Industrial Elevator Control System

Rationale: Integration test to verify interface compliance at system boundaries. CRC error rate threshold aligns with IEC 61508 SIL 3 diagnostic coverage requirements for the communication channel.

Rationale: Integration test to verify interface compliance at system boundaries. Each safety device must be individually tested per EN 81-50 testing requirements to confirm independence of detection.

Rationale: Integration test to verify interface compliance at system boundaries. Isolation test ensures fire panel wiring faults cannot damage or corrupt the Safety CPU.

Rationale: Integration test to verify interface compliance at system boundaries. Relay monitor contact timing verifies the diagnostic coverage path that detects contact welding.

Rationale: End-to-end system-level integration test exercising full chain: Speed and Position Monitor detection → Safety CPU decision → Safety Output Actuator engagement. 100ms total is the EN 81-20 safety function response budget. Tests the system as a whole under representative conditions.

Rationale: Safety function self-test verifying that internal CPU faults result in safe state, per IEC 61508 SIL 3 requirement for fault reaction time. Must be performed in controlled test environment with car stationary or at low speed.

Rationale: POST verification ensures that the IEC 61508 SIL 3 start-up diagnostic requirement is met. Deliberate fault injection (RAM corruption) confirms that POST failure results in elevator inhibition rather than spurious release.

Rationale: Integration test verifying CAN bus timing and error detection at the MCU-to-VFD boundary. 100% pass rate at rated message frequency confirms the interface performs adequately under normal load.

Rationale: Integration test under realistic EMI conditions reproduced by co-routing encoder cable with VFD output. Time duration ensures statistically significant sample at rated speed.

Rationale: Functional safety test confirming the fault propagation path from MCU to Safety Controller meets the 50ms timing budget. 20 trials provide statistical confidence for SIL-3 validation.

Rationale: Boundary condition test for the overspeed detection function with injection at threshold plus margin. Ten trials at two speeds (above and below threshold) confirm correct threshold implementation and response time.

Rationale: System-level integration test exercising the full chain from MCU velocity command through VFD, motor, and encoder feedback under a realistic duty cycle. Composite pass criteria confirm the subsystem meets SYS-REQ-002 and SYS-REQ-003 simultaneously.

Rationale: Directly validates the power transfer time and voltage continuity requirement under worst-case instantaneous dropout.

Rationale: Acceptance test for minimum UPS hold-up duration under representative load. 21.6V lower limit matches the minimum input voltage of the 24V relay coils and MCU power supplies.

Rationale: Worst-case electrical and mechanical conditions exercise the torque control loop at its performance boundaries; pass criterion directly maps to EN 81-20 clause 5.3.12 test method.

Rationale: Tests reversal response at multiple points in the closing profile, ensuring the 50ms budget is met when the door is at maximum speed (midtravel) and during the deceleration zone (near-closed).

Rationale: Integration test verifying the safety interface meets the 20 ms de-assertion budget required by the reversal timing chain; cross-channel test verifies the diagnostic coverage requirement.

Rationale: End-to-end integration test of the dual-channel door safety interface; exercises the safety-critical relay path and the diagnostic CAN path independently. Pass criteria verify the DCU safe-state timing required by SUB-REQ-028.

Rationale: High-cycle integration test validates statistical reliability and verifies that the combination of torque control, obstruction detection, and position encoding meets all subsystem requirements concurrently under realistic operating conditions.

Rationale: Traffic simulation is the standard acceptance method for elevator group dispatch performance; 30 minutes captures multiple peak cycles. Three-run requirement establishes statistical confidence and excludes outlier runs from natural traffic variation.

Rationale: Confirms that the Safety Command Validator intercepts 100% of BMS commands in the pipeline and that no bypass path exists; the Event Logger cross-check verifies audit completeness.

Rationale: Confirms that safety state propagation latency is within the 100 ms budget, ensuring the Safety Command Validator correctly blocks commands during all three safety event types.

Rationale: EN 81-28 compliance requires verification of both auto-dial timing and battery backup duration. PSTN plus GSM fallback must both be tested because EN 81-28 mandates automatic switchover; measuring at 2-minute threshold plus 30 s dial margin verifies the full timing chain.

Rationale: End-to-end integration test exercises the complete BIG command path under a realistic safety event. Testing all four conditions simultaneously confirms that the subsystem components do not interfere with each other during a concurrent high-activity period.

Rationale: End-to-end verification of UCMP detection chain per SUB-REQ-003. 200mm threshold and 50ms timing are the quantified acceptance criteria.

Rationale: Architecture analysis per IEC 61508-2 Clause 7.4.7: document review of Safety CPU design, fault injection analysis for diagnostic coverage >99%, and formal assessment sign-off by a functional safety assessor. Physical channel independence cannot be verified by run-time test alone; this is the recognised method for SIL 3 HFT=1 claim verification.

Rationale: Integration test confirming Group Dispatch Controller cancels all calls and routes all cars to designated landing within SYS-REQ-007 time bound. Must be tested with all 4 cars at dispersed floors to exercise worst-case routing.

Rationale: Acceptance test confirming battery bank energy capacity meets the group-level 3-cycle criterion under simultaneous worst-case load. The 18V DC lower bound represents 75% of nominal 24V, the minimum for relay hold-in across all relays in the safety circuit.

Rationale: Integration test confirming the 10-second stop and 60-second hold requirements from SYS-REQ-008 and SUB-REQ-047. The mid-travel starting position maximises stopping distance and exercises the worst-case scenario for the 10-second constraint.

Rationale: Integration test to verify interface compliance at system boundaries for EN 12016 radiated immunity at safety signal paths.

Rationale: Factory acceptance inspection to verify controller cabinet enclosure compliance with SYS-REQ-015 physical constraints.

Rationale: Documentation review to verify EU Lifts Directive compliance and CE marking obligation per SYS-REQ-016.

Rationale: Integration test verifying the hot standby switchover under realistic operating conditions. 20 repetitions provide statistical confidence in the 50 ms timing requirement.

Rationale: HIL testing of the full state machine validates both functional transitions and rejection of invalid commands, addressing the safety concern about undefined drive behaviour.

Rationale: Live failover under load is the only reliable verification of stateful failover correctness; floor simulation provides repeatable conditions.

Rationale: Functional test of all door state transitions and protection features. 200 ms reversal and 500 ms fault detection are directly measurable pass/fail criteria.

Rationale: BACnet integration test with protocol analyser provides direct verification of object presence, type, and update rate. Reference meter comparison verifies the ±2% energy accuracy requirement.

Rationale: SIL 3 safety function diagnostic test. SUB-REQ-004 requires ≥20 Hz scan and ≤50 ms fault assertion; this test exercises the timing boundary directly. Testing at 10 ms intervals confirms margin beyond the 50 ms requirement. 100 repetitions per device provides statistical confidence for SIL 3 PFD claims.

Rationale: Performance verification of SIL 3 Motor Control Unit velocity regulation. SUB-REQ-010 specifies ±0.05 m/s steady-state error and ±5 mm stopping accuracy. Testing at four speed points covers the full operating envelope; worst-case is typically at low speed where slip is highest. Three repeats establish repeatability. EN 81-20 Annex D requires stopping accuracy verification by measurement.

Rationale: SIL 3 safety function verification of the MCU overspeed detection channel, independent of the Safety CPU detection tested in VER-REQ-005. SUB-REQ-012 specifies detection at 115% rated speed; testing at 116% confirms positive margin. Independence verification prevents common-cause failure between MCU and Safety CPU detection channels, required for SIL 3 dual-channel architecture.

Rationale: SIL 3 safety function test per EN 81-20 Annex D brake test method. SUB-REQ-013 specifies 150 ms engagement and 150% rated load hold. The 150% load in the adverse direction represents the worst-case torque condition for brake holding. Displacement ≤2 mm confirms adequate brake torque margin per EN 81-20 minimum factor of 1.25 over rated load.

Rationale: SIL 2 safety function performance test. SUB-REQ-018 specifies <20 ms transfer at 85% voltage threshold. Instantaneous loss tests (50%) expose any race conditions between transfer detection and UPS output rise time. Absence of spurious safety events confirms the transfer is transparent to the safety controller, which is the key system-level requirement from SYS-REQ-006.

Rationale: SIL 2 safety function capacity test. SUB-REQ-019 requires 30 minutes holdup at full safety load to enable operator-supervised evacuation per EN 81-73. Full-load test is required because most UPS sizing exercises assume partial load; the 90% voltage threshold ensures relay hold-in across the entire holdup period. Safe-state exit at capacity verifies no uncontrolled shutdown sequence.

Rationale: SIL 2 immunity test per IEC 61000-4-3/4-6 using the levels mandated by SYS-REQ-011 and SUB-REQ-048. The safety-critical signal paths are those most at risk from VFD switching noise in a common machine room enclosure. Acceptance criteria are function-specific: encoder position errors above 5 counts would cause levelling errors exceeding the ±10 mm safety margin for H-004.

Rationale: Integration test covering the Single Car Failure During Peak ConOps scenario. SUB-REQ-031 specifies 100 ms reassignment latency and SUB-REQ-032 specifies fault reassignment behaviour; both are validated simultaneously. The 2-car fault case corresponds to the critical degraded operation mode requiring lobby attendant intervention, confirming the system behaves predictably before escalation threshold.

Rationale: SIL 3 safety function test verifying fault detection speed and correct mode transition per SUB-REQ-015. The distinction between Degraded mode entry (encoder loss with car stopping normally) and Emergency Shutdown (car continues moving) is safety-critical: a premature Emergency Shutdown causes unnecessary entrapment while a missed detection risks uncontrolled movement.

Rationale: EN 81-72 compliance test for Fire Service Phase II operation. The Fire Service stakeholder scenario requires firefighter exclusive manual control with hold-to-run — a life-safety feature with no existing VER entry. The 30-second return-to-Phase-I on key removal is mandated by EN 81-72 Clause 5.6 to prevent a car being stranded out of service after firefighter departure.

Rationale: Technician safety is the highest-risk aspect of the maintenance scenario: a car moving at normal speed (up to 1.0 m/s) while a technician is on top is catastrophic. EN 81-20 Annex F mandates a car-top stop device that cannot be bypassed from the machine room. The 0.3 m/s speed cap in maintenance mode is separately required by EN 81-20 Clause 6.5.3. Both must be verified by Test to satisfy SIL classification.

Rationale: REQ-SEINDUSTRIALELEVATOR-031 requires VFD STO assertion within 20 ms of MCU watchdog expiry. This test directly measures the assertion latency using a protocol analyser on the safety bus while inducing the failure condition.

Rationale: REQ-SEINDUSTRIALELEVATOR-032 requires STO and brake engagement within 150 ms of MCU comm loss. Timing measurement requires synchronised oscilloscope on STO signal and brake current sensor, with protocol analyser timestamping the last valid torque command.

Rationale: REQ-SEINDUSTRIALELEVATOR-033 specifies the Safety Command Validator output signal parameters. This test verifies signal levels, timing, and impedance against specification using traceable measurement instruments.

Rationale: REQ-SEINDUSTRIALELEVATOR-034 requires dual-channel disagreement to default to rejection. Injecting deliberate channel mismatch via hardware test interface validates the fail-safe behaviour. The 100-cycle soak ensures no intermittent false acceptance.

Rationale: REQ-SEINDUSTRIALELEVATOR-035 requires simultaneous dual-device write with failover to secondary. This test exercises the failover path by inducing primary device failure and verifying FRAM integrity.

Rationale: REQ-SEINDUSTRIALELEVATOR-036 requires SHA-256 HMAC hash chaining detectable by the integrity API. This test verifies that modification of a single record is detected and correctly identified.

Rationale: REQ-SEINDUSTRIALELEVATOR-037 requires power-up self-test with channel verification and fault notification. This test validates self-test timing and fault detection coverage for each output channel.

Rationale: REQ-SEINDUSTRIALELEVATOR-038 specifies 2.5 kWh minimum ARD capacity for 3 rescue cycles per car across 4 cars. This acceptance test verifies the capacity requirement directly by exercising the full rescue load profile.

Rationale: REQ-SEINDUSTRIALELEVATOR-039 requires 512-event RAM buffer and safety function continuity on BACnet/IP loss. This test validates the degraded-mode buffer size and safety function isolation.

Rationale: REQ-SEINDUSTRIALELEVATOR-040 requires EN 81-72 Phase II firefighter service compliance. This test validates exclusive car control, door suppression, speed limit enforcement, and Phase I/II interaction as specified in EN 81-72 Clause 5.4.

Rationale: The new EN 81-77 SUB requirement mandates 500 ms response initiation. This test validates the response time from P-wave injection to Safety Controller action using a calibrated seismic simulator traceable to EN 81-77 test procedures.

Rationale: The new BACnet B-ASC SUB requirement mandates specific protocol conformance. The B-ASC PICS validation using standardised test suite provides authoritative verification of conformance to BACnet Standard 135-2020.

Rationale: SIL 3 architectural constraint compliance cannot be fully verified by runtime test; it requires hardware FMEA analysis against IEC 61508-2 tables. Analysis method is appropriate for this verification. SFF is a function of failure mode distribution across safe, unsafe-detected, and unsafe-undetected categories.

Rationale: The GDC watchdog SUB requirement mandates alarm generation on dispatch performance degradation. This test validates the threshold detection, alarm latency, and automatic clearing behaviour using a traffic load simulator calibrated to rated passenger throughput.

Rationale: EN 81-72 Clause 5.2 mandates 5-second response from fire signal to car inhibit. SIL-2 time bound for H-006. VER-REQ-029 tests 60-second arrival only.

Rationale: BACnet/IP is the primary BMS interface per IFC-REQ-001; protocol conformance and throughput must be verified against ASHRAE 135-2020 to ensure interoperability with third-party BMS platforms.

Rationale: Fire alarm relay interface is safety-critical (SIL-2 path); hardwired relay timing must be verified to confirm the Safety Controller can meet EN 81-72 5-second recall response.

Rationale: Access control interface must support both RS-485 and TCP/IP per IFC-REQ-003; response time verification confirms the 500ms credential validation SLA from SUB-REQ-035.

Rationale: Emergency intercom is a life-safety interface mandated by EN 81-28; must verify auto-dial, speech quality, and battery backup to confirm trapped passengers can communicate.

Rationale: Brake interface carries SIL-3 safety function; dual-coil independent operation and relay monitor feedback must be verified to confirm single-fault tolerance.

Rationale: Power management interfaces are critical for ARD rescue operation; ATS transfer timing and UPS telemetry accuracy directly affect emergency power availability.

Rationale: Door subsystem internal interfaces are safety-relevant; obstruction detection response time (safety edge, light curtain) and interlock monitoring directly affect passenger safety per EN 81-20.

Rationale: Group dispatch communication performance directly affects passenger wait time; CAN bus overload during peak traffic would degrade dispatch algorithm performance.

Rationale: BIG-to-GDC command path must be verified for latency to ensure BMS floor lockout commands take effect promptly; event logger bus capture must be complete for regulatory audit trail.

Rationale: Ride quality directly affects stakeholder satisfaction (STK-REQ-002); jerk limiting is the primary ride comfort parameter for industrial elevators and must be measured, not just inferred from motor control loop.

Rationale: EN 12015 EMC compliance is mandatory for CE marking; VFD is the primary emissions source in the elevator system and must be tested independently before system-level EMC.

Rationale: MTBF verification by analysis is standard practice for reliability requirements; field data from comparable installations provides the statistical basis for confirmation.

Rationale: Dual-coil brake is SIL-3 safety critical; single-fault tolerance must be demonstrated by physical test, not just design review, to confirm braking torque margin.

Rationale: Battery SoC monitoring accuracy affects ARD rescue operation reliability; incorrect SoC reading could lead to rescue cycle failure with passengers trapped.

Rationale: Industrial environments experience significant supply voltage variation; VFD must be verified across the full 380-420V, 48-52 Hz envelope to prevent nuisance trips.

Rationale: Safety rail voltage must be verified under worst-case load to confirm safety devices operate within their specified input range; out-of-range voltage could cause safety function failure.

Rationale: Physical implementation requirements affect maintainability and environmental resilience; form factor must match cabinet design constraints.

Rationale: Cabinet and enclosure specifications are verifiable only by physical inspection; IP54, flame retardancy, and dimensional compliance are prerequisites for site installation approval.

Rationale: IEC 61508-2 Clause 7.4.9 mandates that proof test intervals are verified as part of the SIL validation. This test confirms the proof test procedures exist, are executable, and maintain PFDavg within SIL 3 bounds.