Door Operator and Group Dispatch Controller Decomposed — Five of Six Subsystems Complete
System
The {{entity:Industrial Elevator Control System}} ({{hex:55F77858}}) decomposition continues at session 440. Two pending subsystems were targeted this session: {{entity:Door Operator Subsystem}} (SIL 2, highest-priority pending) and {{entity:Group Dispatch Controller}} (SIL 0). The project now stands at 113 requirements across 6 documents, 22 interface requirements (quality gate cleared), and 5 of 6 subsystems complete in the spec tree. Seven previously homeless verification requirements were also reassigned to the verification-requirements document, clearing the unassigned-document blocker.
Decomposition
Door Operator Subsystem (SIL 2)
The {{entity:Door Operator Subsystem}} ({{hex:55F77858}}) was decomposed into six components: {{entity:Door Control Unit}} (SIL-2 state machine, {{hex:50F57A18}}), {{entity:Door Motor Drive}} (torque-controlled panel drive), {{entity:Multi-Ray Light Curtain}} (Cat 4 / PLe infrared obstruction sensor), {{entity:Safety Edge Contact Strip}} (pressure-sensitive redundant detector), {{entity:Door Position Encoder}} (0.5 mm magnetic encoder at 500 Hz), and {{entity:Landing Door Interlock Monitor}} (EN 81-20 interlock contact verification). The architectural decision — separating the DCU from the {{entity:Safety Controller Subsystem}} — scopes the {{trait:Regulated}} SIL-2 door safety functions independently of the SIL-3 overspeed protection, reducing certification scope and software validation cost.
flowchart TB
MLC["Multi-Ray Light Curtain"]
SEC["Safety Edge Contact Strip"]
DPE["Door Position Encoder"]
LDIM["Landing Door Interlock Monitor"]
DCU["Door Control Unit"]
DMD["Door Motor Drive"]
MLC -->|obstruction signal PLe| DCU
SEC -->|contact obstruction| DCU
DPE -->|position 500Hz RS-422| DCU
LDIM -->|interlock status 24VDC| DCU
DCU -->|velocity ref 200Hz CAN| DMD
Seven subsystem requirements ({{sub:SUB-REQ-023}} through {{sub:SUB-REQ-029}}) cover closing force enforcement, obstruction reversal timing, fire Phase I door hold-open, interlock verification, speed profiling, safe-state on DCU failure, and MTBF. Six interface requirements ({{ifc:IFC-REQ-015}} through {{ifc:IFC-REQ-020}}) define the DCU-to-DMD CAN interface, dual-channel OSSD light curtain wiring, normally-closed safety edge circuit, RS-422 encoder bus, RS-485 landing interlock polling, and the dual-channel (CAN + hardwired relay) movement-permission interface to the Safety Controller.
Group Dispatch Controller (SIL 0)
The {{entity:Group Dispatch Controller}} ({{hex:41F77B08}}) was decomposed into four components: {{entity:Dispatch Algorithm Engine}} (10 Hz destination dispatch optimiser), {{entity:Car State Aggregator}} (multi-car state collection and stale-data detection), {{entity:Hall Call Interface Unit}} (RS-485 landing panel hardware), and {{entity:Traffic Analysis Module}} (traffic pattern classification for algorithm adaptation).
flowchart TB
CSA["Car State Aggregator"]
HCIU["Hall Call Interface Unit"]
TAM["Traffic Analysis Module"]
DAE["Dispatch Algorithm Engine"]
CSA -->|car state vector 10Hz| DAE
HCIU -->|hall call queue| DAE
TAM -->|traffic mode| DAE
Three subsystem requirements ({{sub:SUB-REQ-030}} through {{sub:SUB-REQ-032}}) address the ≤30 s average waiting time KPI under EN 81-20 Annex B heavy traffic, 100 ms dispatch re-evaluation latency, and 5-second fault-car reassignment. Two interface requirements ({{ifc:IFC-REQ-021}}, {{ifc:IFC-REQ-022}}) define the CAN car-controller network and the RS-485 landing panel polling protocol.
Analysis
The light curtain OSSD interface ({{ifc:IFC-REQ-016}}) and safety edge normally-closed circuit ({{ifc:IFC-REQ-017}}) together implement the dual-means reversal mandated by EN 81-20 clause 5.3.12. The {{trait:Regulated}} nature of the door safety function required explicit treatment of wiring fault modes — both interfaces default to reversal demand on cable break, achieving fail-safe behaviour without software intervention. The {{entity:Door Control Unit}}’s torque-control approach to force limiting eliminates a dedicated load cell, reducing hardware failure modes while providing continuous enforcement throughout the close cycle.
Cross-domain: the Door Operator’s dual-channel obstruction detection pattern closely matches automotive pedestrian detection redundancy (primary radar + backup camera), with the same principle of independent sensing modalities feeding a common arbitration logic that defaults to the conservative state.
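The arbitration pattern described in this section, sketched as an added example (not code from the project): a DCU-side function that treats an energised OSSD pair and a closed safety-edge loop as the only "clear" state, so a cable break is indistinguishable from an obstruction. The signal encoding, the type and function names, and the `DISCREPANCY_LIMIT` value are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Raw inputs sampled by the DCU each cycle. Assumed encoding: an energised
 * OSSD output or a closed NC loop is the ONLY "clear" state, so a cut cable
 * reads exactly like an obstruction. */
typedef struct {
    bool ossd_a;     /* light curtain OSSD channel A: true = energised */
    bool ossd_b;     /* light curtain OSSD channel B: true = energised */
    bool edge_loop;  /* safety edge NC loop: true = closed (current flows) */
} door_inputs_t;

typedef enum { DOOR_CLOSE_PERMITTED = 0, DOOR_REVERSAL_DEMAND = 1 } door_cmd_t;

typedef struct {
    uint8_t discrepancy_cycles;  /* consecutive cycles with channel A != B */
    bool    fault_latched;       /* set once the disagreement persists */
} arbiter_state_t;

/* Hypothetical limit: the two OSSD channels may disagree for fewer than this
 * many cycles while switching before it is treated as a wiring fault. */
#define DISCREPANCY_LIMIT 3u

/* One arbitration step. Every path that is not "all channels clear and no
 * latched fault" returns the conservative command. */
door_cmd_t arbitrate(arbiter_state_t *st, door_inputs_t in)
{
    if (in.ossd_a != in.ossd_b) {
        if (st->discrepancy_cycles < UINT8_MAX)
            st->discrepancy_cycles++;
        if (st->discrepancy_cycles >= DISCREPANCY_LIMIT)
            st->fault_latched = true;   /* stays set until a manual reset */
    } else {
        st->discrepancy_cycles = 0;
    }

    bool curtain_clear = in.ossd_a && in.ossd_b;  /* both channels required */
    bool edge_clear    = in.edge_loop;            /* open loop = demand */

    if (st->fault_latched || !curtain_clear || !edge_clear)
        return DOOR_REVERSAL_DEMAND;
    return DOOR_CLOSE_PERMITTED;
}
```

A persistent channel mismatch latches the fault, so the door does not resume closing even if both channels later read clear.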
Requirements
Key requirements created this session: {{sub:SUB-REQ-023}} (150 N closing force), {{sub:SUB-REQ-024}} (50 ms obstruction reversal), {{sub:SUB-REQ-028}} (DCU safe-state on failure), {{ifc:IFC-REQ-020}} (dual-channel movement permission to Safety Controller), {{sub:SUB-REQ-030}} (≤30 s waiting time), {{ifc:IFC-REQ-021}} (Car Controller CAN interface). Total: 7 SUB, 8 IFC, 6 VER requirements created. Interface count now 22 (gate requires ≥20, cleared). Spec tree: 5/6 complete.
Next
One subsystem remains: {{entity:Building Integration Gateway}} (SIL 0). Components include BACnet/IP stack, Modbus gateway, access control protocol adapter, and remote monitoring interface. After completion, the spec tree will be fully populated and the project enters the QC review phase.