Concept of Operations (ConOps) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.1
Generated 2026-03-27 — UHT Journal / universalhex.org
The Industrial Elevator Control System exists to safely and efficiently transport people and freight between floors in commercial, industrial, and high-rise buildings. Without this system, vertical transportation would depend on manual or hydraulic mechanisms lacking the precision, speed, safety monitoring, and energy efficiency required by modern building codes and operational demands. The system addresses the need for continuous, high-availability vertical transport (>99.5% uptime) while enforcing safety-critical functions — overspeed protection, uncontrolled movement detection, door zone interlocking, and emergency evacuation — that prevent fatal accidents in hoistway environments. It integrates with building management systems to optimise energy consumption, traffic flow during peak periods, and emergency response coordination.
| Stakeholder | Relationship | Hex Code |
|---|---|---|
| Building Occupant / Elevator Passenger | primary user, interacts via hall/car buttons, expects <30s wait, smooth ride, accurate levelling. Includes mobility-impaired users (EN 81-70). Derived from: Morning Rush, Power Failure, Fire Recall scenarios. | 000C0081 |
| Elevator Maintenance Technician | performs EN 81-20 preventive/corrective maintenance, exclusive hoistway access, uses maintenance mode. Personal safety depends on interlocks. Derived from: Quarterly Maintenance scenario. | 000420F8 |
| Building Facility Manager | day-to-day operation via BMS, monitors status, schedules maintenance, configures traffic patterns, coordinates emergency response. Derived from: all scenarios (BMS notifications). | 00045AF8 |
| Fire Service / Emergency Responder | Phase I/II fire recall operation, manual hold-to-run control, trained per ASME A17.1. Derived from: Fire Alarm Recall scenario. | 000D3AF9 |
| Elevator Regulatory Inspector | certifies EN 81-20/50 and local code compliance, annual statutory inspections, authority to condemn. Requires test records and modification history. | 008428F9 |
| Elevator OEM / System Integrator | designs, installs, commissions, provides controller hardware/software, type examination certification (Lifts Directive 2014/33/EU), spare parts and updates over 20-25 year lifecycle. | 40843A39 |
| Mode | Description |
|---|---|
| Initialisation | power restored or controller reset → self-test of safety chain, encoders, door interlocks, brakes, BMS comms (15-60s) → pass: normal operation; fail: out-of-service with fault code |
| Normal Operation | all diagnostics pass → car/hall call dispatch, VFD motor control, floor positioning, door cycles, group dispatch optimisation, continuous safety monitoring → fault: degraded/emergency; fire alarm: fire service; maintenance key: maintenance |
| Degraded Operation | non-safety-critical fault (encoder redundancy loss, single door fault, BMS comms failure) → reduced speed, single-car operation, manual door fallback, operator notification → fault cleared: normal; escalation: emergency shutdown |
| Emergency Shutdown | overspeed, uncontrolled movement, safety chain break, seismic, fire → regenerative braking then mechanical brake, car to nearest floor, doors open, motor de-energised → manual reset by qualified technician required |
| Fire Service | fire alarm Phase I recall to designated floor, doors open, normal service suspended; Phase II firefighter key switch for exclusive manual control, hold-to-run, door override → fire key removal + manual reset. EN 81-72 |
| Maintenance | keyed switch on car top or machine room → 0.3 m/s max, car-top/machine-room control only, dispatch disabled, lowered governor threshold → switch to normal: re-initialisation |
| Seismic Operation | P-wave trigger or building seismic system → stop at nearest floor, doors open, safe hold during shaking, 60s hold timer after last trigger → low-speed inspection trip → normal operation. EN 81-77 |
07:30-09:00, ground floor lobby fills with 200+ workers. Group dispatch enters up-peak mode — all cars return to lobby after serving highest call. Load weighing at 80% triggers hall call bypass. Door dwell 3s. Wait time target <30s. Energy peaks from continuous motor cycling. Building porter monitors lobby queue.
one car reports encoder redundancy fault, removed from group. 3 remaining cars rebalance — wait times rise to 45-50s. BMS notification triggers technician dispatch (45min ETA). If second car fails: critical degraded, lobby attendant redirects passengers to stairs for floors <5.
mains fails, UPS sustains controller 30min. ARD batteries drive each car between floors to nearest landing at 0.15 m/s. Wheelchair user in Car 2 at floor 18 — ARD takes to floor 17, doors open. Emergency lighting and intercom active. Generator starts 12s but elevator restart needs manual confirmation from building engineer.
fire on floor 12 triggers Phase I recall. All cars cancel calls, travel non-stop to ground floor, doors open. Floor 12 locked out. Car 3 above fire floor stops at 11 for evacuation, then continues to ground. Fire service Phase II: firefighter keys into Car 1 for exclusive manual hold-to-run control.
certified technician switches Car 1 to maintenance via key. Car removed from group. Technician rides car top at 0.3 m/s inspecting rails, ropes, doors, safety gear, governor tension. Tests ARD, measures brake torque. 2-4 hours per car, 2 days for 4-car group with rotation. Records per EN 81-20.
P-wave detector triggers alert. All cars decelerate to nearest floor, doors open. 60s hold timer after last trigger. Building sway sensor confirms structural integrity. Post-event: technician runs low-speed inspection trip (0.3 m/s full shaft) checking rails, ropes, counterweight. Cars pass inspection one-by-one to resume service.
| Category | Constraint |
|---|---|
| Thermal | hoistway 0-50°C ambient, machine room ≤40°C (EN 81-20), 5-95% RH non-condensing, controller derating above 40°C. Below-grade pits subject to flooding. |
| EMC | VFD switching 4-16 kHz, co-located with HVAC drives and power distribution. EN 12015 emissions, EN 12016 immunity (10 V/m radiated). Shielded cabling mandatory for safety circuits. |
| Power | 3-phase 400VAC/50Hz, dedicated switchboard, regenerative braking to grid or resistor. UPS 30min for controller, ARD batteries for 3 rescue cycles. IEC 60364 grounding. |
| Regulatory | EN 81-20/50, EN 81-70 accessibility, EN 81-72 fire, EN 81-77 seismic, IEC 61508 SIL 3, EU Lifts Directive 2014/33/EU, ASME A17.1 (NA), local building codes. |
| Physical space | controller in machine room (typically roof level) or machine-room-less (MRL) installation in hoistway overhead. IP54 minimum for pit equipment. Car top inspection station required. |
| System | Interface | Hex Code |
|---|---|---|
| Building Management System | BACnet/IP or Modbus TCP, 1Hz polling, bidirectional — provides status (position, faults, energy), receives commands (VIP priority, floor lockout, schedules, fire alarm). Building operator owned. | 50AD7B48 |
| Building Fire Alarm Panel | hardwired relay contacts (not software), Phase I recall, alternate floor, machine room and hoistway smoke detectors. EN 81-72 compliant. Fire system integrator owned. | D4AD7858 |
| Building Access Control System | card reader/biometric at hall stations, RS-485 or IP, authorised floor list per credential. Security contractor owned. Must not override safety or fire recall. | 50BD7819 |
| Emergency Intercom / Telephone | two-way voice in car to monitoring centre. Auto-dials on entrapment (>2min stationary between floors). Battery backed, GSM backup. EN 81-28. Telecom provider owned. | — |
flowchart TB n0["system<br>Industrial Elevator Control System"] n1["system<br>Industrial Elevator Control System"] n2["actor<br>Building Occupants"] n3["actor<br>Maintenance Technician"] n4["actor<br>Facility Manager"] n5["actor<br>Fire Service"] n6["actor<br>Building Management System"] n7["actor<br>Fire Alarm Panel"] n8["actor<br>Access Control System"] n9["actor<br>Emergency Intercom"] n10["actor<br>Building Power Supply"] n2 -->|Hall/car calls, destination requests| n1 n1 -->|Floor indicators, door status, audio| n2 n3 -->|Maintenance commands, test inputs| n1 n1 -->|Diagnostics, fault codes| n3 n1 -->|Status, alarms, energy data| n4 n5 -->|Phase II manual commands| n1 n6 -->|Schedules, floor lockout, VIP priority| n1 n1 -->|Car position, door state, faults| n6 n7 -->|Phase I recall, smoke alarm| n1 n8 -->|Authorised floor list per credential| n1 n1 -->|Auto-dial on entrapment| n9 n10 -->|3-phase mains, UPS, ARD battery| n1
Industrial Elevator Control System — Context