
Industrial Elevator Control System

System Requirements Specification (SyRS) — ISO/IEC/IEEE 15289 — Specification | IEEE 29148 §6.2–6.4
Generated 2026-03-27 — UHT Journal / universalhex.org

Referenced Standards

Standard | Title
BS 1.1 |
EN 12015 | Electromagnetic compatibility — Emission standard for lifts, escalators and moving walks
EN 12016 | Electromagnetic compatibility — Immunity standard for lifts, escalators and moving walks
EN 61810-3 |
EN 81-20 | Safety rules for the construction and installation of lifts — Passenger and goods passenger lifts
EN 81-28 | Remote alarm on passenger and goods passenger lifts
EN 81-50 | Design rules, calculations, examinations and tests of lift components
EN 81-70 | Accessibility to lifts for persons including persons with disability
EN 81-72 | Firefighters lifts
EN 81-73 | Behaviour of lifts in the event of fire
EN 81-77 | Lifts subject to seismic conditions
EN 81-80 | Rules for the improvement of safety of existing passenger and goods passenger lifts
IEC 60364 |
IEC 60529 | Degrees of protection provided by enclosures (IP Code)
IEC 60896-11 |
IEC 60950 |
IEC 61000-4-3 | Electromagnetic compatibility — Radiated, radio-frequency, electromagnetic field immunity test
IEC 61000-4-6 |
IEC 61010-1 |
IEC 61439 | Low-voltage switchgear and controlgear assemblies
IEC 61439-1 | Low-voltage switchgear and controlgear assemblies
IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61508-2 | Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61508-3 | Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61800-3 |
IEC 61800-5-2 | Adjustable speed electrical power drive systems — Safety requirements — Functional
IEC 62061 | Safety of machinery — Functional safety of safety-related control systems
IEC 62133 |
ISO 13849-1 | Safety of machinery — Safety-related parts of control systems — General principles for design
ISO 25745 |
ISO 25745-2 | Energy performance of lifts, escalators and moving walks — Energy calculation and classification for lifts
ISO 4190-5 | Lift installation — Part 5: Control devices, signals and additional fittings

Acronyms & Abbreviations

Acronym | Expansion
ARC | Architecture Decisions
ASC | Advanced Application Specific Controller
BC | Building Controller
CCCS | Completeness, Consistency, Correctness, Stability
EARS | Easy Approach to Requirements Syntax
IFC | Interface Requirements
MCU | Motor Control Unit
OSSD | Output Signal Switching Device
PICS | Protocol Implementation Conformance Statement
SFF | Safe Failure Fraction
STK | Stakeholder Requirements
STO | Safe Torque Off
SUB | Subsystem Requirements
SYS | System Requirements
UHT | Universal Hex Taxonomy
VER | Verification Plan

Stakeholder Requirements (STK)

Ref | Requirement | V&V | Tags
STK-REQ-001 The Industrial Elevator Control System SHALL provide a maximum average waiting time of 30 seconds during peak traffic periods for hall calls at any floor.
Rationale: Building Occupant, Morning Rush scenario: 200+ workers arriving 07:30-09:00 require group dispatch to maintain <30s wait. Exceeding this causes lobby congestion and occupant dissatisfaction in commercial buildings.
V&V: Test | Tags: stakeholder, stk-passenger, session-436, idempotency:stk-passenger-wait-time-436
STK-REQ-002 The Industrial Elevator Control System SHALL provide ride comfort with acceleration ≤1.5 m/s², jerk ≤2.0 m/s³, and floor levelling accuracy within ±5 mm of landing sill.
Rationale: Building Occupant, all operational scenarios: passengers expect smooth acceleration profiles and precise levelling for safe boarding. H-004 (levelling failure) derives from poor levelling causing trip hazards.
V&V: Test | Tags: stakeholder, stk-passenger, session-436, idempotency:stk-passenger-ride-comfort-436
STK-REQ-003 The Industrial Elevator Control System SHALL provide accessible operation for mobility-impaired users in compliance with EN 81-70, including tactile buttons, audible announcements, and minimum 1100 mm car door opening.
Rationale: Building Occupant (mobility-impaired), Power Failure scenario: wheelchair user at floor 18 requires ARD to bring car to safe landing. EN 81-70 mandates accessibility features. Lifts Directive 2014/33/EU requires compliance.
V&V: Inspection | Tags: stakeholder, stk-passenger, accessibility, session-436, idempotency:stk-passenger-accessibility-436
STK-REQ-004 The Industrial Elevator Control System SHALL provide exclusive hoistway access mode with all interlocks active, preventing car movement from group dispatch while a maintenance technician is working on the car top or in the pit.
Rationale: Maintenance Technician, Quarterly Maintenance scenario: technician riding car top at 0.3 m/s inspecting rails and ropes. Loss of exclusive access would expose technician to crushing hazard from adjacent car or unexpected car movement.
V&V: Test | Tags: stakeholder, stk-technician, session-436, idempotency:stk-technician-access-436
STK-REQ-005 The Industrial Elevator Control System SHALL provide maintenance mode with car top and machine room inspection controls operating at ≤0.3 m/s, enabling inspection of the full shaft height within the 2-4 hour per-car maintenance window.
Rationale: Maintenance Technician, Quarterly Maintenance scenario: EN 81-20 requires inspection speed ≤0.3 m/s for car-top inspection. Technician must traverse full shaft to inspect rails, ropes, doors, safety gear, and governor tension.
V&V: Test | Tags: stakeholder, stk-technician, session-436, idempotency:stk-technician-maintenance-mode-436
STK-REQ-006 The Industrial Elevator Control System SHALL provide real-time status reporting to the Building Management System including car position, fault codes, energy consumption, and operating mode at ≥1 Hz update rate.
Rationale: Facility Manager, all scenarios: BMS notifications trigger technician dispatch (45min ETA in Single Car Failure scenario). Without real-time status, facility manager cannot coordinate maintenance rotation or emergency response.
V&V: Test | Tags: stakeholder, stk-facility-manager, session-436, idempotency:stk-facility-bms-status-436
STK-REQ-007 The Industrial Elevator Control System SHALL allow the facility manager to configure traffic patterns, floor lockouts, VIP priority assignments, and maintenance schedules via the BMS interface without requiring controller software modification.
Rationale: Facility Manager, Morning Rush and Single Car Failure scenarios: operator must adjust dispatch behaviour for peak periods and redirect passengers when cars are out of service. Configuration changes must not require OEM intervention to control operating costs.
V&V: Demonstration | Tags: stakeholder, stk-facility-manager, session-436, idempotency:stk-facility-config-436
STK-REQ-008 When a fire alarm Phase I signal is received, the Industrial Elevator Control System SHALL cancel all car and hall calls and return all cars non-stop to the designated landing with doors open within 60 seconds.
Rationale: Fire Service, Fire Alarm Recall scenario: all cars must recall to ground floor for evacuation. Car 3 above fire floor must stop at floor 11 for passenger evacuation before continuing to ground. EN 81-72 mandates Phase I recall behaviour.
V&V: Test | Tags: stakeholder, stk-fire-service, session-436, idempotency:stk-fire-recall-436
STK-REQ-009 When a firefighter key is inserted and turned, the Industrial Elevator Control System SHALL provide exclusive manual hold-to-run control of a single car with door override capability, disabling all automatic dispatch and group functions for that car.
Rationale: Fire Service, Fire Alarm Recall scenario: Phase II firefighter control per EN 81-72 and ASME A17.1. Firefighter needs exclusive control to reach fire floor, hold-to-run prevents unintended movement, door override allows venting or access.
V&V: Test | Tags: stakeholder, stk-fire-service, session-436, idempotency:stk-fire-phase2-436
STK-REQ-010 The Industrial Elevator Control System SHALL maintain complete test records, fault logs, and modification history accessible to regulatory inspectors in compliance with EN 81-20 Annex A, retaining records for a minimum of 10 years.
Rationale: Regulatory Inspector: annual statutory inspections require brake torque records, ARD test results, safety circuit verification, and modification history. Inspector authority to condemn installation requires auditable evidence trail.
V&V: Inspection | Tags: stakeholder, stk-inspector, session-436, idempotency:stk-inspector-records-436
STK-REQ-011 The Industrial Elevator Control System SHALL comply with EN 81-20, EN 81-50, EN 81-70, EN 81-72, EN 81-77, and the EU Lifts Directive 2014/33/EU, and SHALL be certifiable to IEC 61508 SIL 3 for safety-critical functions.
Rationale: Regulatory Inspector and OEM: H-001 (uncontrolled movement) and H-002 (overspeed) both rated SIL 3 require the safety controller to meet IEC 61508 SIL 3 systematic capability. Non-compliance blocks market access in EU and condemns the installation.
V&V: Analysis | Tags: stakeholder, stk-inspector, regulatory, session-436, idempotency:stk-inspector-compliance-436
STK-REQ-012 The Industrial Elevator Control System SHALL use a modular controller architecture supporting component replacement and software updates over a 20-25 year service life without requiring full system replacement.
Rationale: OEM/System Integrator: elevator controllers have 20-25 year lifecycles. Discrete subsystems (drive, safety controller, dispatch) must be independently upgradeable. Non-modular designs force premature full-system replacement at 5-10x cost.
V&V: Analysis | Tags: stakeholder, stk-oem, session-436, idempotency:stk-oem-modular-436
STK-REQ-013 The Industrial Elevator Control System SHALL operate within the environmental envelope of 0-50°C hoistway ambient, ≤40°C machine room, 5-95% RH non-condensing, and withstand EMI from co-located VFD and HVAC drives per EN 12016 (10 V/m radiated immunity).
Rationale: Environment as stakeholder: thermal and EMC constraints from industrial building environment. H-008 (drive EMI corrupting safety signals) is SIL 2 — safety controller must reject interference. EN 12015/12016 mandatory for CE marking.
V&V: Test | Tags: stakeholder, stk-environment, session-436, idempotency:stk-environment-envelope-436
STK-REQ-014 The Industrial Elevator Control System SHALL operate from 3-phase 400 VAC/50 Hz supply with UPS sustaining the controller for a minimum of 30 minutes and ARD batteries providing at least 3 rescue cycles per car during mains failure.
Rationale: Environment as stakeholder, Power Failure scenario: UPS sustains controller for battery-powered car movement to nearest landing. H-005 (passengers trapped during power failure) rated SIL 2 requires defined ARD capacity. IEC 60364 grounding required.
V&V: Test | Tags: stakeholder, stk-environment, power, session-436, idempotency:stk-environment-power-436

System Requirements (SYS)

Ref | Requirement | V&V | Tags
SYS-REQ-001 The Industrial Elevator Control System SHALL implement group dispatch that achieves ≤30 s average waiting time with 4 cars serving 20 floors at 150% rated load during up-peak traffic of ≥200 passengers per 5-minute interval.
Rationale: Derives from STK-REQ-001 (passenger wait time). 200 passengers/5min is the morning rush peak from ConOps. 4-car group with 150% rated load is the design configuration. Failure to meet this causes lobby congestion and occupant complaints.
V&V: Test | Tags: system, dispatch, session-436, idempotency:sys-group-dispatch-436
SYS-REQ-002 The Industrial Elevator Control System SHALL control car velocity to achieve acceleration ≤1.5 m/s², jerk ≤2.0 m/s³, and rated speed of 2.5 m/s, with floor-level positioning accuracy of ±5 mm maintained by closed-loop position control.
Rationale: Derives from STK-REQ-002 (ride comfort). ±5 mm levelling prevents trip hazards (H-004, SIL 1). 2.5 m/s rated speed enables 20-floor traverse within acceptable transit time. Jerk limit prevents passenger discomfort and load shifting.
V&V: Test | Tags: system, motion, sil-1, session-436, idempotency:sys-motion-control-436
SYS-REQ-003 The Industrial Elevator Control System safety controller SHALL detect overspeed conditions exceeding 115% of rated speed and initiate progressive safety gear engagement within 200 ms, achieving SIL 3 per IEC 61508.
Rationale: H-002 (overspeed in down direction), SIL 3. EN 81-20 mandates overspeed governor with progressive safety gear. 115% threshold from EN 81-20 Table 7. 200 ms response ensures deceleration within shaft overrun distance.
V&V: Test | Tags: rt-sil-gap, red-team-session-460
SYS-REQ-004 The Industrial Elevator Control System safety controller SHALL detect uncontrolled car movement exceeding 200 mm from floor level with doors open and engage the UCMP device within 300 ms, achieving SIL 3 per IEC 61508.
Rationale: H-001 (uncontrolled movement), SIL 3. UCMP per EN 81-20:2014 Clause 5.6.7.2. 200 mm threshold prevents passenger fall-through. Contactor welding or drive fault is the root cause — safety controller must be independent of main controller.
V&V: Test | Tags: rt-sil-gap, red-team-session-460
SYS-REQ-005 The Industrial Elevator Control System SHALL monitor door closing force not to exceed 150 N and re-open doors within 3 seconds when an obstruction is detected in the door zone, achieving SIL 2 per IEC 61508.
Rationale: H-003 (door zone entrapment), SIL 2. EN 81-20 Clause 5.3.6 mandates 150 N max force. 3-second re-open prevents passenger injury. Light curtain and force sensor provide redundant detection.
V&V: Test | Tags: rt-sil-gap, red-team-session-460
SYS-REQ-006 When mains power fails, the Industrial Elevator Control System SHALL drive each car to the nearest landing at ≤0.15 m/s using ARD batteries, open doors, and activate emergency lighting within 30 seconds of power loss, achieving SIL 2.
Rationale: H-005 (passengers trapped during power failure), SIL 2. Power Failure scenario: wheelchair user at floor 18 must reach landing. 0.15 m/s from ConOps. 30s limit ensures entrapment does not exceed EN 81-28 alarm trigger threshold.
V&V: Test | Tags: system, safety, sil-2, power, session-436, idempotency:sys-ard-rescue-436
SYS-REQ-007 When a fire alarm Phase I signal is received, the Industrial Elevator Control System SHALL cancel all pending calls and deliver all cars to the designated landing within 60 seconds with doors open, per EN 81-72.
Rationale: Derives from STK-REQ-008 (fire recall). Fire Alarm scenario: 60s budget accounts for car at highest floor plus door operations. Floor lock-out of fire floor prevents cars stopping at hazard. Car above fire floor stops one below for evacuation first.
V&V: Test | Tags: system, fire, sil-2, session-436, idempotency:sys-fire-recall-436
SYS-REQ-008 When a seismic P-wave is detected, the Industrial Elevator Control System SHALL decelerate all cars to the nearest floor within 10 seconds, open doors, and maintain safe-hold state for 60 seconds after the last trigger, per EN 81-77.
Rationale: H-007 (counterweight derailment), SIL 3 during active seismic event. Seismic scenario: P-wave detection gives 5-10s before S-wave arrival. 60s hold timer from ConOps. Post-event: low-speed inspection trip (0.3 m/s) required before normal service.
V&V: Test | Tags: system, safety, sil-3, seismic, session-436, idempotency:sys-seismic-response-436
SYS-REQ-009 When one car in the group reports a non-safety-critical fault, the Industrial Elevator Control System SHALL remove that car from group dispatch and rebalance remaining cars to maintain ≤50 s average waiting time with N-1 cars.
Rationale: Derives from STK-REQ-001 and STK-REQ-006. Single Car Failure scenario: 3 remaining cars must rebalance, wait time rises to 45-50s. Degraded performance threshold must be explicit for BMS alerting.
V&V: Test | Tags: system, dispatch, degraded, session-436, idempotency:sys-degraded-dispatch-436
SYS-REQ-010 The Industrial Elevator Control System SHALL provide a BACnet/IP interface to the Building Management System with ≥1 Hz status updates, supporting bidirectional command/status exchange per BACnet B-ASC device profile.
Rationale: Derives from STK-REQ-006 (BMS status). BACnet/IP from external interface definition. 1 Hz from ConOps. B-ASC profile provides standard object model for elevator status (position, faults, energy, mode).
V&V: Test | Tags: system, interface, bms, session-436, idempotency:sys-bms-interface-436
SYS-REQ-011 The Industrial Elevator Control System SHALL reject electromagnetic interference from co-located VFDs and HVAC drives per EN 12016, maintaining safety signal integrity with no spurious safety trips at 10 V/m radiated immunity, achieving SIL 2 for safety signal paths.
Rationale: H-008 (drive EMI corrupts safety signals), SIL 2. EMC constraint from concept phase. Safety controller must detect signal discrepancy caused by EMI rather than acting on corrupted data. Shielded cabling mandatory for safety circuits.
V&V: Test | Tags: system, safety, sil-2, emc, session-436, idempotency:sys-emi-immunity-436
SYS-REQ-012 The Industrial Elevator Control System SHALL achieve ≥99.5% availability measured over a rolling 12-month period, with mean time between failures ≥5000 hours for the complete system excluding scheduled maintenance windows.
Rationale: Derives from mission statement (>99.5% uptime). MTBF target derived from 4-car group: single car MTBF ≥1250h allows N-1 degraded operation within the 99.5% system availability budget.
V&V: Analysis | Tags: system, reliability, session-436, idempotency:sys-availability-436
SYS-REQ-013 The Industrial Elevator Control System SHALL log all safety events, fault codes, maintenance actions, and parameter changes with timestamps, retaining logs for ≥10 years in non-volatile storage accessible to regulatory inspectors.
Rationale: Derives from STK-REQ-010 (test records). EN 81-20 Annex A requires comprehensive event logging. 10-year retention covers two statutory inspection cycles and typical liability periods.
V&V: Inspection | Tags: system, logging, session-436, idempotency:sys-event-logging-436
SYS-REQ-016 The Industrial Elevator Control System SHALL comply with EU Lifts Directive 2014/33/EU, demonstrate conformity via the applicable conformity assessment route (Annex IV, VI, VII, or VIII), and carry CE marking prior to placing on the market, with a Declaration of Conformity maintained throughout the product lifecycle.
Rationale: EU Lifts Directive 2014/33/EU is the mandatory legal framework for lifts placed on the EU market. STK-REQ-011 requires compliance with 2014/33/EU as a non-negotiable regulatory constraint — failure to achieve CE marking makes the system unsaleable in the EU. The conformity assessment route is specified to avoid ambiguity about which Notified Body approval path applies.
V&V: Inspection | Tags: system, compliance, regulatory, session-443, idempotency:sys-lifts-directive-compliance-443
SYS-REQ-017 The Industrial Elevator Control System SHALL report to the Building Management System the following status data items at a minimum update rate of 1 Hz: car position (floor and direction), fault codes (ISO 4190-5 format), real-time energy consumption per car (kWh ±2%), and current operating mode (standard-operation, independent-service, fire-recall, out-of-service).
Rationale: STK-REQ-006 specifies four distinct data items (position, fault codes, energy consumption, operating mode) that the BMS requires for building automation integration and energy reporting compliance. SYS-REQ-010 establishes the BACnet/IP transport at 1 Hz; this requirement defines the payload content to ensure all four stakeholder-required data types are transmitted. Energy reporting at ±2% is required for EU Energy Performance of Buildings Directive compliance for lifts in Class A commercial buildings.
V&V: Test | Tags: system, interface, bms, session-443, idempotency:sys-bms-status-data-items-443
SYS-REQ-018 The Industrial Elevator Control System ARD batteries SHALL sustain at least 3 complete rescue cycles per car during mains failure, where one rescue cycle is defined as driving a fully loaded car from any floor to the nearest landing at ≤0.15 m/s with doors operated, after which the battery SHALL recover to ≥90% capacity within 8 hours of mains restoration.
Rationale: STK-REQ-014 requires 3 rescue cycles per car, which is the benchmark in EN 81-20 Annex D for ARD energy storage. SYS-REQ-006 only specifies that cars reach the nearest landing; it does not bound the number of sequential operations available in a blackout event. Three cycles covers worst-case: power fails during consecutive trip cycles before all cars complete rescue. The 8-hour recovery specification aligns with a standard work-shift interval to ensure the system is ready for the next workday.
V&V: Test | Tags: system, safety, power, ard, sil-2, session-443, idempotency:sys-ard-rescue-cycles-443

Requirements by Category (IEEE 29148)

Functional Requirements: 5
Performance Requirements: 15
Interface Requirements: 1
Safety Requirements: 5
Environmental Requirements: 1
Reliability & Availability: 1
Compliance & Regulatory: 8

Traceability Matrix — STK to SYS

Source | Target | Type | Description
STK-REQ-014 | SYS-REQ-018 | derives | ARD rescue cycle count derived from maintenance stakeholder power-resilience requirement
STK-REQ-006 | SYS-REQ-017 | derives | BMS status data item requirement derived from facility manager stakeholder need
STK-REQ-011 | SYS-REQ-016 | derives | EU Lifts Directive compliance derived from regulatory requirement
STK-REQ-001 | SYS-REQ-012 | derives | STK-REQ-001 passenger wait time derives to SYS-REQ-012 availability
STK-REQ-012 | SYS-REQ-012 | derives | STK-REQ-012 modular architecture derives to SYS-REQ-012 availability target
STK-REQ-009 | SYS-REQ-007 | derives | STK-REQ-009 Phase II firefighter control derives to SYS-REQ-007 fire recall
STK-REQ-007 | SYS-REQ-001 | derives | STK-REQ-007 operator configuration derives to SYS-REQ-001 group dispatch
STK-REQ-005 | SYS-REQ-002 | derives | STK-REQ-005 maintenance inspection speed derives to SYS-REQ-002 velocity control
STK-REQ-004 | SYS-REQ-003 | derives | STK-REQ-004 exclusive hoistway access derives to SYS-REQ-003 safety chain
STK-REQ-010 | SYS-REQ-013 | derives | Inspector records drives logging
STK-REQ-013 | SYS-REQ-011 | derives | Environmental drives EMI immunity
STK-REQ-006 | SYS-REQ-010 | derives | BMS status drives BACnet
STK-REQ-001 | SYS-REQ-009 | derives | Wait time drives degraded dispatch
STK-REQ-013 | SYS-REQ-008 | derives | Environmental drives seismic
STK-REQ-008 | SYS-REQ-007 | derives | Fire recall need drives system req
STK-REQ-014 | SYS-REQ-006 | derives | Power supply drives ARD rescue
STK-REQ-003 | SYS-REQ-005 | derives | Accessibility drives door protection
STK-REQ-011 | SYS-REQ-004 | derives | SIL3 compliance drives UCMP
STK-REQ-011 | SYS-REQ-003 | derives | SIL3 compliance drives overspeed
STK-REQ-002 | SYS-REQ-002 | derives | Ride comfort drives motion control
STK-REQ-001 | SYS-REQ-001 | derives | Passenger wait time drives dispatch
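A bidirectional completeness check over the matrix above, in the CCCS sense of the acronym list, written as an added example (not part of the generated report or of any UHT tooling). The link pairs and identifier lists are transcribed from this page; the SYS-REQ-014/015 numbering gap the check reports is the one visible in the SYS table.

```python
import re
from collections import defaultdict

# (source, target) pairs transcribed from the STK-to-SYS matrix above; descriptions omitted.
LINKS = [
    ("STK-REQ-014", "SYS-REQ-018"), ("STK-REQ-006", "SYS-REQ-017"),
    ("STK-REQ-011", "SYS-REQ-016"), ("STK-REQ-001", "SYS-REQ-012"),
    ("STK-REQ-012", "SYS-REQ-012"), ("STK-REQ-009", "SYS-REQ-007"),
    ("STK-REQ-007", "SYS-REQ-001"), ("STK-REQ-005", "SYS-REQ-002"),
    ("STK-REQ-004", "SYS-REQ-003"), ("STK-REQ-010", "SYS-REQ-013"),
    ("STK-REQ-013", "SYS-REQ-011"), ("STK-REQ-006", "SYS-REQ-010"),
    ("STK-REQ-001", "SYS-REQ-009"), ("STK-REQ-013", "SYS-REQ-008"),
    ("STK-REQ-008", "SYS-REQ-007"), ("STK-REQ-014", "SYS-REQ-006"),
    ("STK-REQ-003", "SYS-REQ-005"), ("STK-REQ-011", "SYS-REQ-004"),
    ("STK-REQ-011", "SYS-REQ-003"), ("STK-REQ-002", "SYS-REQ-002"),
    ("STK-REQ-001", "SYS-REQ-001"),
]

# Identifiers present in the STK and SYS tables above (SYS-REQ-014/015 do not appear there).
STK_IDS = [f"STK-REQ-{n:03d}" for n in range(1, 15)]
SYS_IDS = [f"SYS-REQ-{n:03d}" for n in (*range(1, 14), 16, 17, 18)]

ID_RE = re.compile(r"^(STK|SYS)-REQ-(\d{3})$")


def numbering_gaps(ids):
    """Identifiers missing from an otherwise contiguous numbering sequence."""
    nums = sorted(int(ID_RE.match(i).group(2)) for i in ids)
    prefix = ID_RE.match(ids[0]).group(1)
    return [f"{prefix}-REQ-{n:03d}" for n in range(nums[0], nums[-1] + 1) if n not in nums]


def check_traceability(stk_ids, sys_ids, links):
    """Every STK must derive at least one SYS, every SYS must trace back to at
    least one STK, and no link may reference an identifier absent from the tables."""
    forward, backward = defaultdict(set), defaultdict(set)
    dangling = []
    for src, dst in links:
        if src not in stk_ids or dst not in sys_ids:
            dangling.append((src, dst))  # link points outside the two tables
            continue
        forward[src].add(dst)
        backward[dst].add(src)
    return {
        "uncovered_stk": [i for i in stk_ids if not forward[i]],
        "orphan_sys": [i for i in sys_ids if not backward[i]],
        "dangling_links": dangling,
        "stk_gaps": numbering_gaps(stk_ids),
        "sys_gaps": numbering_gaps(sys_ids),
        "backward": {k: sorted(v) for k, v in backward.items()},
    }


def is_complete(report):
    """True only when coverage holds in both directions and no link dangles."""
    return not (report["uncovered_stk"] or report["orphan_sys"] or report["dangling_links"])


if __name__ == "__main__":
    r = check_traceability(STK_IDS, SYS_IDS, LINKS)
    print("complete:", is_complete(r))
    print("SYS numbering gaps:", r["sys_gaps"])
    print("SYS-REQ-007 sources:", r["backward"]["SYS-REQ-007"])
```

A numbering gap is not a coverage failure, but it is the kind of thing an inspector asks about, so the report keeps it separate from the orphan and dangling-link lists.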