function | Functional description | Lift type application | SIL
1 | Check final stopping limit positive drive | Detects that fewer than 1,5 turns of rope remain on the sheave or when the car has not reached top or bottom travel limit in the shaft and/or that the rope is unwinding in the reverse direction | Positive drive (winding drum) | 1
2 | Check tension, suspension means | Detects loss of tension in the suspension means (e.g. rope or chain) | Positive drive (winding drum), hydraulic | 2
3 | Check for running motor-generator | Detects loss of motor-generator running condition | Traction | 1
4 | Check tension, compensation means | Detects loss of tension in the compensation means | Traction | 3
5 | Check compensation tie-down | Detects if the travel limits have been exceeded for the compensation tie-down means (anti-rebound) | Traction | 3
6 | Check motor field running current | Detects loss of DC hoist motor field running current | Traction | 1
7 | Check tension, final limit linkage | Detects loss of tension in the means for the linkage of transmission of car position for the final limit | Traction, hydraulic | 1
8 | Check tension, ETSL linkage | Detects loss of tension in the means for the linkage of transmission of car position for emergency terminal speed limiting (ETSL) | Traction | 2
9 | Check fully retracted working platform | Detects if working platform is fully retracted | All | 3
10 (a,b,c,…i) [a] | Check manually operated stopping device | Detects if a manually operated stopping device (e.g. emergency stop switch) is actuated as applicable at car-top, pit, pulley room, docking operation, passenger/goods (freight) in-car, in-car, machine remote from the motion controller disconnect, machine spaces, control spaces, machine rooms, control rooms, equipment inspection and test access panels and inspection station | All | 3
10(i).1 [b] | Check non-manually operated stopping device | Detects if non-manually operated stopping device (e.g. switch) is actuated as applicable at pulley room | All | 1
10(a,d,g,h).2 [b] | Check non-manually operated stopping device | Detects if non-manually operated stopping device (e.g. switch) is actuated as applicable at passenger/goods (freight) in-car, pit, machinery spaces, equipment inspection, emergency and test panels | All | 2
10(e).3 [b] | Check non-manually operated stopping device | Detects if non-manually operated stopping device (e.g. switch) is actuated as applicable at inspection station | All | 3
11 | Check car safety gear | Detects if car safety gear has actuated | All | 1
12 | Check car overspeed (manual reset) | Detects car speed exceeding maximum limit set prior to or up to governor tripping speed; requires manual reset | All | 2
13 | Check reset of governor (manual type) | Detects if the governor is not in the reset position | All | 3
14 | Check tension in governor rope (or equivalent) | Detects loss of tension in the governor rope or car safety rope | All | 3
15 | Check car overspeed (automatic reset permitted) | Detects car speed exceeding the maximum limit set prior to or up to governor tripping speed; may be automatically reset | All | 2
16 | Check final limit (automatic or inspection) | Detects if car exceeds the final limit | All | 1
17 | Check for emergency terminal speed limit (ETSL) | Detects insufficient speed reduction in terminal zone where reduced stroke buffers are applied | Traction | 2
18 | Check tension in two suspension means | Detects loss of tension in a rope or chain in case of two ropes or a two-chain-type suspension | All | 1
19 | Check manual evacuation means | Detects that the manual means (e.g. wheel) for emergency evacuation is engaged with the machine | Traction winding drum | 1
20 | Check the fully retracted position of the mechanical device | Detects the fully retracted (inactive) position of the mechanical device | All | 3
21 | Check proper inactive position of pit protection mechanical device | Detects proper full disengagement of inactive position of the mechanical device that provides clearance protection in pit | All | 3
22 | Check proper full engagement of the pit protection mechanical device | Detects proper full engagement of the mechanical device that provides clearance protection in pit | All | 3
23 | Check movable stops not fully retracted | Detects movable stops not fully retracted | All | 3
24 | Check movable stops not fully extended | Detects movable stops not fully extended | All | 3
25 | Check doors providing access to equipment inside hoistway | Detects open access doors providing access to equipment inside the hoistway | All | 2
26 | Check doors providing access from working area outside hoistway | Detects open access doors, access from working area outside hoistway | All | 2
27 | Check circuit-breaker release device | Detects activation of the device to release the circuit breaker contactor (replacement of main switch) | All | 2
28 | Check levelling and re-levelling | Detects if car position is outside the levelling zone, with open doors, during levelling, re-levelling, or electrical anti-creeping | All | 2
29 | Check tension, levelling zone position rope or equivalent | Detects loss of tension in the means for the linkage of transmission of car position for levelling zone | All | 2
30 | Check travel limit for docking operation | Detects if the car exceeds the position limits for docking operation | All | 2
31 | Check docking operation | Detects if docking operation is enabled | All | 2
32 | Check car/landing door bypass operation | Detects if bypass operation is activated for landing and car door device(s) | All | 3
33 | Check top of car inspection operation | Detects if top of car inspection operation is enabled | All | 3
34 | Check in-car inspection operation | Detects if in-car inspection operation is enabled | All | 3
35 | Check clamping device | Detects engaged clamping device | Hydraulic | 1
36 | Check emergency electrical operation | Detects if emergency electrical operation (such as machine room, machine space, control room, control space, inspection and test panel, working platform and pit operation) is enabled | All | 3
37 | Check equipment in-car access panel | Detects if equipment in-car access panel is not closed | All | 2
38 | Check ascending car overspeed | Detects if maximum speed for an ascending car is exceeded | All | 2
39 | Check uncontrolled car movement | Detects uncontrolled movement of the car | All | 2
40 | Check pawl device | Detects if the position of the pawl device is not retracted | Hydraulic | 1
41 | Check buffer position of pawl device | Detects if the buffer is not in normal extended position where the pawl is used | Hydraulic | 3
42 | Check normal extended position of buffer | Detects if the buffer is not in the normal extended position | All | 3
43 | Check extended position of buffer mounted to safety device | Detects if the buffer mounted to safety device is not in normal extended position | All | 1
44 | Check unlocked car door(s) | Detects unlocked car door(s) | All | 2
45 | Check hoistway access operation | Detects if the hoistway access operation is enabled | All | 3
46 | Check hoistway inspection and emergency doors and traps | Detects if inspection or emergency hoistway doors or traps are not closed | All | 2
47 | Check pit door | Detects if pit access door is not closed | All | 2
48 | Check landing doors and panels | Detects unlocked position of landing doors and panels | All | 3
49 | Check car and landing doors and car and landing door panels | Detects if car or landing doors, or car or landing door panels are not closed | All | 3
50 | Check locked in-car inspection and emergency doors and traps | Detects if inspection or emergency doors or traps are unlocked in car or hoistway | All | 2
51 | Check emergency terminal stopping (ETS) | Detects if car is not decelerating when approaching the terminal landings | All | 1

[a] The letter designation on 10.x refers to stop switch location.
[b] The “.1”, “.2”, “.3” designation on 10 is consistent with the function SIL.

© ISO 2017 – All rights reserved
Table 2 — Safe-state requirements

NOTE The definitions of “Rx” are given at the end of this table.

Required responses (table columns), grouped in the table as SIL-relevant and non-SIL-relevant:
(1) Removal of power from machine motor and brake (traction lifts), respectively, from motor and/or involved valve(s) (hydraulic lifts)
(2) Block (prevent) automatic operation of lift (R22)
(3) Limit the travel range
(4) Interrupt supply circuit to the coil of the circuit breaker contactor
(5) Transfer to inspection operation
(6) Limit the speed of the car
(7) Limit car movement to a direction
(8) Manual reset required
(9) Ignore “check car door is closed and/or locked” circuit
(10) Ignore “check landing door is closed and/or locked” circuit
(11) Block (prevent) automatic operation of the doors
(12) Block (prevent) docking operation
(13) Block (prevent) emergency electrical operation
(14) Block (prevent) anti-creep (hydraulic only)
(15) Block (prevent) in-car inspection operation
(16) Block (prevent) hoistway access operation
(17) Velocity profile stop and/or profile start permitted
(18) Activate signalling

ID No. | Lift safety function | (1) | (2) | (3) | (4) | (5) | (6) | (7) | (8) | (9) | (10) | (11) | (12) | (13) | (14) | (15) | (16) | (17) | (18)
1 | Check final stopping limit positive drive | X | — | — | — | — | — | — | X | — | — | — | — | — | — | — | — | — | —
2 | Check tension, suspension means | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
3 | Check for running motor-generator | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
4 | Check tension, compensation means | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
5 | Check compensation tie-down | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
6 | Check motor field running current | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
7 | Check tension, final limit linkage | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
8 | Check tension, ETSL linkage | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
9 | Check fully retracted working platform | R26 | — | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
10 | Check manual (and non-manual) stop, stopping device | X | — | — | — | — | — | — | — | — | — | X | — | — | — | — | — | — | —
11 | Check car safety gear | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
12 | Check car overspeed (manual reset) | X | — | — | — | — | — | — | X | — | — | — | — | — | — | — | — | — | —
13 | Check reset of governor (manual type) | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
14 | Check tension in governor rope (or equivalent) | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
15 | Check car overspeed (automatic reset permitted) | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
16 | Check final limit (automatic or inspection) | X | — | — | — | — | — | — | R24 | — | — | — | — | — | — | — | — | — | —
17 | Check for emergency terminal speed limit (ETSL) | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | X | —
18 | Check tension in two-suspension means | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
19 | Check manual evacuation means | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
20 | Check the fully retracted position of the mechanical device | X | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
21 | Check proper inactive position of pit protection mechanical device | R27 | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | —
...