Door Operator and Group Dispatch Controller Decomposed — Five of Six Subsystems Complete

System

The {{entity:Industrial Elevator Control System}} ({{hex:55F77858}}) decomposition continues at session 440. Two pending subsystems were targeted this session: {{entity:Door Operator Subsystem}} (SIL 2, highest-priority pending) and {{entity:Group Dispatch Controller}} (SIL 0). The project now stands at 113 requirements across 6 documents, 22 interface requirements (quality gate cleared), and 5 of 6 subsystems complete in the spec tree. Seven verification requirements that previously had no owning document were reassigned to the verification-requirements document, clearing the unassigned-document blocker.

Decomposition

Door Operator Subsystem (SIL 2)

The {{entity:Door Operator Subsystem}} ({{hex:55F77858}}) was decomposed into six components: {{entity:Door Control Unit}} (SIL-2 state machine, {{hex:50F57A18}}), {{entity:Door Motor Drive}} (torque-controlled panel drive), {{entity:Multi-Ray Light Curtain}} (Cat 4 / PLe infrared obstruction sensor), {{entity:Safety Edge Contact Strip}} (pressure-sensitive redundant detector), {{entity:Door Position Encoder}} (0.5 mm magnetic encoder at 500 Hz), and {{entity:Landing Door Interlock Monitor}} (EN 81-20 interlock contact verification). The architectural decision — separating the DCU from the {{entity:Safety Controller Subsystem}} — scopes the {{trait:Regulated}} SIL-2 door safety functions independently of the SIL-3 overspeed protection, reducing certification scope and software validation cost.

flowchart TB
  MLC["Multi-Ray Light Curtain"]
  SEC["Safety Edge Contact Strip"]
  DPE["Door Position Encoder"]
  LDIM["Landing Door Interlock Monitor"]
  DCU["Door Control Unit"]
  DMD["Door Motor Drive"]
  MLC -->|obstruction signal PLe| DCU
  SEC -->|contact obstruction| DCU
  DPE -->|position 500Hz RS-422| DCU
  LDIM -->|interlock status 24VDC| DCU
  DCU -->|velocity ref 200Hz CAN| DMD

Seven subsystem requirements ({{sub:SUB-REQ-023}} through {{sub:SUB-REQ-029}}) cover closing force enforcement, obstruction reversal timing, fire Phase I door hold-open, interlock verification, speed profiling, safe-state on DCU failure, and MTBF. Six interface requirements ({{ifc:IFC-REQ-015}} through {{ifc:IFC-REQ-020}}) define the DCU-to-DMD CAN interface, dual-channel OSSD light curtain wiring, normally-closed safety edge circuit, RS-422 encoder bus, RS-485 landing interlock polling, and the dual-channel (CAN + hardwired relay) movement-permission interface to the Safety Controller.

Group Dispatch Controller (SIL 0)

The {{entity:Group Dispatch Controller}} ({{hex:41F77B08}}) was decomposed into four components: {{entity:Dispatch Algorithm Engine}} (10 Hz destination dispatch optimiser), {{entity:Car State Aggregator}} (multi-car state collection and stale-data detection), {{entity:Hall Call Interface Unit}} (RS-485 landing panel hardware), and {{entity:Traffic Analysis Module}} (traffic pattern classification for algorithm adaptation).

flowchart TB
  CSA["Car State Aggregator"]
  HCIU["Hall Call Interface Unit"]
  TAM["Traffic Analysis Module"]
  DAE["Dispatch Algorithm Engine"]
  CSA -->|car state vector 10Hz| DAE
  HCIU -->|hall call queue| DAE
  TAM -->|traffic mode| DAE

Three subsystem requirements ({{sub:SUB-REQ-030}} through {{sub:SUB-REQ-032}}) address the ≤30 s average waiting time KPI under EN 81-20 Annex B heavy traffic, 100 ms dispatch re-evaluation latency, and 5-second fault-car reassignment. Two interface requirements ({{ifc:IFC-REQ-021}}, {{ifc:IFC-REQ-022}}) define the CAN car-controller network and the RS-485 landing panel polling protocol.
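As an added example, not the project's own code, the stale-data detection in the Car State Aggregator and the 5-second fault-car reassignment of SUB-REQ-032 can be sketched in C. The point a practitioner wants to see is that a car controller which has simply stopped talking on the CAN network is treated the same as one that reports a fault: it is excluded from dispatch and the calls already assigned to it are moved, rather than silently lost. The frame fields, the 1000 ms stale threshold (well inside the 5 s budget), the nearest-car rule and all function names are assumptions; the frames in main() are constructed, not captured traffic.

```c
/* Added example (not the project's code): Car State Aggregator with
 * stale-data detection, feeding a fault-car reassignment pass.
 * Assumed: frame fields, STALE_MS, nearest-car rule, function names. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define N_CARS   4
#define N_CALLS  8
#define STALE_MS 1000u   /* assumed: no update for 1 s marks the car faulted */
#define NO_CAR   (-1)

typedef struct {
    int      floor;          /* last reported floor */
    bool     in_service;     /* reported by the car controller */
    uint32_t last_update_ms; /* aggregator-side receive timestamp */
    bool     stale;          /* derived: no update within STALE_MS */
} car_state_t;

typedef struct {
    int  floor;
    bool up;
    int  assigned_car;       /* NO_CAR = unassigned */
    bool active;
} hall_call_t;

typedef struct {
    car_state_t cars[N_CARS];
    hall_call_t calls[N_CALLS];
} dispatch_t;

/* Ingest one car-state frame from the car-controller CAN network (IFC-REQ-021). */
void csa_update(dispatch_t *d, int car, int floor, bool in_service, uint32_t now_ms)
{
    if (car < 0 || car >= N_CARS) return;   /* reject out-of-range car IDs */
    d->cars[car].floor = floor;
    d->cars[car].in_service = in_service;
    d->cars[car].last_update_ms = now_ms;
    d->cars[car].stale = false;
}

/* Stale-data sweep: a car that has gone quiet is treated as faulted.
   Returns the number of cars currently usable for dispatch. */
int csa_sweep(dispatch_t *d, uint32_t now_ms)
{
    int usable = 0;
    for (int i = 0; i < N_CARS; i++) {
        car_state_t *c = &d->cars[i];
        c->stale = (now_ms - c->last_update_ms) > STALE_MS;  /* unsigned: wrap-safe */
        if (!c->stale && c->in_service) usable++;
    }
    return usable;
}

static bool car_usable(const dispatch_t *d, int car)
{
    return car != NO_CAR && !d->cars[car].stale && d->cars[car].in_service;
}

/* Nearest usable car by floor distance; NO_CAR if none is available. */
static int nearest_car(const dispatch_t *d, int floor)
{
    int best = NO_CAR, best_dist = 0;
    for (int i = 0; i < N_CARS; i++) {
        if (!car_usable(d, i)) continue;
        int f = d->cars[i].floor;
        int dist = f > floor ? f - floor : floor - f;
        if (best == NO_CAR || dist < best_dist) { best = i; best_dist = dist; }
    }
    return best;
}

/* Reassignment pass (SUB-REQ-032): every active call whose car is faulted,
   stale or unassigned goes to the nearest usable car. Calls with no usable
   car stay pending. Returns the number of calls (re)assigned. */
int dae_reassign(dispatch_t *d)
{
    int moved = 0;
    for (int i = 0; i < N_CALLS; i++) {
        hall_call_t *h = &d->calls[i];
        if (!h->active || car_usable(d, h->assigned_car)) continue;
        int car = nearest_car(d, h->floor);
        if (car != NO_CAR && car != h->assigned_car) { h->assigned_car = car; moved++; }
    }
    return moved;
}

int main(void)
{
    dispatch_t d = {0};
    /* constructed frames: three cars in service at t=0, car 1 then goes silent */
    csa_update(&d, 0, 0, true, 0);
    csa_update(&d, 1, 5, true, 0);
    csa_update(&d, 2, 9, true, 0);
    d.calls[0] = (hall_call_t){ 6, true, 1, true };   /* floor 6, assigned to car 1 */
    csa_update(&d, 0, 1, true, 1500);
    csa_update(&d, 2, 9, true, 1500);
    printf("usable cars at t=1500: %d\n", csa_sweep(&d, 1500));
    int moved = dae_reassign(&d);
    printf("calls moved: %d, call 0 now on car %d\n", moved, d.calls[0].assigned_car);
    return 0;
}
```

The sweep runs on the aggregator's own clock, not on timestamps carried in the frames, so a car controller that replays old frames or whose clock drifts cannot keep itself marked live; only a fresh frame actually received on the bus resets the age.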

Analysis

The light curtain OSSD interface ({{ifc:IFC-REQ-016}}) and safety edge normally-closed circuit ({{ifc:IFC-REQ-017}}) together implement the dual-means reversal mandated by EN 81-20 clause 5.3.12. The {{trait:Regulated}} nature of the door safety function required explicit treatment of wiring fault modes: both interfaces read as a reversal demand on cable break (the OSSD outputs drop, the normally-closed loop opens), so the fail-safe reading is produced by the wiring itself, before any software acts on it. The {{entity:Door Control Unit}}’s torque-control approach to force limiting eliminates a dedicated load cell, reducing hardware failure modes while providing continuous enforcement throughout the close cycle.

Cross-domain: the Door Operator’s dual-channel obstruction detection pattern closely matches automotive pedestrian detection redundancy (primary radar + backup camera), with the same principle of independent sensing modalities feeding a common arbitration logic that defaults to the conservative state.
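To make the arbitration described under Decomposition and Analysis concrete, here is an added C example, not the project's DCU firmware, of one control scan of the Door Control Unit. It cross-checks the two OSSD channels and latches a persistent mismatch as a sensor fault, treats an open normally-closed edge loop as an obstruction whether it is a press or a cable break, drops to the safe state when position feedback goes stale, enforces the 150 N closing-force limit from the torque-derived estimate, and derives the movement-permission output of IFC-REQ-020. The signal names, the 50 ms discrepancy window, the three-frame stale rule and the latch-until-reset behaviour are assumptions; the 500 Hz encoder rate, the 150 N limit and the requirement IDs come from the entry above.

```c
/* Added example (not the project's DCU firmware): one fail-safe control scan
 * of the Door Control Unit. Assumed: signal names, OSSD_DISCREPANCY_MS, the
 * three-frame stale rule and the latching of curtain faults. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ENCODER_PERIOD_MS    2u   /* 500 Hz position samples (from the spec) */
#define ENCODER_STALE_MS     (3u * ENCODER_PERIOD_MS) /* assumed: 3 missed frames */
#define OSSD_DISCREPANCY_MS  50u  /* assumed: max tolerated channel mismatch */
#define MAX_CLOSING_FORCE_N  150  /* SUB-REQ-023 closing force limit */

typedef enum { DOOR_CLOSING, DOOR_REVERSING, DOOR_SAFE_STATE } door_cmd_t;

typedef struct {
    bool     ossd1_clear;       /* light curtain OSSD channel 1: true = no beam broken */
    bool     ossd2_clear;       /* light curtain OSSD channel 2 */
    bool     edge_loop_closed;  /* NC safety edge loop: false = pressed OR cable break */
    bool     interlock_verified;/* landing door interlock contact confirmed closed */
    uint32_t encoder_age_ms;    /* time since last valid RS-422 position frame */
    uint32_t position_mm;       /* door opening, 0 = fully closed */
    int32_t  est_force_n;       /* closing force estimated from motor torque */
} door_inputs_t;

typedef struct {
    uint32_t ossd_mismatch_ms;  /* accumulated time the two OSSD channels disagreed */
    bool     curtain_fault;     /* latched: cleared only by a maintenance reset */
} door_state_t;

/* One control scan; dt_ms is the scan period. */
door_cmd_t dcu_step(door_state_t *st, const door_inputs_t *in, uint32_t dt_ms)
{
    /* Cross-check the two OSSD channels. A short mismatch is normal switching
       skew; a persistent one is a wiring or sensor fault and is latched so a
       channel that later "recovers" is not trusted again without a reset. */
    if (in->ossd1_clear != in->ossd2_clear) {
        st->ossd_mismatch_ms += dt_ms;
        if (st->ossd_mismatch_ms > OSSD_DISCREPANCY_MS)
            st->curtain_fault = true;
    } else {
        st->ossd_mismatch_ms = 0;
    }

    /* Sensor or feedback faults: the DCU can neither prove the path is clear
       nor profile speed safely, so it takes the safe state (SUB-REQ-028). */
    if (st->curtain_fault || in->encoder_age_ms > ENCODER_STALE_MS)
        return DOOR_SAFE_STATE;

    /* Obstruction detection. Either OSSD channel reading "not clear" counts,
       and an open NC loop is an obstruction whether press or cable break. */
    bool curtain_obstructed = !(in->ossd1_clear && in->ossd2_clear);
    bool edge_obstructed    = !in->edge_loop_closed;

    if (curtain_obstructed || edge_obstructed ||
        in->est_force_n > MAX_CLOSING_FORCE_N)
        return DOOR_REVERSING;

    return DOOR_CLOSING;
}

/* Movement permission to the Safety Controller (IFC-REQ-020). The same value
   drives the CAN message and the hardwired relay; the relay is energised only
   while this is true, so loss of the DCU itself also withdraws permission. */
bool dcu_move_permit(const door_state_t *st, const door_inputs_t *in)
{
    return !st->curtain_fault &&
           in->encoder_age_ms <= ENCODER_STALE_MS &&
           in->position_mm == 0 &&
           in->interlock_verified;
}

int main(void)
{
    door_state_t st = {0};
    /* constructed inputs: door 300 mm open, path clear, 40 N closing force */
    door_inputs_t in = { true, true, true, false, 0, 300, 40 };
    printf("clear path:     cmd=%d\n", dcu_step(&st, &in, 5));
    in.edge_loop_closed = false;      /* edge pressed or cable broken */
    printf("open edge loop: cmd=%d\n", dcu_step(&st, &in, 5));
    return 0;
}
```

Note the asymmetry: an obstruction reverses the door, but a channel fault or stale encoder takes the safe state, and the permission output requires both a proven-closed position and a fresh encoder frame, so a stuck or disconnected feedback path can never look like "closed and locked".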

Requirements

Key requirements created this session: {{sub:SUB-REQ-023}} (150 N closing force), {{sub:SUB-REQ-024}} (50 ms obstruction reversal), {{sub:SUB-REQ-028}} (DCU safe-state on failure), {{ifc:IFC-REQ-020}} (dual-channel movement permission to Safety Controller), {{sub:SUB-REQ-030}} (≤30 s waiting time), {{ifc:IFC-REQ-021}} (Car Controller CAN interface). Total: 10 SUB ({{sub:SUB-REQ-023}} through {{sub:SUB-REQ-032}}), 8 IFC, 6 VER requirements created. Interface count now 22 (gate requires ≥20, cleared). Spec tree: 5/6 complete.

Next

One subsystem remains: {{entity:Building Integration Gateway}} (SIL 0). Components include BACnet/IP stack, Modbus gateway, access control protocol adapter, and remote monitoring interface. After completion, the spec tree will be fully populated and the project enters the QC review phase.
