ISO 22201-1:2017

INTERNATIONAL ISO
STANDARD 22201-1
First edition
2017-02
Lifts (elevators), escalators and
moving walks — Programmable
electronic systems in safety-related
applications —
Part 1:
Lifts (elevators) (PESSRAL)
Ascenseurs, escaliers mécaniques et trottoirs roulants — Systèmes
électroniques programmables dans les applications liées à la
sécurité —
Partie 1: Ascenseurs (PESSRAL)
Reference number
©
ISO 2017
© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2017 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 2
3 Terms and definitions . 2
4 Symbols and abbreviated terms . 6
5 Requirements . 7
5.1 General . 7
5.2 Extended application of this document . 7
5.2.1 General. 7
5.2.2 Risk assessment . . 7
5.2.3 Limits for specifying SIL for PESSRAL . 7
5.2.4 Safe-state requirements . 8
5.3 Safety function SIL requirements . 8
5.4 SIL-relevant and non-SIL-relevant safe-state requirements . 8
5.5 Implementation and demonstration requirements for verification of SIL compliance .20
5.5.1 General.20
5.5.2 Required techniques and measures to implement and demonstrate PE
systems compliance with specified safety integrity levels .20
5.5.3 Loss of power after a PESSRAL device has actuated.20
Annex A (normative) Techniques and measures to implement, verify and maintain
SIL compliance .21
Annex B (informative) Applicable lift codes, standards and laws .36
Annex C (informative) Example of a risk-reduction decision table .47
Bibliography .48
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the
Technical Barriers to Trade (TBT) see the following URL: www . i so .org/ iso/ foreword .html.
The committee responsible for this document is ISO/TC 178, Lifts, escalators and moving walks.
This first edition cancels and replaces ISO 22201:2009, which has been technically revised
(incorporating ISO 22201:2009/Cor 1:2011) and includes the following changes:
— editorial changes that correct typographical errors and terminology inconsistencies between
this document and its reference standards, including between it and the two other standards in the
22201 series.
A list of all parts in the ISO 22201 series can be found on the ISO website.
iv © ISO 2017 – All rights reserved

Introduction
Systems comprised of electrical and/or electronic elements have been used for many years to
perform safety functions in most application sectors. Computer-based systems, generically referred
to as programmable electronic systems, are being used in many application sectors to perform non-
safety functions and, increasingly, to perform safety functions. In order to effectively and safely
exploit computer-system technology, it is essential that those responsible for making decisions have
sufficient guidance on the safety aspects on which to make these decisions. In most situations, safety
is achieved by a number of protective systems that rely on many technologies (for example mechanical,
hydraulic, pneumatic, electrical, electronic, programmable electronic). It is necessary that any safety
strategy, therefore, considers not only all the components within an individual system (for example
sensors, controlling devices and actuators), but also all the safety-related elements making up the total
combination of safety-related systems.
This document is based upon the guidelines provided in the generic IEC 61508 series of standards of
the International Electrotechnical Commission (IEC) and EN 81 (all parts) of the Comité Européen de
Normalization (CEN).
The requirements given in this document recognize the fact that the product family covers a total range
of passenger and goods/passenger lifts used in residential buildings, offices, hospitals, hotels, industrial
plants, etc. This document is the product family standard for lifts and takes precedence over all aspects
of the generic standard.
This document sets out the product specific requirements for systems comprised of programmable
electronic components and programmable electronic systems that are used to perform safety functions
in lifts. This document has been developed in order that consistent technical and performance
requirements and rational be specified for programmable electronic systems in safety-related
applications for lifts (PESSRAL).
Risk analysis, terminology and technical solutions have been considered, taking into account the
methods of the IEC 61508 series of standards. The risk analysis of each safety function specified in
Table 1 resulted in the classification of electric safety functions applied to PESSRAL. Tables 1 and 2 give
the safety integrity level and functional requirements, respectively, for each electric safety function.
The safety integrity levels (SIL) specified in this document can also be applied to other technologies
used to satisfy the safety functions specified in this document.
Within the context of the harmonization with national standards for lifts, the application of this
document is intended to be by reference within a national standard lift such as lift codes, standards, or
laws. The reason for this is threefold:
a) to allow selective reference by national standards to specific lift safety functions described in this
document (not all lift safety functions identified in this document are called out in every national
standard);
b) to allow for future harmonization of national standards with lift safety functions identified in this
document:
— Because there exist some differences in the requirements for fulfilment of the safety objectives
of national lift standards and in national practice of lift use and maintenance, there are instances
where the requirements for lift safety functions described in this document are based on the
consensus work and agreement by the ISO committee responsible for this document. National
bodies may choose to selectively harmonize with those lift safety functions that differ in the
requirements called for by the existing national standard in future standard revisions.
— It is important to note that more than 90 % of the safe-state requirements and more than 80 %
of the anticipated SIL requirements by the national standards referenced in this document
are already harmonized with the requirements of the lift safety functions specified in this
document. The remainder is not harmonized for the reasons given above.
c) to allow for the application of this document where lift safety functions are new or deviate
from those specified in this document. More and more, national lift legislations are moving to
performance-based requirements. For this reason, the development of new or different lift safety
functions can be foreseen in product specific applications. For those who require lift safety
functions that are new or different from those specified in this document, this document provides a
verifiable method to establish the necessary level of safety integrity for those functions.
vi © ISO 2017 – All rights reserved

INTERNATIONAL STANDARD ISO 22201-1:2017(E)
Lifts (elevators), escalators and moving walks —
Programmable electronic systems in safety-related
applications —
Part 1:
Lifts (elevators) (PESSRAL)
1 Scope
This document is applicable to the product family of passenger and goods/passenger lifts used in
residential buildings, offices, hospitals, hotels, industrial plants, etc. This document covers those
aspects that it is necessary to address when programmable electronic systems are used to carry out
electric safety functions for lifts (PESSRAL). This document is applicable for lift safety functions that
are identified in lift codes, standards or laws that reference this document for PESSRAL. The SILs
specified in this document are understood to be valid for PESSRAL in the context of the referenced lift
codes, standards and laws in Annex B.
NOTE Within this document, the UK term “lift” is used throughout instead of the US term “elevator”.
This document is also applicable for PESSRAL that are new or deviate from those described in this
document.
The requirements of this document regarding electrical safety/protective devices are such that it is not
necessary to take into consideration the possibility of a failure of an electric safety/protective device
complying with all the requirements of this document and other relevant standards.
In particular, this document
a) uses safety integrity levels (SIL) for specifying the target failure measure for the safety functions
implemented by the PESSRAL;
b) specifies the requirements for achieving safety integrity for a function but does not specify who is
responsible for implementing and maintaining the requirements (for example, designers, suppliers,
owner/operating com
...