Safety rules for the construction and installation of lifts - Part 1: Electric lifts

The base standard permits the use of electronic components in safety circuits, thus giving hardware provisions. This amendment extends their use to permit the inclusion of software (programmable electronic systems). It covers those aspects that need to be addressed when programmable electronic systems are used to carry out electric safety functions for lifts within the scope of EN 81-1:1998.

Sicherheitsregeln für die Konstruktion und den Einbau von Aufzügen - Teil 1: Elektrisch betriebene Personen- und Lastenaufzüge

Regles de sécurité pour la construction et l'installation des ascenseurs - Partie 1: Ascenseurs électriques

Varnostna pravila za konstruiranje in vgradnjo dvigal (liftov) – 1. del: Električna dvigala

General Information

Status: Withdrawn
Publication Date: 28-Feb-2006
Withdrawal Date: 18-Aug-2010
Current Stage: 9900 - Withdrawal (Adopted Project)
Start Date: 17-Aug-2010
Due Date: 09-Sep-2010
Completion Date: 19-Aug-2010


Buy Standard

Amendment
EN 81-1:1999/A1:2006
English language
19 pages

Standards Content (Sample)

SLOVENIAN STANDARD
SIST EN 81-1:1999/A1:2006
1 March 2006
Varnostna pravila za konstruiranje in vgradnjo dvigal (liftov) – 1. del: Električna dvigala
Safety rules for the construction and installation of lifts - Part 1: Electric lifts
Sicherheitsregeln für die Konstruktion und den Einbau von Aufzügen - Teil 1: Elektrisch
betriebene Personen- und Lastenaufzüge
Regles de sécurité pour la construction et l'installation des ascenseurs - Partie 1:
Ascenseurs électriques
This Slovenian standard is identical to: EN 81-1:1998/A1:2005
ICS:
91.140.90 Lifts. Escalators
SIST EN 81-1:1999/A1:2006 en
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.


EUROPEAN STANDARD
EN 81-1:1998/A1
NORME EUROPÉENNE
EUROPÄISCHE NORM
November 2005
ICS 91.140.90

English Version
Safety rules for the construction and installation of lifts - Part 1:
Electric lifts
Règles de sécurité pour la construction et l'installation des ascenseurs - Partie 1: Ascenseurs électriques
Sicherheitsregeln für die Konstruktion und den Einbau von Aufzügen - Teil 1: Elektrisch betriebene Personen- und Lastenaufzüge
This amendment A1 modifies the European Standard EN 81-1:1998; it was approved by CEN on 13 May 2005.
CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for inclusion of this
amendment into the relevant national standard without any alteration. Up-to-date lists and bibliographical references concerning such
national standards may be obtained on application to the Central Secretariat or to any CEN member.
This amendment exists in three official versions (English, French, German). A version in any other language made by translation under the
responsibility of a CEN member into its own language and notified to the Central Secretariat has the same status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France,
Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia,
Slovenia, Spain, Sweden, Switzerland and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: rue de Stassart, 36, B-1050 Brussels
© 2005 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN 81-1:1998/A1:2005: E


EN 81-1:1998/A1:2005 (E)
Contents
Foreword (page 3)
1 Modifications in Clause 0 (page 4)
2 Modifications in Clause 2 (page 4)
3 Modifications in Clause 3 (page 4)
4 Modifications in Clause 14 (page 5)
5 Modifications in Clause 16 (page 10)
6 Modifications in Annex A (page 11)
7 Modifications in Annex F (page 12)
8 Amended Annex P (page 13)
Annex ZA (informative) Relationship between this European Standard and the Essential Requirements of EU Directive 95/16/EC (page 19)


Foreword
This European Standard (EN 81-1:1998/A1:2005) has been prepared by Technical Committee CEN/TC 10 “Lifts,
escalators and moving walks”, the secretariat of which is held by AFNOR.
This Amendment to the European Standard EN 81-1:1998 shall be given the status of a national standard, either
by publication of an identical text or by endorsement, at the latest by May 2006, and conflicting national standards
shall be withdrawn at the latest by May 2006.
This European Standard has been prepared under a mandate given to CEN by the European Commission and the
European Free Trade Association, and supports essential requirements of EU Directive(s).
For relationship with EU Directive(s), see informative Annex ZA, which is an integral part of this European
Standard.
The 1998 edition of EN 81-1, under 14.1.2.1.1 b) 3) and Annex H foresees the use of electronic components in
safety circuits thus giving hardware provisions. This amendment extends their use to permit the inclusion of
software (programmable electronic systems - PESSRAL).
This amendment A1 covers those aspects that need to be addressed when programmable electronic systems (PESSRAL) are used to carry out electric safety functions for lifts within the scope of EN 81-1:1998 and EN 81-1:1998/A2:2004.
This amendment A1 covers the necessary additional precautions by replacing the relevant existing text of
EN 81-1:1998 or adding new clauses as indicated.
NOTE Drafting and presentation of the amended text has been arranged to comply with the presentation of EN 81-1:1998.
According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to implement this European Standard: Austria, Belgium, Cyprus, Czech Republic, Denmark,
Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.

1 Modifications in Clause 0
A new 0.2.6 shall be added as follows:
"0.2.6 Risk analysis, terminology and technical solutions have been considered taking into account the methods of
the EN 61508 series of standards. This led to a necessary classification of safety functions applied to PESSRAL.”
0.3.5 shall be amended as follows:
"0.3.5 The requirements of this European Standard regarding electrical safety devices are such that the possibility
of a failure of an electric safety device (see 14.1.2.1.1 b)) complying with all the requirements of this European
Standard need not to be taken into consideration.”
2 Modifications in Clause 2
Clause 2 shall be amended as follows:
"EN 61508-1:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems - Part
1: General requirements (IEC 61508-1:1998 + Corrigendum 1999).
EN 61508-2:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems - Part
2: Requirements for electrical/electronic/programmable electronic safety-related systems (IEC 61508-2:2000).
EN 61508-3:2001, Functional safety of electrical/electronic/programmable electronic safety related systems - Part
3: Software requirements (IEC 61508-3:1998 + Corrigendum 1999).
EN 61508-4:2001, Functional safety of electrical/electronic/programmable electronic safety related systems - Part
4: Definitions and abbreviations (IEC 61508-4:1998 + Corrigendum 1999).
EN 61508-5:2001, Functional safety of electrical/electronic/programmable electronic safety related systems - Part
5: Examples of methods for the determination of safety integrity levels (IEC 61508-5:1998 + Corrigendum 1999).
EN 61508-7:2001, Functional safety of electrical/electronic/programmable electronic safety related systems – Part
7: Overview of techniques and measures (IEC 61508-7:2000)."
3 Modifications in Clause 3
Clause 3 shall be amended by the following definitions:
"programmable electronic system in safety related applications for lifts (PESSRAL)
(système électronique programmable dans les applications liées à la sécurité des ascenseurs (PESSRAL))
(programmierbares elektronisches System in sicherheitstechnisch relevanten Anwendungen für Aufzüge
(PESSRAL))
system for control, protection or monitoring based on one or more programmable electronic devices, including all
elements of the system such as power supplies, sensors and other input devices, data highways and other
communication paths, and actuators and other output devices, used in safety related applications as listed in
Tables A.1 and A.2.
system reaction time
(temps de réaction système)
(Systemreaktionszeit)
sum of the following two values:
a) time period between the occurrence of a fault in the PESSRAL and the initiation of the corresponding action on
the lift;
b) time period for the lift to respond to the action, maintaining a safe state.
safety integrity level (SIL)
(niveau d’intégrité de sécurité)
(Sicherheits-Integritätslevel)

discrete level for specifying the safety integrity requirements of the safety functions to be allocated to the PESSRAL
NOTE In this European Standard SIL 1 is representing the lowest level and SIL 3 the highest."
4 Modifications in Clause 14
14.1.2.1.1 b) shall be amended as follows:
"4) programmable electronic systems in safety related applications in accordance with 14.1.2.6."
A new 14.1.2.6 shall be added as follows:
"14.1.2.6 Programmable electronic systems in safety related applications (PESSRAL)
Tables A.1 and A.2 give the safety integrity level for each electric safety device.
Programmable electronic systems designed in accordance with 14.1.2.6 cover the requirements of 14.1.2.3.2.
The minimum requirements of the safety functions common to all SILs are listed in Tables 6, 7 and 8. In addition
specific measures required for SILs 1, 2 and 3 are listed respectively in Tables 9, 10 and 11.
NOTE The EN 61508-7:2001 clauses listed in Tables 6 to 11 refer to the relevant requirements in EN 61508-2:2001 and
EN 61508-3:2001.
To avoid unsafe modification, measures to prevent unauthorised access to the program code and safety related
data of PESSRAL shall be provided, e.g. using EPROM, access code, etc.
If a PESSRAL and a non safety related system share the same hardware, the requirements for PESSRAL shall be
met.
If a PESSRAL and a non safety related system share the same PCB, the requirements of 13.2.2.3 shall apply for
the separation of the two systems.”
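Clause 14.1.2.6 requires measures against unauthorised modification of the program code and safety-related data, and Table 6 (items 7 and 8) narrows remote access to informative data only. The following C fragment is an added illustration of that design principle and is not text or code from EN 81-1 or from any lift manufacturer: a service-port handler whose command set contains no write operation at all, and whose only read is bounds-checked against the statistics block so that neither the code region nor the safety data can be addressed. The memory map, the opcode values and the frame layout are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example for 14.1.2.6 and Table 6 items 7 and 8: a remote or service
 * interface on which only informative data can be read, so that neither the
 * program code nor safety-related data can be changed by remote intervention.
 * Not code from EN 81-1 or any lift manufacturer; the memory map, opcode
 * values and frame layout are assumptions made for this illustration. */

/* Assumed memory map. Only `statistics` appears in the dispatcher below, so
 * no opcode/offset combination can select the code or the safety data. */
static const uint8_t program_code[64] = { 0xB5, 0x00, 0x70, 0x47 }; /* invariant, write-protected */
static uint32_t      safety_data[8]   = { 0 };                       /* variable, safety related */
static uint32_t      statistics[8]    = { 1234u, 56u, 7u };          /* trips, door cycles, faults */

enum opcode { OP_READ_STATS = 0x52 /* 'R' */ };  /* the command set contains no write */

struct request  { uint8_t opcode; uint8_t offset; uint8_t len; };
struct response { int ok; uint8_t len; uint8_t data[16]; };

/* Handle one request. ok == 0 means rejected with nothing touched. The bounds
 * test is arranged so that offset + len cannot wrap past the end of the block. */
struct response service_port_handle(const struct request *req)
{
    struct response rsp;
    memset(&rsp, 0, sizeof rsp);
    if (req->opcode != OP_READ_STATS) return rsp;               /* unknown or would-be write */
    if (req->len == 0u || req->len > sizeof rsp.data) return rsp;
    if (req->offset >= sizeof statistics ||
        (size_t)req->len > sizeof statistics - req->offset) return rsp; /* outside informative block */
    memcpy(rsp.data, (const uint8_t *)statistics + req->offset, req->len);
    rsp.len = req->len;
    rsp.ok = 1;
    return rsp;
}

/* Demonstration helpers with constructed requests. */
int demo_read_in_bounds(void)
{
    struct request req = { OP_READ_STATS, 4, 8 };            /* second and third counter */
    struct response rsp = service_port_handle(&req);
    return rsp.ok && rsp.len == 8 &&
           memcmp(rsp.data, (const uint8_t *)statistics + 4, 8) == 0;
}

int demo_read_out_of_bounds(void)
{
    struct request a = { OP_READ_STATS, 28, 8 };   /* 28 + 8 runs past the 32-byte block */
    struct request b = { OP_READ_STATS, 255, 1 };  /* offset itself out of range */
    return !service_port_handle(&a).ok && !service_port_handle(&b).ok;
}

/* A "write" opcode does not exist; any frame claiming one is rejected, and the
 * code and safety data are bit-for-bit unchanged afterwards. */
int demo_write_attempt_rejected(void)
{
    uint8_t  code_before[sizeof program_code];
    uint32_t safety_before[8];
    memcpy(code_before, program_code, sizeof program_code);
    memcpy(safety_before, safety_data, sizeof safety_data);
    struct request w = { 0x57 /* 'W' */, 0, 4 };
    int rejected = !service_port_handle(&w).ok;
    return rejected && memcmp(code_before, program_code, sizeof program_code) == 0
                    && memcmp(safety_before, safety_data, sizeof safety_data) == 0;
}

int main(void)
{
    printf("read in bounds: %d, out-of-bounds rejected: %d, write rejected: %d\n",
           demo_read_in_bounds(), demo_read_out_of_bounds(), demo_write_attempt_rejected());
    return 0;
}
```

The software-side restriction complements the physical measure the clause names (program code held in EPROM or otherwise write-protected memory); it does not replace it. Any maintenance mode reachable through the same port also falls under Table 7 item 13: normal operation of the lift must be impossible until that mode has been terminated.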
The following Tables shall be added:
Table 6 - Common measures to avoid and detect failures - Hardware design
No | Object | Measure | EN 61508-7:2001 reference
1 | Processing unit | Use of watchdog. | A.9
2 | Component selection | Use of components only within their specifications. | -
3 | I/O units and interfaces incl. communication links | Defined safe state in the event of power failure or reset. | -
4 | Power supply | Defined safe shut-off state in case of over-voltage or under-voltage. | A.8.2
5 | Variable memory ranges | Use of only solid state memories. | -
6 | Variable memory ranges | Read/write test of variable data memory during boot procedure. | -
7 | Variable memory ranges | Remote access only to informative data (e.g. statistics). | -
8 | Invariant memory ranges | No possibility to change the program code, either automatically by the system or by remote intervention. | -
9 | Invariant memory ranges | Test of program code memory and fixed data memory during boot procedure with a method at least equivalent to sum check. | A.4.2
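Items 6 and 9 of Table 6 call for a read/write test of the variable memory and a test of the program code and fixed-data memory at boot, the latter with a method at least equivalent to a sum check. The following C code is an added illustration of both tests and is not taken from EN 81-1 or from any manufacturer's firmware: it uses CRC-16/CCITT-FALSE over the invariant region, a pattern-and-address test over the variable region, and withholds release of the lift until both pass. The memory sizes, the simulated RAM with its fault-injection hook and the safe-state model are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example for Table 6 items 6 and 9 (boot-time tests of variable and
 * invariant memory). Not code from EN 81-1 or any manufacturer: the memory
 * sizes, the simulated RAM, the fault-injection hook and the safe-state model
 * are assumptions made for this illustration. */

#define RAM_WORDS 64u
static uint32_t sim_ram[RAM_WORDS];        /* stands in for the controller SRAM */
static uint32_t ram_stuck_low_mask = 0;    /* fault injection: these bits read back as 0 */

static void     ram_write(size_t i, uint32_t v) { sim_ram[i] = v & ~ram_stuck_low_mask; }
static uint32_t ram_read(size_t i)              { return sim_ram[i]; }

/* CRC-16/CCITT-FALSE (polynomial 0x1021, init 0xFFFF, no reflection, no xorout).
 * A CRC detects every single-bit, every two-bit and every odd-count bit error
 * within its block length, which an additive sum check cannot claim, so it
 * satisfies "at least equivalent to sum check". Check value for "123456789"
 * is 0x29B1. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Table 6 item 9: recompute the CRC over program code plus fixed data and
 * compare with the reference the build tool stored. Returns 1 when intact. */
int check_invariant_memory(const uint8_t *image, size_t len, uint16_t reference)
{
    return crc16_ccitt(image, len) == reference;
}

/* Table 6 item 6: destructive read/write test of the variable memory, run at
 * boot before any safety-related data lives there. Complementary patterns
 * exercise every bit as 0 and 1; the final address-derived pass catches
 * swapped or stuck address lines. Returns 1 when every word read back. */
int test_variable_memory(void)
{
    static const uint32_t patterns[] = { 0x55555555u, 0xAAAAAAAAu, 0x00000000u, 0xFFFFFFFFu };
    for (size_t p = 0; p < sizeof patterns / sizeof patterns[0]; p++) {
        for (size_t i = 0; i < RAM_WORDS; i++) ram_write(i, patterns[p]);
        for (size_t i = 0; i < RAM_WORDS; i++)
            if (ram_read(i) != patterns[p]) return 0;
    }
    for (size_t i = 0; i < RAM_WORDS; i++) ram_write(i, (uint32_t)i * 0x01010101u);
    for (size_t i = 0; i < RAM_WORDS; i++)
        if (ram_read(i) != (uint32_t)i * 0x01010101u) return 0;
    return 1;
}

/* Safe state during boot (Table 7 item 2): the lift stays unreleased until
 * both tests have passed. Returns 1 when the safety function may be enabled. */
static int lift_released = 0;
int boot_self_test(const uint8_t *image, size_t len, uint16_t reference)
{
    lift_released = 0;
    if (!check_invariant_memory(image, len, reference)) return 0;
    if (!test_variable_memory()) return 0;
    lift_released = 1;
    return 1;
}

/* Constructed image standing in for flash contents. In production the
 * reference CRC is produced by the build tool and written next to the code. */
static uint8_t image[] = { 0x00, 0x20, 0x00, 0x20, 0xC1, 0x00, 0x00, 0x08, 0xE7, 0xFE, 0x70, 0x47 };

/* Demonstration: one flipped bit in the image and one RAM bit stuck low must
 * each be caught, and the fault-free case must pass. Returns 1 if all hold. */
int demo_faults_are_detected(void)
{
    uint16_t ref = crc16_ccitt(image, sizeof image);
    int ok = boot_self_test(image, sizeof image, ref) == 1;
    image[5] ^= 0x10u;                                    /* inject one bit flip */
    ok &= boot_self_test(image, sizeof image, ref) == 0;
    image[5] ^= 0x10u;                                    /* restore */
    ram_stuck_low_mask = 0x00000004u;                     /* bit 2 of every word stuck at 0 */
    ok &= boot_self_test(image, sizeof image, ref) == 0;
    ram_stuck_low_mask = 0;
    ok &= boot_self_test(image, sizeof image, ref) == 1;
    return ok;
}

int main(void)
{
    printf("CRC-16/CCITT-FALSE check value: 0x%04X\n", crc16_ccitt((const uint8_t *)"123456789", 9));
    printf("fault detection demo: %s\n", demo_faults_are_detected() ? "PASS" : "FAIL");
    return lift_released ? 0 : 1;
}
```

The variable-memory test is destructive and therefore belongs before any safety-related data is placed in RAM, which is also why Table 7 item 2 requires the lift to be held in a safe state throughout the boot procedure. The reference CRC is not something the running system may recompute and store itself; it is produced by the build tool, so that a corrupted image cannot "bless" itself.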

Table 7 - Common measures to avoid and detect failures - Software design
No | Object | Measure | EN 61508-7:2001 reference
1 | Structure | Program structure (i.e. modularity, data handling, interface definition) according to the state of the art (see EN 61508-3). | B.3.4/C.2.1, C.2.9/C.2.7
2 | Boot procedure | During boot procedures a safe state of the lift shall be maintained. | -
3 | Interrupts | Limited use of interrupts: use of nested interrupts only if all possible sequences of interrupts are predictable. | C.2.6.5
4 | Interrupts | No triggering of watchdog by interrupt procedure except in combination with other program sequence conditions. | A.9.4
5 | Power down | No power down procedures, such as saving of data, for safety related functions. | -
6 | Memory management | Stack manager in the hardware and/or software with appropriate reaction procedure. | C.2.6.4/C.5.4
7 | Program | Iteration loops shorter than system reaction time, e.g. by limiting number of loops or checking execution time. | -
8 | Program | Array pointer offset checks, if not included in the used programming language. | C.2.6.6
9 | Program | Defined handling of exceptions (e.g. divisions by zero, overflow, variable range checking etc.) which forces the system into a defined safe state. | -
10 | Program | No recursive programming, except in well tried standard libraries, in approved operating systems, or in high-level language compilers. For these exceptions separate stacks for separate tasks shall be provided and controlled by a memory management unit. | C.2.6.7
11 | Program | Documentation of programming library interfaces and operating systems at least as complete as the user program itself. | -
12 | Program | Plausibility checks on data relevant to safety functions, e.g. input patterns, input ranges, internal data. | C.2.5/C.3.1
13 | Program | If any operational mode can be invoked for testing or validation purposes, normal operation of the lift shall not be possible until this mode has been terminated. | EN 61508-1:2001, 7.7.2.1
14 | Communication system (external and internal) | Reach a safe state with due consideration to the system reaction time in a bus communication system with safety functions in case of loss of communication or a fault in a bus participant. | A.7/A.9
15 | Bus system | No reconfiguration of the CPU-bus system, except during the boot procedure. NOTE: Periodical refresh of the CPU-bus system is not considered as being reconfiguration. | C.3.13
16 | I/O handling | No reconfiguration of I/O lines, except during the boot procedures. NOTE: Periodical refresh of the I/O configuration registers is not considered as being reconfiguration. | C.3.13
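Items 9 and 12 of Table 7 require defined handling of arithmetic exceptions (division by zero, overflow, range violations) that forces a safe state, and plausibility checks on input patterns, input ranges and internal data. The following C code is an added illustration and is not code from EN 81-1 or from any manufacturer: a car-speed calculation in which each arithmetic hazard is tested explicitly, a cross-check between two encoder channels, and an antivalent door-contact check, all feeding one safety cycle whose only outcomes are RUN or SAFE. The encoder resolution, the speed envelope, the channel tolerance and the contact wiring are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example for Table 7 items 9 and 12: defined handling of arithmetic
 * exceptions (division by zero, overflow, range violation) that forces a safe
 * state, and plausibility checks on safety-relevant inputs. Not code from
 * EN 81-1 or any manufacturer; encoder resolution, speed envelope, channel
 * tolerance and the antivalent door-contact wiring are assumptions. */

enum sys_state { STATE_SAFE = 0, STATE_RUN = 1 };

#define MM_PER_PULSE            1u     /* assumed encoder resolution */
#define MAX_PLAUSIBLE_MM_S      3000u  /* assumed envelope; anything above is a fault */
#define CHANNEL_TOLERANCE_MM_S  50u    /* assumed max disagreement between encoders */

/* Speed in mm/s from a pulse count over an interval, in 32-bit arithmetic with
 * each hazard tested explicitly rather than left to C's silent wrap-around or
 * undefined behaviour. Returns 1 and writes *out on success, 0 otherwise. */
int checked_speed_mm_s(uint32_t pulses, uint32_t dt_ms, uint32_t *out)
{
    if (dt_ms == 0u) return 0;                                  /* division by zero */
    if (pulses > UINT32_MAX / (1000u * MM_PER_PULSE)) return 0; /* product would overflow */
    uint32_t v = pulses * MM_PER_PULSE * 1000u / dt_ms;         /* per interval -> per second */
    if (v > MAX_PLAUSIBLE_MM_S) return 0;                       /* variable range check */
    *out = v;
    return 1;
}

/* Door contacts wired antivalent (one normally open, one normally closed): a
 * valid reading has exactly one of the two asserted. Equal levels indicate a
 * stuck contact, a short between the lines or a broken wire (Table 7 item 12,
 * "input patterns"). Returns 1 if plausible. */
int door_inputs_plausible(int contact_no, int contact_nc)
{
    return (contact_no != 0) != (contact_nc != 0);
}

struct inputs {
    uint32_t pulses_a, pulses_b;   /* two independent encoders */
    uint32_t dt_ms;                /* sampling interval */
    int door_no, door_nc;          /* antivalent door contacts */
};

/* One safety cycle: any arithmetic exception, range violation or implausible
 * input forces STATE_SAFE. On STATE_RUN *speed holds the higher of the two
 * agreeing channel values, so a tolerated discrepancy cannot hide overspeed. */
enum sys_state safety_cycle(const struct inputs *in, uint32_t *speed)
{
    uint32_t va, vb, diff;
    *speed = 0;
    if (!door_inputs_plausible(in->door_no, in->door_nc)) return STATE_SAFE;
    if (!checked_speed_mm_s(in->pulses_a, in->dt_ms, &va)) return STATE_SAFE;
    if (!checked_speed_mm_s(in->pulses_b, in->dt_ms, &vb)) return STATE_SAFE;
    diff = va > vb ? va - vb : vb - va;                 /* cross-channel plausibility */
    if (diff > CHANNEL_TOLERANCE_MM_S) return STATE_SAFE;
    *speed = va > vb ? va : vb;
    return STATE_RUN;
}

/* Constructed nominal case: 1000 vs 1020 mm/s, door closed (NO open, NC closed). */
int demo_nominal_cycle_runs(void)
{
    struct inputs in = { 100u, 102u, 100u, 1, 0 };
    uint32_t v = 0;
    return safety_cycle(&in, &v) == STATE_RUN && v == 1020u;
}

/* Returns how many of the five constructed fault cases end in STATE_SAFE. */
int demo_faults_forcing_safe_state(void)
{
    const struct inputs cases[5] = {
        { 100u, 100u,   0u, 1, 0 },          /* zero interval: division by zero */
        { UINT32_MAX, 100u, 100u, 1, 0 },    /* pulse count that would overflow */
        { 400u, 400u, 100u, 1, 0 },          /* 4000 mm/s: outside plausible range */
        { 100u, 200u, 100u, 1, 0 },          /* channels disagree by 1000 mm/s */
        { 100u, 100u, 100u, 1, 1 }           /* both door contacts asserted */
    };
    int safe = 0;
    for (int i = 0; i < 5; i++) {
        uint32_t v;
        if (safety_cycle(&cases[i], &v) == STATE_SAFE) safe++;
    }
    return safe;
}

int main(void)
{
    printf("nominal cycle runs: %d\n", demo_nominal_cycle_runs());
    printf("fault cases forced to safe state: %d of 5\n", demo_faults_forcing_safe_state());
    return 0;
}
```

Each check returns a status rather than trapping or asserting, so the caller decides the transition to the safe state in one place; that is what "defined handling of exceptions" amounts to in practice, as opposed to letting a divide-by-zero trap or a wrapped product propagate into the output stage.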


Table 8 - Common measures for the design and implementation process
No | Measure | EN 61508-7:2001 reference
1 | Assessment of the functional, environmental and interface aspects of the application. | A.14/B.1
2 | Requirement specification including the safety requirements. | B.2.1
3 | Reviews of all specifications. | B.2.6
4 | Design documentation as required in F.6.1 and in addition: function description including system architecture and hardware/software interaction; software documentation including function and program flow description. | C.5.9
5 | Design review reports. | B.3.7/B.3.8, C.5.16
6 | Check of reliability using a method such as failure mode and effect analysis (FMEA). | B.6.6
7 | Manufacturer's test specification, manufacturer's test reports and field test reports. | B.6.1
8 | Instruction documents including limits for intended use. | B.4.1
9 | Repeat and update of above mentioned measures if the product is modified. | C.5.23
10 | Implementation of version control of hardware and software and its compatibility. | C.5.24

Table 9 - Specific measures according to SIL 1
Components and functions | Requirements | Measures | see No. in Annex P | EN 61508-7:2001 reference
Structure | The structure shall be such that any single random failure is detected and the system shall go into a safe state. | One channel structure with self-test, or | M 1.1 | A.3.1
| | two channels or more with comparison. | M 1.3 | A.2.5
Processing units | Failures in processing units, which can lead to incorrect results, shall be detected. If such a failure can lead to a dangerous situation the system shall go into a safe state. | Failure correcting hardware, or | M 2.1 | A.3.4
| | self-test by software, or | M 2.2 | A.3.1
| | comparator for two-channel structure, or | M 2.4 | A.1.3
| | reciprocal comparison by software for 2-channel structure. | M 2.5 | A.3.5
Invariant memory ranges | Incorrect information modification, i.e. all odd bit or 2-bit failures and some 3-bit and multi-bit failures shall be detected at the latest before the next travel of the lift. | The following measures refer only to a one-channel structure: one-bit redundancy (parity bit), or | M 3.5 | A.5.5
| | block safety with one-word redundancy. | M 3.1 | A.4.3
Variable memory ranges | Global failures during addressing, writing, storing and reading as well as all odd bit and 2-bit failures and some 3-bit failures and multi-bit failures shall be detected at the latest before the next travel of the lift. | The following measures refer only to a one-channel structure: word-saving with multi-bit redundancy, or | M 3.2 | A.5.6
| | check via test pattern against static or dynamic faults. | M 4.1 | A.5.2
I/O units and interfaces incl. communication links | Static failures and cross talk on I/O lines as well as random and systematic failures in the data flow shall be detected at the latest before the next travel of the lift. | Code safety, or | M 5.4 | A.6.2
| | test pattern. | M 5.5 | A.6.1
Clock | Failures in clock generation for processing units like frequency modification or break down shall be detected at the latest before the next travel of the lift. | Watchdog with separate time base, or | M 6.1 | A.9.4
| | reciprocal monitoring. | M 6.2 | -
Program sequence | Wrong program sequence and inappropriate execution time of the safety related functions shall be detected at the latest before the next travel of the lift. | Combination of timing and logical monitoring of program sequence. | M 7.1 | A.9.4
NOTE As a consequence of the detection of a failure, a safe state of the lift shall be maintained.


Table 10 - Specific measures according to SIL 2
Components and functions | Requirements | Measures | see No. in Annex P | EN 61508-7:2001 reference
Structure | The structure shall be such that any single random failure is detected with due consideration to the system reaction time and that the system goes into a safe state. | One channel with self-test and monitoring, or | M 1.2 | A.3.3
| | two channels or more with comparison. | M 1.3 | A.2.5
Processing units | Failures in processing units, which can lead to incorrect results, shall be detected with due consideration to the system reaction time. If such a failure can lead to a dangerous situation the system shall go into a safe state. | Failure correcting hardware, and | M 2.1 | A.3.4
| | software self-test supported by hardware for one-channel structure, or | M 2.3 | A.3.3
| | comparator for 2-channel structure, or | M 2.4 | A.1.3
| | reciprocal comparison by software for 2-channel structure. | M 2.5 | A.3.5
Invariant memory ranges | Incorrect information modification, i.e. all odd bit or 2-bit failures and some 3-bit and multi-bit failures shall be detected with due consideration to the system reaction time. | The following measures refer only to a one-channel structure: block safety with one-word redundancy, or | M 3.1 | A.4.3
| | word saving with multi-bit redundancy. | M 3.2 | A.5.6
Variable memory ranges | Global failures during addressing, writing, storing and reading as well as all odd bit and 2-bit failures and some 3-bit failures and multi-bit failures shall be detected with due consideration to the system reaction time. | The following measures refer only to a one-channel structure: word-saving with multi-bit redundancy, or | M 3.2 | A.5.6
| | check via test pattern against static or dynamic faults. | M 4.1 | A.5.2
I/O units and interfaces incl. communication links | Static failures and cross talk on I/O lines as well as random and systematic failures in the data flow shall be detected with due consideration to the system reaction time. | Code safety, or | M 5.4 | A.6.2
| | test pattern. | M 5.5 | A.6.1
Clock | Failures in clock generation for processing units like frequency modification or break down shall be detected with due consideration to the system reaction time. | Watchdog with separate time base, or | M 6.1 | A.9.4
| | reciprocal monitoring. | M 6.2 | -
Program sequence | Wrong program sequence and inappropriate execution time of the safety function shall be detected with due consideration to the system reaction time. | Combination of timing and logical monitoring of program sequence. | M 7.1 | A.9.4
NOTE As a consequence of the detection of a failure, a safe state of the lift shall be maintained.
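Measure M 7.1 in Tables 9 and 10 asks for a combination of timing and logical monitoring of the program sequence, and Table 7 item 4 forbids servicing the watchdog from an interrupt alone. The following C code is an added illustration and is not code from EN 81-1, Annex P or any manufacturer: each safety-related step records an order-dependent checkpoint, and the watchdog is serviced only when the cycle's signature, step count and duration all match the nominal path. The step identifiers, the 50 ms cycle budget and the tick source are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example for measure M 7.1 in Tables 9 and 10 (combination of timing
 * and logical monitoring of the program sequence) together with Table 7 item 4
 * (the watchdog is serviced only when the main program sequence conditions
 * hold, never by an interrupt alone). Not code from EN 81-1, Annex P or any
 * manufacturer: step identifiers, the cycle budget and the tick source are
 * assumptions made for this illustration. */

/* Distinct, non-trivial constants for each safety-related step. Their values
 * carry no meaning beyond being different from one another and from zero. */
enum step_id {
    STEP_READ_INPUTS  = 0x3C5A0001,
    STEP_PLAUSIBILITY = 0x23C50002,
    STEP_EVALUATE     = 0x5AC30003,
    STEP_DRIVE_OUTPUT = 0x435A0004
};
#define NOMINAL_STEPS    4u
#define CYCLE_BUDGET_MS  50u   /* assumed; must lie below the system reaction time */

struct flow_monitor {
    uint32_t signature;    /* order-dependent digest of the steps run so far */
    uint32_t steps;        /* number of checkpoints passed this cycle */
    uint32_t start_tick;   /* ms from a timer with its own time base (M 6.1) */
};

/* Rotate-then-XOR makes the digest depend on order: A,B and B,A differ. */
static uint32_t mix(uint32_t sig, uint32_t id)
{
    return ((sig << 5) | (sig >> 27)) ^ id;
}

void flow_begin(struct flow_monitor *m, uint32_t now_ms)
{
    m->signature = 0x811C9DC5u;   /* arbitrary non-zero seed */
    m->steps = 0;
    m->start_tick = now_ms;
}

/* Called at the start of each safety-related step, in program order. */
void flow_checkpoint(struct flow_monitor *m, enum step_id id)
{
    m->signature = mix(m->signature, (uint32_t)id);
    m->steps++;
}

/* Reference digest of the nominal path. Computed here for clarity; a real
 * implementation stores it in invariant memory covered by the boot CRC. */
uint32_t flow_expected_signature(void)
{
    struct flow_monitor ref;
    flow_begin(&ref, 0);
    flow_checkpoint(&ref, STEP_READ_INPUTS);
    flow_checkpoint(&ref, STEP_PLAUSIBILITY);
    flow_checkpoint(&ref, STEP_EVALUATE);
    flow_checkpoint(&ref, STEP_DRIVE_OUTPUT);
    return ref.signature;
}

/* End of cycle. Returns 1 only if the logical check (exact step set and order)
 * and the timing check (cycle within budget) both pass; only then may the
 * watchdog be serviced. Returning 0 means the service is withheld and the
 * hardware watchdog drives the lift to its safe state. Unsigned subtraction
 * keeps the elapsed time correct across a tick counter wrap. */
int flow_end_may_service_watchdog(const struct flow_monitor *m, uint32_t now_ms)
{
    uint32_t elapsed = now_ms - m->start_tick;
    int logical_ok = m->steps == NOMINAL_STEPS && m->signature == flow_expected_signature();
    int timing_ok  = elapsed <= CYCLE_BUDGET_MS;
    return logical_ok && timing_ok;
}

/* Simulated cycle for the demonstration: 'variant' selects the nominal path or
 * one of three defects; 'duration_ms' is the simulated cycle time. The start
 * tick is placed just below the counter wrap on purpose. */
enum cycle_variant { NOMINAL, SKIP_PLAUSIBILITY, SWAP_EVAL_AND_DRIVE, REPEAT_EVALUATE };

int run_cycle(enum cycle_variant variant, uint32_t duration_ms)
{
    struct flow_monitor m;
    uint32_t t0 = 0xFFFFFFF0u;
    flow_begin(&m, t0);
    flow_checkpoint(&m, STEP_READ_INPUTS);
    if (variant != SKIP_PLAUSIBILITY) flow_checkpoint(&m, STEP_PLAUSIBILITY);
    if (variant == SWAP_EVAL_AND_DRIVE) {
        flow_checkpoint(&m, STEP_DRIVE_OUTPUT);
        flow_checkpoint(&m, STEP_EVALUATE);
    } else {
        flow_checkpoint(&m, STEP_EVALUATE);
        if (variant == REPEAT_EVALUATE) flow_checkpoint(&m, STEP_EVALUATE);
        flow_checkpoint(&m, STEP_DRIVE_OUTPUT);
    }
    return flow_end_may_service_watchdog(&m, t0 + duration_ms);
}

int main(void)
{
    printf("nominal: %d  skip: %d  swap: %d  repeat: %d  too slow: %d\n",
           run_cycle(NOMINAL, 20), run_cycle(SKIP_PLAUSIBILITY, 20),
           run_cycle(SWAP_EVAL_AND_DRIVE, 20), run_cycle(REPEAT_EVALUATE, 20),
           run_cycle(NOMINAL, 60));
    return 0;
}
```

A hardware watchdog with its own time base (M 6.1) is what turns a withheld service into a safe state; this code only decides whether the service may be given. Because the decision needs the full step record of the main loop, an interrupt handler has no way to produce it on its own, which is the intent behind Table 7 item 4.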



...
