ISO 8102-6:2019

INTERNATIONAL ISO
STANDARD 8102-6
First edition
2019-01
Electrical requirements for lifts,
escalators and moving walks —
Part 6:
Programmable electronic systems
in safety-related applications
for escalators and moving walks
(PESSRAE)
Exigences électriques pour ascenseurs, escaliers mécaniques et
trottoirs roulants —
Partie 6: Systèmes électroniques programmables dans les applications
liées à la sécurité pour escaliers mécaniques et trottoirs roulants
Reference number
©
ISO 2019
© ISO 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2019 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 2
3 Terms and definitions . 2
4 Requirements . 6
4.1 General . 6
4.2 Extended application of this document . 7
4.2.1 General. 7
4.2.2 Risk assessment . . 7
4.2.3 Limits for specifying SIL for PESSRAE . 7
4.2.4 Safe-state requirements . 8
4.3 Safety function SIL requirements . 8
4.4 SIL relevant and non-SIL relevant safe state requirements . 9
4.5 Implementation and demonstration requirements for verification of SIL compliance .15
4.5.1 General.15
4.5.2 Required techniques and measures to implement and demonstrate PE
systems compliance with specified safety integrity levels in this document .15
4.5.3 Loss of power after a PESSRAE device has actuated .15
Annex A (normative) Techniques and measures to implement, verify, and maintain SIL
compliance .16
Annex B (informative) Example of risk reduction decision table .19
Bibliography .20
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Technical Committee ISO/TC 178, Lifts, escalators and moving walks.
This document cancels and replaces ISO 22201-2:2013.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO 2019 – All rights reserved

Introduction
0.1 General
Systems comprised of electrical and/or electronic elements have been used for many years to perform
safety functions in most application sectors. Computer-based systems, generically referred to as
programmable electronic systems, are being used in many application sectors to perform non-safety
functions and, increasingly, to perform safety functions. If computer system technology is to be
effectively and safely exploited, it is essential that those responsible for making decisions have sufficient
guidance on the safety aspects on which to make these decisions. In most situations, safety is achieved
by a number of protective systems that rely on many technologies (for example mechanical, hydraulic,
pneumatic, electrical, electronic, programmable electronic). Therefore, any safety strategy needs to
consider not only all the components within an individual system (for example sensors, controlling
devices and actuators) but also all the safety-related elements making up the total combination of
safety-related systems.
This document is based on the guidelines provided in generic standards IEC 62061 and EN 115-1:2008.
The requirements given in this document recognize the fact that the product family covers a total
range of escalators and moving walks used in residential buildings, offices, hospitals, hotels, industrial
plants, etc. This document is the product family standard for escalators and moving walks and takes
precedence over all aspects of the generic standard.
This document sets out the product-specific requirements for systems comprising programmable
electronic elements that are used to perform safety functions in escalators and moving walks. This
document has been developed so that consistent technical and performance requirements and rationale
can be specified for programmable electronic system in safety-related application for escalators
(PESSRAE) and moving walks.
Risk analysis, terminology, and technical solutions have been considered, taking into account the
methods of the IEC 61508 series. The risk analysis of each safety function specified in Table 1 resulted
in the classification of electric safety functions applied to PESSRAE. Tables 1 and 2 give the safety
integrity level and functional requirements, respectively, for each electric safety function.
The safety integrity levels (SIL) specified in this document can also be applied to other technologies
used to satisfy the safety functions specified in this document.
0.2 Harmonization with national escalator and moving walk standards
The application of this document is intended to be by reference within a national escalator and moving
walk standards such as escalator and moving walk codes, standards, or laws. There are three reasons
for this.
— to allow selective reference by national standards to specific escalator and moving walk safety
functions described in this document. Not all escalator and moving walk safety functions identified
in this document are called out in every national standard;
— to allow for future harmonization of national standards with escalator and moving walk safety
functions identified in this document. Because some differences exist in the requirements for
fulfilment of the safety objective of national escalator and moving walk standards and in national
practice of escalator and moving walk use and maintenance, there are instances where the
requirements for escalator and moving walk safety functions described in this document are based
on the consensus work and agreement by ISO/TC 178. National bodies can choose to selectively
harmonize with those escalator and moving walk safety functions that differ in the requirements
called for by the existing national standards in future revisions;
— to allow for the application of this document where escalator and moving walk safety functions
are new or deviate from those specified in this document. More and more, national escalator and
moving walk legislations are moving to performance based requirements. For this reason the
development of new or different escalator and moving walk safety functions can be foreseen in
product specific applications. For those who require escalator and moving walk safety functions
that are new or different from those specified in this document, this document provides a verifiable
method to establish the necessary level of safety integrity for those functions.
vi © ISO 2019 – All rights reserved

INTERNATIONAL STANDARD ISO 8102-6:2019(E)
Electrical requirements for lifts, escalators and moving
walks —
Part 6:
Programmable electronic systems in safety-related
applications for escalators and moving walks (PESSRAE)
1 Scope
1.1 This document is applicable to the product family of escalators and moving walks used in
residential buildings, offices, hospitals, hotels, industrial plants, etc. This document covers those aspects
that need to be addressed when programmable electronic systems are used to carry out electric safety
functions for escalators and moving walks (PESSRAE). This document is applicable for escalator and
moving walk safety functions that are identified in escalator and moving walk codes, standards, or laws
that reference this document for PESSRAE application. The safety integrity levels (SILs) specified in this
document are understood to be valid for PESSRAE application in the context of the referenced escalator
and moving walk codes, standards, and laws in the Bibliography.
1.2 This document is also applicable for the application of PESSRAE that are new or deviate from those
described in this document.
1.3 The requirements of this document regarding electrical safety/protective devices are such that it is
not necessary to take into consideration the possibility of a failure of an electric safety/protective device
complying with all the requirements of this document and other relevant standards.
This document:
a) uses safety integrity levels (SIL) for specifying the target failure rate for the safety functions to be
implemented by the PESSRAE;
b) specifies the requirements for achieving safety integrity for a function but does not specify who is
responsible for implementing and maintaining the requirements (for example, designers, suppliers,
owner/operating company, contractor); this responsibility is assigned to different parties according
to safety planning and national regulations;
c) applies to PE systems used in escalator and moving walk applications that meet the minimum
requirements of a recognized escalator and moving walk standards, such as EN 115, ASME A17.1/
CSA B44 or The Japan Building Standard Law Enforcement Order For Elevator and Escalator;
d) defines the relationship between this document and IEC 61508 and defines the relationship
between this document and ISO 22200;
e) outlines the relationship between escalator and moving walk safety functions and their safe-state
conditions;
f) applies to phases and activities that are specific to design of hardware and software but not the
phases and activities which occur post design, for example sourcing and manufacturing;
h) provides requirements relating to the hardware and software safety validation;
i) establishes the safety integrity levels for specific escalator and moving walk safety functions;
j) specifies techniques/measures required for achieving the specified safety integrity levels;
k) defines a maximum level of performance (SIL 3) which can be achieved for a PESSRAE according to
this document and defines a minimum level of performance (SIL 1).
1.4 This document does not cover:
a) hazards arising from the PE systems equipment itself such as electric shock etc.;
b) the concept of fail-safe that can be of value when the failure modes are well defined and the level of
complexity is relatively low. The concept of fail-safe was considered inappropriate because of the
full range of complexity of PESSRAE that are within the scope of this document;
c) other relevant requirements necessary for the complete application of a PESSRAE in an escalator
and moving walk safety function, such as system integration specifications, temperature and
humidity, the mechanical construction, mounting and labelling of switches, actuators, or sensors
that contain PESSRAE.
d) foreseeable misuse involving security threats related to malevolent or unauthorized action. This
document can be used in cases where a security threat analysis needs to be considered, provided
that the specified SIL has been reassessed.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
IEC 61508-1:2010, Functional safety of electrical/electronic/programmable electronic safety-related
systems — Part 1: General Requirements
IEC 61508-2, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 3: Software requirements
IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 4: Definitions and abbreviations
IEC 61508-5, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 5: Example of methods for the determination of Safety Integrity Levels
ISO 22200, Electromagnetic compatibility — Product family standard for lifts, escalators and moving
walks — Immunity
IEC 62061, Safety of machinery — Functional safety of safety-related electrical, electronic and
programmable electronic control systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 61508-4 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
2 © ISO 2019 – All rights reserved

3.1
non-SIL relevant safe-state requirement
required response to the actuation of a SIL rated safety function where the function performing this
response is not required to be SIL-rated
Note 1 to entry: See Figure 4 and Table 2.
3.2
programmable electronic
PE
based on computer technology which can be composed of hardware, software, and of input and/or
output units
Note 1 to entry: This term covers microelectronic devices based on one or more central processing units (CPUs)
together with associated memories, etc.
EXAMPLE The following are all programmable electronic devices:
—  microprocessors;
—  micro-controllers;
—  programmable controllers;
—  field programmable gate array (FPGA);
—  application specific integrated circuits (ASICs);
—  programmable logic controllers (PLCs);
—  other computer-based devices (for example smart sensors, transmitters, actuators).
3.3
programmable electronic system
PE system
system for control, protection or monitoring based on one or more programmable electronic devices,
including all elements of the system such as power supplies, sensors and other input devices, data
highways and other communication paths, and actuators and other output devices
Note 1 to entry: See Figure 1.
Note 2 to entry: A PE systems may perform functions that fulfil requirements for SIL-rated and non-SIL–rated
function(s). The SIL rating of a function is only required to consider that portion of PE systems that perform the
SIL relevant functional requirements.
Note 3 to entry: The programmable electronics are shown centrally located but can exist at several places in the
PE systems.
Figure 1 — Basic PE systems structure
3.4
programmable electronic systems in safety-related applications for escalators and moving walks
PESSRAE
application of a software-based PE systems in a safety-related system for escalators and moving walks
4.5
proof test
periodic test performed to detect dangerous hidden failures in a safety-related system so that, if
necessary, a repair can restore the system to an “as new” condition or as close as practical to this
condition
Note 1 to entry: In this document, the term “proof test” is used but it is recognized that a synonymous term is
“periodical test”.
Note 2 to entry: The effectiveness of the proof test is dependent both on failure coverage and repair effectiveness.
In practice, detecting 100 % of the hidden dangerous failures is not easily achieved for other than low-complexity
E/E/PE safety-related systems. This should be the target. As a minimum, all the safety functions which are
executed are checked according to the E/E/PE system safety requirements specification. If separate channels are
used, these tests are done for each channel separately. For complex elements, it can be necessary to perform an
analysis in order to demonstrate that the probability of hidden dangerous failure not detected by proof tests is
negligible over the whole life duration of the E/E/PE safety-related system.
Note 3 to entry: A proof test needs some time to be achieved. During this time, the E/E/PE safety-related system
may be inhibited partially or completely. The proof test duration can be neglected only if the part of the E/E/PE
safety-related system under test remains available in case of a demand for operation or if the EUC is shut down
during the test.
Note 4 to entry: During a proof test, the E/E/PE safety-related system may be partly or completely unavailable to
respond to a demand for operation. The MTTR can be neglected for SIL calculations only if the EUC is shut down
during repair or if other risk measures are put in place with equivalent effectiveness.
Note 5 to entry: A repair (including replacement) can be considered restoring the system to "as new”.
3.6
safety circuit
total combination of safety devices that fulfil all or a group of escalator and moving walk safety
functions
Note 1 to entry: See Figure 2
4 © ISO 2019 – All rights reserved

Figure 2 — Safety circuit
3.7
safety device
part of the safety-related system, including necessary control circuits, that has been designated to
achieve, in its own right, an escalator and moving walk safety function and can consist of PE system
elements and non-PE system elements
Note 1 to entry: See Figure 3 and Table 1.
Figure 3 — Safety device
3.8
safety function
function to be implemented by a safety-related system, which is intended to achieve or maintain a safe-
state of the escalator and moving walk, with respect to a specific hazardous event
Note 1 to entry: See Table 1.
Note 2 to entry: A safety function may include non-SIL relevant requirements, see Table 2.
3.9
safety-related system
system which consists of one or more safety devices performing one or more safety functions that can
be based on programmable electronic (PE), electrical, electronic and/or mechanical elements of the
escalator and moving walk
Note 1 to entry: The term includes all the hardware, software and supporting services (for example, power
supplies) necessary to carry out the specified safety function [sensors, other input devices, final elements
(actuators) and other output devices are therefore included in the safety-related system].
3.10
safety integrity level
SIL
discrete level for specifying the safety integrity requirements of the safety functions to be allocated to
the programmable electronic safety-related system
Note 1 to entry: There are four SIL: safety integrity level 4 has the highest level of safety integrity and safety
integrity level 1 has the lowest.
Note 2 to entry: In the context of this document, SIL 3 is the highest safety integrity level that is applied to
escalators and moving walks.
Note 3 to entry: The SIL is indicative of a failure rate that includes all causes of failures (both random hardware
failures and systematic failures), which lead to an unsafe state, for example hardware failures, software induced
failures and failures due to electrical interference
3.11
SIL relevant safe-state requirement
part of the safety-related system where it is required to meet the specified SIL of the function
Note 1 to entry: See Figure 4 and Table 2.
Figure 4 — Escalator and moving walk safety function
3.12
system reaction time
sum of the following two values:
a) the time period between the occurrence of a fault in the PESSRAE and the initiation of the
corresponding action on the escalator and moving walk;
b) the time period for the escalator and moving walk to respond to the action, maintaining a safe state.
4 Requirements
4.1 General
4.1.1 Table 1 defines the safety function names, the associated escalator and moving walk functional
description, applicable escalator and moving walk type and required SIL for the SIL relevant part of the
safety function.
NOTE Safety functions refer to the escalator and moving walk functions that are identified in codes
standards and laws that reference this document for PESSRAE application.
6 © ISO 2019 – All rights reserved

4.1.2 Table 2 defines the safe-state requirements when the safety functions in Table 1 are actuated. If a
safety function actuates, the safety function shall cause the escalator and moving walk system to revert to
the safe-state conditions specified by the requirements of Table 2.
4.1.3 PESSRAE shall consider the reaction time of the escalator and moving walk to respond to the
safety function and internal fault detection in the necessary time to achieve the safe-state condition
without hazard. Methods that fulfil internal fault detection shall consider the necessary system reaction
time required by the SIL.
NOTE For example, if an internal fault is detected by comparison of data in
...