System Requirements Specification (SyRS) — ISO/IEC/IEEE 15289 — Specification | IEEE 29148 §6.2–6.4
Generated 2026-03-27 — UHT Journal / universalhex.org

| Standard | Title |
|---|---|
| BS 1.1 | — |
| EN 12015 | Electromagnetic compatibility — Emission standard for lifts, escalators and moving walks |
| EN 12015/12016 | Electromagnetic compatibility — Emission (EN 12015) and immunity (EN 12016) standards for lifts, escalators and moving walks |
| EN 12016 | Electromagnetic compatibility — Immunity standard for lifts, escalators and moving walks |
| EN 61810-3 | Electromechanical elementary relays — Part 3: Relays with forcibly guided (mechanically linked) contacts |
| EN 81-20 | Safety rules for the construction and installation of lifts — Passenger and goods passenger lifts |
| EN 81-28 | Remote alarm on passenger and goods passenger lifts |
| EN 81-50 | Design rules, calculations, examinations and tests of lift components |
| EN 81-70 | Accessibility to lifts for persons including persons with disability |
| EN 81-72 | Firefighters lifts |
| EN 81-73 | Behaviour of lifts in the event of fire |
| EN 81-77 | Lifts subject to seismic conditions |
| EN 81-80 | Rules for the improvement of safety of existing passenger and goods passenger lifts |
| IEC 60364 | Low-voltage electrical installations |
| IEC 60529 | Degrees of protection provided by enclosures (IP Code) |
| IEC 60896-11 | Stationary lead-acid batteries — Part 11: Vented types — General requirements and methods of tests |
| IEC 60950 | Information technology equipment — Safety (superseded by IEC 62368-1) |
| IEC 61000-4-3 | Electromagnetic compatibility — Radiated, radio-frequency, electromagnetic field immunity test |
| IEC 61000-4-3/4-6 | Electromagnetic compatibility — Radiated (IEC 61000-4-3) and conducted (IEC 61000-4-6) radio-frequency immunity tests |
| IEC 61000-4-6 | Electromagnetic compatibility — Immunity to conducted disturbances, induced by radio-frequency fields |
| IEC 61010-1 | Safety requirements for electrical equipment for measurement, control and laboratory use — Part 1: General requirements |
| IEC 61439 | Low-voltage switchgear and controlgear assemblies |
| IEC 61439-1 | Low-voltage switchgear and controlgear assemblies — Part 1: General rules |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61508-2 | Functional safety — Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems |
| IEC 61508-3 | Functional safety — Part 3: Software requirements |
| IEC 61800-3 | Adjustable speed electrical power drive systems — Part 3: EMC requirements and specific test methods |
| IEC 61800-5-2 | Adjustable speed electrical power drive systems — Safety requirements — Functional |
| IEC 62061 | Safety of machinery — Functional safety of safety-related control systems |
| IEC 62133 | Secondary cells and batteries containing alkaline or other non-acid electrolytes — Safety requirements for portable sealed secondary cells, and for batteries made from them, for use in portable applications |
| ISO 13849-1 | Safety of machinery — Safety-related parts of control systems — General principles for design |
| ISO 25745 | Energy performance of lifts, escalators and moving walks (series) |
| ISO 25745-2 | Energy performance of lifts, escalators and moving walks — Energy calculation and classification for lifts |
| ISO 4190-5 | Lift installation — Part 5: Control devices, signals and additional fittings |

| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| ASC | Advanced Application Specific Controller |
| BC | Building Controller |
| CCCS | Completeness, Consistency, Correctness, Stability |
| EARS | Easy Approach to Requirements Syntax |
| IFC | Interface Requirements |
| MCU | Motor Control Unit |
| OSSD | Output Signal Switching Device |
| PICS | Protocol Implementation Conformance Statement |
| SFF | Safe Failure Fraction |
| STK | Stakeholder Requirements |
| STO | Safe Torque Off |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-REQ-001 | The Industrial Elevator Control System SHALL provide a maximum average waiting time of 30 seconds during peak traffic periods for hall calls at any floor. Rationale: Building Occupant, Morning Rush scenario: 200+ workers arriving 07:30-09:00 require group dispatch to maintain <30s wait. Exceeding this causes lobby congestion and occupant dissatisfaction in commercial buildings. | Test | stakeholder, stk-passenger, session-436, idempotency:stk-passenger-wait-time-436 |
| STK-REQ-002 | The Industrial Elevator Control System SHALL provide ride comfort with acceleration ≤1.5 m/s², jerk ≤2.0 m/s³, and floor levelling accuracy within ±5 mm of landing sill. Rationale: Building Occupant, all operational scenarios: passengers expect smooth acceleration profiles and precise levelling for safe boarding. H-004 (levelling failure) derives from poor levelling causing trip hazards. | Test | stakeholder, stk-passenger, session-436, idempotency:stk-passenger-ride-comfort-436 |
| STK-REQ-003 | The Industrial Elevator Control System SHALL provide accessible operation for mobility-impaired users in compliance with EN 81-70, including tactile buttons, audible announcements, and minimum 1100 mm car door opening. Rationale: Building Occupant (mobility-impaired), Power Failure scenario: wheelchair user at floor 18 requires ARD to bring car to safe landing. EN 81-70 mandates accessibility features. Lifts Directive 2014/33/EU requires compliance. | Inspection | stakeholder, stk-passenger, accessibility, session-436, idempotency:stk-passenger-accessibility-436 |
| STK-REQ-004 | The Industrial Elevator Control System SHALL provide exclusive hoistway access mode with all interlocks active, preventing car movement from group dispatch while a maintenance technician is working on the car top or in the pit. Rationale: Maintenance Technician, Quarterly Maintenance scenario: technician riding car top at 0.3 m/s inspecting rails and ropes. Loss of exclusive access would expose technician to crushing hazard from adjacent car or unexpected car movement. | Test | stakeholder, stk-technician, session-436, idempotency:stk-technician-access-436 |
| STK-REQ-005 | The Industrial Elevator Control System SHALL provide maintenance mode with car top and machine room inspection controls operating at ≤0.3 m/s, enabling inspection of the full shaft height within the 2-4 hour per-car maintenance window. Rationale: Maintenance Technician, Quarterly Maintenance scenario: EN 81-20 requires inspection speed ≤0.3 m/s for car-top inspection. Technician must traverse full shaft to inspect rails, ropes, doors, safety gear, and governor tension. | Test | stakeholder, stk-technician, session-436, idempotency:stk-technician-maintenance-mode-436 |
| STK-REQ-006 | The Industrial Elevator Control System SHALL provide real-time status reporting to the Building Management System including car position, fault codes, energy consumption, and operating mode at ≥1 Hz update rate. Rationale: Facility Manager, all scenarios: BMS notifications trigger technician dispatch (45min ETA in Single Car Failure scenario). Without real-time status, facility manager cannot coordinate maintenance rotation or emergency response. | Test | stakeholder, stk-facility-manager, session-436, idempotency:stk-facility-bms-status-436 |
| STK-REQ-007 | The Industrial Elevator Control System SHALL allow the facility manager to configure traffic patterns, floor lockouts, VIP priority assignments, and maintenance schedules via the BMS interface without requiring controller software modification. Rationale: Facility Manager, Morning Rush and Single Car Failure scenarios: operator must adjust dispatch behaviour for peak periods and redirect passengers when cars are out of service. Configuration changes must not require OEM intervention to control operating costs. | Demonstration | stakeholder, stk-facility-manager, session-436, idempotency:stk-facility-config-436 |
| STK-REQ-008 | When a fire alarm Phase I signal is received, the Industrial Elevator Control System SHALL cancel all car and hall calls and return all cars non-stop to the designated landing with doors open within 60 seconds. Rationale: Fire Service, Fire Alarm Recall scenario: all cars must recall to ground floor for evacuation. Car 3 above fire floor must stop at floor 11 for passenger evacuation before continuing to ground. EN 81-72 mandates Phase I recall behaviour. | Test | stakeholder, stk-fire-service, session-436, idempotency:stk-fire-recall-436 |
| STK-REQ-009 | When a firefighter key is inserted and turned, the Industrial Elevator Control System SHALL provide exclusive manual hold-to-run control of a single car with door override capability, disabling all automatic dispatch and group functions for that car. Rationale: Fire Service, Fire Alarm Recall scenario: Phase II firefighter control per EN 81-72 and ASME A17.1. Firefighter needs exclusive control to reach fire floor, hold-to-run prevents unintended movement, door override allows venting or access. | Test | stakeholder, stk-fire-service, session-436, idempotency:stk-fire-phase2-436 |
| STK-REQ-010 | The Industrial Elevator Control System SHALL maintain complete test records, fault logs, and modification history accessible to regulatory inspectors in compliance with EN 81-20 Annex A, retaining records for a minimum of 10 years. Rationale: Regulatory Inspector: annual statutory inspections require brake torque records, ARD test results, safety circuit verification, and modification history. Inspector authority to condemn installation requires auditable evidence trail. | Inspection | stakeholder, stk-inspector, session-436, idempotency:stk-inspector-records-436 |
| STK-REQ-011 | The Industrial Elevator Control System SHALL comply with EN 81-20, EN 81-50, EN 81-70, EN 81-72, EN 81-77, and the EU Lifts Directive 2014/33/EU, and SHALL be certifiable to IEC 61508 SIL 3 for safety-critical functions. Rationale: Regulatory Inspector and OEM: H-001 (uncontrolled movement) and H-002 (overspeed) both rated SIL 3 require the safety controller to meet IEC 61508 SIL 3 systematic capability. Non-compliance blocks market access in EU and condemns the installation. | Analysis | stakeholder, stk-inspector, regulatory, session-436, idempotency:stk-inspector-compliance-436 |
| STK-REQ-012 | The Industrial Elevator Control System SHALL use a modular controller architecture supporting component replacement and software updates over a 20-25 year service life without requiring full system replacement. Rationale: OEM/System Integrator: elevator controllers have 20-25 year lifecycles. Discrete subsystems (drive, safety controller, dispatch) must be independently upgradeable. Non-modular designs force premature full-system replacement at 5-10x cost. | Analysis | stakeholder, stk-oem, session-436, idempotency:stk-oem-modular-436 |
| STK-REQ-013 | The Industrial Elevator Control System SHALL operate within the environmental envelope of 0-50°C hoistway ambient, ≤40°C machine room, 5-95% RH non-condensing, and withstand EMI from co-located VFD and HVAC drives per EN 12016 (10 V/m radiated immunity). Rationale: Environment as stakeholder: thermal and EMC constraints from industrial building environment. H-008 (drive EMI corrupting safety signals) is SIL 2 — safety controller must reject interference. EN 12015/12016 mandatory for CE marking. | Test | stakeholder, stk-environment, session-436, idempotency:stk-environment-envelope-436 |
| STK-REQ-014 | The Industrial Elevator Control System SHALL operate from 3-phase 400 VAC/50 Hz supply with UPS sustaining the controller for a minimum of 30 minutes and ARD batteries providing at least 3 rescue cycles per car during mains failure. Rationale: Environment as stakeholder, Power Failure scenario: UPS sustains controller for battery-powered car movement to nearest landing. H-005 (passengers trapped during power failure) rated SIL 2 requires defined ARD capacity. IEC 60364 grounding required. | Test | stakeholder, stk-environment, power, session-436, idempotency:stk-environment-power-436 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-REQ-001 | The Industrial Elevator Control System SHALL implement group dispatch that achieves ≤30 s average waiting time with 4 cars serving 20 floors at 150% rated load during up-peak traffic of ≥200 passengers per 5-minute interval. Rationale: Derives from STK-REQ-001 (passenger wait time). 200 passengers/5min is the morning rush peak from ConOps. 4-car group with 150% rated load is the design configuration. Failure to meet this causes lobby congestion and occupant complaints. | Test | system, dispatch, session-436, idempotency:sys-group-dispatch-436 |
| SYS-REQ-002 | The Industrial Elevator Control System SHALL control car velocity to achieve acceleration ≤1.5 m/s², jerk ≤2.0 m/s³, and rated speed of 2.5 m/s, with floor-level positioning accuracy of ±5 mm maintained by closed-loop position control. Rationale: Derives from STK-REQ-002 (ride comfort). ±5 mm levelling prevents trip hazards (H-004, SIL 1). 2.5 m/s rated speed enables 20-floor traverse within acceptable transit time. Jerk limit prevents passenger discomfort and load shifting. | Test | system, motion, sil-1, session-436, idempotency:sys-motion-control-436 |
| SYS-REQ-003 | The Industrial Elevator Control System safety controller SHALL detect overspeed conditions exceeding 115% of rated speed and initiate progressive safety gear engagement within 200 ms, achieving SIL 3 per IEC 61508. Rationale: H-002 (overspeed in down direction), SIL 3. EN 81-20 mandates overspeed governor with progressive safety gear. 115% threshold from EN 81-20 Table 7. 200 ms response ensures deceleration within shaft overrun distance. | Test | rt-sil-gap, red-team-session-460 |
| SYS-REQ-004 | The Industrial Elevator Control System safety controller SHALL detect uncontrolled car movement exceeding 200 mm from floor level with doors open and engage the UCMP device within 300 ms, achieving SIL 3 per IEC 61508. Rationale: H-001 (uncontrolled movement), SIL 3. UCMP per EN 81-20:2014 Clause 5.6.7.2. 200 mm threshold prevents passenger fall-through. Contactor welding or drive fault is the root cause — safety controller must be independent of main controller. | Test | rt-sil-gap, red-team-session-460 |
| SYS-REQ-005 | The Industrial Elevator Control System SHALL monitor door closing force not to exceed 150 N and re-open doors within 3 seconds when an obstruction is detected in the door zone, achieving SIL 2 per IEC 61508. Rationale: H-003 (door zone entrapment), SIL 2. EN 81-20 Clause 5.3.6 mandates 150 N max force. 3-second re-open prevents passenger injury. Light curtain and force sensor provide redundant detection. | Test | rt-sil-gap, red-team-session-460 |
| SYS-REQ-006 | When mains power fails, the Industrial Elevator Control System SHALL drive each car to the nearest landing at ≤0.15 m/s using ARD batteries, open doors, and activate emergency lighting within 30 seconds of power loss, achieving SIL 2. Rationale: H-005 (passengers trapped during power failure), SIL 2. Power Failure scenario: wheelchair user at floor 18 must reach landing. 0.15 m/s from ConOps. 30s limit ensures entrapment does not exceed EN 81-28 alarm trigger threshold. | Test | system, safety, sil-2, power, session-436, idempotency:sys-ard-rescue-436 |
| SYS-REQ-007 | When a fire alarm Phase I signal is received, the Industrial Elevator Control System SHALL cancel all pending calls and deliver all cars to the designated landing within 60 seconds with doors open, per EN 81-72. Rationale: Derives from STK-REQ-008 (fire recall). Fire Alarm scenario: 60s budget accounts for car at highest floor plus door operations. Floor lock-out of fire floor prevents cars stopping at hazard. Car above fire floor stops one below for evacuation first. | Test | system, fire, sil-2, session-436, idempotency:sys-fire-recall-436 |
| SYS-REQ-008 | When a seismic P-wave is detected, the Industrial Elevator Control System SHALL decelerate all cars to the nearest floor within 10 seconds, open doors, and maintain safe-hold state for 60 seconds after the last trigger, per EN 81-77. Rationale: H-007 (counterweight derailment), SIL 3 during active seismic event. Seismic scenario: P-wave detection gives 5-10s before S-wave arrival. 60s hold timer from ConOps. Post-event: low-speed inspection trip (0.3 m/s) required before normal service. | Test | system, safety, sil-3, seismic, session-436, idempotency:sys-seismic-response-436 |
| SYS-REQ-009 | When one car in the group reports a non-safety-critical fault, the Industrial Elevator Control System SHALL remove that car from group dispatch and rebalance remaining cars to maintain ≤50 s average waiting time with N-1 cars. Rationale: Derives from STK-REQ-001 and STK-REQ-006. Single Car Failure scenario: 3 remaining cars must rebalance, wait time rises to 45-50s. Degraded performance threshold must be explicit for BMS alerting. | Test | system, dispatch, degraded, session-436, idempotency:sys-degraded-dispatch-436 |
| SYS-REQ-010 | The Industrial Elevator Control System SHALL provide a BACnet/IP interface to the Building Management System with ≥1 Hz status updates, supporting bidirectional command/status exchange per BACnet B-ASC device profile. Rationale: Derives from STK-REQ-006 (BMS status). BACnet/IP from external interface definition. 1 Hz from ConOps. B-ASC profile provides standard object model for elevator status (position, faults, energy, mode). | Test | system, interface, bms, session-436, idempotency:sys-bms-interface-436 |
| SYS-REQ-011 | The Industrial Elevator Control System SHALL reject electromagnetic interference from co-located VFDs and HVAC drives per EN 12016, maintaining safety signal integrity with no spurious safety trips at 10 V/m radiated immunity, achieving SIL 2 for safety signal paths. Rationale: H-008 (drive EMI corrupts safety signals), SIL 2. EMC constraint from concept phase. Safety controller must detect signal discrepancy caused by EMI rather than acting on corrupted data. Shielded cabling mandatory for safety circuits. | Test | system, safety, sil-2, emc, session-436, idempotency:sys-emi-immunity-436 |
| SYS-REQ-012 | The Industrial Elevator Control System SHALL achieve ≥99.5% availability measured over a rolling 12-month period, with mean time between failures ≥5000 hours for the complete system excluding scheduled maintenance windows. Rationale: Derives from mission statement (>99.5% uptime). MTBF target derived from 4-car group: single car MTBF ≥1250h allows N-1 degraded operation within the 99.5% system availability budget. | Analysis | system, reliability, session-436, idempotency:sys-availability-436 |
| SYS-REQ-013 | The Industrial Elevator Control System SHALL log all safety events, fault codes, maintenance actions, and parameter changes with timestamps, retaining logs for ≥10 years in non-volatile storage accessible to regulatory inspectors. Rationale: Derives from STK-REQ-010 (test records). EN 81-20 Annex A requires comprehensive event logging. 10-year retention covers two statutory inspection cycles and typical liability periods. | Inspection | system, logging, session-436, idempotency:sys-event-logging-436 |
| SYS-REQ-016 | The Industrial Elevator Control System SHALL comply with EU Lifts Directive 2014/33/EU, demonstrate conformity via the applicable conformity assessment route (Annex IV, VI, VII, or VIII), and carry CE marking prior to placing on the market, with a Declaration of Conformity maintained throughout the product lifecycle. Rationale: EU Lifts Directive 2014/33/EU is the mandatory legal framework for lifts placed on the EU market. STK-REQ-011 requires compliance with 2014/33/EU as a non-negotiable regulatory constraint — failure to achieve CE marking makes the system unsaleable in the EU. The conformity assessment route is specified to avoid ambiguity about which Notified Body approval path applies. | Inspection | system, compliance, regulatory, session-443, idempotency:sys-lifts-directive-compliance-443 |
| SYS-REQ-017 | The Industrial Elevator Control System SHALL report to the Building Management System the following status data items at a minimum update rate of 1 Hz: car position (floor and direction), fault codes (ISO 4190-5 format), real-time energy consumption per car (kWh ±2%), and current operating mode (standard-operation, independent-service, fire-recall, out-of-service). Rationale: STK-REQ-006 specifies four distinct data items (position, fault codes, energy consumption, operating mode) that the BMS requires for building automation integration and energy reporting compliance. SYS-REQ-010 establishes the BACnet/IP transport at 1 Hz; this requirement defines the payload content to ensure all four stakeholder-required data types are transmitted. Energy reporting at ±2% is required for EU Energy Performance of Buildings Directive compliance for lifts in Class A commercial buildings. | Test | system, interface, bms, session-443, idempotency:sys-bms-status-data-items-443 |
| SYS-REQ-018 | The Industrial Elevator Control System ARD batteries SHALL sustain at least 3 complete rescue cycles per car during mains failure, where one rescue cycle is defined as driving a fully loaded car from any floor to the nearest landing at ≤0.15 m/s with doors operated, after which the battery SHALL recover to ≥90% capacity within 8 hours of mains restoration. Rationale: STK-REQ-014 requires 3 rescue cycles per car, which is the benchmark in EN 81-20 Annex D for ARD energy storage. SYS-REQ-006 only specifies that cars reach the nearest landing; it does not bound the number of sequential operations available in a blackout event. Three cycles covers worst-case: power fails during consecutive trip cycles before all cars complete rescue. The 8-hour recovery specification aligns with a standard work-shift interval to ensure the system is ready for the next workday. | Test | system, safety, power, ard, sil-2, session-443, idempotency:sys-ard-rescue-cycles-443 |

| Source | Target | Type | Description |
|---|---|---|---|
| STK-REQ-014 | SYS-REQ-018 | derives | ARD rescue cycle count derived from maintenance stakeholder power-resilience requirement |
| STK-REQ-006 | SYS-REQ-017 | derives | BMS status data item requirement derived from facility manager stakeholder need |
| STK-REQ-011 | SYS-REQ-016 | derives | EU Lifts Directive compliance derived from regulatory requirement |
| STK-REQ-001 | SYS-REQ-012 | derives | Passenger wait time drives availability target |
| STK-REQ-012 | SYS-REQ-012 | derives | Modular architecture drives availability target |
| STK-REQ-009 | SYS-REQ-007 | derives | Phase II firefighter control drives fire recall |
| STK-REQ-007 | SYS-REQ-001 | derives | Operator configuration drives group dispatch |
| STK-REQ-005 | SYS-REQ-002 | derives | Maintenance inspection speed drives velocity control |
| STK-REQ-004 | SYS-REQ-003 | derives | Exclusive hoistway access drives safety chain |
| STK-REQ-010 | SYS-REQ-013 | derives | Inspector records drives logging |
| STK-REQ-013 | SYS-REQ-011 | derives | Environmental drives EMI immunity |
| STK-REQ-006 | SYS-REQ-010 | derives | BMS status drives BACnet |
| STK-REQ-001 | SYS-REQ-009 | derives | Wait time drives degraded dispatch |
| STK-REQ-013 | SYS-REQ-008 | derives | Environmental drives seismic |
| STK-REQ-008 | SYS-REQ-007 | derives | Fire recall need drives system req |
| STK-REQ-014 | SYS-REQ-006 | derives | Power supply drives ARD rescue |
| STK-REQ-003 | SYS-REQ-005 | derives | Accessibility drives door protection |
| STK-REQ-011 | SYS-REQ-004 | derives | SIL3 compliance drives UCMP |
| STK-REQ-011 | SYS-REQ-003 | derives | SIL3 compliance drives overspeed |
| STK-REQ-002 | SYS-REQ-002 | derives | Ride comfort drives motion control |
| STK-REQ-001 | SYS-REQ-001 | derives | Passenger wait time drives dispatch |
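One check a reviewer would run over the two requirement tables and the traceability matrix above, as an added Python example that is not part of the generated specification: a lint that flags dangling IDs, requirements with no parent or child, and stakeholder parents that a SYS rationale names but the matrix does not record. The requirement IDs, matrix rows and rationale clauses are transcribed from the page; the check logic and the finding names are the example's own.

```python
# Traceability lint for the STK/SYS tables and matrix above. Added example,
# not part of the generated specification; IDs, matrix rows and rationale
# clauses are transcribed from the page, the checks themselves are ours.
import re

ID_RE = re.compile(r"\b(?:STK|SYS)-REQ-\d{3}\b")

# IDs defined in the two requirement tables. SYS-REQ-014 and -015 do not
# appear on the page, so they are deliberately absent here.
STK_IDS = {f"STK-REQ-{n:03d}" for n in range(1, 15)}
SYS_IDS = {f"SYS-REQ-{n:03d}" for n in (*range(1, 14), 16, 17, 18)}

# (Source, Target) rows of the traceability matrix, in page order.
TRACE = [
    ("STK-REQ-014", "SYS-REQ-018"), ("STK-REQ-006", "SYS-REQ-017"),
    ("STK-REQ-011", "SYS-REQ-016"), ("STK-REQ-001", "SYS-REQ-012"),
    ("STK-REQ-012", "SYS-REQ-012"), ("STK-REQ-009", "SYS-REQ-007"),
    ("STK-REQ-007", "SYS-REQ-001"), ("STK-REQ-005", "SYS-REQ-002"),
    ("STK-REQ-004", "SYS-REQ-003"), ("STK-REQ-010", "SYS-REQ-013"),
    ("STK-REQ-013", "SYS-REQ-011"), ("STK-REQ-006", "SYS-REQ-010"),
    ("STK-REQ-001", "SYS-REQ-009"), ("STK-REQ-013", "SYS-REQ-008"),
    ("STK-REQ-008", "SYS-REQ-007"), ("STK-REQ-014", "SYS-REQ-006"),
    ("STK-REQ-003", "SYS-REQ-005"), ("STK-REQ-011", "SYS-REQ-004"),
    ("STK-REQ-011", "SYS-REQ-003"), ("STK-REQ-002", "SYS-REQ-002"),
    ("STK-REQ-001", "SYS-REQ-001"),
]

# The clause of each SYS rationale that names a parent requirement,
# abbreviated from the page. SYS rows citing no STK ID are omitted.
RATIONALE = {
    "SYS-REQ-001": "Derives from STK-REQ-001 (passenger wait time).",
    "SYS-REQ-002": "Derives from STK-REQ-002 (ride comfort).",
    "SYS-REQ-007": "Derives from STK-REQ-008 (fire recall).",
    "SYS-REQ-009": "Derives from STK-REQ-001 and STK-REQ-006.",
    "SYS-REQ-010": "Derives from STK-REQ-006 (BMS status).",
    "SYS-REQ-013": "Derives from STK-REQ-010 (test records).",
    "SYS-REQ-016": "STK-REQ-011 requires compliance with 2014/33/EU.",
    "SYS-REQ-017": "STK-REQ-006 specifies four data items; SYS-REQ-010 "
                   "establishes the BACnet/IP transport.",
    "SYS-REQ-018": "STK-REQ-014 requires 3 rescue cycles per car.",
}

def lint(trace, rationale, stk_ids, sys_ids):
    """Return {finding_kind: [items]}; all lists empty means consistent."""
    findings = {"duplicate_row": [], "dangling_reference": [],
                "rationale_not_in_matrix": []}
    seen = set()
    for row in trace:
        if row in seen:
            findings["duplicate_row"].append(row)
        seen.add(row)
        if row[0] not in stk_ids or row[1] not in sys_ids:
            findings["dangling_reference"].append(row)
    # Completeness: every SYS has a parent, every STK has a child.
    findings["sys_without_parent"] = sorted(sys_ids - {t for _, t in seen})
    findings["stk_without_child"] = sorted(stk_ids - {s for s, _ in seen})
    # Consistency: a parent named in the rationale must be a matrix row.
    for sys_id, text in rationale.items():
        for parent in ID_RE.findall(text):
            if parent.startswith("STK") and (parent, sys_id) not in seen:
                findings["rationale_not_in_matrix"].append((parent, sys_id))
    return findings

if __name__ == "__main__":
    for kind, items in lint(TRACE, RATIONALE, STK_IDS, SYS_IDS).items():
        print(f"{kind}: {items or 'none'}")
```

Run against the page's own rows it reports a single finding: the SYS-REQ-009 rationale cites STK-REQ-006, but the matrix has no STK-REQ-006 to SYS-REQ-009 row.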