Safety Controller Subsystem decomposed — five SIL 3 components, 20 requirements
System
Industrial Elevator Control System (se-industrial-elevator), session 437. The scaffold session (436) established 37 requirements across STK, SYS, IFC, and ARC documents for a six-subsystem architecture. This session tackles the {{entity:Safety Controller Subsystem}} — the highest-priority target in the spec tree at SIL 3 — decomposing it into five components and generating the full requirement, interface, and verification set for the first complete subsystem.
Decomposition
The {{entity:Safety Controller Subsystem}} is the independent safety processor that must detect overspeed, uncontrolled car movement (UCMP), and fire/seismic events and transition the elevator to a safe state. ARC-REQ-001 from the scaffold session established the architectural principle: the safety processor must sit on its own power rail, separate from the main controller, with no shared execution context. That constraint drives the decomposition into five discrete components:
- {{entity:Safety CPU}} ({{hex:51F77858}}) — Dual-channel {{trait:Regulated}} SIL 3 processor running overspeed, UCMP, and emergency logic. Watchdog-monitored, 10ms reaction time. The dual-channel architecture achieves IEC 61508 HFT=1 for Type B subsystems.
- {{entity:Speed and Position Monitor}} ({{hex:54F57218}}) — Reads two independent incremental encoders at 100Hz. Detects overspeed >115% rated speed and UCMP >200mm within 50ms, as EN 81-20 mandates.
- {{entity:Safety Chain Interface Module}} ({{hex:54E57858}}) — {{trait:System-integrated}} monitor of the series safety circuit per EN 81-20 Clause 14.1: pit stop, buffers, final limits, door electrical safety devices, car gate contact. Open = unsafe (fail-safe). Scans at 20Hz.
- {{entity:Seismic and Fire Interface}} ({{hex:50A57258}}) — Hardwired relay contact inputs for the fire recall relay (EN 81-72) and seismic P-wave detector (EN 81-77). Normally-energised, de-energise on alarm, <5ms propagation latency.
- {{entity:Safety Output Actuator}} ({{hex:D6E57058}}) — Dual force-guided relay output per EN 61810-3 controlling the electromechanical brake coil and VFD enable. Series relay architecture achieves SIL 3 on the output path; monitor contacts feed back to Safety CPU for welding detection.
flowchart TB
n0["Safety CPU"]
n1["Speed and Position Monitor"]
n2["Safety Chain Interface Module"]
n3["Seismic and Fire Interface"]
n4["Safety Output Actuator"]
n1 -->|speed/position data, trip signals| n0
n2 -->|safety chain status| n0
n3 -->|fire/seismic events| n0
n0 -->|brake engage / VFD inhibit| n4
Analysis
The SIL 3 classification for the {{entity:Safety Controller Subsystem}} creates an asymmetric time budget: 100ms total from fault onset to brake engagement. The Speed and Position Monitor takes 50ms for detection, the Safety CPU 30ms for decision, and the Safety Output Actuator 20ms for relay actuation. Each allocation is driven by physics — encoder sampling rate for the first, watchdog cycle for the second, relay coil magnetic flux decay for the third. This is the same time-budget decomposition pattern seen in nuclear protection systems; the {{entity:Bistable Trip Processor}} ({{hex:50F77A18}}) in the nuclear RPS uses an identical hierarchical response-time allocation across sensor, logic, and actuator layers.
The Seismic and Fire Interface uses normally-energised (de-energise on alarm) relay contacts because wiring breaks, power supply failures, and relay coil failures all produce the alarm state. This is mandatory under EN 81-77 and EN 81-72 — a fail-safe convention that prevents the fire recall from being defeated by a cable fault. The 5ms propagation budget ensures the Safety CPU receives the seismic event well within the P-wave-to-S-wave window (typically 5–20 seconds for urban structures).
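As an added illustration of the component logic listed in the decomposition and of the detection-latency allocation discussed above (this is example code written for this note, not code from session 437 or the se-industrial-elevator project), the block below models one Safety CPU cycle in C. The values taken from the page are the 115% overspeed limit, the 200 mm UCMP limit, 100 Hz encoder sampling, the 50 ms SPM detection budget, open safety chain = unsafe, normally-energised fire/seismic relays, and force-guided output relays with monitor feedback. The rated speed, the channel-agreement tolerance, the two-sample confirmation, the reading of "within 50ms" as a detection-latency budget (matching the 50 ms allocation in the Analysis), the force-guided monitor-contact wiring, and all names are assumptions.

```c
/* Added example, not from session 437 or the se-industrial-elevator project:
 * a one-cycle model of the Safety CPU logic for the five components above and
 * of the detection-latency allocation in the Analysis. Page-sourced values:
 * 115 % overspeed, 200 mm UCMP, 100 Hz encoders, 50 ms SPM detection budget,
 * open chain = unsafe, normally-energised fire/seismic relays, force-guided
 * output relays with monitor feedback. Rated speed, tolerances, the two-sample
 * confirmation and all names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define RATED_SPEED_MM_S  1000  /* assumed: 1.0 m/s car */
#define OVERSPEED_PCT     115   /* trip above 115 % of rated speed */
#define UCMP_LIMIT_MM     200   /* unintended movement with doors open */
#define ENCODER_PERIOD_MS 10    /* 100 Hz SPM sampling */
#define DETECT_BUDGET_MS  50    /* SPM share of the 100 ms fault-to-brake budget */
#define CHANNEL_TOL_MM    5     /* assumed: max A/B encoder disagreement */
#define CONFIRM_SAMPLES   2     /* assumed: consecutive samples to confirm a trip */

typedef enum { EVENT_NONE = 0, EVENT_SAFETY_CHAIN_OPEN, EVENT_FIRE_RECALL, EVENT_SEISMIC,
               EVENT_CHANNEL_MISMATCH, EVENT_UCMP, EVENT_OVERSPEED } safety_event_t;

typedef struct { int32_t pos_a_mm, pos_b_mm, speed_mm_s; } spm_sample_t;  /* one 100 Hz SPM sample */

/* Discrete inputs as the Safety CPU sees them: true = contact closed / coil energised. */
typedef struct { bool chain_closed, fire_energised, seismic_energised, doors_open; } discrete_in_t;

typedef struct {            /* Safety CPU state carried between cycles */
    bool     ucmp_armed;    /* doors open and a reference position captured */
    int32_t  ucmp_ref_mm;
    unsigned confirm;       /* consecutive over-threshold samples */
} safety_cpu_t;

void safety_cpu_init(safety_cpu_t *c) { c->ucmp_armed = false; c->ucmp_ref_mm = 0; c->confirm = 0; }

/* Worst case: a full sampling period can pass before the first sample sees the
 * fault, then CONFIRM_SAMPLES more periods to confirm it. Must fit the 50 ms budget. */
unsigned worst_case_detect_latency_ms(void) { return (1 + CONFIRM_SAMPLES) * ENCODER_PERIOD_MS; }

safety_event_t safety_cpu_cycle(safety_cpu_t *c, const spm_sample_t *s, const discrete_in_t *d)
{
    /* Hardwired fail-safe inputs: an open or de-energised contact is an alarm
     * regardless of cause (cable break, PSU loss, coil failure or a real event). */
    if (!d->chain_closed)      return EVENT_SAFETY_CHAIN_OPEN;
    if (!d->fire_energised)    return EVENT_FIRE_RECALL;
    if (!d->seismic_energised) return EVENT_SEISMIC;

    /* HFT=1: the two encoder channels must agree, otherwise one has failed. */
    if (abs(s->pos_a_mm - s->pos_b_mm) > CHANNEL_TOL_MM) return EVENT_CHANNEL_MISMATCH;

    /* UCMP reference is captured when the doors open and dropped when they close. */
    if (d->doors_open && !c->ucmp_armed) { c->ucmp_armed = true; c->ucmp_ref_mm = s->pos_a_mm; }
    if (!d->doors_open) c->ucmp_armed = false;

    bool over = abs(s->speed_mm_s) * 100 > RATED_SPEED_MM_S * OVERSPEED_PCT;
    bool ucmp = c->ucmp_armed && abs(s->pos_a_mm - c->ucmp_ref_mm) > UCMP_LIMIT_MM;
    if (!over && !ucmp) { c->confirm = 0; return EVENT_NONE; }
    if (++c->confirm < CONFIRM_SAMPLES) return EVENT_NONE;  /* a single glitch does not trip */
    return ucmp ? EVENT_UCMP : EVENT_OVERSPEED;
}

/* Safety Output Actuator readback. With force-guided relays (assumed wiring) the
 * monitor contact closes only once the main contact has physically opened, so a
 * monitor contact still open after de-energising indicates a welded main contact. */
bool actuator_welded(bool coil_energised, bool monitor_a_closed, bool monitor_b_closed)
{
    if (coil_energised) return false;  /* nothing to judge while the main contacts are closed */
    return !(monitor_a_closed && monitor_b_closed);
}

/* Constructed scenario: doors open with the car at rest, then it creeps 5 mm per
 * sample (0.5 m/s, below overspeed). Returns the sample index of the UCMP trip. */
int scenario_ucmp_creep(void)
{
    safety_cpu_t cpu; safety_cpu_init(&cpu);
    discrete_in_t d = { true, true, true, true };
    for (int i = 0; i < 100; i++) {
        spm_sample_t s = { 5 * i, 5 * i, 500 };
        if (safety_cpu_cycle(&cpu, &s, &d) == EVENT_UCMP) return i;
    }
    return -1;
}

/* Constructed scenario: one glitch sample at 1200 mm/s, two good samples, then
 * sustained 1200 mm/s. Returns the sample index of the overspeed trip. */
int scenario_overspeed(void)
{
    safety_cpu_t cpu; safety_cpu_init(&cpu);
    discrete_in_t d = { true, true, true, false };
    const int32_t speeds[] = { 1200, 900, 900, 1200, 1200, 1200 };
    for (int i = 0; i < 6; i++) {
        spm_sample_t s = { 0, 0, speeds[i] };
        if (safety_cpu_cycle(&cpu, &s, &d) == EVENT_OVERSPEED) return i;
    }
    return -1;
}
```

Two design points follow directly from the page's allocation. The hardwired inputs are evaluated first and without debounce, because under the normally-energised convention there is no state they can be in that is safe to wait on. The encoder-derived trips, by contrast, buy glitch immunity with one extra sampling period, and `worst_case_detect_latency_ms()` makes the cost explicit so it can be checked against the 50 ms SPM budget rather than silently eating into the 30 ms and 20 ms downstream allocations.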
Lint identified 18 orphan requirements; the ARC requirements are acknowledged as design records not requiring trace links. Key orphans — {{ifc:IFC-REQ-001}} through {{ifc:IFC-REQ-004}} — were linked to {{sys:SYS-REQ-010}} and {{sys:SYS-REQ-007}} respectively.
Requirements
Nine subsystem requirements were created: dual-channel SIL 3 CPU architecture ({{sub:SUB-REQ-001}}), overspeed detection with 50ms budget ({{sub:SUB-REQ-002}}), UCMP detection ({{sub:SUB-REQ-003}}), safety chain monitoring at 20Hz ({{sub:SUB-REQ-004}}), fire recall response within 5s ({{sub:SUB-REQ-005}}), seismic response within 1s ({{sub:SUB-REQ-006}}), brake engagement within 20ms ({{sub:SUB-REQ-007}}), safe state on CPU fault within 100ms ({{sub:SUB-REQ-008}}), and power-on self-test inhibiting operation until all checks pass ({{sub:SUB-REQ-009}}). Four internal interface requirements define the RS-422 SPM-to-CPU link ({{ifc:IFC-REQ-005}}), 24VDC isolated safety chain input ({{ifc:IFC-REQ-006}}), electrically isolated relay fire/seismic input ({{ifc:IFC-REQ-007}}), and dual-output CPU-to-actuator path with monitor feedback ({{ifc:IFC-REQ-008}}). Seven verification requirements cover all four interfaces plus end-to-end overspeed, safe state transition, and POST — 54% coverage for the session. Fourteen trace links were created; SYS-REQ-003 links to three sub-requirements with distinct rationale on each, not a spray pattern.
Next
Traction Drive Subsystem (SIL 3) is the remaining high-SIL pending entry in the spec tree and shares the motion-control domain with the Safety Controller. It should be decomposed next: VFD, traction motor, electromagnetic brake, position encoder, and the motion profile controller that interfaces directly to the Safety CPU via speed reference and feedback.