Timing implausibility and missing hazard traceability in industrial elevator system
Red team review of the {{entity:Industrial Elevator Control System}} ({{hex:D6B77058}}), project se-industrial-elevator. At entry: 223 requirements across 6 documents, 237 trace links, 8 diagrams, 0 orphans. The system completed decomposition through sessions 437–445, covering {{entity:Safety Controller Subsystem}} ({{hex:51B73858}}), Traction Drive, Door Operator, Group Dispatch Controller, Power Distribution, and {{entity:Building Integration Gateway}} ({{hex:50F57A18}}). Seven adversarial checks executed: failure mode coverage, testability, domain gap, interface plausibility, proportion, implausibility, and safety integrity.
Adversarial Findings
Implausible timing values (12 findings). The most significant finding. Six safety-critical requirements share an identical 50 ms response time: overspeed detection ({{sub:SUB-REQ-002}}), UCMP detection ({{sub:SUB-REQ-003}}), safety chain monitoring ({{sub:SUB-REQ-004}}), MCU overspeed ({{sub:SUB-REQ-012}}), door obstruction reversal ({{sub:SUB-REQ-024}}), and hot standby failover ({{sub:SUB-REQ-051}}). A separate cluster of six requirements all specify 20 ms: dual-channel comparison ({{sub:SUB-REQ-001}}), brake engagement ({{sub:SUB-REQ-007}}), encoder fault detection ({{sub:SUB-REQ-015}}), power transfer ({{sub:SUB-REQ-018}}), interlock verification ({{sub:SUB-REQ-026}}), and MCU comm loss ({{sub:SUB-REQ-059}}). These are physically distinct mechanisms — brake engagement depends on spring force and armature mass, power transfer on UPS topology, encoder fault detection on signal processing — and would not converge on identical values in a real system.
Missing failure modes (5 findings). {{entity:Power Distribution Subsystem}} ({{hex:DE851018}}) has 0/3 failure-mode requirements under the power-distribution tag. {{entity:Group Dispatch Controller}} ({{hex:41F77B08}}) has only 1/3 — {{sub:SUB-REQ-030}} and {{sub:SUB-REQ-031}} lack any fault handling for dispatch algorithm failure or communication loss to car controllers.
SIL traceability gaps (3 findings). {{sys:SYS-REQ-003}}, {{sys:SYS-REQ-004}}, and {{sys:SYS-REQ-005}} assert SIL 3 and SIL 2 compliance but the project lacks a formal hazard register linking specific hazard IDs to SIL allocations. Only 6/223 requirements reference “hazard” at all. IEC 61508 requires traceable hazard-to-SIL-to-requirement chains; these are absent.
Vague interfaces (2 findings). {{ifc:IFC-REQ-002}} (fire alarm panel) and {{ifc:IFC-REQ-004}} (emergency intercom) lack quantified latency or data rate specifications. Both reference standards (EN 81-72, EN 81-28) but neither specifies relay response time or voice channel bandwidth.
Verification coverage gap. 31/74 SUB requirements have no explicit VER requirement referencing them by ref number. The 82 VER requirements cover only 43 SUB requirements explicitly.
Ontological lint. 50 medium-severity lint findings: 5 components tagged {{trait:System-Essential}} lack redundancy requirements (motor control unit, safety output actuator, VFD, building integration gateway, event logger). 2 components tagged {{trait:Digital/Virtual}} lack cybersecurity requirements. 4 components tagged {{trait:Regulated}} lack compliance requirements.
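Two of the checks above, rt-implausible-value and the SUB-to-VER coverage gap, are mechanical enough to script. The following is an added example, not code from the review or the se-industrial-elevator project: it runs both checks over a small constructed requirement set. The requirement IDs and timing values are the ones the review lists; the mechanism class assigned to each requirement and the VER requirement texts are assumptions made for the example.

```python
"""Added example (not part of the review or the project): the timing-cluster
and verification-coverage checks over a constructed requirement set."""
import re
from collections import defaultdict

# Constructed sample: (id, summary, response time in ms, mechanism class).
# IDs and timings follow the review; the mechanism class is an assumption.
SUB_REQS = [
    ("SUB-REQ-001", "dual-channel comparison", 20, "logic"),
    ("SUB-REQ-002", "overspeed detection", 50, "sensing"),
    ("SUB-REQ-003", "UCMP detection", 50, "sensing"),
    ("SUB-REQ-007", "brake engagement", 20, "electromechanical"),
    ("SUB-REQ-018", "power transfer to UPS", 20, "power"),
    ("SUB-REQ-024", "door obstruction reversal", 50, "electromechanical"),
    ("SUB-REQ-051", "hot standby failover", 50, "comms"),
    ("SUB-REQ-059", "MCU comm loss", 20, "comms"),
    ("SUB-REQ-060", "hall lantern refresh", 500, "hmi"),  # constructed, single class
]

# Constructed VER requirement texts; the check only looks for SUB-REQ refs.
VER_REQS = {
    "VER-REQ-001": "Verify SUB-REQ-002 by injecting an over-speed encoder signal.",
    "VER-REQ-002": "Verify SUB-REQ-003 and SUB-REQ-024 on the door/UCMP test rig.",
    "VER-REQ-003": "Measure brake drop-out time per SUB-REQ-007.",
}

REF_PATTERN = re.compile(r"\b(SUB-REQ-\d{3})\b")


def implausible_timing_clusters(reqs, min_classes=3):
    """Return {timing_ms: [ids]} for values shared by requirements spanning at
    least `min_classes` distinct mechanism classes. Identical timing across
    unrelated physical mechanisms is the rt-implausible-value signal."""
    by_value = defaultdict(list)
    for rid, _summary, ms, mech in reqs:
        by_value[ms].append((rid, mech))
    clusters = {}
    for ms, members in by_value.items():
        classes = {mech for _, mech in members}
        if len(classes) >= min_classes:
            clusters[ms] = sorted(rid for rid, _ in members)
    return clusters


def verification_gap(sub_reqs, ver_reqs):
    """Return sorted SUB ids that no VER requirement references by ref number."""
    covered = set()
    for text in ver_reqs.values():
        covered.update(REF_PATTERN.findall(text))
    return sorted(rid for rid, *_ in sub_reqs if rid not in covered)


if __name__ == "__main__":
    for ms, ids in sorted(implausible_timing_clusters(SUB_REQS).items()):
        print(f"rt-implausible-value: {ms} ms shared by {', '.join(ids)}")
    gap = verification_gap(SUB_REQS, VER_REQS)
    print(f"verification gap: {len(gap)}/{len(SUB_REQS)} SUB reqs uncovered: {gap}")
```

The cluster threshold of three mechanism classes is a tuning choice: two requirements of the same sensing class sharing 50 ms is plausible, while sensing, electromechanical and communications mechanisms converging on one value is the templating smell the review describes.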
```mermaid
flowchart TB
n0["Industrial Elevator Control System"]
n1["Traction Drive Subsystem"]
n2["Safety Controller Subsystem"]
n3["Door Operator Subsystem"]
n4["Group Dispatch Controller"]
n5["Power Distribution Subsystem"]
n6["Building Integration Gateway"]
n7["Building Management System"]
n8["Fire Alarm Panel"]
n2 -->|Brake permit, STO| n1
n2 -->|Interlock status| n3
n4 -->|Target floor| n1
n4 -->|Door commands| n3
n5 -->|3-phase power| n1
n6 -->|BMS commands| n4
n6 -->|Fire relay| n2
n7 -->|BACnet/IP| n6
n8 -->|Hardwired relay| n6
```
Flagged Requirements
| Ref | Category | Issue |
|---|---|---|
| SUB-REQ-001, -002, -003, -004, -007, -012, -015, -018, -024, -026, -051, -059 | rt-implausible-value | 50ms or 20ms timing across physically distinct mechanisms |
| SUB-REQ-030, -031 | rt-missing-failure-mode | Group dispatch lacks fault handling |
| SUB-REQ-049, -055, -057 | rt-missing-failure-mode | Power distribution: zero failure-mode coverage |
| SYS-REQ-003, -004, -005 | rt-sil-gap | SIL assertions without hazard register tracing |
| IFC-REQ-002, -004 | rt-vague-interface | Missing latency/bandwidth specifications |
| SUB-REQ-044 | rt-untestable | Fire recall with compound actions, scored 71/100 |
Domain Analogs Checked
| Analog | Similarity | Gaps Surfaced |
|---|---|---|
| Process Safety System | 0.86 | Formal proof test procedures at SUB level missing |
| Emergency Shutdown System | 0.84 | No cybersecurity requirements for networked safety components |
| Safety and Interlock Subsystem | 0.85 | Hazard-to-SIL allocation table absent |
| Safety Logic Processor | 0.82 | No common-cause failure analysis requirements |
| Vital Processing Unit | 0.82 | No software SIL qualification requirements |
Recommendations
- Derive timing values from physics. Replace the 50ms and 20ms placeholder clusters with values derived from component datasheets and system-level timing budgets. Brake engagement time, for instance, should reference specific actuator specifications.
- Create a formal hazard register. Establish a hazard table with IDs, severity, frequency, SIL allocation, and safe state for each hazard. Trace every SIL-tagged requirement back to a specific hazard.
- Add failure-mode requirements for Power Distribution and Group Dispatch. Both subsystems are under-specified for fault scenarios.
- Close the 31/74 SUB verification gap. Each SUB requirement should have at least one VER requirement referencing it.
- Add cybersecurity requirements for Group Dispatch Controller and Building Integration Gateway, which are networked and tagged {{trait:Digital/Virtual}}.
- Quantify IFC-REQ-002 and IFC-REQ-004 with relay response time and voice channel specifications.
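The hazard register recommendation above can be checked in the same way as the other findings once the register exists. The following is an added example, not code from the review or the se-industrial-elevator project: it models a register with the fields the recommendation names (ID, severity, frequency, SIL allocation, safe state) and checks that every SIL-tagged requirement forms a complete hazard-to-SIL-to-requirement chain. The hazard entries, their SIL allocations and the requirement tags are all constructed for the example; only the requirement refs follow the review.

```python
"""Added example (not from the review or the project): a minimal hazard
register and the traceability check behind the rt-sil-gap finding."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Hazard:
    hazard_id: str
    description: str
    severity: str      # e.g. catastrophic / critical / marginal
    frequency: str     # e.g. remote / occasional / probable
    sil: int           # allocated SIL, 1..4
    safe_state: str


@dataclass
class Requirement:
    ref: str
    text: str
    sil: Optional[int] = None          # SIL the requirement claims, if any
    hazard_refs: list[str] = field(default_factory=list)


# Constructed hazard register: IDs, allocations and safe states are assumptions.
HAZARD_REGISTER = {
    "HAZ-001": Hazard("HAZ-001", "Uncontrolled car movement with doors open",
                      "catastrophic", "remote", 3, "Brake applied, drive STO asserted"),
    "HAZ-002": Hazard("HAZ-002", "Car overspeed in either direction",
                      "catastrophic", "remote", 3, "Safety gear engaged, drive STO asserted"),
    "HAZ-003": Hazard("HAZ-003", "Door closes on passenger",
                      "critical", "occasional", 2, "Door reversed and held open"),
    "HAZ-004": Hazard("HAZ-004", "Car stalled between floors on power loss",
                      "marginal", "probable", 2, "Brake held, emergency lighting on"),
}

# Constructed requirements: refs follow the review, text and tags are assumed.
REQUIREMENTS = [
    Requirement("SYS-REQ-003", "Safety controller shall meet SIL 3", 3, ["HAZ-001", "HAZ-002"]),
    Requirement("SYS-REQ-004", "Door protection shall meet SIL 2", 2, ["HAZ-003"]),
    Requirement("SYS-REQ-005", "Brake control shall meet SIL 3", 3, []),            # no hazard
    Requirement("SUB-REQ-024", "Door shall reverse on obstruction", 1, ["HAZ-003"]),  # under-claims
    Requirement("SUB-REQ-030", "Dispatcher shall assign nearest car", None, []),     # not safety
]


def trace_sil_requirements(reqs, register):
    """Return (ref, problem) pairs for SIL-tagged requirements whose chain back
    to a registered hazard is missing or whose claimed SIL is below the
    hazard's allocation. Requirements with no SIL claim are not traced."""
    problems = []
    for r in reqs:
        if r.sil is None:
            continue
        if not r.hazard_refs:
            problems.append((r.ref, "SIL claimed but no hazard referenced"))
            continue
        for hid in r.hazard_refs:
            haz = register.get(hid)
            if haz is None:
                problems.append((r.ref, f"references unregistered hazard {hid}"))
            elif r.sil < haz.sil:
                problems.append((r.ref, f"claims SIL {r.sil} but {hid} is allocated SIL {haz.sil}"))
    return problems


def untraced_hazards(reqs, register):
    """Return sorted hazard IDs that no SIL-tagged requirement references:
    hazards that exist in the register but have no mitigating requirement."""
    referenced = {hid for r in reqs if r.sil is not None for hid in r.hazard_refs}
    return sorted(hid for hid in register if hid not in referenced)


if __name__ == "__main__":
    for ref, problem in trace_sil_requirements(REQUIREMENTS, HAZARD_REGISTER):
        print(f"rt-sil-gap: {ref}: {problem}")
    print("hazards without a requirement:", untraced_hazards(REQUIREMENTS, HAZARD_REGISTER))
```

Both directions matter for the IEC 61508 safety case: a requirement claiming a SIL with no hazard behind it is the gap the review found in SYS-REQ-003 through SYS-REQ-005, and a registered hazard with no requirement is the mirror-image gap that a register-only fix would leave open.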
Verdict
Informational. 23 findings tagged: 12 rt-implausible-value, 5 rt-missing-failure-mode, 3 rt-sil-gap, 2 rt-vague-interface, 1 rt-untestable. Additionally 50 medium-severity lint findings and 31 SUB requirements without verification coverage. The timing implausibility cluster is the highest-priority item — it suggests these values were templated rather than engineered. The absent hazard register is the second-highest priority as it undermines the IEC 61508 safety case.