Functional Safety for Lifts (elevators)

Functional Safety for Lifts (elevators)

I recently came across a series of standards for lifts (elevators), escalators and moving walkways. I thought it was a good example of a sector specific standard. The standard in question is ISO 22201-1 and was first published in 2017. It uses SIL levels and lists fifty one safety functions and gives a SIL for each one with a maximum SIL of 3. This is one of the nice things about a sector specific standard if one exists. It takes the generic IEC 61508 standard and identifies the requirements which are applicable to that equipment type. It is much easier to read a standard related to one specific type of equipment as it is only about 60 pages long instead of a generic standard which can span up to to 700 pages. Part 2 of ISO 22201 covers escalators and moving walk ways.

Even if you have no interest in lifts/elevators hopefully you will find the details of what a sector specific standard looks like interesting.

The first part of any standard you should read is the scope and I note the scope of this standard includes both passenger and goods lifts and their use in hotels, homes, factories and hospitals. It refers to the safety systems as PESSRAL (programmable electronic systems in safety related applications for lifts).

Similar to the home appliance standards UL 1998 and IEC 60730 it gives various architectures and their suitability for various SIL: 

  • One channel with self-test for SIL 1
  • One channel with self-test and monitoring for SIL 2, where monitor means a separate diagnostic block
  • Two channels with comparison for SIL 2 and SIL 3

I note the table describing these architectures describes them as “possible measures for failure control” which I like as in theory IEC 61508 allows a single channel system to SIL 3 if the diagnostic coverage is high enough. Achieving 99% diagnostic coverage is difficult but it is still good not to “tie a designers hands”.

However there appears to be no such choice with the SIL. Other standards such as the robot standard ISO 10218-1 requires SIL 2 with a HFT of 1 or PLd, CAT3 unless a risk assessment shows otherwise but here there are no “ifs or buts” a given safety integrity level is mandated.

Safety functions specified at SIL 3 includes safety functions to check for:

  • Loss of tension in the compensation means
  • Working platform is fully retracted
  • Loss of tension in the governor rope or car safety rope
  • Car or landing door, or car or landing door panels are open

Safety functions at a SIL 1 level include:

  • Detects loss of DC hoist motor field running current
  • Detects if car safety gear is actuated
  • Detects and engaged clamping device

A separate table gives the safe state for each of the 51 safety functions.

The standard contains two annexes one of which is normative and one is informative. (A normative annex gives requirements while an informative one contains only guidance.) The informative Annex A allows two routes one using the measures from IEC 61508-2 and IEC 61508-3 or alternatively a tailored approach based on the contents of the Annex.

Items which came to my notice when reading Annex A include

  • No requirement to consider a combination of two or more faults
  • A means to claim a fault exclusion for shorts on a PCB
  • A minimum separation distance on a PCB of 3mm (clearance) and 4mm (creepage) if a safety and non-safety function are on the same PCB
  • Specific safety accuracies in the range of +/-1% to +/-5% for things like the measurement of masses, forces, distances, speeds, voltages, currents, temperature and accelerations
  • Requirements for protection against all odd bit, 2 bit and some 3 bit failures in variable memories for single channel safety functions even at SIL 1

I note there is no mention of cyber security which means for guidance you must fall back on IEC 61508 which in turn refers you to the IEC 62443 series which was covered in an earlier blog.

Also, not covered are network requirements. Therefore, the reader needs to revert to IEC 61508 and then IEC 61784-3. Typically, this means that 1% of the allowed PFH (probability of dangerous failure per hour) would apply to the network which is a failure rate of 1e-9/h for a SIL 3 safety function. See my previous blog on functional safety for networking for more information.

My video for this blog shows a dangerous situation on a ski lift – I hope nobody was seriously injured as it looks bad- https://www.youtube.com/watch?v=ydL6dg4WJ7c&feature=youtu.be

For next time, the discussion will be on the “If I had to keep one thing from Functional Safety”.