System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org
flowchart TB n0["system<br>Industrial Elevator Control System"] n1["subsystem<br>Traction Drive Subsystem"] n2["subsystem<br>Safety Controller Subsystem"] n3["subsystem<br>Door Operator Subsystem"] n4["subsystem<br>Group Dispatch Controller"] n5["subsystem<br>Power Distribution Subsystem"] n6["subsystem<br>Building Integration Gateway"] n7["external<br>Building Management System"] n8["external<br>Fire Alarm Panel"] n2 -->|Brake permit, STO| n1 n2 -->|Interlock status| n3 n4 -->|Target floor| n1 n4 -->|Door commands| n3 n5 -->|3-phase power| n1 n6 -->|BMS commands| n4 n6 -->|Fire relay| n2 n7 -->|BACnet/IP| n6 n8 -->|Hardwired relay| n6
Industrial Elevator Control System — Decomposition
| Subsystem | Diagram | SIL | Status |
|---|---|---|---|
| Traction Drive Subsystem | Traction Drive Subsystem — Internal | SIL 3 | complete |
| Safety Controller Subsystem | Safety Controller Subsystem — Internal | SIL 3 | complete |
| Door Operator Subsystem | Door Operator Subsystem — Internal | SIL 2 | complete |
| Group Dispatch Controller | Group Dispatch Controller — Internal | — | complete |
| Power Distribution Subsystem | Power Distribution Subsystem — Internal | SIL 2 | complete |
| Building Integration Gateway | Building Integration Gateway — Internal | — | complete |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The Safety Controller Subsystem SHALL implement a dual-channel Safety CPU certified to IEC 61508 SIL 3, with each channel independently executing safety logic and a cross-channel comparison that triggers a discrepancy fault within 20 ms of channel divergence. Rationale: IEC 61508 SIL 3 requires hardware fault tolerance HFT=1 for Type B subsystems at the Safety Integrity Level demanded by the EN 81-20 safety functions (overspeed, UCMP). Dual-channel architecture is the standard realisation. 20ms discrepancy window is derived from the 10ms safety function reaction time plus one monitor cycle, ensuring faults are detected before a safety function miss-execution can propagate. | Test | rt-implausible-value, red-team-session-460 |
| SUB-REQ-002 | The Speed and Position Monitor SHALL detect car velocity exceeding 115% of rated speed and assert an overspeed trip signal to the Safety CPU within 50 ms of the threshold crossing. Rationale: Derived from SYS-REQ-003. 115% rated speed is the EN 81-20 Clause 5.6 overspeed governor calibration trigger point. 50ms is allocated to the Speed and Position Monitor from the 100ms total safety function response time budget; the remaining 50ms covers Safety CPU decision and Safety Output Actuator brake engagement. | Test | rt-implausible-value, red-team-session-460 |
| SUB-REQ-003 | The Speed and Position Monitor SHALL detect uncontrolled car movement exceeding 200 mm from the landing level with the door zone open and assert a UCMP trip signal to the Safety CPU within 50 ms of threshold crossing. Rationale: Derived from SYS-REQ-004. 200mm is the EN 81-20 Clause 5.6.7 maximum permitted uncontrolled movement before personnel entering or exiting the car are at risk of shear between car sill and landing sill. 50ms detection budget matches overspeed allocation, providing symmetric time-budget accounting. | Test | rt-implausible-value, red-team-session-460 |
| SUB-REQ-004 | The Safety Chain Interface Module SHALL monitor the series safety circuit at ≥20 Hz scan rate and assert a safety chain open fault to the Safety CPU within 50 ms of any safety device contact opening. Rationale: Derived from SYS-REQ-003. EN 81-20 Clause 14.1.2 mandates that the opening of any electrical safety device in the series chain must result in immediate machine stoppage. 20Hz scan ensures detection within one scan cycle at the 50ms budget allocation. Contacts monitored include: pit stop, buffers, final limit switches, car top inspection, door electrical safety devices, car gate, and slack rope. | Test | rt-implausible-value, red-team-session-460 |
| SUB-REQ-005 | When the Seismic and Fire Interface receives a Phase I fire recall relay signal, the Safety Controller Subsystem SHALL command all cars to the designated recall floor and inhibit car operation within 5 s, per EN 81-72. Rationale: Derived from SYS-REQ-007. EN 81-72 Clause 5.2 sets a 5-second maximum response time from fire recall signal to car motion towards recall floor. The Seismic and Fire Interface provides <5ms latency, leaving 4.995s for the Safety CPU command and drive response. Hardwired relay input (not software protocol) per IFC-REQ-002 ensures this path cannot be disrupted by network failure. | Test | subsystem, safety-controller, sil-2, session-437, idempotency:sub-sc-fire-recall-437 |
| SUB-REQ-006 | When the Seismic and Fire Interface receives a seismic P-wave event signal, the Safety Controller Subsystem SHALL initiate immediate car deceleration to the nearest floor within 1 s, per EN 81-77 Level 1 response. Rationale: Derived from SYS-REQ-008. EN 81-77 Clause 5.3.1 Level 1 specifies that on P-wave detection the elevator must reach the nearest floor and open doors before the destructive S-waves arrive, typically 5-20 seconds after P-wave. 1-second response ensures the car is moving to safety well within the P-to-S window. Seismic and Fire Interface <5ms latency is critical to meeting this budget. | Test | subsystem, safety-controller, sil-2, session-437, idempotency:sub-sc-seismic-response-437 |
| SUB-REQ-007 | The Safety Output Actuator SHALL engage the electromechanical safety brake within 20 ms of receiving a brake-engage command from the Safety CPU, using two independent force-guided relays wired in series, with relay monitor contacts providing feedback confirmation to the Safety CPU. Rationale: Derived from SYS-REQ-003. 20ms brake engagement is the Safety Output Actuator allocation within the 100ms total safety function response time. Force-guided relays per EN 61810-3 are required because they provide mechanical interlocking between normally-open and normally-closed contacts, preventing contact welding from causing undetected failure. Dual-relay series architecture achieves SIL 3 PFH requirement without relying on a single relay. | Test | rt-implausible-value, red-team-session-460 |
| SUB-REQ-008 | When the Safety CPU detects a discrepancy fault, watchdog timeout, or internal diagnostic failure, the Safety Controller Subsystem SHALL transition to safe state (brake engaged, VFD inhibited, all car motion stopped) within 100 ms. Rationale: IEC 61508 SIL 3 requires that detected dangerous failures result in transition to a defined safe state within the fault reaction time specified in the safety requirements specification. 100ms is derived from the EN 81-20 safety function response time budget. Safe state is: brake engaged (power removed from brake coil), VFD enable open (drive inhibited), car motion zero. | Test | subsystem, safety-controller, sil-3, session-437, idempotency:sub-sc-safe-state-fault-437 |
| SUB-REQ-009 | The Safety Controller Subsystem SHALL perform a power-on self-test (POST) covering dual-channel RAM/ROM integrity, encoder signal plausibility, safety chain continuity, and relay coil drive circuits, and SHALL inhibit elevator operation until all POST checks pass. Rationale: IEC 61508 Part 2 Clause 7.4.3 mandates periodic and start-up diagnostics for SIL 3 hardware. POST ensures that latent faults from the prior power-off period are detected before any motion is attempted. Elevator inhibition on POST failure prevents operation with an undetected fault condition; EN 81-20 requires that the elevator cannot be placed in service while a safety function is impaired. | Test | subsystem, safety-controller, sil-3, session-437, idempotency:sub-sc-post-test-437 |
| SUB-REQ-010 | The Motor Control Unit SHALL regulate car velocity to track the commanded profile within ±0.05 m/s steady-state error and achieve stopping accuracy of ±5 mm relative to floor datum. Rationale: Derived from SYS-REQ-002 (±5 mm stopping, ≤4 m/s). ±0.05 m/s steady-state band at 1 kHz loop closure; tighter than the system-level 4 m/s ceiling to leave margin for mechanical compliance in the rope system. 5 mm levelling accuracy required by EN 81-20 clause 5.6.3 for accessible landing. | Test | subsystem, traction-drive, sil-3, session-439, idempotency:sub-traction-velocity-439 |
| SUB-REQ-011 | The Motor Control Unit SHALL generate velocity profiles with acceleration and jerk limited to ≤1.5 m/s² and ≤2.5 m/s³ respectively at all operating speeds. Rationale: Derived from SYS-REQ-002. 1.5 m/s² acceleration cap from EN 81-20 occupant comfort limit and building structural load constraint. 2.5 m/s³ jerk limit prevents abrupt force transients on ropes and passengers. | Test | subsystem, traction-drive, sil-3, session-439, idempotency:sub-traction-accel-439 |
| SUB-REQ-012 | The Motor Control Unit SHALL detect encoder-measured car velocity exceeding 115% of rated contract speed and assert an OVERSPEED fault signal to the Safety Controller within 50 ms of threshold crossing. Rationale: Derived from SYS-REQ-003 (overspeed >115%). 50 ms detection latency is the tightest budget allowed before the Safety Controller must engage the governor; longer latency risks exceeding the mechanical overspeed governor trip threshold before electronic detection. SIL-3 function per IEC 62061 Table D.5. | Test | rt-implausible-value, red-team-session-460 |
| SUB-REQ-013 | When mains power fails, the Electromagnetic Brake SHALL engage within 150 ms of 24 V DC coil de-energisation and hold the car stationary against 150% of motor rated torque. Rationale: Derived from SYS-REQ-006 (power fail drives to nearest landing). Brake engages before MCU loses capacity to control velocity; 150 ms is within the UPS hold-up window. 150% torque hold accounts for maximum loaded car on maximum gradient rope wrap angle. Fail-safe spring-applied design is the safe state for SIL-3 power loss hazard. | Test | subsystem, traction-drive, sil-3, session-439, idempotency:sub-traction-brake-engage-439 |
| SUB-REQ-014 | The Variable Frequency Drive SHALL comply with EN 12015 Class C2 conducted and radiated emission limits and shall not cause encoder signal bit-error rate to exceed 1e-6 during rated switching frequency PWM switching. Rationale: Derived from SYS-REQ-011 (EMI rejection from co-located VFDs). PWM switching at 8–16 kHz induces common-mode currents; line reactors and EMI filter are required. Encoder BER of 1e-6 ensures speed feedback integrity for the closed-loop controller; violations cause positional drift at the floor landing. | Test | subsystem, traction-drive, session-439, idempotency:sub-traction-emi-439 |
| SUB-REQ-015 | The Motor Control Unit SHALL detect encoder signal loss or quadrature error within 20 ms and assert an ENCODER_FAULT to the Safety Controller, transitioning the drive to zero-torque safe state. Rationale: Loss of encoder feedback prevents accurate velocity or position computation; continued drive operation would produce uncontrolled acceleration. 20 ms fault detection is within the motor speed-change time constant at maximum jerk (motor inertia ~5 kg.m2), ensuring detection before runaway. SIL-3 diagnostic function per IEC 62061 clause 6.7.4. | Test | rt-implausible-value, red-team-session-460 |
| SUB-REQ-016 | The Traction Drive Subsystem SHALL achieve mean time between failures of at least 50000 hours for the Variable Frequency Drive and Motor Control Unit, verified by component reliability analysis. Rationale: Derived from SYS-REQ-012 (99.5% availability over 12 months). MTBF of 50000 h for drive electronics contributes to system availability budget; lower MTBF would make the drive the dominant failure contributor to missed availability target. Value from EN 81-20 annex reliability targets and field data from PMSM drive installations. | Analysis | subsystem, traction-drive, session-439, idempotency:sub-traction-mtbf-439 |
| SUB-REQ-017 | The Electromagnetic Brake SHALL have dual independent coils such that failure of one coil does not reduce braking torque below 100% of motor rated torque. Rationale: EN 81-20 clause 12.5.1 requires two independent braking elements for machine brakes. Each coil must independently hold full load to ensure a single-coil failure does not create an uncontrolled descent hazard. Inspection verified against manufacturer type-test certificate. | Inspection | subsystem, traction-drive, sil-3, session-439, idempotency:sub-traction-brake-dual-439 |
| SUB-REQ-018 | The Power Distribution Subsystem SHALL transfer from mains to UPS backup supply within 20 ms of mains voltage dropping below 85% of nominal, maintaining 24V DC safety bus within ±5% throughout the transfer. Rationale: Derived from SYS-REQ-006 (power fail response). 20ms transfer time is within the MCU and Safety Controller hold-up capacitance hold-up; 85% threshold detects brownout before full dropout. ±5% voltage tolerance required by 24V DC relay and MCU power supply specifications. | Test | rt-implausible-value, red-team-session-460 |
| SUB-REQ-019 | The UPS Module SHALL maintain 24V DC output for at least 30 minutes at full elevator safety load after mains failure, as required to complete emergency evacuation procedures. Rationale: Derived from SYS-REQ-006 and EN 81-20 clause 12.9 (rescue operation power). 30 minutes is the minimum time for emergency services to reach the site and manually release passengers in a worst-case scenario. | Test | subsystem, power-dist, sil-2, session-439, idempotency:sub-power-ups-holdtime-439 |
| SUB-REQ-020 | The Power Management Controller SHALL monitor battery State of Charge at 1 Hz and assert a LOW_BATTERY fault to the Safety Controller when SoC drops below 20%, triggering load shedding of non-critical loads. Rationale: Deep discharge protection prevents battery damage and ensures the 30-minute hold-up budget is achievable on next power cycle. 20% threshold provides headroom against measurement uncertainty while leaving capacity for emergency brake operations. | Test | subsystem, power-dist, session-439, idempotency:sub-power-batt-monitor-439 |
| SUB-REQ-021 | The Variable Frequency Drive SHALL accept 400V AC three-phase supply in the range 380–420V, 50 Hz ±2 Hz, and shall not draw more than 63A RMS per phase at peak regenerative or motoring load. Rationale: Power source and current limit requirements for the VFD address the lint finding that Powered entities must have power budget requirements. 63A at 400V AC matches the installation circuit breaker rating; exceeding this trips the MCB and causes unplanned outage against SYS-REQ-012. | Test | subsystem, traction-drive, power, session-439, idempotency:sub-vfd-power-439 |
| SUB-REQ-022 | The Building Integration Gateway SHALL reject any Building Management System command that would override a safety-critical elevator state (fire recall, seismic hold, emergency stop), and shall notify the BMS of the rejection within 500 ms via BACnet alarm object. Rationale: Addresses lint finding that Functionally Autonomous BMS has no safety override constraints. The BMS operates independently and may issue conflicting commands; the gateway must enforce elevator safety state precedence to prevent BMS-commanded unsafe movements. 500ms notification enables BMS to log the event and alert building operators. | Test | subsystem, building-integration, session-439, idempotency:sub-bms-override-439 |
| SUB-REQ-023 | The Door Operator Subsystem SHALL limit door closing force to ≤150 N measured at the leading edge of the car door panel at all points during the closing travel, measured in accordance with EN 81-20 clause 5.3.12. Rationale: EN 81-20 clause 5.3.12 mandates 150 N maximum closing force to prevent injury to trapped persons. The Door Motor Drive torque control loop enforces this continuously; the test verifies that the force limit holds under worst-case conditions (low supply voltage, worn belt, maximum payload). | Test | subsystem, door-operator, sil-2, session-440, idempotency:sub-door-closing-force-440 |
| SUB-REQ-024 | When the Multi-Ray Light Curtain or Safety Edge Contact Strip detects an obstruction during door closing, the Door Operator Subsystem SHALL reverse the door to the fully open position within 50 ms of signal activation. Rationale: 50 ms reversal budget derived from EN 81-20 clause 5.3.11 reaction time allowance for powered closing devices. The light curtain and safety edge provide dual-channel detection per Cat 4 / PLe; reversal within 50 ms prevents contact force from exceeding the 150 N limit assuming approach speeds within the closing speed profile. | Test | rt-implausible-value, red-team-session-460 |
| SUB-REQ-025 | When a Fire Phase I Recall command is received from the Safety Controller, the Door Operator Subsystem SHALL complete the current door cycle within 3 seconds, then hold the car doors open and disable call-driven door closure for the duration of the recall. Rationale: EN 81-72 clause 8.5.3 requires the car to land at the designated floor with doors open during Phase I. Holding doors open prevents passenger entrapment during firefighter evacuation. 3 second maximum cycle time bounds lobby arrival delay to acceptable limits. | Demonstration | subsystem, door-operator, sil-2, session-440, idempotency:sub-door-fire-recall-440 |
| SUB-REQ-026 | The Door Operator Subsystem SHALL verify that all monitored landing door interlock contacts are closed before issuing a car-movement-permitted signal to the Safety Controller, with detection of any open contact within 20 ms. Rationale: EN 81-20 clause 8.9 prohibits car movement unless all landing doors are closed and locked. The 20 ms detection window is derived from the Safety Controller 50 ms reaction budget (SYS-REQ-003); interlock status must be valid before the Safety Controller acts on a move command. | Test | rt-implausible-value, red-team-session-460 |
| SUB-REQ-027 | The Door Operator Subsystem SHALL control door panel velocity to a profile with maximum closing speed ≤0.3 m/s and shall decelerate to ≤0.1 m/s during the final 50 mm of travel before the fully-closed position. Rationale: EN 81-20 clause 5.3.11 limits door closing kinetic energy to control contact impact. The 0.3 m/s maximum and 0.1 m/s final-approach limit ensure panel kinetic energy is within the 150 N equivalent impulse threshold at all approach velocities. The Door Position Encoder at 0.5 mm resolution enables precise velocity profiling during the final 50 mm deceleration zone. | Test | subsystem, door-operator, sil-2, session-440, idempotency:sub-door-speed-profile-440 |
| SUB-REQ-028 | When the Door Control Unit detects a watchdog timeout, internal CPU fault, or loss of position encoder feedback, the Door Operator Subsystem SHALL de-energise the Door Motor Drive and open the safety chain within 100 ms, preventing car departure. Rationale: SIL-2 safe state requirement. DCU failure must not result in a car departing with doors open. De-energising the motor drive defaults to mechanical brake applied; opening the safety chain is a redundant action that prevents Safety Controller from issuing a move command, achieving HFT=1 for the combined door safety function. | Test | subsystem, door-operator, sil-2, session-440, idempotency:sub-door-safe-state-440 |
| SUB-REQ-029 | The Door Operator Subsystem SHALL achieve a mean time between failures (MTBF) of ≥500,000 door cycles under the rated load conditions specified in EN 81-20 Annex A. Rationale: Industrial elevator duty cycle averages 200 cycles/day in a heavy-use commercial building; 500,000 cycles equates to approximately 6.8 years before expected component replacement, matching the standard maintenance interval for door operator mechanical components (EN 81-80). | Analysis | subsystem, door-operator, session-440, idempotency:sub-door-mtbf-440 |
| SUB-REQ-030 | The Group Dispatch Controller SHALL achieve average passenger waiting time ≤30 seconds during up-peak traffic (200 persons/5 minutes on the entry floor) for a building served by ≥4 cars. Rationale: SYS-REQ-001 mandates ≤30s average waiting time. The 200 persons/5 min loading rate is the EN 81-20 Annex B heavy-traffic standard for commercial buildings. At ≥4 cars, destination dispatch algorithms achieve this threshold; simulation and acceptance trial data from comparable installations confirm this bound. | Test | rt-missing-failure-mode, red-team-session-460 |
| SUB-REQ-031 | The Group Dispatch Controller SHALL re-evaluate car assignments within 100 ms of any new hall call registration or car state change. Rationale: Responsiveness to new calls determines the system's ability to minimise waiting time. 100 ms re-evaluation cycle at 10 Hz allows the dispatch engine to react to new calls before the nearest car has travelled more than 0.15 m at rated speed, preventing assignment delay from causing missed stops. | Test | rt-missing-failure-mode, red-team-session-460 |
| SUB-REQ-032 | When one car in the group reports a non-safety-critical fault, the Group Dispatch Controller SHALL reassign all pending calls from the faulted car within 5 seconds and exclude the faulted car from future assignments until fault clearance. Rationale: Derived from SYS-REQ-009. 5 second reassignment window prevents passengers from waiting at a faulted car indefinitely; in practice, call reassignment occurs within 1 dispatch cycle (100ms) but 5s allows for edge cases where multiple cars are simultaneously in door zones. | Demonstration | subsystem, group-dispatch, session-440, idempotency:sub-gdc-fault-reassign-440 |
| SUB-REQ-033 | The BACnet/IP Stack SHALL publish elevator group status (car positions, fault codes, operating mode, energy consumption) as BACnet analog and binary objects at ≥1 Hz update rate with ≤500 ms latency from subsystem state change to BACnet object update. Rationale: SYS-REQ-010 requires ≥1 Hz BACnet/IP status updates to BMS. The 500 ms latency ceiling ensures BMS dashboards and HVAC integration reactions occur within human attention span; at 1 Hz update rate, a 500 ms latency still satisfies the 1 Hz requirement. B-ASC device profile mandates analog and binary presentation of status data. | Test | subsystem, building-integration-gateway, session-441, idempotency:sub-big-bacnet-status-441 |
| SUB-REQ-034 | The Event Logger SHALL record all safety events, fault codes, maintenance actions, and parameter changes with NTP-synchronised timestamps (±1 s accuracy), retaining records for a minimum of 10 years at the design event rate of ≤50 events per day, and SHALL protect record integrity using SHA-256 hash chaining detectable at export. Rationale: SYS-REQ-013 requires logging of safety events, fault codes, maintenance actions, and parameter changes. EN 81-20 Clause 5.12 mandates tamper-evident records with 10-year retention. Hash chaining provides forensic integrity for incident investigation and insurance claims; a broken hash chain is detectable at export, meeting the tamper-evident requirement without requiring secure hardware enclaves. | Inspection | subsystem, building-integration-gateway, session-441, idempotency:sub-big-event-logger-441 |
| SUB-REQ-035 | The Access Control Interface Module SHALL validate per-credential floor authorisation requests within ≤500 ms using a locally cached authorisation table updated from the building access control system at ≤30 s intervals, and SHALL NOT permit access control commands to override fire recall or emergency stop states. Rationale: SYS-REQ-010 requires bidirectional command exchange; IFC-REQ-003 specifies ≤500 ms credential validation response time. Local caching at 30 s intervals maintains operation during network intermittency while keeping authorisation current. The safety override prohibition derives from the requirement that only the Safety Controller may initiate or cancel safety states (SYS-REQ-007 and SYS-REQ-008). | Test | subsystem, building-integration-gateway, session-441, idempotency:sub-big-access-ctrl-441 |
| SUB-REQ-036 | The Emergency Communications Unit SHALL detect car entrapment (car stationary between floor zones for >2 minutes) and automatically initiate two-way voice communication to the 24/7 monitoring centre via PSTN primary connection within 30 s of entrapment detection, with automatic GSM fallback if PSTN is unavailable, and SHALL maintain this capability from internal battery for ≥24 hours standby and ≥1 hour active call. Rationale: IFC-REQ-004 requires EN 81-28 compliant emergency communications with auto-dialling on entrapment (>2 minutes stationary between floors), battery backup, and GSM fallback. EN 81-28 specifies ≥24 h standby and ≥1 h active call for battery backup. The 30 s auto-dial initiation window ensures the monitoring centre receives notice while the entrapment cause is still recoverable (before passenger distress escalates). | Test | subsystem, building-integration-gateway, session-441, idempotency:sub-big-emergency-comms-441 |
| SUB-REQ-037 | When the Building Integration Gateway loses communication with the BMS for >5 s, the BACnet/IP Stack SHALL log the communication fault, cease forwarding BMS commands to the Group Dispatch Controller, and continue operating in the last-known safe state until connectivity is restored; it SHALL NOT initiate any car movement commands independently. Rationale: A BMS communication failure must not leave the elevator in an ambiguous command state. Ceasing BMS command forwarding prevents stale or repeated commands from being executed after reconnection. The 5 s timeout balances detection speed against transient network interruptions; below 5 s, normal IP network retransmission would generate false faults. | Test | subsystem, building-integration-gateway, session-441, idempotency:sub-big-safe-state-441 |
| SUB-REQ-039 | The Speed and Position Monitor SHALL operate from a 24V DC safety-rail supply in the range 22-28V DC, with maximum power consumption of 5W at 24V, and shall remain operational when supply voltage drops to 20V DC for up to 100 ms during switching transients. Rationale: Position monitor is SIL 3 Powered component per IEC 61508. The 24V safety rail is standard for safety-critical elevator subsystems. 5W budget covers FPGA-class dual-channel encoder decoding. The 100ms low-voltage tolerance covers ATS switchover per ARC-REQ-008. | Test | idempotency:sub-posmon-power-442 |
| SUB-REQ-040 | The Safety Output Actuator SHALL be powered from the 24V DC safety rail in the range 22-28V DC with maximum steady-state current draw of 2A, and shall maintain brake-hold state during supply brownout down to 18V DC for up to 50 ms. Rationale: Safety Output Actuator has Powered trait with physical brake drive coils. The 24V safety rail provides UPS-backed power per ARC-REQ-008. The 2A peak reflects dual 24V brake coil energisation. The 50ms brownout tolerance is derived from UPS hold-up time under worst-case load. | Test | idempotency:sub-soa-power-442 |
| SUB-REQ-042 | The Safety Controller subsystem SHALL be implemented as a standalone DIN-rail mounted module within the controller cabinet, physically separated from the main controller PCB by at least 100mm, with the Safety Output Actuator relay drivers on a dedicated PCB segregated from logic circuits. Rationale: Physical separation of safety controller from main controller is required by IEC 61508 SIL 3 to prevent common-cause failures from PCB manufacturing defects, thermal coupling, and EMC interference. A minimum 100mm separation is per IEC 61010-1 creepage and clearance requirements at 300V working voltage. | Inspection | idempotency:sub-safety-ctrl-physical-442 |
| SUB-REQ-043 | The Motor Control Unit SHALL be implemented as a PCB assembly within the Variable Frequency Drive enclosure, cooled by the VFD heatsink and cooling fan, with the MCU processor and gate driver circuits segregated on separate PCB layers to minimise switching noise coupling. Rationale: Motor Control Unit is physically co-located with the VFD to minimise gate drive signal path length and reduce switching noise immunity requirements. PCB layer segregation between digital MCU and high-voltage gate drivers is required by IEC 61800-3 EMC category C2 for VFDs in residential environments. | Inspection | idempotency:sub-mcu-physical-442 |
| SUB-REQ-044 | The Group Dispatch Controller SHALL, upon receipt of a fire recall command from the Safety Controller, cancel all hall and car calls for all cars in the group, route each car via the most direct path to the designated fire service landing, and complete all car deliveries to the designated landing within 60 seconds of fire recall command receipt. Rationale: SYS-REQ-007 requires all cars delivered to designated landing within 60 seconds; this SUB requirement decomposes that into the specific Group Dispatch Controller actions: call cancellation, optimal routing, and timing bound. The Group Dispatch Controller is the only subsystem that controls inter-car routing decisions; delegating fire recall logic here keeps the Safety Controller focused on safety signal processing rather than traffic management. | Test | rt-untestable, red-team-session-460 |
| SUB-REQ-045 | The Power Distribution Subsystem ARD battery bank SHALL provide energy capacity to sustain 3 complete rescue cycles per car at full rated load simultaneously for all cars in the group, with battery capacity verified at ≥100% SoC under maximum load during commissioning and re-verified at ≥80% SoC at annual maintenance intervals. Rationale: SYS-REQ-018 requires 3 rescue cycles per car; this SUB requirement assigns the battery sizing obligation to the Power Distribution Subsystem which owns the UPS/ARD energy storage and capacity management. The simultaneous-all-cars worst case bounds the battery bank at group level, preventing undersizing when multiple cars lose mains simultaneously. Annual re-verification at 80% minimum SoC accounts for battery ageing per IEC 62133 cycle life specification. | Test | subsystem, power-distribution-subsystem, ard, sil-2, session-443, idempotency:sub-pds-ard-battery-3cycles-443 |
| SUB-REQ-046 | The Building Integration Gateway SHALL implement the BACnet B-ASC (Advanced Application Specific Controller) device profile per ASHRAE 135-2020, supporting BACnet/IP transport layer, with a minimum of 40 BACnet objects covering car status, fault log, energy metering, and floor lockout command objects for each car in the group. Rationale: SYS-REQ-010 requires BACnet/IP with B-ASC device profile; this SUB requirement decomposes the specific BACnet object model required to carry the four data types from SYS-REQ-017 (position, faults, energy, mode) plus floor lockout commands from BMS. B-ASC is the appropriate profile for application controllers that interface to BMS servers — B-BC (Building Controller) would be over-specified. The 40-object minimum covers 4 cars × 10 objects each (present-value, reliability, event-state, out-of-service, status-flags plus 5 data-type specific objects). | Test | subsystem, building-integration-gateway, bacnet, session-443, idempotency:sub-big-bacnet-bASC-profile-443 |
| SUB-REQ-047 | The Safety Controller Subsystem SHALL, upon receipt of a seismic P-wave trigger from the seismic detector, issue a deceleration command to each car to bring it to a stop at the nearest accessible floor, complete all car stops within 10 seconds of P-wave trigger, hold all cars at the stopped floor with doors open for 60 seconds, and prevent car movement for the duration of the hold period regardless of car call and hall call dispatch commands. Rationale: SYS-REQ-008 requires all cars stopped at nearest floor within 10 seconds and held for 60 seconds after seismic trigger per EN 81-77. The Safety Controller is the designated responder because it has authority to override normal dispatch commands and directly brake cars independently of the main controller. The 10-second bound is derived from EN 81-77 Section 4.6.1 maximum stopping distance limit for 1 m/s² deceleration from rated speed. The 60-second hold prevents cars re-entering service while aftershocks are still probable. | Test | subsystem, safety-controller-subsystem, seismic, sil-2, session-443, idempotency:sub-sc-seismic-decel-443 |
| SUB-REQ-048 | The Safety Controller Subsystem and all safety-critical signal paths SHALL maintain operational integrity under radiated electromagnetic fields of 10 V/m (80 MHz–1 GHz) per EN 12016:2013, with no spurious safety trips, nuisance stops, or false state transitions during or after exposure. Rationale: SYS-REQ-011 mandates EN 12016 immunity at 10 V/m for safety signal integrity at SIL 2. Subsystem-level immunity testing is required by IEC 61508 Part 2 (Table A.17) for validation of immunity margins in co-located VFD and HVAC drive environments. Without this requirement, there is no traceable path from the system EMC mandate to subsystem acceptance criteria. | Test | subsystem, safety-controller, emc, sil-2, session-444, idempotency:sub-safety-emc-immunity-444 |
| SUB-REQ-049 | The Industrial Elevator Control System controller cabinet SHALL be housed in a steel enclosure rated IP54 per IEC 60529, with overall external dimensions not exceeding 800 mm H × 600 mm W × 250 mm D, installed in the designated machine room with a panel-mounted OLED display and membrane keypad for local parameter access. Rationale: SYS-REQ-015 specifies the physical housing and installation constraints for the controller cabinet. IP54 protection is necessary to prevent dust ingress and water splash contamination in machine room environments. The dimension constraint ensures compatibility with standard machine room allocation as specified in EN 81-20 machine room layout requirements. Inspection verification is appropriate as the enclosure rating and dimensions are directly measurable at factory acceptance. | Inspection | rt-missing-failure-mode, red-team-session-460 |
| SUB-REQ-050 | The Industrial Elevator Control System SHALL comply with EU Lifts Directive 2014/33/EU and carry CE marking, with a signed Declaration of Conformity referencing the applicable conformity assessment module maintained throughout the product lifecycle and made available to regulatory inspectors within 48 hours of request. Rationale: SYS-REQ-016 mandates EU Lifts Directive compliance and CE marking as a legal prerequisite for placing the system on the EU market. The Declaration of Conformity is a mandatory document under Article 13 of the Directive. Inspection verification is appropriate as compliance is demonstrated through documentation review and conformity assessment records rather than functional test. | Inspection | subsystem, building-integration-gateway, compliance, session-444, idempotency:sub-eu-lifts-directive-ce-444 |
| SUB-REQ-051 | The Safety Controller Subsystem SHALL implement a watchdog-supervised hot standby architecture where the secondary channel monitors primary channel health and asserts a safe stop output within 50 ms of detecting primary channel failure, ensuring no single-point failure causes loss of the safety function. Rationale: IEC 61508 SIL-3 with System-Essential classification requires redundancy for any component whose failure could defeat all safety functions simultaneously. The 50 ms switchover budget is derived from the 100 ms total safety reaction time: 50 ms for detection and switchover leaves 50 ms for actuator engagement. Hot standby (vs cold) is required because elevator safety functions must be continuously active during car motion. | Test | rt-implausible-value, red-team-session-460 |
| SUB-REQ-052 | The Group Dispatch Controller SHALL implement stateful failover such that, when the active dispatch instance becomes unresponsive for more than 200 ms, the standby instance assumes dispatch authority without loss of in-progress car assignments, maintaining group dispatch throughput at ≥80% of rated capacity. Rationale: The Group Dispatch Controller is System-Essential: its failure causes complete loss of group elevator service. 200 ms failover window is derived from the 1 s passenger perceived response latency budget; 800 ms for assignment re-evaluation leaves 200 ms for failover. 80% throughput floor maintains acceptable service during the switchover period. IEC 62061 requires that system-essential functions implement redundancy or monitored single-channel architectures. | Test | subsystem, group-dispatch-controller, session-445, idempotency:sub-gdc-redundancy-failover-445 |
| SUB-REQ-053 | The Variable Frequency Drive SHALL implement a defined state machine with states: Idle, Ready, Accelerating, Running, Decelerating, Braking, Fault, and Emergency-Stop; transitions between states SHALL be governed by command inputs and motor feedback, and an invalid transition request SHALL be rejected within 5 ms with a fault event logged. Rationale: The VFD is State-Transforming (UHT trait): it changes motor energy state and elevator car kinetic state across a bounded set of operating modes. Undefined transitions are a root cause of elevator runaway incidents documented in NTSB elevator safety reports. The 5 ms rejection latency ensures fault detection within one motor control cycle at 200 Hz update rate. Explicit state machine is required by IEC 61800-5-2 SIL functional safety for drive systems. | Test | subsystem, traction-drive, session-445, idempotency:sub-vfd-state-machine-445 |
| SUB-REQ-054 | The Door Operator Subsystem SHALL implement a defined door state machine with states: Fully-Closed, Opening, Fully-Open, Closing, Obstructed, Fault; the system SHALL prevent a Closing-to-Opening transition in less than 200 ms to protect door mechanism, and SHALL enter Fault state if door position sensor disagreement persists for more than 500 ms. Rationale: The Door Operator Subsystem is State-Transforming: it physically moves the door through a sequence of bounded mechanical states. The 200 ms minimum dwell on direction reversal is derived from motor inertia specifications for the brushless door motor to prevent mechanical stress. The 500 ms sensor disagreement timeout is the maximum tolerable period before a stuck-door hazard materialises, per EN 81-20 Clause 5.3.3 door protection requirements. | Test | subsystem, door-operator, session-445, idempotency:sub-dos-state-machine-445 |
| SUB-REQ-055 | The Industrial Elevator Control System controller cabinet SHALL be housed in a sheet steel enclosure rated IP54 per IEC 60529, with external dimensions not exceeding 800 mm height x 600 mm width x 250 mm depth, flush-mounted panel display and 16-key service keypad, and cable entry points sealed with IP54-rated glands on the underside. Rationale: SYS-REQ-015 allocates the enclosure requirement to the system level; this subsystem requirement decomposes it to physical construction standards. IP54 is the minimum for machine rooms per EN 81-20 Annex B. The dimensional constraint is derived from the minimum machine room floor area (1.4 m2) mandated by EN 81-20 Clause 6.3.2, leaving clearance for maintenance access. Bottom cable entry prevents water ingress from above. | Inspection | rt-missing-failure-mode, red-team-session-460 |
| SUB-REQ-056 | The Building Integration Gateway SHALL publish to the BACnet/IP Building Management System the following data objects at a minimum update rate of 1 Hz: car position (AI, floor integer and direction BO), active fault codes in ISO 4190-5 format (MSI), per-car real-time energy consumption (AI, kWh, ±2% accuracy), and current operating mode (MV: Standard-Operation, Independent-Service, Fire-Recall, Out-of-Service). Rationale: SYS-REQ-017 requires these four data items published at 1 Hz; this requirement decomposes the allocation to the Building Integration Gateway as the BACnet interface owner. BACnet object types (AI, BO, MSI, MV) are specified to enable BMS integrator point mapping without ambiguity. The 1 Hz rate is the minimum needed for real-time energy dashboards (per EN ISO 25745-2 energy measurement requirements for elevators). ±2% energy accuracy matches the meter class required by EN ISO 25745. | Test | subsystem, building-integration-gateway, session-445, idempotency:sub-big-bms-data-items-445 |
| SUB-REQ-057 | The Power Distribution Subsystem ARD battery bank SHALL sustain a minimum of 3 complete rescue cycles per car (each cycle: driving a fully loaded car from any floor to the nearest landing at 0.15 m/s with doors operated), and the battery management controller SHALL initiate a capacity self-test within 24 hours of mains restoration, reporting remaining capacity via BACnet AI to the Building Management System. Rationale: SYS-REQ-018 defines the 3-cycle rescue endurance; this requirement decomposes it to the Power Distribution Subsystem and adds the self-test obligation. The 24-hour self-test window follows the battery recovery period (8 h charge) with 16 h margin. Reporting to BMS via BACnet AI ensures building operators receive battery health data without manual inspection, satisfying EN 81-20 maintenance requirements for ARD systems. Without the self-test, degraded battery capacity may go undetected until the next mains failure. | Test | rt-missing-failure-mode, red-team-session-460 |
| SUB-REQ-058 | While Maintenance Mode is active (key switch engaged and car-top control box connected), the Safety Controller SHALL limit car speed to ≤0.63 m/s (inspection speed per EN 81-20 Clause 5.12.1.4), disable group dispatch commands, and prevent door closure unless the car-top inspection control is held active. Rationale: Maintenance mode at inspection speed is mandated by EN 81-20 Clause 5.12.1 to prevent injury to maintenance personnel working in the hoistway. The 0.63 m/s limit is the EN 81-20 maximum for inspection operation. Speed limiting must be enforced by the Safety Controller (SIL 3) to provide a safety-critical constraint independent of the drive system. This SUB requirement closes the gap identified by VER-REQ-050. | Test | |
| SUB-REQ-059 | When the Motor Control Unit fails to receive a velocity command from the Safety Controller within two consecutive 10 ms scan cycles, the Motor Control Unit SHALL assert a drive-fault signal on the safety bus and transition the Variable Frequency Drive to Safe Torque Off (STO) state within 20 ms. Rationale: MCU is System-Essential (ontological trait Bit 16); loss of MCU command link must not leave the VFD running uncontrolled. IEC 61508-3 Clause 7.4.2 requires watchdog timeout protection for safety-critical control loops. The 20 ms STO transition budget is derived from SYS-REQ-002 jerk limit: at maximum jerk 2.0 m/s³, 20 ms adds ≤0.8 mm/s velocity, well within the overspeed detection margin. | Test | rt-implausible-value, red-team-session-460 |
| SUB-REQ-060 | The Variable Frequency Drive SHALL assert STO and engage the electromagnetic brake within 150 ms of loss of MCU communication (no valid torque reference received for >50 ms) or receipt of a hardware STO signal from the Safety Output Actuator, and SHALL log the fault event with timestamp on the internal diagnostics port. Rationale: VFD is System-Essential (ontological trait); safe-stop on MCU loss prevents uncontrolled drive. The 150 ms total budget (50 ms detection + 100 ms brake engagement) is consistent with EN 81-20 Clause 5.5 requirement for stopping device activation time. Logging is needed for incident investigation under EN 81-20 Clause 5.10. | Test | |
| SUB-REQ-061 | The Safety Command Validator SHALL output a discrete go/no-go digital signal (24V DC logic, sourced from the safety bus) to the BACnet/IP Stack for each received BMS command, with signal transition time ≤5 ms and output impedance ≤100 Ω, and SHALL output a reject-code byte identifying the rejection reason when a command is blocked. Rationale: Safety Command Validator is classified Outputs Effect (ontological trait Bit 10); without an output specification, no interface contract exists for the BACnet/IP Stack to consume. The 24V DC sourced output matches the safety bus standard in this design. The 5 ms transition time is derived from the 10 ms safety chain scan rate in SUB-REQ-004, ensuring the validator decision is captured within one scan. | Test | |
| SUB-REQ-062 | The Safety Command Validator SHALL implement dual-channel validation logic, with each channel independently processing incoming BMS commands and cross-checking outputs; if the two channels disagree on a command decision, the Safety Command Validator SHALL default to rejection and log a validator-disagreement fault. Rationale: Safety Command Validator is System-Essential (ontological trait Bit 16); a single-channel validator cannot achieve SIL 2 required for safety-neutral command interception per IEC 61508 Clause 7.6. Dual-channel with disagreement detection and fail-safe default provides the required diagnostic coverage for SIL 2 compliance. | Test | |
| SUB-REQ-063 | The Event Logger SHALL store all safety event records simultaneously in two independent non-volatile storage devices (primary flash, secondary FRAM), and SHALL verify write integrity by reading back each record after write; if a write verification fails on the primary device, the Event Logger SHALL immediately write to the secondary device and raise a storage-fault alarm. Rationale: Event Logger is System-Essential (ontological trait Bit 16); single-point-of-failure storage violates EN 81-20 Clause 5.12 requirements for tamper-evident audit trail. Dual-device storage with read-back verification provides fault tolerance against flash wear-out and bit-flip errors. FRAM provides write endurance >10^12 cycles vs flash ~10^5, ensuring secondary device remains available over system lifetime. | Test | |
| SUB-REQ-064 | The Event Logger SHALL compute and store a SHA-256 HMAC over each event record (including timestamp, event code, and previous record hash) to form a hash-chained tamper-evident log, and SHALL provide a log-integrity verification API that can be invoked by authorised maintenance tools to detect any record modification or deletion. Rationale: EN 81-20 Clause 5.12 mandates tamper-evident audit records; SHA-256 HMAC hash chaining provides cryptographic tamper detection. The hash chain ensures that deletion or modification of any record invalidates all subsequent records, providing verifiable evidence of log integrity for regulatory inspections. HMAC keyed with a device-specific key prevents hash recalculation by an attacker who replaces records. | Test | |
| SUB-REQ-065 | The Safety Output Actuator SHALL perform a self-test cycle at each power-up and every 24 hours during operation, in which each output channel is briefly de-energised and re-energised in sequence while monitoring channel feedback for correct response; any channel that fails self-test SHALL be flagged and the Safety Controller notified, preventing car motion until the fault is cleared. Rationale: Safety Output Actuator is System-Essential (ontological trait Bit 16); IEC 61508-2 Clause 7.4.6 requires diagnostic coverage for hardware safety functions. Self-test provides the automatic diagnostic coverage needed for SIL 3 certification of the safe-state output path. The 24-hour interval balances diagnostic frequency against interruption of service. Brief de-energisation (< motor coil release time) ensures test is non-intrusive during car rest. | Test | |
| SUB-REQ-066 | The Power Distribution Subsystem ARD battery bank SHALL provide a minimum rated capacity of 2.5 kWh at the 1-hour discharge rate (C1 rating) at 20°C ambient, ensuring 3 complete rescue cycles per car at rated car load for a 4-car group with simultaneous ARD activation, with capacity derated per the battery manufacturer's temperature derating curve for ambient temperatures between -10°C and +40°C. Rationale: SYS-REQ-018 mandates 3 rescue cycles per car at rated load for all cars simultaneously. Derivation: 1 rescue cycle at 0.15 m/s over 60 m hoistway (20-floor, 3 m spacing) ≈ 400 s; drive power at rated load at 0.15 m/s ≈ 0.15 kWh per car per cycle; 3 cycles × 4 cars = 12 cycles × 0.15 kWh = 1.8 kWh; 2.5 kWh includes 39% margin for battery ageing and control system overhead. Temperature derating required per IEC 60896-11 for VRLA cells. | Test | |
| SUB-REQ-067 | The Building Integration Gateway SHALL revert to a degraded-communication mode within 10 seconds of detecting BACnet/IP network loss, in which it queues up to 512 event records in RAM for retransmission upon network restoration, continues accepting Safety Command Validator inputs locally, and raises a network-fault alarm; no safety function SHALL be disabled due to BACnet/IP network loss. Rationale: Building Integration Gateway is System-Essential (ontological trait Bit 16); loss of BMS communication must not compromise safety functions. IEC 61508 Clause 7.4.3 requires that safety-rated components operate in a known safe state on communication loss. Queuing 512 records in RAM at 1 Hz = 512 s buffer prevents data loss during typical network outages. Safety Command Validator remaining active locally ensures commands can still be intercepted even without BMS connectivity. | Test | |
| SUB-REQ-068 | The Safety Controller Subsystem SHALL comply with EN 81-72 Annex B Phase II firefighter service requirements: when a Phase II key switch on the car is set to ON, the Safety Controller SHALL transfer exclusive car movement control to the car-mounted firefighter panel, suppress all automatic door closing, and maintain car speed at ≤0.63 m/s; Phase II mode SHALL override but not disable Phase I recall until the Phase II key is set to OFF. Rationale: STK-REQ-009 mandates firefighter control capability. EN 81-72 Clause 5.4.3 (Phase II) requires exclusive firefighter control from inside the car, suppression of automatic door closing, and maintained inspection speed. The 0.63 m/s limit is the EN 81-72 maximum for firefighter operation. Phase II cannot disable Phase I recall because EN 81-72 Clause 5.4.1 requires Phase I fire recall to remain active as a higher-priority function. | Test | |
| SUB-REQ-069 | The Safety Controller Subsystem SHALL comply with EN 81-77 Clause 5.3.4 seismic Category 1 requirements: upon receipt of a P-wave trigger signal with amplitude ≥0.05g from the seismic detector, the Safety Controller SHALL initiate the seismic response sequence (decelerate, stop, hold) within 500 ms of P-wave arrival, regardless of car position or operating mode. Rationale: SYS-REQ-008 specifies seismic response aligned with EN 81-77; SUB-REQ-047 covers the operational sequence but does not reference the standard trigger threshold. EN 81-77 Clause 5.3.4 Category 1 requires response initiation within 500 ms of P-wave detection at ≥0.05g. This threshold is chosen to avoid false triggers from building HVAC vibration while capturing seismic events above the damage threshold for the elevator guide rail system. | Test | |
| SUB-REQ-070 | The Building Integration Gateway BACnet/IP Stack SHALL implement the BACnet B-ASC device profile (Annex L, BACnet Standard 135-2020), registering as a B-ASC device with device instance configurable in range 1–4194302, supporting COV subscriptions with maximum subscription lifetime of 3600 seconds, and responding to Who-Is/I-Am broadcasts within 200 ms. Rationale: SYS-REQ-010 requires a BACnet B-ASC device profile; no SUB requirement currently decomposes the specific BACnet conformance requirements. BACnet Annex L B-ASC is the minimum profile for analog-output control applications. COV subscription lifetime of 3600 s is the EN 81-20 integration guideline maximum. The 200 ms Who-Is/I-Am response time is the ASHRAE standard BACnet network response guideline. | Test | |
| SUB-REQ-071 | The Safety Controller Subsystem SHALL implement IEC 61508-2 Clause 7.4.3 SIL 3 hardware architectural constraints: the hardware fault tolerance (HFT) SHALL be ≥1 (dual-channel) for all safety functions with Safe Failure Fraction (SFF) <90%, and ≥0 for SFF ≥99%; the Safety Controller SHALL perform continuous online diagnostics with diagnostic coverage ≥99% for all safety-critical inputs. Rationale: SYS-REQ-003 and SYS-REQ-004 require SIL 3 for overspeed and UCMP protection. No SUB requirement currently states the IEC 61508-2 architectural constraints that must be met to achieve SIL 3. HFT ≥1 (dual-channel) with SFF <90% is required by IEC 61508-2 Table 3 for Type B subsystems at SIL 3. Diagnostic coverage ≥99% is required by IEC 61508-2 Clause 7.4.3.2.2 for SIL 3 HFT=1 architectures. | Analysis | |
| SUB-REQ-072 | The Group Dispatch Controller SHALL implement a traffic-load watchdog that detects degraded dispatch performance when average waiting time exceeds 50 s for three consecutive 5-minute sampling intervals, and SHALL generate a performance-degraded alarm to the Building Integration Gateway and log the event; the alarm SHALL clear automatically when average waiting time returns below 30 s for one consecutive 5-minute interval. Rationale: SYS-REQ-001 mandates ≤30 s average waiting time. No existing SUB requirement covers performance monitoring and alarm for SYS-REQ-001 violations. The 50 s threshold (167% of SYS-REQ-001 limit) provides a warning before the system is substantially degraded. Hysteresis (alarm at 50 s, clear at 30 s) prevents alarm oscillation during transient peak loads. This requirement enables predictive maintenance escalation before a formal SLA breach. | Test | |
| SUB-REQ-073 | The Power Distribution Subsystem SHALL be housed in a dedicated IP54-rated, flame-retardant (UL94 V-0) steel enclosure mounted within the elevator machine room, containing at minimum: an IEC 61439-compliant busbar assembly, UPS module, ARD battery bank, isolation contactors, and monitoring interface board, with all components accessible for maintenance via a front-hinged door without removing the enclosure from its mounting. Rationale: The lint analysis identified that the power distribution subsystem entity (hex 54F51018) lacks the Physical Object trait despite requirements (SUB-REQ-018, SUB-REQ-045, SUB-REQ-057) imposing physical constraints. IEC 60950 and EN 81-20 require that safety-relevant electrical equipment in elevator machine rooms be housed in enclosed, rated enclosures. This requirement defines the physical form factor to reconcile the ontological classification and ensure inspection-based verification of the enclosure at commissioning. | Inspection | |
| SUB-REQ-074 | The Power Distribution Subsystem enclosure SHALL be a physical LRU installed in the elevator machine room, rated IP54 per IEC 60529, constructed from flame-retardant steel (UL94 V-0), with defined dimensional envelope not exceeding 800mm × 600mm × 300mm and a maximum installed mass of 80 kg, accessible via a front-hinged maintenance door. Rationale: The power distribution subsystem entity classification lacks the Physical Object trait, creating an ontological mismatch with SUB-REQ-066 which imposes physical capacity constraints. This requirement defines the enclosure as a physical object with dimensional and material constraints derived from EN 81-20 Section 6.3.3 (machine room clearance) and IEC 61439 LV switchgear assembly standards. | Inspection | |
| SUB-REQ-075 | The Safety Controller Subsystem SHALL define and implement IEC 61508-compliant proof test intervals not exceeding 8760 hours (1 year) for all SIL 3 safety functions, including the dual-channel safety CPU, safety output actuators, and safety chain monitoring. Each proof test SHALL exercise the complete safety function from input sensing through to final element actuation and confirm PFDavg remains within SIL 3 target (≥10^-4 to <10^-3 per hour). Rationale: IEC 61508-2 Clause 7.4.9 requires proof test intervals to be specified as part of the SIL verification. Cross-domain analog (nuclear reactor protection system, hex 50F77859) identified this gap: nuclear SIL 3 functions define proof test intervals explicitly whereas the elevator specification omitted this. Without stated proof test intervals, the PFDavg calculation for SIL 3 cannot be validated and the safety case is incomplete. | Test | |
| SUB-REQ-076 | The Industrial Elevator Control System controller cabinet SHALL be housed in a steel enclosure rated IP54 per IEC 60529, installed in the machine room, with panel-mounted display and keypad, dimensions not exceeding 800mm H x 600mm W x 250mm D. Rationale: System physical embodiment required per lift machinery directive 2006/42/EC and EN 81-20 Annex D for machine room installation. IP54 rating protects electronics in dusty machine room environments. Cabinet dimensions reflect standard DIN rail backplate sizing for the control PCBs. | Inspection | idempotency:sys-physical-cabinet-442 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-REQ-001 | The interface between the Industrial Elevator Control System and the Building Management System SHALL use BACnet/IP (ASHRAE 135) with B-ASC device profile, providing car position, fault codes, energy consumption, and operating mode at ≥1 Hz, and accepting VIP priority, floor lockout, and schedule commands. Rationale: External interface: BMS is building-operator owned. BACnet/IP selected over Modbus TCP because BACnet B-ASC provides standard elevator object model (Lift Group Object per Addendum 135-2016bs). Failure of this interface triggers degraded mode (SYS-REQ-009) but does not affect safety functions. | Test | interface, external, bms, session-436, idempotency:ifc-ext-bms-436 |
| IFC-REQ-002 | The interface between the Industrial Elevator Control System and the Building Fire Alarm Panel SHALL use hardwired relay contacts (not software protocol) for Phase I recall, alternate floor designation, and machine room smoke detection, per EN 81-72. Rationale: External interface: fire panel is fire system integrator owned. Hardwired relay mandated by EN 81-72 to ensure fire recall cannot be blocked by software or network failure. Safety-critical interface directly to Safety Controller Subsystem. | Test | rt-vague-interface, red-team-session-460 |
| IFC-REQ-003 | The interface between the Industrial Elevator Control System and the Building Access Control System SHALL use RS-485 or IP protocol providing per-credential authorised floor lists, with response time ≤500 ms per credential validation, and SHALL NOT override safety functions or fire recall. Rationale: External interface: security contractor owned. Access control must not interfere with EN 81-72 fire recall or EN 81-20 safety chain. 500ms response ensures access validation does not add perceptible delay to hall call registration. | Test | interface, external, access-control, session-436, idempotency:ifc-ext-access-436 |
| IFC-REQ-004 | The interface between the Industrial Elevator Control System and the Emergency Intercom/Telephone SHALL provide two-way voice communication from the car to a monitoring centre, auto-dialling on entrapment (>2 minutes stationary between floors), with battery backup and GSM fallback, per EN 81-28. Rationale: External interface: telecom provider owned. EN 81-28 mandates auto-dial on entrapment detection. GSM backup ensures communication when building landline fails. Battery backup per EN 81-28 Clause 5.2 ensures intercom survives power failure concurrent with entrapment. | Test | rt-vague-interface, red-team-session-460 |
| IFC-REQ-005 | The interface between the Speed and Position Monitor and the Safety CPU SHALL transmit speed data at ≥100 Hz, with absolute position resolution ≤1 mm, over a dedicated RS-422 differential serial link with CRC-16 error detection. Rationale: Derived from SYS-REQ-003 and SUB-REQ-002. 100Hz sampling provides 10ms temporal resolution sufficient to compute position change and trip within the 50ms detection budget. RS-422 differential signalling provides noise immunity against the VFD switching fields present in the machine room (EN 12016 10 V/m immunity). CRC-16 detects single-burst errors up to 16 bits from EMI events. | Test | interface, safety-controller, session-437, idempotency:ifc-spm-cpu-437 |
| IFC-REQ-006 | The interface between the Safety Chain Interface Module and the Safety CPU SHALL use a 24 VDC isolated digital input, with open circuit detected as fault, and shall not share wiring with any non-safety-rated circuit. Rationale: EN 81-20 Clause 14.1.2 mandates that the safety chain circuit operates on isolated 24VDC or equivalent low voltage, and that its wiring is segregated from power circuits to prevent shorts from masking an open safety device. Open = fault (de-energised = unsafe) is the fail-safe convention ensuring cable break or power loss causes safe shutdown. | Inspection | interface, safety-controller, session-437, idempotency:ifc-scim-cpu-437 |
| IFC-REQ-007 | The interface between the Seismic and Fire Interface and the Safety CPU SHALL be electrically isolated, with relay contact inputs on normally-energised circuits (de-energise on alarm) and signal propagation latency ≤5 ms. Rationale: Derived from IFC-REQ-002 (fire panel interface) and SYS-REQ-008. Normally-energised (de-energise on alarm) convention ensures cable break or power supply failure to the fire panel results in an alarm condition, preventing the safe recall from being defeated by a wiring fault. 5ms latency is required to meet the EN 81-77 1-second seismic response budget; crossing 5ms allows at most 0.5% of the window for signal acquisition. | Test | interface, safety-controller, session-437, idempotency:ifc-sfi-cpu-437 |
| IFC-REQ-008 | The interface between the Safety CPU and the Safety Output Actuator SHALL use dual independent hardwired digital outputs, both required to be de-energised simultaneously to engage the safety brake, with relay monitor contacts wired back to Safety CPU as confirmation inputs. Rationale: Derived from SUB-REQ-007. Single-channel output would mean a CPU output stuck-on could prevent brake engagement — dual independent outputs achieve the SIL 3 requirement for HFT=1 on the safety output path. Monitor contacts provide diagnostic coverage by detecting contact welding (both contacts should open when commanded); detected welding triggers safe state on the next demand. | Test | interface, safety-controller, sil-3, session-437, idempotency:ifc-cpu-soa-437 |
| IFC-REQ-009 | The interface between Motor Control Unit and Variable Frequency Drive SHALL transmit torque reference commands at 1 kHz via CAN bus at 1 Mbit/s with message latency not exceeding 1 ms and CRC error detection on every frame. Rationale: 1 kHz command rate matches the velocity loop closure frequency; higher latency degrades control bandwidth and causes velocity overshoot. CAN CRC provides hardware error detection required for SIL-3 safety function integrity per IEC 62061 clause 6.7.4. | Test | interface, traction-drive, sil-3, session-439, idempotency:ifc-mcu-vfd-439 |
| IFC-REQ-010 | The interface between Rotary Encoder and Motor Control Unit SHALL deliver 2048 pulse/rev quadrature signals at 5V TTL with cable shielding such that total signal integrity maintains less than 1 error per million pulses at maximum motor speed. Rationale: Encoder pulse integrity is the primary feedback signal for SIL-3 velocity control; errors translate directly to position drift at floor landings. 1 error per million pulses at 3000 rpm is equivalent to one missed pulse per 20 seconds — within correction capability of the position accumulator. | Test | interface, traction-drive, sil-3, session-439, idempotency:ifc-encoder-mcu-439 |
| IFC-REQ-011 | The interface between Motor Control Unit and Safety Controller SHALL transmit drive fault status via dual-channel hardwired relay outputs (NC logic) at 24V DC with maximum de-assertion to relay-open time of 50 ms. Rationale: Derived from SYS-REQ-003 and SYS-REQ-006. Hardwired relay outputs provide hardware-level fault notification independent of bus communication, required for SIL-3 safety function. NC logic ensures brake engagement on wire break or MCU power loss (fail-safe). 50ms latency matches the safety controller reaction time budget. | Test | interface, traction-drive, sil-3, session-439, idempotency:ifc-mcu-safetyctrl-439 |
| IFC-REQ-012 | The interface between Safety Controller and Electromagnetic Brake SHALL provide 24V DC dual-coil supply with independent switching circuits for each coil, monitored for coil continuity at 100 ms intervals. Rationale: Dual independent coil supply circuits implement the two-element brake requirement of EN 81-20 clause 12.5.1. 100ms continuity monitoring detects coil open-circuit faults before the next brake engagement event, preventing silent degradation of the fail-safe function. | Test | interface, traction-drive, sil-2, session-439, idempotency:ifc-safetyctrl-brake-439 |
| IFC-REQ-013 | The interface between Power Management Controller and Automatic Transfer Switch SHALL transmit source-select commands via CAN at 10 Hz with command acknowledgement within 5 ms, confirming output relay state. Rationale: 10 Hz command rate allows PMC to confirm ATS state within 100ms of a mains transition event; 5ms ACK confirms relay has physically operated, not just received the command, preventing ghost-operation faults. | Test | interface, power-dist, session-439, idempotency:ifc-pmc-ats-439 |
| IFC-REQ-014 | The interface between UPS Module and Power Management Controller SHALL provide battery SoC, voltage, current, and fault status via SMBus at 100 kHz with data freshness not exceeding 2 seconds. Rationale: SMBus is the industry standard for battery management (SBS 1.1). 2s freshness ensures PMC acts on current battery state when deciding load shedding; stale data could cause premature shed or miss a rapid discharge event. | Test | interface, power-dist, session-439, idempotency:ifc-ups-pmc-439 |
| IFC-REQ-015 | The interface between Door Control Unit and Door Motor Drive SHALL transmit velocity and torque reference commands at 200 Hz via CAN bus at 500 kbit/s, with maximum message latency of 5 ms and CRC error detection on every frame. Rationale: 200 Hz command rate matches the DCU velocity control loop closure frequency; lower rates cause underdamped torque response and risk force limit exceedance on initial panel contact. CAN CRC provides hardware error detection required for SIL-2 safety function integrity per IEC 62061. 500 kbit/s chosen to fit within standard automotive-grade CAN while leaving headroom for diagnostic messages. | Test | interface, door-operator, sil-2, session-440, idempotency:ifc-dcu-dmd-440 |
| IFC-REQ-016 | The interface between Multi-Ray Light Curtain and Door Control Unit SHALL use a hardwired dual-channel safety output (OSSD1 and OSSD2), de-energising within 20 ms of beam interruption, with cross-channel monitoring by the DCU at each power cycle. Rationale: OSSD (Output Signal Switching Device) dual-channel interface is the standard for Cat 4 / PLe safety devices per EN ISO 13849-1. Hardwired outputs rather than bus communication eliminate bus-level failure modes on the obstruction detection path. 20 ms de-assertion satisfies the 50 ms reversal budget (SUB-REQ-024) with 30 ms margin for door drive response. | Test | interface, door-operator, sil-2, session-440, idempotency:ifc-mlc-dcu-440 |
| IFC-REQ-017 | The interface between Safety Edge Contact Strip and Door Control Unit SHALL use a hardwired normally-closed contact on an isolated 24 VDC input, with a wiring fault (open or short) detected within 100 ms and treated as a demand for door reversal. Rationale: Normally-closed convention ensures that cable damage results in reversal demand rather than masked obstruction. The safety edge provides the redundant detection channel to the light curtain (dual-means requirement of EN 81-20 clause 5.3.12). 100 ms wiring fault detection limits the exposure window to wiring faults between maintenance inspections. | Test | interface, door-operator, sil-2, session-440, idempotency:ifc-sec-dcu-440 |
| IFC-REQ-018 | The interface between Door Position Encoder and Door Control Unit SHALL deliver absolute panel position at 500 Hz with 0.5 mm resolution over RS-422 differential serial, with transmission error rate not exceeding 1 error per 100,000 frames. Rationale: 500 Hz position updates support the DCU velocity profile calculations for the final-approach deceleration zone (SUB-REQ-027); at 0.3 m/s closing speed, 500 Hz yields 0.6 mm position increment per sample — within the 0.5 mm encoder resolution. RS-422 differential signalling provides noise immunity against motor drive switching fields in the car roof environment. | Test | interface, door-operator, session-440, idempotency:ifc-dpe-dcu-440 |
| IFC-REQ-019 | The interface between Landing Door Interlock Monitor and Door Control Unit SHALL use isolated 24 VDC normally-open contact inputs, one per floor landing, with contact state debounced at 10 ms and status reported to Safety Controller within 20 ms of state change. Rationale: Normally-open contacts on a 24 VDC isolated supply ensure that contact contamination or cable damage defaults to 'open' (unsafe) state, consistent with fail-safe convention. 10 ms debounce eliminates contact bounce on new door installations. 20 ms reporting latency satisfies the SUB-REQ-026 interlock verification window. | Test | interface, door-operator, session-440, idempotency:ifc-ldim-dcu-440 |
| IFC-REQ-020 | The interface between Door Control Unit and Safety Controller Subsystem SHALL transmit door state (OPEN, CLOSING, CLOSED, FAULT) and interlock status via CAN at 10 Hz, with a hardwired car-movement-permitted output on a dedicated 24 VDC normally-open relay, de-energised in all non-CLOSED states. Rationale: Dual-channel interface: CAN bus provides diagnostic state for the Safety Controller; the hardwired relay provides the safety-rated movement permission signal. The relay de-energises in non-CLOSED states (including FAULT and OPEN) to prevent car movement when door status is uncertain, achieving SIL-2 required diagnostic coverage on the door interlock path. | Test | interface, door-operator, sil-2, session-440, idempotency:ifc-dcu-safety-ctrl-440 |
| IFC-REQ-021 | The interface between Group Dispatch Controller and each Car Controller SHALL use CAN bus at 250 kbit/s transmitting car state (position, velocity, load, door status, fault flags) at 10 Hz from car to group, and car assignments (destination floor, direction) at ≤100 ms after each dispatch decision from group to car. Rationale: 10 Hz car state reporting provides the Car State Aggregator with position data accurate to 0.03 m at rated speed; sufficient for dispatch decisions. Assignment latency ≤100ms matches the dispatch re-evaluation cycle (SUB-REQ-031), ensuring cars act on assignments before the next dispatch cycle. | Test | interface, group-dispatch, session-440, idempotency:ifc-gdc-car-ctrl-440 |
| IFC-REQ-022 | The interface between Hall Call Interface Unit and landing call panels SHALL use RS-485 multi-drop at 100 kbit/s with polling cycle completing within 50 ms for all floors, providing debounced button state and accepting indicator drive commands. Rationale: 50 ms polling cycle ensures hall call latency from button press to dispatch engine registration is bounded to ≤50 ms; at passenger walking speeds, 50 ms latency is imperceptible. RS-485 multi-drop allows up to 32 floor panels on a single bus, covering standard building heights within cable length limits. | Test | interface, group-dispatch, session-440, idempotency:ifc-hciu-landing-440 |
| IFC-REQ-023 | The interface between the BACnet/IP Stack and the Safety Command Validator SHALL pass all received BMS command objects (VIP priority, floor lockout, schedule commands) through the Safety Command Validator before forwarding to the Group Dispatch Controller, using an internal synchronous API with response latency ≤50 ms, so that the BACnet stack cannot bypass safety validation. Rationale: The Safety Command Validator must be architecturally in-line with every BMS command path to the elevator controller; an asynchronous or bypass-capable interface would allow commands to reach the Group Dispatch Controller without safety validation if the validator is slow or faulted. The 50 ms response budget ensures the 500 ms total rejection notification deadline (SUB-REQ-022) is met with margin. | Test | interface, building-integration-gateway, session-441, idempotency:ifc-bacnet-validator-441 |
| IFC-REQ-024 | The interface between the Building Integration Gateway and the Group Dispatch Controller SHALL use the internal CAN bus at 500 kbit/s, transmitting floor lockout masks and VIP priority assignments as structured messages with a maximum message period of 100 ms and a maximum end-to-end latency from BMS command receipt to Group Dispatch acknowledgment of ≤300 ms. Rationale: Group Dispatch Controller processes hall calls on a 100 ms scheduling cycle (SUB-REQ-031); BMS commands must arrive within one scheduling cycle to be effective. The 300 ms end-to-end budget (50 ms validation + 100 ms CAN transfer + 100 ms GDC scheduling + 50 ms margin) fits within the IEC 61508 timing requirements for non-safety command interfaces. | Test | interface, building-integration-gateway, session-441, idempotency:ifc-big-gdc-441 |
| IFC-REQ-025 | The interface between the Event Logger and the internal CAN bus SHALL allow the Event Logger to receive event broadcasts from Safety Controller Subsystem, Traction Drive Subsystem, Door Operator Subsystem, and Group Dispatch Controller with ≤100 ms from event occurrence to log write commit, and SHALL be read-only (the Event Logger SHALL NOT transmit commands on the CAN bus). Rationale: A read-only Event Logger cannot affect elevator behaviour through the logging interface, preventing a logging subsystem fault from disrupting safety-critical operations. The 100 ms log commit latency ensures events are captured before any watchdog-triggered state transition could overwrite transient state in subsystem memory buffers. | Test | interface, building-integration-gateway, session-441, idempotency:ifc-event-logger-can-441 |
| IFC-REQ-026 | The interface between the Safety Command Validator and the Safety Controller Subsystem SHALL provide the Safety Command Validator with the current safety state (fire recall active, seismic hold active, emergency stop active) via a push subscription at ≥10 Hz, with a maximum latency of 100 ms from safety state change to Safety Command Validator update. Rationale: The Safety Command Validator requires current safety state to correctly block or permit BMS commands. A 10 Hz push rate ensures the validator has state fresher than its 500 ms rejection window (SUB-REQ-022); a 100 ms state latency means no BMS command can pass validation during an ongoing safety event even with worst-case timing. | Test | interface, building-integration-gateway, session-441, idempotency:ifc-validator-safety-ctrl-441 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | ARC: Safety Controller — independent SIL 3 processor separate from main controller. Safety monitoring (overspeed, UCMP) and fire/seismic response grouped because Jaccard similarity 0.842 and both require IEC 61508 SIL 3 certification. Alternative: safety functions distributed across subsystems — rejected because SIL 3 certification of distributed safety is prohibitively expensive and reduces diagnostic coverage. Constraint: EN 81-20 requires safety-critical functions independent of main controller failure. Rationale: H-001 and H-002 both SIL 3. IEC 61508 Part 2 requires architectural independence of safety function from non-safety functions. Dual-channel safety processor with >99% diagnostic coverage is standard industry practice for elevator safety controllers. | Analysis | informational, architecture-decision |
| ARC-REQ-002 | ARC: Traction Drive — dedicated VFD and motion control loop separate from dispatch logic. Motion control requires deterministic real-time loop (1 kHz) while dispatch operates at event-driven timescale (seconds). Alternative: integrated drive-and-dispatch — rejected because real-time jitter from dispatch computation degrades motion profile smoothness. VFD, motor, brake, and encoders are physically co-located and share failure modes (electrical insulation, thermal). Rationale: Motion control at 2.5 m/s with ±5mm levelling requires deterministic 1 kHz loop. Mixing event-driven dispatch with real-time servo creates jitter that degrades ride comfort (STK-REQ-002). VFD switching at 4-16 kHz must be isolated from safety signal paths per H-008. | Analysis | informational, architecture-decision |
| ARC-REQ-003 | ARC: Door Operator — separate subsystem from traction drive despite both having motors. Door motor is low-power AC/DC with belt drive operating at 0.3-0.5 m/s; traction motor is high-power PMSM at 2.5 m/s. Different failure modes (door entrapment vs overspeed), different SIL levels (SIL 2 vs SIL 3), different physical location (car vs machine room/hoistway). No engineering basis for grouping. Rationale: H-003 door entrapment is SIL 2; H-001/H-002 overspeed/UCMP are SIL 3. Mixed SIL allocation within a single subsystem creates certification complexity. Door operator is a field-replaceable unit with distinct maintenance schedule. | Analysis | informational, architecture-decision |
| ARC-REQ-004 | ARC: Building Integration Gateway — consolidates all external protocol translation (BACnet, RS-485, EN 81-28 intercom) and event logging. Alternative: each subsystem handles its own external interface — rejected because protocol translation is cross-cutting, BACnet object model requires aggregated status from all subsystems, and logging must be centralised for 10-year audit trail integrity. Rationale: BACnet B-ASC profile requires a single IP endpoint aggregating car position, faults, energy, and mode from all subsystems. Distributed logging creates audit trail fragmentation that fails EN 81-20 Annex A inspection requirements. | Analysis | informational, architecture-decision |
| ARC-REQ-005 | ARC: Power Distribution — separate subsystem for mains switching, UPS, and ARD. Alternative: power management embedded in traction drive — rejected because ARD rescue drive operates independently when main drive has faulted. UPS sustains controller when traction power is unavailable. Power subsystem must function during traction drive failure, requiring failure independence. Rationale: H-005 (power failure with passengers) requires ARD to operate when traction drive subsystem has lost mains. IEC 60364 requires dedicated switchboard isolation. UPS and ARD have different battery chemistries and maintenance cycles. | Analysis | informational, architecture-decision |
| ARC-REQ-006 | ARC: Group Dispatch Controller — software-only subsystem on main controller hardware. Alternative: dedicated dispatch hardware per car — rejected because group optimisation requires global view of all car positions and calls. Runs on main controller alongside BMS interface, but dispatch algorithm is logically independent module with configurable traffic patterns. Rationale: ETA-based group dispatch requires simultaneous access to all 4 cars' position, load, and call data. Distributed dispatch per car would require consensus protocol adding latency to 30s wait time budget. Software modularity sufficient for functional separation. | Analysis | informational, architecture-decision |
| ARC-REQ-007 | ARC: Traction Drive Subsystem — Gearless PMSM drive with closed-loop vector control. A gearless permanent-magnet synchronous motor (PMSM) with integral VFD was selected over a geared induction motor to eliminate gear wear and noise, reduce machine room footprint, and enable regenerative braking. Vector control with a Motor Control Unit (MCU) closes the velocity loop at 1 kHz, achieving ±5 mm stopping accuracy without a mechanical levelling device. Dual-coil electromagnetic brake provides fail-safe mechanical retention; spring-applied design ensures parking safety during power loss without relying on software. Rotary encoder on the motor shaft feeds both speed regulation and floor position computation, avoiding a separate landing sensor for the drive layer. Rationale: Architecture decision documents the key trade-off (gearless vs geared, VFD vector control vs V/f) and explains the fail-safe brake choice. Essential for future maintainers and safety case arguments. | Inspection | informational, architecture-decision |
| ARC-REQ-008 | ARC: Power Distribution Subsystem — UPS-backed ATS with SoC-managed load shedding. A UPS Module provides fail-safe 24V DC backup for safety-critical circuits; the Automatic Transfer Switch isolates loads from mains within 20ms. Load shedding priority (safety > drive > comfort) is implemented in the Power Management Controller rather than hardwired contactor sequence, enabling configurable adaptation for future car additions without rewiring. Rationale: Records the load-shedding architecture choice and explains why software-managed priority beats hardwired sequencing for a multi-car elevator installation. | Inspection | informational, architecture-decision |
| ARC-REQ-009 | ARC: Door Operator Subsystem — dual-channel obstruction detection with independent light curtain and safety edge. The subsystem uses a dedicated Door Control Unit separate from the Safety Controller to isolate door cycle logic from car movement logic, reducing the SIL-2 door safety functions from the SIL-3 overspeed protection scope. Light curtain (Cat 4 / PLe, EN ISO 13849-1) provides primary obstruction coverage; safety edge contact strip provides backup on physical contact, satisfying EN 81-20 clause 5.3.12 for dual-means reversal. The Door Motor Drive uses torque control rather than speed control to enforce the 150 N closing force limit without requiring a separate force sensor. Rationale: Architectural trade-off: separating DCU from Safety Controller reduces the SIL-2 door functions scope and allows independent validation of door software, lowering certification cost. Using torque control eliminates a sensor (force load cell) while providing continuous force limiting — the alternative (force sensor with speed control) adds a hardware failure mode. | Inspection | informational, architecture-decision |
| ARC-REQ-010 | ARC: Group Dispatch Controller — destination dispatch with traffic-adaptive algorithm. The subsystem separates real-time car state aggregation from the dispatch algorithm to allow algorithm updates without modifying the safety-neutral state aggregation layer. Hall Call Interface Unit is hardware-separated from the dispatch logic to isolate landing panel wiring failures from the dispatch processor. Traffic Analysis Module runs asynchronously at low priority, ensuring dispatch latency is bounded regardless of analysis load. Rationale: Separation of car state aggregation from algorithm allows algorithm iteration without re-validating the state aggregation layer. Hardware separation of HCIU limits landing panel wiring fault blast radius to the hall call function only, not the dispatch processor. | Inspection | informational, architecture-decision |
| ARC-REQ-011 | ARC: Building Integration Gateway — five-component decomposition (BACnet/IP Stack, Safety Command Validator, Access Control Interface Module, Event Logger, Emergency Communications Unit). Protocol translation isolated to single gateway per original ARC-REQ-004 rationale. Safety Command Validator is a dedicated component rather than logic inside BACnet/IP Stack because command interception must execute regardless of BACnet stack health — an independent fail-safe posture. Event Logger is separate from the main controller's diagnostic log because EN 81-20 Clause 5.12 mandates tamper-evident audit records with 10-year retention, requiring dedicated non-volatile storage and SHA-256 hash chaining. Emergency Communications Unit operates autonomously (battery-backed, GSM fallback) because entrapment detection must function even if the main controller has faulted. Rationale: Protocol gateway decomposition isolates external interface complexity. Safety Command Validator independence ensures BMS cannot override safety states even if BACnet stack has a software fault. Event Logger independence required by EN 81-20 audit retention obligations. | Analysis | informational, architecture-decision |
flowchart TB n0["component<br>Safety CPU"] n1["component<br>Speed and Position Monitor"] n2["component<br>Safety Chain Interface Module"] n3["component<br>Seismic and Fire Interface"] n4["component<br>Safety Output Actuator"] n1 -->|speed/position data, trip signals| n0 n2 -->|safety chain status| n0 n3 -->|fire/seismic events| n0 n0 -->|brake engage / VFD inhibit| n4
Safety Controller Subsystem — Internal
flowchart TB n0["component<br>Door Control Unit"] n1["component<br>Door Motor Drive"] n2["component<br>Multi-Ray Light Curtain"] n3["component<br>Safety Edge Contact Strip"] n4["component<br>Door Position Encoder"] n5["component<br>Landing Door Interlock Monitor"] n6["component<br>Door Control Unit"] n7["component<br>Door Motor Drive"] n8["component<br>Multi-Ray Light Curtain"] n9["component<br>Safety Edge Contact Strip"] n10["component<br>Door Position Encoder"] n11["component<br>Landing Door Interlock Monitor"] n6 -->|velocity ref 200Hz CAN| n7 n8 -->|obstruction signal PLe| n6 n9 -->|contact obstruction| n6 n10 -->|position 500Hz RS-422| n6 n11 -->|interlock status 24VDC| n6
Door Operator Subsystem — Internal
flowchart TB n0["component<br>Dispatch Algorithm Engine"] n1["component<br>Car State Aggregator"] n2["component<br>Hall Call Interface Unit"] n3["component<br>Traffic Analysis Module"] n1 -->|car state vector 10Hz| n0 n2 -->|hall call queue| n0 n3 -->|traffic mode| n0
Group Dispatch Controller — Internal
flowchart TB n0["component<br>BACnet/IP Stack"] n1["component<br>Safety Command Validator"] n2["component<br>Access Control Interface Module"] n3["component<br>Event Logger"] n4["component<br>Emergency Communications Unit"] n0 -->|BMS commands| n1 n0 -->|event records| n3 n1 -->|rejection audit| n3 n2 -.->|access control cmds| n1
Building Integration Gateway — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Access Control Interface Module | 50F57818 | Hardware/software module within the Building Integration Gateway providing RS-485 (Modbus RTU) and IP communication to the building access control system. Validates per-credential floor authorisation lists with response time ≤500 ms. Maintains a cached authorisation table updated every 30 s from the access control system, enabling operation during network intermittency. Translates authorised floor lists into floor lockout commands for the Group Dispatch Controller. Does not override safety functions or fire recall. Supports up to 10,000 credential entries. |
| Automatic Transfer Switch | D6F53018 | Solid-state automatic transfer switch that routes power from mains 400V AC or UPS 24V DC backup to the elevator subsystems based on commands from the Power Management Controller. Switching time less than 20 ms. Output ratings: 400V AC 63A for VFD feed; 24V DC 30A for control circuits. Galvanic isolation between sources. Integral monitoring of output voltage and current; overcurrent protection at 125% rated. DIN rail mounted in MCC panel. |
| BACnet/IP Stack | 41F57318 | Software protocol stack implementing ASHRAE 135 BACnet/IP with B-ASC device profile on the Building Integration Gateway. Runs on embedded Linux, manages the elevator's BACnet object model (analog inputs for car position and energy, binary inputs for fault states, event enrollment objects for alarms). Aggregates real-time status from all subsystems via internal CAN bus at 1 Hz and exposes it as BACnet objects to the Building Management System. Handles confirmed/unconfirmed service requests, generates ChangeOfState and Out-Of-Range event notifications. Connected via 100BASE-TX Ethernet to BMS network. |
| Building access control system interface | 50BD7819 | Access control interface for Industrial Elevator Control System: card reader or biometric system at hall stations controls floor access. Controller receives authorised floor list per credential. Integration via serial (RS-485) or IP protocol. Security system owned by building security contractor. Elevator controller restricts car operating panel — only authorised floors illuminate. Must not override safety functions or fire recall. |
| Building facility manager | 000C5AF8 | Operates Industrial Elevator Control System day-to-day via BMS interface. Monitors elevator status, schedules maintenance windows, configures traffic patterns (VIP floors, restricted access, weekend schedules). Receives fault notifications and decides whether to take car out of service. Responsible for emergency procedures — coordinates with fire service during fire recall. Not qualified to enter hoistway. |
| Building Facility Manager | 00045AF8 | Stakeholder of Industrial Elevator Control System: manages the building. Responsible for scheduling maintenance, monitoring energy, managing access control integration, responding to entrapment alarms |
| Building fire alarm panel interface | D4AD7858 | Fire panel interface for Industrial Elevator Control System: hardwired relay contacts from building fire alarm panel to elevator controller. Phase I recall signal (normally open, energise to recall). Alternate floor signal if primary recall floor compromised. Smoke detector inputs for machine room and hoistway top. Must be hardwired (not software-based) per EN 81-72. Owned by fire system integrator — coordination required during commissioning. |
| Building Integration Gateway | 50F57A18 | Subsystem of Industrial Elevator Control System: protocol gateway between elevator controller domain and building systems. BACnet/IP server (B-ASC profile) at 1Hz for BMS — provides car position, fault codes, energy consumption, operating mode; receives VIP priority, floor lockout, schedule commands. Fire alarm relay interface (hardwired contacts from building fire panel, EN 81-72). RS-485/IP connection to building access control for floor authorization per credential. EN 81-28 emergency intercom with auto-dial on entrapment (>2min stationary between floors), GSM backup. Event logging and diagnostic reporting — 10-year non-volatile retention. Interfaces: all internal subsystems (status collection), external building systems (protocol translation). |
| Building Interface Management | 50F57118 | System function of Industrial Elevator Control System: manages all external building system interfaces. BACnet/IP to BMS at 1Hz for status/command. Hardwired fire alarm relay inputs. RS-485/IP to access control for floor authorization. EN 81-28 emergency intercom auto-dial on entrapment. Translates between elevator domain protocols and building system protocols. Inputs: BMS commands, access credentials, fire panel contacts, intercom triggers. Outputs: BACnet status objects, floor authorization list, alarm notifications. |
| Building Management System interface | 50AD7B48 | BMS interface for Industrial Elevator Control System: bidirectional communication via BACnet/IP or Modbus TCP. Provides elevator status (car position, door state, fault codes, energy consumption) to BMS. Receives commands: VIP floor priority, access control floor lockout, weekend/holiday schedules, fire alarm inputs. Typical polling rate 1Hz. Owned by building operator, protocol specification agreed at design stage. |
| Building occupant / elevator passenger | 00084011 | Primary user of Industrial Elevator Control System. Office workers, visitors, delivery personnel, and residents who use elevators daily. Interacts via hall call buttons and car operating panel. Expects <30s wait time, smooth ride quality (<0.5 m/s² jerk), accurate floor levelling, and accessible car dimensions (EN 81-70). Includes mobility-impaired users requiring wheelchair access, tactile buttons, and audible floor announcements. |
| Building Occupant / Elevator Passenger | 000C0081 | Stakeholder of Industrial Elevator Control System: primary user expecting reliable safe accessible transportation between floors. Includes persons with disabilities EN 81-70, children, elderly |
| Car levelling failure at landing hazard | 40352011 | Hazard in Industrial Elevator Control System: car stops above or below floor level by >±10mm due to encoder drift, brake drag, or load compensation failure. Consequence: trip hazard for passengers, wheelchair accessibility failure, freight cart tipping. Re-levelling function must correct within ±5mm. Position feedback via incremental encoder with absolute reference at each floor. |
| Car State Aggregator | 40B57308 | Software module that collects, validates, and maintains the real-time state of each car in the group (position, velocity, door status, load, fault flags, destination queue). Receives car state messages from individual car controllers at 10 Hz via CAN bus. Detects stale data (>200 ms) and marks cars as unavailable for dispatch. Provides the consolidated car state vector to the Dispatch Algorithm Engine. Runs on Group Dispatch Controller hardware. |
| Counterweight derailment hazard | 00040011 | Hazard in Industrial Elevator Control System: counterweight leaves guide rails due to seismic event, guide rail bracket failure, or excessive building sway. Consequence: counterweight strikes car or hoistway equipment causing structural failure, rope tension loss, uncontrolled car movement. Mitigated by seismic restraint brackets, guide rail alignment monitoring, and seismic mode activation. Particularly critical in high-rise installations above 30 floors. |
| Degraded operation mode of Industrial Elevator Control System | 50B67A08 | Reduced-capability mode entered when non-safety-critical faults occur: encoder redundancy loss, single door operator fault, BMS communication failure, or partial group dispatch failure. Car continues serving calls but with restrictions: reduced speed, single-car operation if group controller fails, manual door operation on affected floors. Operator notification via BMS. Exit: fault cleared → normal operation; additional fault escalation → emergency shutdown. |
| Diagnostic and Logging | 41F77358 | System function of Industrial Elevator Control System: records all safety events, fault codes, maintenance actions, parameter changes with timestamps in non-volatile storage. 10-year retention per EN 81-20. Continuous self-diagnostics on encoder redundancy, door interlocks, brake wear, contactor state. Generates fault codes for BMS notification. Maintains modification history for regulatory inspection. Inputs: all sensor data, safety chain state, controller parameters. Outputs: fault codes, diagnostic reports, audit logs, BMS fault notifications. |
| Dispatch Algorithm Engine | 51B77B08 | Real-time software module implementing the group lift dispatch algorithm on the Group Dispatch Controller hardware. Evaluates hall calls against all car positions, velocities, load weights, and destination assignments using a destination dispatch algorithm (hall call allocation with energy-weighted cost function). Optimises for ≤30s average waiting time during peak traffic (200 persons/5min floor). Runs on a dedicated processor at 10 Hz decision cycle. Interfaces to car controllers via CAN network. |
| Door Control Unit | 50F57A18 | SIL-2 rated microcontroller running the elevator door state machine. Receives open/close commands from the Safety Controller, executes timed door cycles, monitors obstruction detection inputs, enforces 150N closing force limit (EN 81-20 clause 5.3.12), and controls the door motor drive. Outputs position commands at 100 Hz, interfaces to light curtain sensor, safety edge, and door position encoder. Transitions to held-open state on obstruction detection within 50 ms. |
| Door Management | 50F73B18 | System function of Industrial Elevator Control System: controls car and landing door opening/closing cycles. Light curtain obstruction detection with 3s re-open. Force limiting to 150N max closing force. Door zone interlocking with car position. Pre-opening when approaching floor. Nudging mode after timeout. Inputs: car position, call status, light curtain, door encoder, force sensor. Outputs: door motor drive, interlock status, obstruction alarm. |
| Door Motor Drive | D5F57008 | Three-phase brushless DC motor drive providing torque-controlled operation of the door panel. Receives velocity/position reference from Door Control Unit at 200 Hz via CAN. Drives the door belt/chain mechanism at up to 0.3 m/s panel velocity. Limits closing torque to maintain ≤150N contact force at the leading edge. Includes current sensing for torque feedback. Provides motor fault status to DCU within 10 ms of fault detection. |
| Door Operator Subsystem | 55F77858 | Subsystem of Industrial Elevator Control System: permanent-magnet door motor with belt drive for car doors, landing door coupling via vane/clutch mechanism. Light curtain (infrared, 2D array) for obstruction detection. Force sensor limiting closing force to 150N per EN 81-20. Door encoder for position/speed feedback. Door zone interlocking with car position via safety controller. Pre-opening when car within 200mm of floor. Nudging mode after 20s obstruction timeout. 3s re-open on obstruction. Interfaces: safety controller (interlock status, door zone signal), group controller (open/close commands, dwell time), building integration (access control floor lockout). |
| Door Position Encoder | D4E57008 | Magnetic linear encoder measuring car door panel position with 0.5 mm resolution at 500 Hz output rate. Tracks panel travel from fully open to fully closed (typically 800–1200 mm range). Provides absolute position data to Door Control Unit for landing zone calculation, interlock verification, and closing speed profiling. RS-422 differential output for noise immunity in motor-rich environment. |
| Door zone entrapment hazard | 40842A51 | Hazard in Industrial Elevator Control System: passenger trapped between closing doors or between car and landing doors. Consequence: crush injury, limb entrapment, fatality if dragged into hoistway. Door protection via infrared curtain, mechanical safety edge, and re-opening circuit. EN 81-20 requires doors to re-open within 3 seconds on obstruction detection. Door force limited to 150N. |
| Drive system electromagnetic interference hazard | 40050859 | Hazard in Industrial Elevator Control System: VFD-generated EMI corrupts safety controller inputs or encoder signals, causing incorrect position reporting or false safety chain status. Consequence: car moves to wrong floor, doors open outside door zone, safety functions fail to trigger. Mitigated by shielded cabling, EMC filters on VFD output, galvanic isolation of safety circuits from drive circuits. EN 12015/12016 EMC compliance required. |
| Electromagnetic Brake | D6D51018 | Spring-applied, electrically-released electromagnetic disc brake on the traction motor shaft. Engagement force 2000 N; hold torque 150% of motor rated torque. Released by 24 V DC coil current; spring-applied when power is removed (fail-safe). Response time: engage ≤150 ms from de-energise; release ≤100 ms from energise. Dual-coil redundant design per EN 81-20 clause 12.5. Provides primary mechanical stop when car is parked and secondary safety stop in power failure. |
| Electromagnetic compatibility environment for elevator | 40853858 | EMC environment for Industrial Elevator Control System: VFD switching at 4-16 kHz generates conducted and radiated emissions affecting encoder signals and safety controller inputs. Co-located with building power distribution, HVAC drives, and LED lighting drivers. Must comply with EN 12015 (emissions) and EN 12016 (immunity). Shielded cabling mandatory for safety circuits. Radiated immunity to 10 V/m required. |
| Elevator maintenance technician | 00042AF8 | Certified technician performing preventive and corrective maintenance on Industrial Elevator Control System per EN 81-20. Has exclusive access to machine room, car top inspection station, and pit. Uses maintenance mode key switch. Responsible for rope inspection, brake testing, safety gear verification, door gap measurement, and ARD testing. Quarterly inspections plus emergency callouts. Works alone in hoistway — personal safety depends on maintenance mode interlocks. |
| Elevator Maintenance Technician | 000420F8 | Stakeholder of Industrial Elevator Control System: performs routine maintenance, fault diagnosis, and repair. Requires safe access to machine room, hoistway, car top. Uses maintenance mode and diagnostics |
| Elevator OEM / system integrator | 40A43A58 | Manufacturer or integrator who designs, installs, and commissions Industrial Elevator Control System. Provides controller hardware, VFD, safety devices, and control software. Responsible for type examination certification (EU Lifts Directive 2014/33/EU). Supplies spare parts and software updates over 20-25 year lifecycle. Holds proprietary knowledge of controller firmware and diagnostic protocols. |
| Elevator OEM / System Integrator | 40843A39 | Stakeholder of Industrial Elevator Control System: designs, manufactures, and installs elevator systems. Responsible for system architecture, component selection, safety certification, and commissioning |
| Elevator power infrastructure | 54853018 | Power supply for Industrial Elevator Control System: 3-phase 400VAC 50Hz mains (or 480VAC 60Hz in NA), dedicated elevator switchboard with lockable isolator. VFD regenerative braking feeds energy back to building grid or braking resistor. UPS for controller logic (30min minimum). ARD battery bank for emergency rescue (3 cycles minimum). Grounding per IEC 60364 with equipotential bonding in machine room and pit. |
| Elevator regulatory framework | 408538D9 | Regulatory environment for Industrial Elevator Control System: EN 81-20/50 (safety rules for construction and installation), EN 81-70 (accessibility), EN 81-72 (fire service), EN 81-77 (seismic), ASME A17.1 (NA), IEC 61508 SIL 3 (safety functions), EU Lifts Directive 2014/33/EU (CE marking), local building codes, AS 1735 (Australia). Notified body type examination required for new installations. |
| Elevator regulatory inspector | 000038F8 | Government or notified-body inspector who certifies Industrial Elevator Control System compliance with EN 81-20/50, ASME A17.1, and local building codes. Performs annual statutory inspections and witnesses safety tests (overspeed governor trip, buffer test, door force measurement). Has authority to condemn elevator and prohibit operation if safety deficiencies found. Requires access to test records, maintenance logs, and modification history. |
| Elevator Regulatory Inspector | 008428F9 | Stakeholder of Industrial Elevator Control System: government-appointed inspector who certifies elevator installations meet EN 81-20. Conducts periodic inspections, witnesses tests, issues compliance certificates |
| Emergency Communications Unit | D5FF7A58 | EN 81-28 compliant emergency telephone and intercom controller within the Building Integration Gateway. Monitors car position state from the main controller; triggers entrapment detection when car is stationary between floors for >2 minutes. Auto-dials a 24/7 monitoring centre via PSTN primary and GSM fallback, maintaining voice connection until confirmed by an operator. Provides two-way voice via a car-mounted speaker/microphone. Has internal battery backup providing ≥24 hours of standby and ≥1 hour of active call operation. Performs weekly auto-test call per EN 81-28. |
| Emergency intercom and telephone system | D4FD7A58 | Emergency communication interface for Industrial Elevator Control System: two-way voice intercom in car connecting to building reception or 24/7 monitoring centre. Auto-dials on entrapment detection (car stationary between floors >2 minutes). Must work during power failure (battery backed). EN 81-28 compliance required. GSM backup if landline fails. Owned by telecom provider, maintained by elevator contractor. |
| Emergency Power Management | 51F73A18 | System function of Industrial Elevator Control System: manages UPS for 30-minute controller sustain and ARD batteries for car rescue during mains failure. Monitors battery charge state, initiates rescue drive at 0.15 m/s to nearest floor. Manages regenerative braking energy during normal operation — grid return or resistor dissipation. Switches between mains, UPS, and ARD modes. Inputs: mains voltage, battery SOC, car position, rescue trigger. Outputs: power bus selection, ARD motor drive command, battery charge control. |
| Emergency shutdown mode of Industrial Elevator Control System | 50B73A50 | Safety-critical mode entered on overspeed detection, uncontrolled car movement, safety chain break, seismic event, or fire alarm. Immediate response: regenerative braking to deceleration then mechanical brake application. Car brought to nearest floor if possible, doors opened, motor de-energised, brake locked. If fire mode: car sent to designated fire recall floor, doors opened, system handed to fire service. Cannot be exited without manual reset by qualified technician or fire service override. |
| Event Logger | 40853258 | Non-volatile event recording module within the Building Integration Gateway. Records all safety events, fault codes, maintenance actions, and parameter changes from all subsystems via the internal CAN bus. Uses flash-backed FIFO with 10-year retention capacity at expected event rates (≤50 events/day). Each record includes GPS/NTP-synchronised timestamp (±1 s accuracy), event code, subsystem source, and parameter snapshot. Provides USB and Ethernet export interfaces for maintenance terminals. Tamper-evident with SHA-256 hash chain for audit integrity. Compliant with EN 81-20 Clause 5.12 for record retention. |
| Fire alarm recall scenario | 00B57A11 | Emergency scenario for Industrial Elevator Control System: fire detected on floor 12. Building fire panel sends Phase I signal to elevator controller. All cars immediately cancel current calls and travel non-stop to designated recall floor (ground). Doors open and remain open. Floor 12 hall button locked out — car will not travel to fire floor. Car 3 was traveling upward past floor 10 — it continues to floor 11 (next available stop above fire floor, as it cannot stop at 12), opens doors briefly for evacuation, then proceeds to ground. Fire service arrives, inserts Phase II key in Car 1 for manual firefighter operation. |
| Fire and Seismic Response | 55F77A18 | System function of Industrial Elevator Control System: processes fire alarm Phase I recall signal (hardwired relay, not software) to cancel all calls and drive cars to designated floor within 60s. Processes P-wave seismic detector signal to stop cars at nearest floor with 60s hold timer. Fire floor lockout. Phase II firefighter key enables exclusive manual hold-to-run. Inputs: fire relay contact, seismic P-wave trigger, firefighter key switch, building sway sensor. Outputs: recall command, floor lockout, mode switch to fire service or seismic. |
| Fire service / emergency responder | 01857AF9 | Interacts with Industrial Elevator Control System during fire emergencies via Phase I recall (automatic) and Phase II manual operation (firefighter key). Requires elevator as vertical transport for equipment to fire floor. Needs reliable manual control — hold-to-run operation, door close override, independent car operation. Trained in elevator emergency procedures per ASME A17.1. Expects car to be at recall floor with doors open on arrival. |
| Fire Service / Emergency Responder | 000D3AF9 | Stakeholder of Industrial Elevator Control System: firefighters who use the elevator in fire recall mode EN 81-72. Need reliable Phase I/II recall and manual override under fire conditions |
| Fire service mode of Industrial Elevator Control System | 40B57A50 | Override mode activated by fire alarm input from building fire panel (Phase I recall) or firefighter key switch in car (Phase II operation). Phase I: all cars recalled to designated floor, doors open, normal service suspended. Phase II: firefighter has exclusive manual control — car moves only while button held, door close override enabled, automatic leveling disabled. Entered via hardwired fire alarm circuit (not software). Exit only via fire service key removal and manual reset. EN 81-72 and ASME A17.1 compliant. |
| Group Dispatch Controller | 41F77B08 | Subsystem of Industrial Elevator Control System: real-time dispatch software running on main controller hardware. Manages 4-car group assignment using estimated time of arrival (ETA) algorithms. Traffic modes: up-peak (lobby bias), down-peak, balanced, VIP priority. Load weighing input from each car (0-150% rated) for hall call bypass at 80%. Wait time optimisation target <30s normal, <50s N-1 degraded. Rebalances on car fault removal. Configurable traffic patterns, floor lockouts, scheduled modes. Inputs from hall/car call buttons, car position, car load, BMS commands. Outputs: car-to-floor assignment, door dwell adjustment, estimated wait time. |
| Group Dispatch Optimisation | 41F77B08 | System function of Industrial Elevator Control System: accepts hall calls and car calls from 20 floors, assigns calls to 4-car group using traffic pattern analysis. Implements up-peak, down-peak, and balanced modes. Inputs: hall call registration, car position, car load (0-150% rated), current traffic pattern. Outputs: car-to-call assignment, estimated wait time, door dwell time adjustment. Constraints: <30s average wait in normal, <50s in N-1 degraded, 3s door dwell. |
| Hall Call Interface Unit | D6FD7008 | Hardware module managing all hall call button inputs, indicators, and destination dispatch terminals across all floor landings. Collects UP/DOWN button presses and optional destination floor entries from floor terminals. Provides debounced, prioritised call queue to the Dispatch Algorithm Engine. Drives floor landing indicators (arrival chime, direction arrows) based on car assignments. Connected to landing panels via RS-485 bus at 100 kbit/s. |
| Hoistway flooding or fire exposure hazard | 00000011 | Hazard in Industrial Elevator Control System: water ingress from sprinkler activation or pipe burst, or fire/smoke penetration into hoistway. Consequence: electrical short circuits in controller/wiring, loss of safety functions, smoke inhalation by trapped passengers. Mitigation: IP-rated enclosures for pit equipment, smoke detection in machine room, fire recall function (Phase I). Particular risk in below-grade hoistways in flood zones. |
| Hoistway thermal environment | 04000010 | Enclosed vertical shaft environment for Industrial Elevator Control System: ambient temperature 0-50°C (machine room up to 40°C per EN 81-20), humidity 5-95% non-condensing, poor ventilation in shaft. Controller electronics derated above 40°C. Pit subject to flooding in below-grade installations. Vibration from traction machinery and building sway in high-rise installations. |
| industrial elevator control system | D7F77858 | Physical controller cabinet housing control PCBs, safety modules, power supply, and UPS. Installed in machine room per EN 81-20. The physical system controls elevator motion, door operation, and safety functions. Has physical power input, signal wiring to hoistway, and network connections to BMS. |
| Industrial Elevator Control System | 51F77A58 | Integrated electronic control system for industrial freight and passenger elevators in commercial buildings, factories, and warehouses. Manages traction motor drives, door operators, floor-level positioning, car and hall call dispatch, safety chain monitoring, and building management system integration. Operates continuously in enclosed hoistways with temperature extremes (0-50°C shaft ambient), vibration from machinery, and electromagnetic interference from variable-frequency drives. Safety-critical: must comply with EN 81-20/50, ASME A17.1, and IEC 61508 SIL 3 for overspeed protection and uncontrolled movement. Controls elevators carrying up to 5000 kg at speeds up to 6 m/s across 30+ floors. Lifecycle 20-25 years with modernisation cycles. |
| Initialisation mode of Industrial Elevator Control System | 50B73A10 | Power-on self-test and startup sequence for elevator controller. Checks safety chain continuity, encoder position, door interlocks, brake function, and communication links to BMS. Entered on power restoration or controller reset. Car remains stationary with doors locked until all checks pass. Exit: all diagnostics pass → transition to normal operation. Failure: any safety device fault → transition to out-of-service with fault code. Takes 15-60 seconds depending on car position relative to nearest floor. |
| Landing Door Interlock Monitor | 54A53858 | Monitors the electromechanical interlock contacts of all landing door panels at each floor level. Each interlock is a normally-open contact that closes only when the landing door is properly closed and latched (per EN 81-20 clause 8.9). Wired in series on the safety chain; any open contact prevents car movement. DCU reads landing interlock status independently via isolated 24 V DC digital inputs for diagnostic purposes. |
| Maintenance mode of Industrial Elevator Control System | 50B43A10 | Inspection and servicing mode entered via keyed maintenance switch on car top or in machine room. Car speed limited to 0.3 m/s, operated only from car-top inspection station or machine-room panel. Normal call dispatch disabled. Safety chain remains active but speed governor threshold lowered. Technician has direct control of door operations and car movement. Enables access to hoistway equipment, guide rails, counterweight, and door mechanisms. Exit: maintenance switch returned to normal → initialisation sequence. |
| Morning rush hour traffic scenario | 44B63A08 | Normal operations scenario for Industrial Elevator Control System: 07:30-09:00, commercial high-rise. Ground floor lobby fills with 200+ office workers arriving. Hall calls concentrated at ground floor. Group dispatch switches to up-peak algorithm: all cars return to lobby after serving highest call. Car loading monitored by load weighing — 80% capacity triggers bypass of further hall calls. Average wait time target: <30s. Door dwell time reduced to 3s. Energy consumption peaks due to continuous motor cycling. |
| motion control | 40A53A08 | |
| motor control unit | D6E51018 | Physical PCB assembly mounted within the Variable Frequency Drive enclosure. Contains processor die, gate driver integrated circuits, and signal conditioning hardware. Physical component with physical connectors, heatsink interface, and power supply rails. |
| Motor Control Unit | 51F57218 | Embedded real-time controller that closes the velocity and torque control loop for the traction drive. Receives velocity setpoint from the Safety Controller at 100 Hz CAN messages; reads encoder feedback at 10 kHz; outputs torque reference to VFD at 1 kHz. Implements velocity profile generation (S-curve), current limiting, stall detection, and thermal management. Dual-core ARM Cortex-R5 processor for lock-step execution. SIL 3 per IEC 62061. Hosts diagnostic logging ring buffer (256 events). Communicates fault status to Safety Controller within 50 ms. |
| Multi-Ray Light Curtain | D4F57858 | Infrared safety light curtain spanning the full height of the door opening (typically 1800–2100 mm) with transmitter and receiver columns. Provides active obstruction detection across 48 horizontal beams at 20 ms scan cycle. Category 4 / PLe rated per EN ISO 13849-1. Outputs a safety-rated digital signal to Door Control Unit; any beam interruption triggers immediate door reversal command. Immune to sunlight and ambient IR per IEC 60947-5-3. |
| Normal operation mode of Industrial Elevator Control System | 51F73B18 | Primary operating mode handling car/hall call dispatch, floor-level positioning via encoder feedback, door open/close cycles, and passenger traffic management. Variable-frequency drive controls traction motor for smooth acceleration/deceleration profiles. Group dispatch algorithm optimises wait times across elevator bank. Continuous safety monitoring: overspeed governor, slack rope, car position, door zone detection. Entered from initialisation. Exit: fault detected → degraded/emergency; maintenance switch → maintenance mode; fire alarm → fire service mode. |
| Overspeed in down direction hazard | 40852A51 | Hazard in Industrial Elevator Control System: car exceeds rated speed in downward direction due to VFD failure, brake failure, or rope slippage. Consequence: high-energy impact at pit bottom, fatal injuries to occupants. Mitigated by centrifugal overspeed governor mechanically triggering safety gear (progressive type for >1 m/s). IEC 61508 SIL 3 safety function. Governor trip speed: 115% rated speed. |
| power distribution subsystem | DE851018 | A physical steel cabinet (Physical Object, LRU) bolted in elevator machine room. Welded IP54 steel enclosure containing: IEC 61439-compliant copper busbar assembly, sealed lead-acid 48V UPS battery bank (2.5 kWh ARD supply), mains isolation contactors, ARD battery management board, monitoring interface PCB. Physical dimensions: constrained by EN 81-20 machine room. Has mass. Thermal load. Bolted to structural wall. Front-hinged maintenance door. Distributes 3-phase 400V AC mains and 48V DC UPS power. Physical Line-Replaceable Unit. |
| Power Distribution Subsystem | DE851018 | Physical welded steel cabinet installed in elevator machine room. A discrete physical LRU (line-replaceable unit) with IP54 enclosure rating per IEC 60529, flame-retardant UL94 V-0 housing material, and front-hinged maintenance access door. Has physical mass, dimensional envelope, and thermal dissipation load. Contains: IEC 61439-compliant copper busbar assembly (physical conductors), sealed 48V VRLA battery bank (2.5 kWh ARD supply), mains isolation contactors (electromechanical physical devices), and monitoring PCB. Mounted to structural wall of machine room. This is a physical enclosure/cabinet that distributes 3-phase 400V AC mains power and 48V DC UPS power to elevator drive systems and safety subsystems. |
| Power failure during normal operation scenario | 11F43211 | Failure scenario for Industrial Elevator Control System: mains power fails during afternoon operation. UPS maintains controller logic for 30 minutes. ARD batteries activate on all cars between floors. Car 2 is at floor 18 with 6 passengers including a wheelchair user. ARD drives car 2 down at 0.15 m/s to floor 17 (nearest floor below), opens doors. Emergency lighting and intercom activate. Other cars already at floors — doors open, passengers exit. Building emergency generator starts in 12s, but elevator power restoration requires manual confirmation from building engineer to prevent restart with open hoistway doors. |
| Power failure with passengers trapped hazard | 51071211 | Hazard in Industrial Elevator Control System: mains power failure while car is between floors with passengers aboard. Consequence: entrapment (panic, medical emergencies for trapped elderly/disabled), potential for self-rescue attempts leading to falls into hoistway. Mitigated by automatic rescue device (ARD) with battery backup — drives car to nearest floor at reduced speed, opens doors. Battery must sustain 3 rescue cycles minimum. |
| Power Management Controller | 15F77218 | Embedded microcontroller managing power source switching, load shedding, and battery monitoring for the industrial elevator. Monitors mains presence (230V AC), UPS SoC via SMBus, and 24V DC bus voltage. Executes automatic transfer switch (ATS) logic within 20ms of mains failure. Controls solid-state relays for load groups (safety circuits, drive, lighting, ventilation). Communicates bus state to Safety Controller via CAN at 10 Hz. Implements battery deep-discharge protection below 20% SoC. |
| Quarterly preventive maintenance scenario | 00843A58 | Maintenance scenario for Industrial Elevator Control System: every 3 months, certified technician performs EN 81-20 mandated inspection. Technician arrives at machine room, switches Car 1 to maintenance mode via key switch. Car 1 removed from group dispatch — remaining cars handle traffic. Technician rides car top at 0.3 m/s, inspects guide rail alignment, rope condition, door gap clearances, safety gear, governor rope tension. Measures brake holding torque with test weight. Tests ARD by simulating power failure. Records all measurements in maintenance log. Duration: 2-4 hours per car. For 4-car group: full inspection takes 2 days with cars rotated through maintenance. |
| Rotary Encoder | D4F57008 | High-resolution optical rotary encoder mounted on the traction motor shaft for closed-loop speed and position feedback. Provides 2048 pulses/revolution via incremental A/B/Z quadrature signals at 5 V TTL. Maximum shaft speed 3000 rpm. Operating temperature −20 to +80 °C. Connects to Motor Control Unit via shielded cable to minimise VFD-induced noise. Used for both velocity regulation and absolute floor position computation via pulse counting from a reference datum. |
| Safety Chain Interface Module | 54E57858 | Series safety circuit monitor per EN 81-20 Clause 14.1. Reads the state of all electrical safety devices wired in series: pit stop switch, buffers, final limit switches, car top inspection station, door electrical safety devices (DSE) per landing, car gate contact, and slack rope switch. Provides discrete safety chain status (open/closed) to Safety CPU at 20Hz scan rate. Operates on isolated 24VDC safety loop; single-channel open detected as fail-safe (open = unsafe). Feeds into Safety CPU's trip logic for safety gear engagement. |
| Safety Command Validator | 41F77B18 | Software module within the Building Integration Gateway that intercepts all incoming BMS commands (floor lockout, VIP priority, schedule changes) and cross-checks each command against the current safety state published by the Safety Controller Subsystem. Rejects any command that would override or interfere with fire recall, seismic hold, or emergency stop states. On rejection, generates a BACnet alarm notification object within 500 ms and logs the rejection event. Consumes safety state via internal message bus at 10 Hz; outputs command pass/reject decision with timestamp. |
| Safety Controller Subsystem | 51B73858 | Subsystem of Industrial Elevator Control System: independent SIL 3 certified safety processor per IEC 61508. Dual-channel architecture with >99% diagnostic coverage. Monitors: overspeed governor (115% rated speed trip), UCMP device (200mm threshold with doors open), safety chain (interlocks, buffers, pit switch, car-top switch), fire alarm relay (hardwired Phase I recall), seismic P-wave detector. Controls: safety brake engagement, motor contactor (STO), UCMP mechanical device, fire recall mode, seismic safe-hold. Independent of main controller — hardwired safety chain can stop car even if main controller fails. Response time ≤200ms for overspeed, ≤300ms for UCMP. |
| Safety CPU | 51F77858 | Dual-channel SIL 3 certified safety processor (IEC 61508 SIL 3) running elevator safety logic. Executes overspeed detection (>115% rated speed), uncontrolled car movement detection (>200mm), safe state logic, and fire/seismic emergency response. Operates on separate power rail from main controller. Watchdog-monitored with 10ms safety function response time. Inputs from Speed/Position Monitor and Safety Chain Interface; outputs to Safety Output Actuator. |
| Safety Edge Contact Strip | C6C41058 | Mechanically actuated pressure-sensitive contact strip mounted on the leading edge of the car door panel. Provides a redundant, fail-safe obstruction detection channel independent of the light curtain. Triggers on contact forces ≥5 N. Hardwired output — de-energises on contact, directly connected to Door Control Unit safety input. Rated for EN 81-20 clause 5.3.12 and compliant with EN 81-70 accessible design requirements. |
| Safety Monitoring | 51F77858 | System function of Industrial Elevator Control System: continuously monitors safety-critical parameters independent of main controller. Overspeed detection at 115% rated speed via governor and encoder. UCMP detection of 200mm uncontrolled movement with doors open. Safety chain monitoring (interlocks, buffers, pit switch, governor). SIL 3 per IEC 61508. Dual-channel architecture with diagnostic coverage >99%. Inputs: encoder velocity, door state, interlock chain, governor switch. Outputs: safety brake engagement, motor contactor drop, UCMP device activation. |
| Safety Output Actuator | D6E57058 | Dual-channel safety relay output module controlling the elevator's electromechanical safety brake and VFD enable signal. Contains two independent force-guided relays (EN 61810-3) wired in series on the safety brake coil circuit. Both relays must open simultaneously to engage brake; relay monitor contacts feed back to Safety CPU. VFD enable output prevents drive from powering traction motor when tripped. SIL 3 rated output stage with 20ms maximum brake engagement time from trip command. Auto-restart inhibited until Safety CPU clears the trip condition. |
| Seismic and Fire Interface | 50A57258 | Hardwired relay contact input module interfacing external safety systems to the Safety Controller Subsystem. Receives Phase I fire recall relay from Building Fire Alarm Panel (EN 81-72), seismic P-wave detector digital output (EN 81-77), and alternate floor designation relay. Converts relay states to digital signals for Safety CPU. All inputs are fail-safe (normally energised, de-energise on alarm). Provides electrical isolation between external systems and safety CPU. Response latency <5ms to ensure seismic deceleration command meets the ≤1s P-to-S-wave window. |
| Seismic event during operation scenario | 04B77A10 | Emergency scenario for Industrial Elevator Control System: P-wave detector triggers seismic alert. All cars in motion begin deceleration to nearest floor. Car 4 at floor 22 moving down — stops at floor 21, doors open. Counterweight monitored for rail alignment. 60-second hold timer starts after last P-wave detection. Building sway sensor confirms structural integrity. After timer expires and sway below threshold, technician initiates low-speed inspection run: each car travels full shaft at 0.3 m/s while sensors check guide rail alignment, rope tension, and counterweight position. Cars passing inspection return to service one at a time. |
| Seismic operation mode of Industrial Elevator Control System | 50B73A58 | Earthquake response mode triggered by seismic sensor (P-wave detector) or building seismic monitoring system. On seismic trigger: car immediately stops at nearest floor, doors open, system enters safe hold. Prevents car movement during shaking to avoid derailment from guide rails. After seismic event clears (configurable hold timer, typically 60s after last trigger), system runs low-speed inspection trip before resuming normal operation. Required by EN 81-77 and California Building Code. |
| Single car failure during peak traffic scenario | 40343208 | Degraded scenario for Industrial Elevator Control System: during morning rush, one car in 4-car group reports encoder redundancy fault. Controller takes car out of group service, dispatches remaining 3 cars. Wait times increase from 30s to 45-50s. Building management notified. Technician dispatched — ETA 45 minutes. Group algorithm rebalances: cars skip low-traffic floors during peak. If second car fails, system enters critical degraded mode: lobby attendant redirects passengers to stairwells for floors <5. |
| Speed and Position Monitor | 54F57218 | Dual-channel incremental encoder interface module receiving quadrature encoder signals from two independent encoders mounted on the traction sheave and governor sheave. Continuously computes car velocity (resolution 1mm, rate 100Hz) and absolute position relative to landing zones. Detects overspeed at >115% rated speed within 50ms and uncontrolled car movement (creep/drift) exceeding 200mm from landing with doors open. Outputs speed/position data and discrete overspeed/UCMP trip signals to Safety CPU. |
| Traction Drive Subsystem | 54F73018 | Subsystem of Industrial Elevator Control System: gearless permanent-magnet synchronous motor with VFD operating at 4-16 kHz switching frequency. Dual redundant absolute encoders for closed-loop speed/position control. S-curve motion profiles (2.5 m/s rated, 1.5 m/s² accel, 2.0 m/s³ jerk). Floor levelling to ±5mm. Regenerative braking with grid return or resistor dissipation. Mechanical brake (normally-closed, spring-applied, electrically released). Machine-room or MRL mounting. Interfaces: safety controller (brake release permit), group controller (target floor), power subsystem (3-phase supply, regen bus). |
| Traction Motor | D6D51018 | Three-phase permanent-magnet synchronous motor (PMSM) driving the traction sheave of an industrial elevator. Rated 30 kW, 1500 rpm, 400 V, IP54. Receives three-phase AC from the VFD; drives the grooved traction sheave directly (gearless) via a bolted flange. Delivers constant torque from 0 to rated speed; regenerates energy during deceleration back to the DC bus. Mounted on a bedplate in the machine room. High-temperature winding insulation (class F) required. |
| Traffic Analysis Module | 41F77B08 | Software module performing statistical analysis of building traffic patterns to adapt dispatch strategy. Monitors hall call registration rates, waiting time histograms, and car utilisation over rolling 15-minute windows. Classifies traffic mode (up-peak, down-peak, inter-floor, light) and adjusts dispatch algorithm parameters accordingly. Stores 30-day traffic profiles for reporting. Provides traffic mode signal to Dispatch Algorithm Engine. |
| Uncontrolled car movement hazard | 00010851 | Hazard in Industrial Elevator Control System: car moves without valid command due to contactor welding, drive fault, or control logic failure. Consequence: crushing/shearing of passengers or maintenance personnel at floor landings or in hoistway. Most severe elevator hazard — EN 81-20 Clause 5.6 requires unintended car movement protection (UCMP) device as independent safety function. Dual-channel monitoring of motor torque vs position required. |
| UPS Module | D6F51018 | Sealed VRLA or lithium-ion uninterruptible power supply providing 24V DC backup power for elevator safety circuits and MCU. Rated 1.5 kWh capacity; minimum hold-up time 30 minutes at full load. Trickle charges from 230V AC mains via integrated charger. Monitors State of Charge (SoC) and battery health via I2C SMBus; reports status to Power Management Controller. Located in machine room. Temperature range 0-40 °C. Complies with EN 50272-2 battery safety standard. |
| Variable Frequency Drive | D4F53018 | Industrial-grade IGBT-based variable frequency drive (VFD) controlling a traction motor for elevator service. Receives velocity setpoint and current limits from the Motor Control Unit; outputs three-phase PWM waveform to the traction motor at up to 400 V AC, 0–50 Hz. Implements V/f and closed-loop vector control modes. Peak torque output 200% of rated for 10 s. Must reject input harmonic disturbances; fitted with line reactor and EMI filter for compliance with EN 12015. Operating temperature −10 to +55 °C, humidity 95% non-condensing. |
| Component | Belongs To |
|---|---|
| Traction Drive Subsystem | Industrial Elevator Control System |
| Safety Controller Subsystem | Industrial Elevator Control System |
| Door Operator Subsystem | Industrial Elevator Control System |
| Group Dispatch Controller | Industrial Elevator Control System |
| Power Distribution Subsystem | Industrial Elevator Control System |
| Building Integration Gateway | Industrial Elevator Control System |
| Safety CPU | Safety Controller Subsystem |
| Speed and Position Monitor | Safety Controller Subsystem |
| Safety Chain Interface Module | Safety Controller Subsystem |
| Seismic and Fire Interface | Safety Controller Subsystem |
| Safety Output Actuator | Safety Controller Subsystem |
| Variable Frequency Drive | Traction Drive Subsystem |
| Traction Motor | Traction Drive Subsystem |
| Electromagnetic Brake | Traction Drive Subsystem |
| Rotary Encoder | Traction Drive Subsystem |
| Motor Control Unit | Traction Drive Subsystem |
| UPS Module | Power Distribution Subsystem |
| Power Management Controller | Power Distribution Subsystem |
| Automatic Transfer Switch | Power Distribution Subsystem |
| Door Control Unit | Door Operator Subsystem |
| Door Motor Drive | Door Operator Subsystem |
| Multi-Ray Light Curtain | Door Operator Subsystem |
| Safety Edge Contact Strip | Door Operator Subsystem |
| Door Position Encoder | Door Operator Subsystem |
| Landing Door Interlock Monitor | Door Operator Subsystem |
| Dispatch Algorithm Engine | Group Dispatch Controller |
| Car State Aggregator | Group Dispatch Controller |
| Hall Call Interface Unit | Group Dispatch Controller |
| Traffic Analysis Module | Group Dispatch Controller |
| BACnet/IP Stack | Building Integration Gateway |
| Safety Command Validator | Building Integration Gateway |
| Access Control Interface Module | Building Integration Gateway |
| Event Logger | Building Integration Gateway |
| Emergency Communications Unit | Building Integration Gateway |
| From | To |
|---|---|
| Speed and Position Monitor | Safety CPU |
| Safety Chain Interface Module | Safety CPU |
| Seismic and Fire Interface | Safety CPU |
| Safety CPU | Safety Output Actuator |
| Motor Control Unit | Variable Frequency Drive |
| Rotary Encoder | Motor Control Unit |
| Motor Control Unit | Safety Controller |
| Safety Controller | Electromagnetic Brake |
| Variable Frequency Drive | Traction Motor |
| Door Control Unit | Door Motor Drive |
| Multi-Ray Light Curtain | Door Control Unit |
| Safety Edge Contact Strip | Door Control Unit |
| Door Position Encoder | Door Control Unit |
| Landing Door Interlock Monitor | Door Control Unit |
| Door Control Unit | Safety Controller Subsystem |
| BACnet/IP Stack | Safety Command Validator |
| Building Integration Gateway | Group Dispatch Controller |
| Event Logger | Safety Controller Subsystem |
| Safety Command Validator | Safety Controller Subsystem |
| Component | Output |
|---|---|
| Safety CPU | safety-state-commands |
| Speed and Position Monitor | speed-position-data |
| Safety Chain Interface Module | safety-chain-status |
| Seismic and Fire Interface | fire-seismic-events |
| Safety Output Actuator | brake-vfd-control-signals |
| Variable Frequency Drive | Three-phase PWM motor voltage |
| Traction Motor | Mechanical torque on sheave |
| Electromagnetic Brake | Shaft hold/release action |
| Rotary Encoder | Speed and position pulses |
| Motor Control Unit | Velocity setpoint and fault status |
| Door Control Unit | door-cycle-command |
| Multi-Ray Light Curtain | obstruction-detection-signal |
| Safety Edge Contact Strip | contact-obstruction-signal |
| Door Position Encoder | door-panel-position |
| Landing Door Interlock Monitor | interlock-status |
| Door Motor Drive | door-panel-velocity |
| BACnet/IP Stack | BACnet status objects and alarm notifications |
| Safety Command Validator | command pass/reject decisions with audit events |
| Access Control Interface Module | floor authorisation commands for Group Dispatch |
| Event Logger | tamper-evident audit trail records |
| Emergency Communications Unit | two-way voice call to monitoring centre on entrapment |