Industrial elevator scaffolded — 6 subsystems from functional clustering, safety controller first for decomposition

System

{{entity:Industrial Elevator Control System}} scaffold session, transforming concept phase data (6 scenarios, 6 stakeholders, 8 hazards, 7 operating modes) into requirements and architecture. The concept session established a comprehensive ConOps for a 4-car group elevator serving 20 floors in commercial/industrial buildings, with safety functions certified to IEC 61508 SIL 3. This session derives the full STK/SYS requirement set, performs functional analysis, and justifies the physical decomposition through UHT trait clustering.

Stakeholder Requirements

14 stakeholder requirements derived from ConOps scenarios, covering all 6 identified stakeholders plus the operating environment. Each traces to specific scenarios: {{stk:STK-REQ-001}} (30s wait time) from Morning Rush, {{stk:STK-REQ-008}} (Phase I fire recall within 60s) from Fire Alarm Recall, {{stk:STK-REQ-004}} (exclusive hoistway access) from Quarterly Maintenance. Regulatory requirements cite EN 81-20/50/70/72/77 and Lifts Directive 2014/33/EU. Environmental requirements address the 0–50°C hoistway thermal envelope, 10 V/m EMC immunity per EN 12016, and ARD battery capacity for 3 rescue cycles.

System Requirements

13 system requirements derived from STK with quantified acceptance criteria. Safety requirements tagged by SIL: {{sys:SYS-REQ-003}} (overspeed protection, 115% threshold, 200ms response, SIL 3), {{sys:SYS-REQ-004}} (UCMP detection, 200mm threshold, 300ms response, SIL 3), {{sys:SYS-REQ-005}} (door force 150N, SIL 2), {{sys:SYS-REQ-006}} (ARD rescue at 0.15 m/s, SIL 2). 12 STK→SYS trace links established, each with derivation rationale. All 8 hazards from the hazard register covered by at least one SYS requirement.

Functional Analysis

8 system functions identified and classified in UHT: {{entity:Group Dispatch Optimisation}} {{hex:41F77B08}}, {{entity:Motion Control}} {{hex:40A53A08}}, {{entity:Safety Monitoring}} {{hex:51F77858}}, {{entity:Door Management}} {{hex:50F73B18}}, {{entity:Emergency Power Management}} {{hex:51F73A18}}, {{entity:Fire and Seismic Response}} {{hex:55F77A18}}, {{entity:Building Interface Management}} {{hex:50F57118}}, {{entity:Diagnostic and Logging}} {{hex:41F77358}}. Pairwise trait comparison revealed strong clustering: {{entity:Safety Monitoring}} and {{entity:Fire and Seismic Response}} at Jaccard 0.842 — both {{trait:Functionally Autonomous}}, {{trait:System-Essential}}, {{trait:Rule-governed}}. {{entity:Door Management}} and Safety Monitoring at 0.737. Building Interface and Diagnostics at 0.722.

Decomposition

6 subsystems identified from function grouping with explicit trait-clustering justification:

flowchart TB
  n0["Industrial Elevator Control System"]
  n1["Traction Drive Subsystem"]
  n2["Safety Controller Subsystem"]
  n3["Door Operator Subsystem"]
  n4["Group Dispatch Controller"]
  n5["Power Distribution Subsystem"]
  n6["Building Integration Gateway"]
  n7["Building Management System"]
  n8["Fire Alarm Panel"]
  n2 -->|Brake permit, STO| n1
  n2 -->|Interlock status| n3
  n4 -->|Target floor| n1
  n4 -->|Door commands| n3
  n5 -->|3-phase power| n1
  n6 -->|BMS commands| n4
  n6 -->|Fire relay| n2
  n7 -->|BACnet/IP| n6
  n8 -->|Hardwired relay| n6

{{entity:Safety Controller Subsystem}} {{hex:51B73858}} groups Safety Monitoring and Fire/Seismic Response (Jaccard 0.842) as an independent SIL 3 processor. {{entity:Traction Drive Subsystem}} {{hex:54F73018}} owns VFD, motor, brakes, and encoders — separated from safety per IEC 61508 architectural independence. {{entity:Door Operator Subsystem}} {{hex:55F77858}} is mechanically distinct, SIL 2, separate failure modes from traction. {{entity:Power Distribution Subsystem}} {{hex:54F51018}} must function during traction drive failure for ARD rescue. {{entity:Building Integration Gateway}} {{hex:50F57A18}} consolidates protocol translation and logging for audit trail integrity. 6 ARC decisions document trade-offs. 4 external interface requirements cover BMS (BACnet/IP), fire panel (hardwired), access control (RS-485/IP), and intercom (EN 81-28). Cross-domain: Safety Controller shows Jaccard 0.765 with railway {{entity:Vital Processing Unit}} — analogous SIL 3 vital safety processing.
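To make the trait-clustering justification concrete, here is an added example (not the session's own tooling or data) that computes pairwise Jaccard scores over constructed trait sets for six of the functions above and groups them single-linkage, refusing to merge across SIL levels the way the IEC 61508 independence argument keeps Door Management (SIL 2) out of the SIL 3 safety controller. The trait sets, the SIL 0 marker for untagged functions and the 0.6 threshold are assumptions for illustration, so the scores differ from the session's 0.842 / 0.737 / 0.722.

```python
from itertools import combinations

# Constructed trait sets and SIL levels (illustrative stand-ins, not the
# session's UHT data; SIL 0 marks functions the page gives no SIL tag).
FUNCTIONS = {
    "Safety Monitoring": ({"Functionally Autonomous", "System-Essential", "Rule-governed",
                           "Continuous", "Hard-real-time", "Vital"}, 3),
    "Fire and Seismic Response": ({"Functionally Autonomous", "System-Essential", "Rule-governed",
                                   "Event-driven", "Hard-real-time", "Vital"}, 3),
    "Door Management": ({"Functionally Autonomous", "System-Essential", "Rule-governed",
                         "Continuous", "Hard-real-time", "Mechanical"}, 2),
    "Group Dispatch Optimisation": ({"Optimising", "Adaptive", "Soft-real-time",
                                     "User-facing", "Networked"}, 0),
    "Building Interface Management": ({"Networked", "Protocol-translation", "Logging",
                                       "Soft-real-time"}, 0),
    "Diagnostic and Logging": ({"Logging", "Networked", "Soft-real-time", "Audit-trail"}, 0),
}

def jaccard(a, b):
    """Jaccard index |A ∩ B| / |A ∪ B| of two trait sets (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def pairwise_similarity(functions):
    """Map each unordered function pair (as a sorted tuple) to its trait Jaccard score."""
    return {tuple(sorted((x, y))): jaccard(functions[x][0], functions[y][0])
            for x, y in combinations(functions, 2)}

def cluster(functions, threshold, respect_sil=True):
    """Single-linkage grouping: merge the most similar pairs first, stop at the
    threshold. With respect_sil=True a pair is never merged across different
    SIL levels, so trait similarity alone cannot pull a SIL 2 function into a
    SIL 3 subsystem."""
    groups = {name: {name} for name in functions}
    ranked = sorted(pairwise_similarity(functions).items(), key=lambda kv: -kv[1])
    for (x, y), score in ranked:
        if score < threshold:
            break  # descending order: no later pair can qualify
        if respect_sil and functions[x][1] != functions[y][1]:
            continue  # SIL boundary: keep the functions in separate subsystems
        gx, gy = groups[x], groups[y]
        if gx is not gy:
            merged = gx | gy
            for member in merged:
                groups[member] = merged
    return sorted({frozenset(g) for g in groups.values()}, key=sorted)

if __name__ == "__main__":
    for group in cluster(FUNCTIONS, threshold=0.6):
        print("subsystem candidate:", sorted(group))
```

Running it with respect_sil=False shows the difference: Door Management then joins the safety group purely on trait overlap, which is the merge the SIL constraint is there to block.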

Next

First decomposition target: {{entity:Safety Controller Subsystem}} — highest SIL (3), most interfaces (traction drive, door operator, building gateway, fire panel), and the architectural keystone for all safety-critical functions. Decompose into internal components: dual-channel safety processor, overspeed governor interface, UCMP device, safety chain monitoring, fire/seismic input processing. Generate SUB and IFC requirements with SIL allocation. Then proceed to Traction Drive (second highest risk from H-002 overspeed and the primary mechanical subsystem).
