© ISO 2016 Lifts (elevators), escalators and moving walks — Programmable electronic systems in safety related applications — Part 3 Life cycle guideline for programmable electronic systems related to[.]
TECHNICAL REPORT ISO/TR 22201-3 Second edition 2016-11-15 Lifts (elevators), escalators and moving walks — Programmable electronic systems in safety related applications — Part 3: Life cycle guideline for programmable electronic systems related to PESSRAL and PESSRAE Ascenseurs, escaliers mécaniques et trottoirs roulants — Conception et mise au point des systèmes électroniques programmables dans les applications liées la sécurité — Partie 3: Lignes directrices pour le cycle de vie des systèmes électroniques programmables liés PESSRAL et PESSRAE Reference number ISO/TR 22201-3:2016(E) © ISO 2016 ISO/TR 2 01-3 :2 016(E) COPYRIGHT PROTECTED DOCUMENT © ISO 2016, Published in Switzerland All rights reserved Unless otherwise specified, no part o f this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission Permission can be requested from either ISO at the address below or ISO’s member body in the country o f the requester ISO copyright o ffice Ch de Blandonnet • CP 401 CH-1214 Vernier, Geneva, Switzerland Tel +41 22 749 01 11 Fax +41 22 749 09 47 copyright@iso.org www.iso.org ii © ISO 2016 – All rights reserved ISO/TR 2 01 -3 : 6(E) Contents Page iv Introduction v Scope Normative references Terms and definitions Instruction manual content 4.1 Sa fety precautions 4.2 Markings, signs, pictograms and written warnings 4.3 Elements to consider for content of the instruction manual Procedure Annex A (informative) Elements of instruction manual and validation process Bibliography Foreword © ISO 2016 – All rights reserved iii ISO/TR 2 01-3 :2 016(E) Foreword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies) The work o f preparing International Standards is normally carried out through ISO technical committees Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters o f electrotechnical standardization The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part In particular the different approval criteria needed for the di fferent types o f ISO documents should be noted This document was dra fted in accordance with the editorial rules of the ISO/IEC Directives, Part (see www.iso.org/directives) Attention is drawn to the possibility that some o f the elements o f this document may be the subject o f patent rights ISO shall not be held responsible for identi fying any or all such patent rights Details o f any patent rights identified during the development o f the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) Any trade name used in this document is in formation given for the convenience o f users and does not constitute an endorsement For an explanation on the meaning o f ISO specific terms and expressions related to formity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html The committee responsible for this document is ISO/TC 178, Lifts, escalators and moving walks This second edition cancels and replaces the first edition (ISO/TR 22201-3:2013), which has been technically revised A list of all parts in the ISO 22201 series can be found on the ISO website iv © ISO 2016 – All rights reserved ISO/TR 2 01 -3 : 6(E) Introduction This document addresses phases in the li fe cycle planning and actions for post-installation activities (e.g maintenance, repair, and replacement and modification o f inter face) o f PESSRAL and PESSRAE to help ensure the sa fety integrity level (SIL) over the li fe cycle o f the system © ISO 2016 – All rights reserved v TECHNICAL REPORT ISO/TR 22201-3:2016(E) Lifts (elevators), escalators and moving walks — Programmable electronic systems in safety related applications — Part 3: Life cycle guideline for programmable electronic systems related to PESSRAL and PESSRAE Scope This document provides additional information and process for the development of the instruction manual required by ISO 22201-1 (PESSRAL) and ISO 22201-2 (PESSRAE) for programmable electronic systems for use by competent maintenance person(s) that carry out maintenance operations Normative references There are no normative references in this document Terms and definitions For the purposes o f this document, the terms and definitions given in ISO 22201-1, ISO 22201-2 and the ollowing apply f ISO and IEC maintain terminological databases for use in standardization at the following addresses: — IEC Electropedia: available at http://www.electropedia.org/ — ISO Online browsing platform: available at http://www.iso.org/obp 3.1 competent maintenance person designated person, suitably trained, qualified by knowledge and practical experience, provided with necessary instructions and supported within their maintenance organization (3.4) to enable the required maintenance operations to be sa fely carried out Note to entry: The competence o f the maintenance person within the maintenance organization (3.4) should be continuously updated 3.2 design equivalent original equipment manu facturer, or third party certified product, which fulfils same SIL rated element/subsystem design specifications but has di fferent specifications for the non-SIL rated portion o f the PE system 3.3 functional equivalent product which fulfils same functional requirements with di fferent SIL rated element/subsystem design specifications from that o f the original certified product © ISO 2016 – All rights reserved ISO/TR 2 01 -3 : 01 6(E) maintenance organization company or part o f a company where competent maintenance person(s) operations on behalf of the owner (3.7) of the installation (3.1) carry out maintenance 3.5 manufacturer natural or legal person who takes responsibility for the design, manu facture and placing on the market sa fety components for li fts or o f machinery (escalator, passenger conveyor, service li ft and accessible goods only li ft) maintenance post-installation li fe cycle activities, including preventative, replacement, repair, and alteration (modifications) owner natural or legal person who has the power or disposal o f the installation and takes the responsibility for its operation and use 3.8 programmable electronic PE based on computer technology which may be comprised o f hardware, so ftware, and o f input and/or output units Note to entry: This term covers microelectronic devices based on one or more central processing units (CPUs) together with associated memories, etc EXAMPLE The following are all programmable electronic devices: — microprocessors; — micro-controllers; — programmable controllers; — field programmable gate array (FPGA); — application specific integrated circuits (ASICs); — programmable logic controllers (PLCs); — other computer-based devices (for example, smart sensors, transmitters, actuators) programmable electronic s ys tem PE s ystem system for control, protection or monitoring based on one or more programmable electronic devices, including all elements o f the system such as power supplies, sensors and other input devices, data highways and other communication paths, and actuators and other output devices Note to entry: See Figure Note to entry: A PE system may per form functions that fulfil requirements for SIL rated and non-SIL rated unction(s) The SIL rating o f a function is only required to consider that portion o f the PE system that per forms f the SIL relevant functional requirements © ISO 2016 – All rights reserved ISO/TR 2 01 -3 : 6(E) NOTE The programmable electronics are shown centrally located but could exist at several places in the PE system Figure — B asic PE s ys tem s tructure 10 product equivalent original equipment manu facturer or third party certified product that is a direct replacement in design, make, model, and version (built to the same production drawings) o f the original certified product Instruction manual content This clause addresses special considerations for process and additional content of instruction manuals applied to PE system as described in ISO 22201-1 and ISO 22201-2 4.1 Safety precautions In creating an instruction manual, the developer should carry out a risk assessment to identi fy and address possible hazards for this phase o f the li fe cycle o f PE system (See ISO 14798 for possible hazard assessment methodology) 4.2 Markings, signs, pictograms and written warnings Assemblies containing SIL rated devices should be labelled or tagged with identification in formation, in accordance with national requirements, and indicate that the maintainer should refer to the © ISO 2016 – All rights reserved ISO/TR 2 01 -3 : 01 6(E) instruction manual for detail instructions and precautions Where possible, readily understandable signs and pictograms taken from applicable ISO standards should be used, for example, ISO 7000:2014, symbol 1640 I f the risk assessment indicates that additional specific warnings are required for the purpose o f maintenance, these will be a ffixed directly on the installation/component or, when this is not possible, in the close vicinity Markings, signs, pictograms and written warnings should be readily understandable and unambiguous Signs or written warnings carrying only “DANGER” should not be used In formation a ffixed directly on the installation/component should be permanent and legible 4.3 Elements to consider for content of the instruction manual Listed below are elements to consider for contents of the instruction manual See also A.1 for additional elements of consideration a) All the necessary operations to ensure the sa fe and intended functioning o f the installation and its components a fter the completion o f the installation and throughout its li fe cycle b) Repair or changing o f components which may occur due to wear or tear and does not a ffect the characteristics of the installation c) Modernization o f the installation, including the changing o f any characteristic o f the installation (speed, load, etc.) d) Rescue operations carried out by fire brigades and emergency personnel e) The specifications and the intended use o f the installation (type o f installation, per formance, type o f goods to be transported, type o f users, etc.) f) The environment in which the installation and its components are installed (weather conditions, vandalism, etc.) g) Any restriction o f use h) The result of the risk assessment (see 4.1) undertaken or every working area and for every task to be f i) The specific maintenance instructions provided by the manu facturer o f the sa fety elements Procedure The instructions for maintenance o f PE system are provided by the manu facturer when placed on the market They should be the result o f a risk assessment and written in the o fficial language(s) o f the country for the location o f the installation When preparing the content o f the maintenance instructions, the following elements should be taken into account in the manual a) Control documents — Control documents are identified and maintained for the li fe o f a PE system that includes SIL rated hardware or software These documents include: 1) Functional requirements: i) design specifications (system and element/subsystem); ii) production specification; © ISO 2016 – All rights reserved ISO/TR 2 01-3 :2 016(E) i i i) b) vers ion identi fic ation and vers ion control M ntena nce ac tivity a nd re cord ke epi ng o f mai ntenance ac tivity — T he ac tivitie s , date a nd e xp lanation o f re a s on the owner 1) c) for for the fol lowi ng mai ntena nce ac tivity o f PE s ys tem are re corde d and re tai ne d by the l i fe o f the PE s ys tem i n s ta l lation: p re ventati ve m a i ntena nce o f the s a fe ty de vice (s che du le d s a fe ty test, etc.); fu nc tio n ac tu atio n, pro o f 2) fa i lu re event o f the s a fe ty device; 3) mo d i fic ation i n the PE s ys tem device (ob s ole s cence, up grade, rel i abi l ity i mprovement, e tc ) ; 4) mo d i fic ation o f the i nter face s to the s a fe ty device or its envi ron ment Va l idation o f replacement or mo d i fic ation pro ce s s — Replacements or mo d i fic ation s th at re s u lt from the maintenance activities in (b) should be made according to the process outlined in A.2 a nd shou ld no t mo d i fy the m i ni mu m re qui re d S I L S I L releva nt func tion s for the fu nc tion Where S I L releva nt a nd non- (tho s e i nd ic ate d i n I S O 2 01-1 and I S O 2 01-2 a re i n c i rc u its d riven b y or commu n ic ati ng with S I L rate d p ar ts) are i nclude d i n the de s ign o f the S I L rati ng o f the PE s ys tem, changes made to software or hardware of the non-SIL relevant functions are treated in the same ma nner a s a change to the S I L relevant p or tion o f the PE s ys tem © ISO 2016 – All rights reserved ISO/TR 2 01 -3 : 01 6(E) Annex A (informative) Elements of instruction manual and validation process A.1 Additional elements for creating instruction manual See Table A.1 Table A.1 — Additional elements for creating ins truction manual ID E lement to consider C o n s ideration o f d i agno s tic s a nd fa i lu re mo de s identi fie d C l a r ity i n how to p er fo r m the pro o f te s t C l a r ity i n ga i n i n g acce s s to PE elements C l a r ity i n rep l ac i n g PE elements I denti fic ation o f the p hys ic a l elements i nclud i n g s o ftwa re I denti fic ation o f PE elements i n c u mentation Vers ion a nd figu ratio n m a n agement o f PE s ys tem de vice s a nd rel ate d software Ve r s io n a n d c o n fi g u r atio n m a n a ge me n t o f s ys te m i n te r fac e s w i th PE s ys tem devices - P re c autio n s co ncer n i n g s en s iti vity to ch a n ge s i n e x tern a l envi ron menta l co n d ition o f the i n s ta l l ation (e g a i r p re s s u re , temp eratu re , hu m id ity, E S D , E M I , - and grounding) 10 f f 11 Precautions related to introduction of unintended faults due to test simulation setup/parameters 12 Precautions related to unintended faults due to test conditions 13 f f Fre quenc y or m a i nten a nce ac tio n i nclud i n g p ro o P re c autio n s rel ate d to u n i ntende d te s t au lts due to s o twa re to o l s (co n figu ration , pro gra m m i ng , a nd te s ti ng to ol s) or i ncomp atib i l ity o f s o ftwa re to o l s 14 Precautions related to misleading results due to misuse of software tools f fware tools (con fig u ration , p ro gra m m i n g , a nd te s ti n g to ol s) or i ncomp atibi l ity o A P r o c e s s f o r v a l i d a t i n g P E s y s t e m d e v i c e r e p l a c e m e n t o r m o d so t i f i c a t i o n See Figure A.1 © ISO 2016 – All rights reserved ISO/TR 2 01 -3 : 6(E) Figure A.1 — Process for validating PE system device replacement or modification A.3 Verification/certification categories for the SIL rating o f the PE system device in the applied safety function Application test (system level): a test carried out by or witnessed by a registered or licenced pro fessional engineer, testing laboratory, or certi fying organization to ensure formance to code requirements These tests not address formity to certifications that may be required by other standards, e.g EMC Certification (system): a process carried out by an independent organization which is authorized to evaluate the formity with the appropriate standards Function test (field or factory): verification that field installation does not introduce a failure These tests not address formity to certifications that may be required by other standards, e.g EMC © ISO 2016 – All rights reserved ISO/TR 2 01 -3 : 01 6(E) Bibliography [1] ISO 3864-1, Graphical symbols — Safety colours and safety signs — Part 1: Design principles for [2] ISO 14798, [3] ISO 22201-1, Lifts (elevators), escalators and moving walks — Programmable electronic systems in [4] ISO 22201-2, Lifts (elevators), escalators and moving walks — Programmable electronic systems in safety signs and safety markings Lifts (elevators), escalators and moving walks — Risk assessment and reduction methodology safety related applications — Part 1: Lifts (elevators) (PESSRAL) safety related applications — Part 2: Escalators and moving walks (PESSRAE) © ISO 2016 – All rights reserved ISO/TR 2 01-3 :2 016(E) I CS 40 Price based on pages © ISO 2016 – All rights reserved