Hazard & Risk Analysis (HRA) — ISO/IEC/IEEE 15289 — Report | IEC 61508 Phase 3
Generated 2026-03-27 — UHT Journal / universalhex.org
| Hazard | Severity | Frequency | SIL | Safe State |
|---|---|---|---|---|
| H-001: Uncontrolled car movement — car moves without valid command due to contactor welding, drive fault, or logic failure | catastrophic | rare | SIL 3 | motor de-energised, mechanical brake engaged, UCMP device activated |
| H-002: Overspeed in down direction — car exceeds rated speed due to VFD/brake failure or rope slippage | catastrophic | rare | SIL 3 | overspeed governor trips, progressive safety gear engages on car guide rails, car decelerates to stop |
| H-003: Door zone entrapment — passenger trapped between closing doors or car/landing gap | critical | medium | SIL 2 | doors re-open within 3s, door force limited to 150N, car held stationary |
| H-004: Car levelling failure — car stops >±10mm from floor level | major | medium | SIL 1 | re-levelling active, car repositioned to ±5mm, doors remain closed until level |
| H-005: Power failure with passengers trapped — mains loss with car between floors | critical | low | SIL 2 | ARD battery drives car to nearest floor at reduced speed, doors open, intercom active |
| H-006: Hoistway flooding/fire exposure — water ingress or fire/smoke in hoistway | critical | low | SIL 2 | fire recall to designated floor, doors open, motor de-energised, pit sump pump active |
| H-007: Counterweight derailment — counterweight leaves rails during seismic event or structural failure | catastrophic | rare | SIL 3 | seismic mode activated, car stopped at nearest floor, mechanical brakes engaged, hoistway access locked |
| H-008: Drive EMI corrupts safety signals — VFD interference causes incorrect position or false safety status | critical | low | SIL 2 | safety controller detects signal discrepancy, emergency stop, car held at current position |

| Ref | SIL | Requirement | V&V |
|---|---|---|---|
| IFC-REQ-008 | SIL 3 | The interface between the Safety CPU and the Safety Output Actuator SHALL use dual independent hardwired digital outputs, both required to be de-energ... | Test |
| IFC-REQ-009 | SIL 3 | The interface between Motor Control Unit and Variable Frequency Drive SHALL transmit torque reference commands at 1 kHz via CAN bus at 1 Mbit/s with m... | Test |
| IFC-REQ-010 | SIL 3 | The interface between Rotary Encoder and Motor Control Unit SHALL deliver 2048 pulse/rev quadrature signals at 5V TTL with cable shielding such that t... | Test |
| IFC-REQ-011 | SIL 3 | The interface between Motor Control Unit and Safety Controller SHALL transmit drive fault status via dual-channel hardwired relay outputs (NC logic) a... | Test |
| IFC-REQ-012 | SIL 2 | The interface between Safety Controller and Electromagnetic Brake SHALL provide 24V DC dual-coil supply with independent switching circuits for each c... | Test |
| IFC-REQ-015 | SIL 2 | The interface between Door Control Unit and Door Motor Drive SHALL transmit velocity and torque reference commands at 200 Hz via CAN bus at 500 kbit/s... | Test |
| IFC-REQ-016 | SIL 2 | The interface between Multi-Ray Light Curtain and Door Control Unit SHALL use a hardwired dual-channel safety output (OSSD1 and OSSD2), de-energising ... | Test |
| IFC-REQ-017 | SIL 2 | The interface between Safety Edge Contact Strip and Door Control Unit SHALL use a hardwired normally-closed contact on an isolated 24 VDC input, with ... | Test |
| IFC-REQ-020 | SIL 2 | The interface between Door Control Unit and Safety Controller Subsystem SHALL transmit door state (OPEN, CLOSING, CLOSED, FAULT) and interlock status ... | Test |
| SUB-REQ-005 | SIL 2 | When the Seismic and Fire Interface receives a Phase I fire recall relay signal, the Safety Controller Subsystem SHALL command all cars to the designa... | Test |
| SUB-REQ-006 | SIL 2 | When the Seismic and Fire Interface receives a seismic P-wave event signal, the Safety Controller Subsystem SHALL initiate immediate car deceleration ... | Test |
| SUB-REQ-008 | SIL 3 | When the Safety CPU detects a discrepancy fault, watchdog timeout, or internal diagnostic failure, the Safety Controller Subsystem SHALL transition to... | Test |
| SUB-REQ-009 | SIL 3 | The Safety Controller Subsystem SHALL perform a power-on self-test (POST) covering dual-channel RAM/ROM integrity, encoder signal plausibility, safety... | Test |
| SUB-REQ-010 | SIL 3 | The Motor Control Unit SHALL regulate car velocity to track the commanded profile within ±0.05 m/s steady-state error and achieve stopping accuracy of... | Test |
| SUB-REQ-011 | SIL 3 | The Motor Control Unit SHALL generate velocity profiles with acceleration and jerk limited to ≤1.5 m/s² and ≤2.5 m/s³ respectively at all operating sp... | Test |
| SUB-REQ-013 | SIL 3 | When mains power fails, the Electromagnetic Brake SHALL engage within 150 ms of 24 V DC coil de-energisation and hold the car stationary against 150% ... | Test |
| SUB-REQ-017 | SIL 3 | The Electromagnetic Brake SHALL have dual independent coils such that failure of one coil does not reduce braking torque below 100% of motor rated tor... | Inspection |
| SUB-REQ-019 | SIL 2 | The UPS Module SHALL maintain 24V DC output for at least 30 minutes at full elevator safety load after mains failure, as required to complete emergenc... | Test |
| SUB-REQ-023 | SIL 2 | The Door Operator Subsystem SHALL limit door closing force to ≤150 N measured at the leading edge of the car door panel at all points during the closi... | Test |
| SUB-REQ-025 | SIL 2 | When a Fire Phase I Recall command is received from the Safety Controller, the Door Operator Subsystem SHALL complete the current door cycle within 3 ... | Demonstration |
| SUB-REQ-027 | SIL 2 | The Door Operator Subsystem SHALL control door panel velocity to a profile with maximum closing speed ≤0.3 m/s and shall decelerate to ≤0.1 m/s during... | Test |
| SUB-REQ-028 | SIL 2 | When the Door Control Unit detects a watchdog timeout, internal CPU fault, or loss of position encoder feedback, the Door Operator Subsystem SHALL de-... | Test |
| SUB-REQ-045 | SIL 2 | The Power Distribution Subsystem ARD battery bank SHALL provide energy capacity to sustain 3 complete rescue cycles per car at full rated load simulta... | Test |
| SUB-REQ-047 | SIL 2 | The Safety Controller Subsystem SHALL, upon receipt of a seismic P-wave trigger from the seismic detector, issue a deceleration command to each car to... | Test |
| SUB-REQ-048 | SIL 2 | The Safety Controller Subsystem and all safety-critical signal paths SHALL maintain operational integrity under radiated electromagnetic fields of 10 ... | Test |
| SYS-REQ-002 | SIL 1 | The Industrial Elevator Control System SHALL control car velocity to achieve acceleration ≤1.5 m/s², jerk ≤2.0 m/s³, and rated speed of 2.5 m/s, with ... | Test |
| SYS-REQ-006 | SIL 2 | When mains power fails, the Industrial Elevator Control System SHALL drive each car to the nearest landing at ≤0.15 m/s using ARD batteries, open door... | Test |
| SYS-REQ-007 | SIL 2 | When a fire alarm Phase I signal is received, the Industrial Elevator Control System SHALL cancel all pending calls and deliver all cars to the design... | Test |
| SYS-REQ-008 | SIL 3 | When a seismic P-wave is detected, the Industrial Elevator Control System SHALL decelerate all cars to the nearest floor within 10 seconds, open doors... | Test |
| SYS-REQ-011 | SIL 2 | The Industrial Elevator Control System SHALL reject electromagnetic interference from co-located VFDs and HVAC drives per EN 12016, maintaining safety... | Test |
| SYS-REQ-018 | SIL 2 | The Industrial Elevator Control System ARD batteries SHALL sustain at least 3 complete rescue cycles per car during mains failure, where one rescue cy... | Test |
| VER-REQ-005 | SIL 3 | Verify SUB-REQ-002 (overspeed): Drive car at rated speed; inject encoder signal to simulate 116% rated speed; measure time from encoder threshold cros... | Test |
| VER-REQ-006 | SIL 3 | Verify SUB-REQ-008 (safe state on fault): Inject a simulated Safety CPU dual-channel discrepancy; measure time to brake engagement and VFD inhibit. Pa... | Test |
| VER-REQ-007 | SIL 3 | Verify SUB-REQ-009 (power-on self-test): Apply power to the Safety Controller Subsystem and observe POST execution. Pass criterion: POST completes all... | Test |
| VER-REQ-012 | SIL 3 | Verify IFC-REQ-011: simulate ENCODER_FAULT on MCU while monitoring Safety Controller relay inputs; measure relay de-assertion time. Pass if relay open... | Test |
| VER-REQ-013 | SIL 3 | Verify SUB-REQ-012: inject synthetic encoder signal at 115.1% of rated speed via MCU test port; measure time from threshold crossing to OVERSPEED faul... | Test |
| VER-REQ-017 | SIL 2 | Verify SUB-REQ-023: apply calibrated load cell to car door leading edge during powered close cycle at rated supply voltage, reduced supply voltage (-1... | Test |
| VER-REQ-018 | SIL 2 | Verify SUB-REQ-024: during powered close cycle, interrupt light curtain beam at 50%, 75%, and 95% of closing travel; separately activate safety edge a... | Test |
| VER-REQ-019 | SIL 2 | Verify IFC-REQ-016: break beam of Multi-Ray Light Curtain and measure time from beam break to OSSD de-assertion at Door Control Unit input. Repeat for... | Test |
| VER-REQ-020 | SIL 2 | Verify IFC-REQ-020: with door in OPEN state, confirm car-movement-permitted relay is de-energised. Command door to CLOSE; confirm relay energises with... | Test |
| VER-REQ-021 | SIL 2 | Verify Door Operator end-to-end: command 1000 consecutive open-close cycles under rated load with 20% of cycles including a simulated obstruction even... | Test |
| VER-REQ-035 | SIL 3 | Verify SUB-REQ-051 (Safety Controller hot standby): inject a simulated primary channel failure while car is in motion, confirm secondary channel asser... | Test |
| VER-REQ-040 | SIL 3 | Verify SUB-REQ-004 (safety chain scan rate): With the safety chain circuit assembled and all safety devices closed, disable each safety device contact... | Test |
| VER-REQ-041 | SIL 3 | Verify SUB-REQ-010 (motor velocity control accuracy): With car loaded to rated capacity, command constant-speed runs at 25%, 50%, 75%, and 100% rated ... | Test |
| VER-REQ-042 | SIL 3 | Verify SUB-REQ-012 (MCU overspeed detection): Drive car at rated speed; inject encoder signal offset to simulate 116% of rated contract speed into the... | Test |
| VER-REQ-043 | SIL 3 | Verify SUB-REQ-013 (brake engagement under power failure): With car loaded to 150% rated capacity in up direction (worst-case backdrive load), disconn... | Test |
| VER-REQ-044 | SIL 2 | Verify SUB-REQ-018 (ATS mains-to-UPS transfer): With elevator in rated operation, reduce mains voltage to below 85% of nominal using a programmable po... | Test |
| VER-REQ-045 | SIL 2 | Verify SUB-REQ-019 (UPS 30-minute holdup): With UPS battery at 100% SoC and elevator controller operating at full safety system load (all relays energ... | Test |
| VER-REQ-046 | SIL 2 | Verify SUB-REQ-048 (EMC immunity of safety-critical paths): Subject Safety Controller Subsystem and all safety-critical signal cables to radiated elec... | Test |
| VER-REQ-048 | SIL 3 | Verify SUB-REQ-015 (encoder fault detection): With car in motion at rated speed, disconnect encoder signal cable to simulate encoder loss; separately ... | Test |
| VER-REQ-049 | SIL 2 | Verify Fire Service Phase II operation (EN 81-72): Insert firefighter key into Phase II switch on Car 1. Confirm: (a) car enters exclusive hold-to-run... | Test |
| VER-REQ-050 | SIL 2 | Verify Maintenance mode speed enforcement and car-top interlock: Insert maintenance key switch. Confirm car speed limited to 0.3 m/s in both direction... | Test |
Goal Structuring Notation per GSN Community Standard v3. Top goal decomposes into hazard mitigation sub-goals, each supported by SIL-allocated requirements and verification evidence.

```mermaid
flowchart TD
G0["<b>G0: Top Goal</b><br/>Industrial Elevator Control System is acceptably safe"]
S0{"<b>S0: Strategy</b><br/>Argument by hazard<br/>mitigation per IEC 61508"}
G0 --> S0
G1["<b>G1: H-001</b><br/>Uncontrolled car movement — car moves without valid command ...<br/>SIL 3"]
S0 --> G1
G2["<b>G2: H-002</b><br/>Overspeed in down direction — car exceeds rated speed due to...<br/>SIL 3"]
S0 --> G2
G3["<b>G3: H-003</b><br/>Door zone entrapment — passenger trapped between closing doo...<br/>SIL 2"]
S0 --> G3
G4["<b>G4: H-004</b><br/>Car levelling failure — car stops >±10mm from floor level<br/>SIL 1"]
S0 --> G4
Sn3_0(["<b>SYS-REQ-002</b>"])
G4 --> Sn3_0
Sn3_1(["<b>VER-REQ-046</b>"])
G4 --> Sn3_1
G5["<b>G5: H-005</b><br/>Power failure with passengers trapped — mains loss with car ...<br/>SIL 2"]
S0 --> G5
Sn4_0(["<b>SYS-REQ-006</b>"])
G5 --> Sn4_0
G6["<b>G6: H-006</b><br/>Hoistway flooding/fire exposure — water ingress or fire/smok...<br/>SIL 2"]
S0 --> G6
G7["<b>G7: H-007</b><br/>Counterweight derailment — counterweight leaves rails during...<br/>SIL 3"]
S0 --> G7
Sn6_0(["<b>SYS-REQ-008</b>"])
G7 --> Sn6_0
G8["<b>G8: H-008</b><br/>Drive EMI corrupts safety signals — VFD interference causes ...<br/>SIL 2"]
S0 --> G8
Sn7_0(["<b>SYS-REQ-011</b>"])
G8 --> Sn7_0
```

Machine-readable safety case structure. Import into GSN tools (Astah GSN, ASCE, NOR-STA).
```yaml
# GSN Safety Case — Industrial Elevator Control System
# Generated 2026-03-27
# Goal Structuring Notation (GSN) per GSN Community Standard v3
goals:
  G0:
    text: "Industrial Elevator Control System is acceptably safe"
    type: top-goal
    supported_by: [S0]
  G1:
    text: "H-001: Uncontrolled car movement — car moves without valid command due to contactor welding, drive fault, or logic failure"
    sil: 3
    safe_state: "motor de-energised, mechanical brake engaged, UCMP device activated"
    supported_by: []
    evidence: []
  G2:
    text: "H-002: Overspeed in down direction — car exceeds rated speed due to VFD/brake failure or rope slippage"
    sil: 3
    safe_state: "overspeed governor trips, progressive safety gear engages on car guide rails, car decelerates to stop"
    supported_by: []
    evidence: []
  G3:
    text: "H-003: Door zone entrapment — passenger trapped between closing doors or car/landing gap"
    sil: 2
    safe_state: "doors re-open within 3s, door force limited to 150N, car held stationary"
    supported_by: []
    evidence: []
  G4:
    text: "H-004: Car levelling failure — car stops >±10mm from floor level"
    sil: 1
    safe_state: "re-levelling active, car repositioned to ±5mm, doors remain closed until level"
    supported_by: [SYS-REQ-002, VER-REQ-046]
    evidence: [REQ-SEINDUSTRIALELEVATOR-008]
  G5:
    text: "H-005: Power failure with passengers trapped — mains loss with car between floors"
    sil: 2
    safe_state: "ARD battery drives car to nearest floor at reduced speed, doors open, intercom active"
    supported_by: [SYS-REQ-006]
    evidence: []
  G6:
    text: "H-006: Hoistway flooding/fire exposure — water ingress or fire/smoke in hoistway"
    sil: 2
    safe_state: "fire recall to designated floor, doors open, motor de-energised, pit sump pump active"
    supported_by: []
    evidence: []
  G7:
    text: "H-007: Counterweight derailment — counterweight leaves rails during seismic event or structural failure"
    sil: 3
    safe_state: "seismic mode activated, car stopped at nearest floor, mechanical brakes engaged, hoistway access locked"
    supported_by: [SYS-REQ-008]
    evidence: []
  G8:
    text: "H-008: Drive EMI corrupts safety signals — VFD interference causes incorrect position or false safety status"
    sil: 2
    safe_state: "safety controller detects signal discrepancy, emergency stop, car held at current position"
    supported_by: [SYS-REQ-011]
    evidence: []
strategies:
  S0:
    text: "Argument by hazard mitigation per IEC 61508"
    supported_by: [G1, G2, G3, G4, G5, G6, G7, G8]
solutions:
  IFC-REQ-008:
    text: "The interface between the Safety CPU and the Safety Output Actuator SHALL use dual independent hardwired digital outputs"
    verification: Test
    sil: 3
  IFC-REQ-009:
    text: "The interface between Motor Control Unit and Variable Frequency Drive SHALL transmit torque reference commands at 1 kHz "
    verification: Test
    sil: 3
  IFC-REQ-010:
    text: "The interface between Rotary Encoder and Motor Control Unit SHALL deliver 2048 pulse/rev quadrature signals at 5V TTL wi"
    verification: Test
    sil: 3
  IFC-REQ-011:
    text: "The interface between Motor Control Unit and Safety Controller SHALL transmit drive fault status via dual-channel hardwi"
    verification: Test
    sil: 3
  IFC-REQ-012:
    text: "The interface between Safety Controller and Electromagnetic Brake SHALL provide 24V DC dual-coil supply with independent"
    verification: Test
    sil: 2
  IFC-REQ-015:
    text: "The interface between Door Control Unit and Door Motor Drive SHALL transmit velocity and torque reference commands at 20"
    verification: Test
    sil: 2
  IFC-REQ-016:
    text: "The interface between Multi-Ray Light Curtain and Door Control Unit SHALL use a hardwired dual-channel safety output (OS"
    verification: Test
    sil: 2
  IFC-REQ-017:
    text: "The interface between Safety Edge Contact Strip and Door Control Unit SHALL use a hardwired normally-closed contact on a"
    verification: Test
    sil: 2
  IFC-REQ-020:
    text: "The interface between Door Control Unit and Safety Controller Subsystem SHALL transmit door state (OPEN, CLOSING, CLOSED"
    verification: Test
    sil: 2
  SUB-REQ-005:
    text: "When the Seismic and Fire Interface receives a Phase I fire recall relay signal, the Safety Controller Subsystem SHALL c"
    verification: Test
    sil: 2
  SUB-REQ-006:
    text: "When the Seismic and Fire Interface receives a seismic P-wave event signal, the Safety Controller Subsystem SHALL initia"
    verification: Test
    sil: 2
  SUB-REQ-008:
    text: "When the Safety CPU detects a discrepancy fault, watchdog timeout, or internal diagnostic failure, the Safety Controller"
    verification: Test
    sil: 3
  SUB-REQ-009:
    text: "The Safety Controller Subsystem SHALL perform a power-on self-test (POST) covering dual-channel RAM/ROM integrity, encod"
    verification: Test
    sil: 3
  SUB-REQ-010:
    text: "The Motor Control Unit SHALL regulate car velocity to track the commanded profile within ±0.05 m/s steady-state error an"
    verification: Test
    sil: 3
  SUB-REQ-011:
    text: "The Motor Control Unit SHALL generate velocity profiles with acceleration and jerk limited to ≤1.5 m/s² and ≤2.5 m/s³ re"
    verification: Test
    sil: 3
  SUB-REQ-013:
    text: "When mains power fails, the Electromagnetic Brake SHALL engage within 150 ms of 24 V DC coil de-energisation and hold th"
    verification: Test
    sil: 3
  SUB-REQ-017:
    text: "The Electromagnetic Brake SHALL have dual independent coils such that failure of one coil does not reduce braking torque"
    verification: Inspection
    sil: 3
  SUB-REQ-019:
    text: "The UPS Module SHALL maintain 24V DC output for at least 30 minutes at full elevator safety load after mains failure, as"
    verification: Test
    sil: 2
  SUB-REQ-023:
    text: "The Door Operator Subsystem SHALL limit door closing force to ≤150 N measured at the leading edge of the car door panel "
    verification: Test
    sil: 2
  SUB-REQ-025:
    text: "When a Fire Phase I Recall command is received from the Safety Controller, the Door Operator Subsystem SHALL complete th"
    verification: Demonstration
    sil: 2
  SUB-REQ-027:
    text: "The Door Operator Subsystem SHALL control door panel velocity to a profile with maximum closing speed ≤0.3 m/s and shall"
    verification: Test
    sil: 2
  SUB-REQ-028:
    text: "When the Door Control Unit detects a watchdog timeout, internal CPU fault, or loss of position encoder feedback, the Doo"
    verification: Test
    sil: 2
  SUB-REQ-045:
    text: "The Power Distribution Subsystem ARD battery bank SHALL provide energy capacity to sustain 3 complete rescue cycles per "
    verification: Test
    sil: 2
  SUB-REQ-047:
    text: "The Safety Controller Subsystem SHALL, upon receipt of a seismic P-wave trigger from the seismic detector, issue a decel"
    verification: Test
    sil: 2
  SUB-REQ-048:
    text: "The Safety Controller Subsystem and all safety-critical signal paths SHALL maintain operational integrity under radiated"
    verification: Test
    sil: 2
  SYS-REQ-002:
    text: "The Industrial Elevator Control System SHALL control car velocity to achieve acceleration ≤1.5 m/s², jerk ≤2.0 m/s³, and"
    verification: Test
    sil: 1
  SYS-REQ-006:
    text: "When mains power fails, the Industrial Elevator Control System SHALL drive each car to the nearest landing at ≤0.15 m/s "
    verification: Test
    sil: 2
  SYS-REQ-007:
    text: "When a fire alarm Phase I signal is received, the Industrial Elevator Control System SHALL cancel all pending calls and "
    verification: Test
    sil: 2
  SYS-REQ-008:
    text: "When a seismic P-wave is detected, the Industrial Elevator Control System SHALL decelerate all cars to the nearest floor"
    verification: Test
    sil: 3
  SYS-REQ-011:
    text: "The Industrial Elevator Control System SHALL reject electromagnetic interference from co-located VFDs and HVAC drives pe"
    verification: Test
    sil: 2
  SYS-REQ-018:
    text: "The Industrial Elevator Control System ARD batteries SHALL sustain at least 3 complete rescue cycles per car during main"
    verification: Test
    sil: 2
  VER-REQ-005:
    text: "Verify SUB-REQ-002 (overspeed): Drive car at rated speed; inject encoder signal to simulate 116% rated speed; measure ti"
    verification: Test
    sil: 3
  VER-REQ-006:
    text: "Verify SUB-REQ-008 (safe state on fault): Inject a simulated Safety CPU dual-channel discrepancy; measure time to brake "
    verification: Test
    sil: 3
  VER-REQ-007:
    text: "Verify SUB-REQ-009 (power-on self-test): Apply power to the Safety Controller Subsystem and observe POST execution. Pass"
    verification: Test
    sil: 3
  VER-REQ-012:
    text: "Verify IFC-REQ-011: simulate ENCODER_FAULT on MCU while monitoring Safety Controller relay inputs; measure relay de-asse"
    verification: Test
    sil: 3
  VER-REQ-013:
    text: "Verify SUB-REQ-012: inject synthetic encoder signal at 115.1% of rated speed via MCU test port; measure time from thresh"
    verification: Test
    sil: 3
  VER-REQ-017:
    text: "Verify SUB-REQ-023: apply calibrated load cell to car door leading edge during powered close cycle at rated supply volta"
    verification: Test
    sil: 2
  VER-REQ-018:
    text: "Verify SUB-REQ-024: during powered close cycle, interrupt light curtain beam at 50%, 75%, and 95% of closing travel; sep"
    verification: Test
    sil: 2
  VER-REQ-019:
    text: "Verify IFC-REQ-016: break beam of Multi-Ray Light Curtain and measure time from beam break to OSSD de-assertion at Door "
    verification: Test
    sil: 2
  VER-REQ-020:
    text: "Verify IFC-REQ-020: with door in OPEN state, confirm car-movement-permitted relay is de-energised. Command door to CLOSE"
    verification: Test
    sil: 2
  VER-REQ-021:
    text: "Verify Door Operator end-to-end: command 1000 consecutive open-close cycles under rated load with 20% of cycles includin"
    verification: Test
    sil: 2
  VER-REQ-035:
    text: "Verify SUB-REQ-051 (Safety Controller hot standby): inject a simulated primary channel failure while car is in motion, c"
    verification: Test
    sil: 3
  VER-REQ-040:
    text: "Verify SUB-REQ-004 (safety chain scan rate): With the safety chain circuit assembled and all safety devices closed, disa"
    verification: Test
    sil: 3
  VER-REQ-041:
    text: "Verify SUB-REQ-010 (motor velocity control accuracy): With car loaded to rated capacity, command constant-speed runs at "
    verification: Test
    sil: 3
  VER-REQ-042:
    text: "Verify SUB-REQ-012 (MCU overspeed detection): Drive car at rated speed; inject encoder signal offset to simulate 116% of"
    verification: Test
    sil: 3
  VER-REQ-043:
    text: "Verify SUB-REQ-013 (brake engagement under power failure): With car loaded to 150% rated capacity in up direction (worst"
    verification: Test
    sil: 3
  VER-REQ-044:
    text: "Verify SUB-REQ-018 (ATS mains-to-UPS transfer): With elevator in rated operation, reduce mains voltage to below 85% of n"
    verification: Test
    sil: 2
  VER-REQ-045:
    text: "Verify SUB-REQ-019 (UPS 30-minute holdup): With UPS battery at 100% SoC and elevator controller operating at full safety"
    verification: Test
    sil: 2
  VER-REQ-046:
    text: "Verify SUB-REQ-048 (EMC immunity of safety-critical paths): Subject Safety Controller Subsystem and all safety-critical "
    verification: Test
    sil: 2
  VER-REQ-048:
    text: "Verify SUB-REQ-015 (encoder fault detection): With car in motion at rated speed, disconnect encoder signal cable to simu"
    verification: Test
    sil: 3
  VER-REQ-049:
    text: "Verify Fire Service Phase II operation (EN 81-72): Insert firefighter key into Phase II switch on Car 1. Confirm: (a) ca"
    verification: Test
    sil: 2
  VER-REQ-050:
    text: "Verify Maintenance mode speed enforcement and car-top interlock: Insert maintenance key switch. Confirm car speed limite"
    verification: Test
    sil: 2
```
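Added example, not part of the generated report or of any GSN tool: a Python traceability check over a safety case of the shape above. It runs on a constructed subset of the page's goals and solutions (identifiers and SILs copied from the report, texts shortened) and flags hazard goals with no supporting solution, references to identifiers the case never defines (including "Verify X" targets), and supporting solutions whose SIL is below the goal they support.

```python
"""Traceability checks for a GSN safety case (goals -> solutions)."""
import re
from typing import Dict, List, Tuple

# Constructed subset of the report's GSN structure. Goals G1..G8 carry the
# SIL from the hazard table and the supported_by / evidence lists as given.
GOALS: Dict[str, dict] = {
    "G1": {"sil": 3, "supported_by": [], "evidence": []},
    "G2": {"sil": 3, "supported_by": [], "evidence": []},
    "G3": {"sil": 2, "supported_by": [], "evidence": []},
    "G4": {"sil": 1, "supported_by": ["SYS-REQ-002", "VER-REQ-046"],
           "evidence": ["REQ-SEINDUSTRIALELEVATOR-008"]},
    "G5": {"sil": 2, "supported_by": ["SYS-REQ-006"], "evidence": []},
    "G6": {"sil": 2, "supported_by": [], "evidence": []},
    "G7": {"sil": 3, "supported_by": ["SYS-REQ-008"], "evidence": []},
    "G8": {"sil": 2, "supported_by": ["SYS-REQ-011"], "evidence": []},
}

# Solutions referenced above plus two verification items; texts shortened.
SOLUTIONS: Dict[str, dict] = {
    "SYS-REQ-002": {"sil": 1, "text": "...SHALL control car velocity..."},
    "SYS-REQ-006": {"sil": 2, "text": "When mains power fails, ...drive each car to the nearest landing..."},
    "SYS-REQ-008": {"sil": 3, "text": "When a seismic P-wave is detected, ...decelerate all cars..."},
    "SYS-REQ-011": {"sil": 2, "text": "...SHALL reject electromagnetic interference..."},
    "SUB-REQ-048": {"sil": 2, "text": "...maintain operational integrity under radiated..."},
    "VER-REQ-005": {"sil": 3, "text": "Verify SUB-REQ-002 (overspeed): Drive car at rated speed; ..."},
    "VER-REQ-046": {"sil": 2, "text": "Verify SUB-REQ-048 (EMC immunity of safety-critical paths): ..."},
}

# A verification item names the requirement it verifies in its text.
VERIFY_REF = re.compile(r"\bVerify\s+((?:SYS|SUB|IFC)-REQ-\d{3})")


def check_safety_case(goals: Dict[str, dict],
                      solutions: Dict[str, dict]) -> Dict[str, List[Tuple]]:
    """Return traceability findings keyed by finding type."""
    findings: Dict[str, List[Tuple]] = {
        "unsupported": [],        # goal has no supporting solution at all
        "undefined_ref": [],      # supported_by / evidence id never defined
        "sil_shortfall": [],      # solution SIL lower than the goal's SIL
        "verify_target_missing": [],  # "Verify X" where X is not a solution
    }
    for gid, goal in goals.items():
        if not goal["supported_by"]:
            findings["unsupported"].append((gid, goal["sil"]))
        for sid in goal["supported_by"]:
            sol = solutions.get(sid)
            if sol is None:
                findings["undefined_ref"].append((gid, sid))
            elif sol["sil"] < goal["sil"]:
                findings["sil_shortfall"].append((gid, sid, sol["sil"], goal["sil"]))
        for eid in goal["evidence"]:
            if eid not in solutions:
                findings["undefined_ref"].append((gid, eid))
    for sid, sol in solutions.items():
        for target in VERIFY_REF.findall(sol["text"]):
            if target not in solutions:
                findings["verify_target_missing"].append((sid, target))
    return findings


if __name__ == "__main__":
    for kind, items in check_safety_case(GOALS, SOLUTIONS).items():
        print(f"{kind}: {items if items else 'none'}")
```

On this subset the check reports four hazard goals with no supporting solution (two of them SIL 3), one evidence identifier the case never defines, and one verification item whose target requirement is absent from the solutions list.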