
Industrial Elevator Control System

System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org

About this report

This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.

Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison — components from unrelated systems that share a hex code or high Jaccard similarity are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.

Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.

Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.

Referenced Standards

Standard Title
BS 1.1
EN 12015
EN 12016
EN 61810-3
EN 81-20
EN 81-28
EN 81-50
EN 81-70
EN 81-72
EN 81-73
EN 81-77
EN 81-80
IEC 60364
IEC 60529
IEC 60896-11
IEC 60950
IEC 61000-4-3 Electromagnetic compatibility — Radiated, radio-frequency, electromagnetic field immunity test
IEC 61000-4-6
IEC 61010-1
IEC 61439
IEC 61439-1
IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61508-2 Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61508-3 Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61800-3
IEC 61800-5-2
IEC 62061
IEC 62133
ISO 13849-1
ISO 25745
ISO 25745-2
ISO 4190-5

Acronyms & Abbreviations

Acronym Expansion
ARC Architecture Decisions
ASC Advanced Application Specific Controller
BC Building Controller
CCCS Completeness, Consistency, Correctness, Stability
EARS Easy Approach to Requirements Syntax
IFC Interface Requirements
MCU Motor Control Unit
OSSD Output Signal Switching Device
PICS Protocol Implementation Conformance Statement
SFF Safe Failure Fraction
STK Stakeholder Requirements
STO Safe Torque Off
SUB Subsystem Requirements
SYS System Requirements
UHT Universal Hex Taxonomy
VER Verification Plan
223 Requirements
87 Classified Entities
6 Subsystems
8 Diagrams
157 Relationships
8 Hazards

Stakeholders

Stakeholder Relationship Hex Code
Building Occupant / Elevator Passenger primary user, interacts via hall/car buttons, expects <30s wait, smooth ride, accurate levelling. Includes mobility-impaired users (EN 81-70). Derived from: Morning Rush, Power Failure, Fire Recall scenarios. 000C0081
Elevator Maintenance Technician performs EN 81-20 preventive/corrective maintenance, exclusive hoistway access, uses maintenance mode. Personal safety depends on interlocks. Derived from: Quarterly Maintenance scenario. 000420F8
Building Facility Manager day-to-day operation via BMS, monitors status, schedules maintenance, configures traffic patterns, coordinates emergency response. Derived from: all scenarios (BMS notifications). 00045AF8
Fire Service / Emergency Responder Phase I/II fire recall operation, manual hold-to-run control, trained per ASME A17.1. Derived from: Fire Alarm Recall scenario. 000D3AF9
Elevator Regulatory Inspector certifies EN 81-20/50 and local code compliance, annual statutory inspections, authority to condemn. Requires test records and modification history. 008428F9
Elevator OEM / System Integrator designs, installs, commissions, provides controller hardware/software, type examination certification (Lifts Directive 2014/33/EU), spare parts and updates over 20-25 year lifecycle. 40843A39

Operating Environment & Constraints

Category Constraint
Thermal hoistway 0-50°C ambient, machine room ≤40°C (EN 81-20), 5-95% RH non-condensing, controller derating above 40°C. Below-grade pits subject to flooding.
EMC VFD switching 4-16 kHz, co-located with HVAC drives and power distribution. EN 12015 emissions, EN 12016 immunity (10 V/m radiated). Shielded cabling mandatory for safety circuits.
Power 3-phase 400VAC/50Hz, dedicated switchboard, regenerative braking to grid or resistor. UPS 30min for controller, ARD batteries for 3 rescue cycles. IEC 60364 grounding.
Regulatory EN 81-20/50, EN 81-70 accessibility, EN 81-72 fire, EN 81-77 seismic, IEC 61508 SIL 3, EU Lifts Directive 2014/33/EU, ASME A17.1 (NA), local building codes.
Physical space controller in machine room (typically roof level) or machine-room-less (MRL) installation in hoistway overhead. IP54 minimum for pit equipment. Car top inspection station required.

External Interfaces

System Interface Hex Code
Building Management System BACnet/IP or Modbus TCP, 1Hz polling, bidirectional — provides status (position, faults, energy), receives commands (VIP priority, floor lockout, schedules, fire alarm). Building operator owned. 50AD7B48
Building Fire Alarm Panel hardwired relay contacts (not software), Phase I recall, alternate floor, machine room and hoistway smoke detectors. EN 81-72 compliant. Fire system integrator owned. D4AD7858
Building Access Control System card reader/biometric at hall stations, RS-485 or IP, authorised floor list per credential. Security contractor owned. Must not override safety or fire recall. 50BD7819
Emergency Intercom / Telephone two-way voice in car to monitoring centre. Auto-dials on entrapment (>2min stationary between floors). Battery backed, GSM backup. EN 81-28. Telecom provider owned.

Hazard Register

Hazard Severity Frequency SIL Safe State
H-001: Uncontrolled car movement — car moves without valid command due to contactor welding, drive fault, or logic failure catastrophic rare SIL 3 motor de-energised, mechanical brake engaged, UCMP device activated
H-002: Overspeed in down direction — car exceeds rated speed due to VFD/brake failure or rope slippage catastrophic rare SIL 3 overspeed governor trips, progressive safety gear engages on car guide rails, car decelerates to stop
H-003: Door zone entrapment — passenger trapped between closing doors or car/landing gap critical medium SIL 2 doors re-open within 3s, door force limited to 150N, car held stationary
H-004: Car levelling failure — car stops >±10mm from floor level major medium SIL 1 re-levelling active, car repositioned to ±5mm, doors remain closed until level
H-005: Power failure with passengers trapped — mains loss with car between floors critical low SIL 2 ARD battery drives car to nearest floor at reduced speed, doors open, intercom active
H-006: Hoistway flooding/fire exposure — water ingress or fire/smoke in hoistway critical low SIL 2 fire recall to designated floor, doors open, motor de-energised, pit sump pump active
H-007: Counterweight derailment — counterweight leaves rails during seismic event or structural failure catastrophic rare SIL 3 seismic mode activated, car stopped at nearest floor, mechanical brakes engaged, hoistway access locked
H-008: Drive EMI corrupts safety signals — VFD interference causes incorrect position or false safety status critical low SIL 2 safety controller detects signal discrepancy, emergency stop, car held at current position

System Context

flowchart TB
  n1["system<br>Industrial Elevator Control System"]
  n2["actor<br>Building Occupants"]
  n3["actor<br>Maintenance Technician"]
  n4["actor<br>Facility Manager"]
  n5["actor<br>Fire Service"]
  n6["actor<br>Building Management System"]
  n7["actor<br>Fire Alarm Panel"]
  n8["actor<br>Access Control System"]
  n9["actor<br>Emergency Intercom"]
  n10["actor<br>Building Power Supply"]
  n2 -->|Hall/car calls, destination requests| n1
  n1 -->|Floor indicators, door status, audio| n2
  n3 -->|Maintenance commands, test inputs| n1
  n1 -->|Diagnostics, fault codes| n3
  n1 -->|Status, alarms, energy data| n4
  n5 -->|Phase II manual commands| n1
  n6 -->|Schedules, floor lockout, VIP priority| n1
  n1 -->|Car position, door state, faults| n6
  n7 -->|Phase I recall, smoke alarm| n1
  n8 -->|Authorised floor list per credential| n1
  n1 -->|Auto-dial on entrapment| n9
  n10 -->|3-phase mains, UPS, ARD battery| n1

Industrial Elevator Control System — Context

System Decomposition

flowchart TB
  n0["system<br>Industrial Elevator Control System"]
  n1["subsystem<br>Traction Drive Subsystem"]
  n2["subsystem<br>Safety Controller Subsystem"]
  n3["subsystem<br>Door Operator Subsystem"]
  n4["subsystem<br>Group Dispatch Controller"]
  n5["subsystem<br>Power Distribution Subsystem"]
  n6["subsystem<br>Building Integration Gateway"]
  n7["external<br>Building Management System"]
  n8["external<br>Fire Alarm Panel"]
  n2 -->|Brake permit, STO| n1
  n2 -->|Interlock status| n3
  n4 -->|Target floor| n1
  n4 -->|Door commands| n3
  n5 -->|3-phase power| n1
  n6 -->|BMS commands| n4
  n6 -->|Fire relay| n2
  n7 -->|BACnet/IP| n6
  n8 -->|Hardwired relay| n6

Industrial Elevator Control System — Decomposition

Decomposition Tree

Spec Tree — Per-Subsystem Completeness

Subsystem Diagram SIL Status
Traction Drive Subsystem Traction Drive Subsystem — Internal SIL 3 complete
Safety Controller Subsystem Safety Controller Subsystem — Internal SIL 3 complete
Door Operator Subsystem Door Operator Subsystem — Internal SIL 2 complete
Group Dispatch Controller Group Dispatch Controller — Internal complete
Power Distribution Subsystem Power Distribution Subsystem — Internal SIL 2 complete
Building Integration Gateway Building Integration Gateway — Internal complete

Stakeholder Requirements (STK)

Ref Requirement V&V Tags
STK-REQ-001 The Industrial Elevator Control System SHALL provide a maximum average waiting time of 30 seconds during peak traffic periods for hall calls at any floor.
Rationale: Building Occupant, Morning Rush scenario: 200+ workers arriving 07:30-09:00 require group dispatch to maintain <30s wait. Exceeding this causes lobby congestion and occupant dissatisfaction in commercial buildings.
Test stakeholder, stk-passenger, session-436, idempotency:stk-passenger-wait-time-436
STK-REQ-002 The Industrial Elevator Control System SHALL provide ride comfort with acceleration ≤1.5 m/s², jerk ≤2.0 m/s³, and floor levelling accuracy within ±5 mm of landing sill.
Rationale: Building Occupant, all operational scenarios: passengers expect smooth acceleration profiles and precise levelling for safe boarding. H-004 (levelling failure) derives from poor levelling causing trip hazards.
Test stakeholder, stk-passenger, session-436, idempotency:stk-passenger-ride-comfort-436
STK-REQ-003 The Industrial Elevator Control System SHALL provide accessible operation for mobility-impaired users in compliance with EN 81-70, including tactile buttons, audible announcements, and minimum 1100 mm car door opening.
Rationale: Building Occupant (mobility-impaired), Power Failure scenario: wheelchair user at floor 18 requires ARD to bring car to safe landing. EN 81-70 mandates accessibility features. Lifts Directive 2014/33/EU requires compliance.
Inspection stakeholder, stk-passenger, accessibility, session-436, idempotency:stk-passenger-accessibility-436
STK-REQ-004 The Industrial Elevator Control System SHALL provide exclusive hoistway access mode with all interlocks active, preventing car movement from group dispatch while a maintenance technician is working on the car top or in the pit.
Rationale: Maintenance Technician, Quarterly Maintenance scenario: technician riding car top at 0.3 m/s inspecting rails and ropes. Loss of exclusive access would expose technician to crushing hazard from adjacent car or unexpected car movement.
Test stakeholder, stk-technician, session-436, idempotency:stk-technician-access-436
STK-REQ-005 The Industrial Elevator Control System SHALL provide maintenance mode with car top and machine room inspection controls operating at ≤0.3 m/s, enabling inspection of the full shaft height within the 2-4 hour per-car maintenance window.
Rationale: Maintenance Technician, Quarterly Maintenance scenario: EN 81-20 requires inspection speed ≤0.3 m/s for car-top inspection. Technician must traverse full shaft to inspect rails, ropes, doors, safety gear, and governor tension.
Test stakeholder, stk-technician, session-436, idempotency:stk-technician-maintenance-mode-436
STK-REQ-006 The Industrial Elevator Control System SHALL provide real-time status reporting to the Building Management System including car position, fault codes, energy consumption, and operating mode at ≥1 Hz update rate.
Rationale: Facility Manager, all scenarios: BMS notifications trigger technician dispatch (45min ETA in Single Car Failure scenario). Without real-time status, facility manager cannot coordinate maintenance rotation or emergency response.
Test stakeholder, stk-facility-manager, session-436, idempotency:stk-facility-bms-status-436
STK-REQ-007 The Industrial Elevator Control System SHALL allow the facility manager to configure traffic patterns, floor lockouts, VIP priority assignments, and maintenance schedules via the BMS interface without requiring controller software modification.
Rationale: Facility Manager, Morning Rush and Single Car Failure scenarios: operator must adjust dispatch behaviour for peak periods and redirect passengers when cars are out of service. Configuration changes must not require OEM intervention to control operating costs.
Demonstration stakeholder, stk-facility-manager, session-436, idempotency:stk-facility-config-436
STK-REQ-008 When a fire alarm Phase I signal is received, the Industrial Elevator Control System SHALL cancel all car and hall calls and return all cars non-stop to the designated landing with doors open within 60 seconds.
Rationale: Fire Service, Fire Alarm Recall scenario: all cars must recall to ground floor for evacuation. Car 3 above fire floor must stop at floor 11 for passenger evacuation before continuing to ground. EN 81-72 mandates Phase I recall behaviour.
Test stakeholder, stk-fire-service, session-436, idempotency:stk-fire-recall-436
STK-REQ-009 When a firefighter key is inserted and turned, the Industrial Elevator Control System SHALL provide exclusive manual hold-to-run control of a single car with door override capability, disabling all automatic dispatch and group functions for that car.
Rationale: Fire Service, Fire Alarm Recall scenario: Phase II firefighter control per EN 81-72 and ASME A17.1. Firefighter needs exclusive control to reach fire floor, hold-to-run prevents unintended movement, door override allows venting or access.
Test stakeholder, stk-fire-service, session-436, idempotency:stk-fire-phase2-436
STK-REQ-010 The Industrial Elevator Control System SHALL maintain complete test records, fault logs, and modification history accessible to regulatory inspectors in compliance with EN 81-20 Annex A, retaining records for a minimum of 10 years.
Rationale: Regulatory Inspector: annual statutory inspections require brake torque records, ARD test results, safety circuit verification, and modification history. Inspector authority to condemn installation requires auditable evidence trail.
Inspection stakeholder, stk-inspector, session-436, idempotency:stk-inspector-records-436
STK-REQ-011 The Industrial Elevator Control System SHALL comply with EN 81-20, EN 81-50, EN 81-70, EN 81-72, EN 81-77, and the EU Lifts Directive 2014/33/EU, and SHALL be certifiable to IEC 61508 SIL 3 for safety-critical functions.
Rationale: Regulatory Inspector and OEM: H-001 (uncontrolled movement) and H-002 (overspeed) both rated SIL 3 require the safety controller to meet IEC 61508 SIL 3 systematic capability. Non-compliance blocks market access in EU and condemns the installation.
Analysis stakeholder, stk-inspector, regulatory, session-436, idempotency:stk-inspector-compliance-436
STK-REQ-012 The Industrial Elevator Control System SHALL use a modular controller architecture supporting component replacement and software updates over a 20-25 year service life without requiring full system replacement.
Rationale: OEM/System Integrator: elevator controllers have 20-25 year lifecycles. Discrete subsystems (drive, safety controller, dispatch) must be independently upgradeable. Non-modular designs force premature full-system replacement at 5-10x cost.
Analysis stakeholder, stk-oem, session-436, idempotency:stk-oem-modular-436
STK-REQ-013 The Industrial Elevator Control System SHALL operate within the environmental envelope of 0-50°C hoistway ambient, ≤40°C machine room, 5-95% RH non-condensing, and withstand EMI from co-located VFD and HVAC drives per EN 12016 (10 V/m radiated immunity).
Rationale: Environment as stakeholder: thermal and EMC constraints from industrial building environment. H-008 (drive EMI corrupting safety signals) is SIL 2 — safety controller must reject interference. EN 12015/12016 mandatory for CE marking.
Test stakeholder, stk-environment, session-436, idempotency:stk-environment-envelope-436
STK-REQ-014 The Industrial Elevator Control System SHALL operate from 3-phase 400 VAC/50 Hz supply with UPS sustaining the controller for a minimum of 30 minutes and ARD batteries providing at least 3 rescue cycles per car during mains failure.
Rationale: Environment as stakeholder, Power Failure scenario: UPS sustains controller for battery-powered car movement to nearest landing. H-005 (passengers trapped during power failure) rated SIL 2 requires defined ARD capacity. IEC 60364 grounding required.
Test stakeholder, stk-environment, power, session-436, idempotency:stk-environment-power-436

System Requirements (SYS)

Ref Requirement V&V Tags
SYS-REQ-001 The Industrial Elevator Control System SHALL implement group dispatch that achieves ≤30 s average waiting time with 4 cars serving 20 floors at 150% rated load during up-peak traffic of ≥200 passengers per 5-minute interval.
Rationale: Derives from STK-REQ-001 (passenger wait time). 200 passengers/5min is the morning rush peak from ConOps. 4-car group with 150% rated load is the design configuration. Failure to meet this causes lobby congestion and occupant complaints.
Test system, dispatch, session-436, idempotency:sys-group-dispatch-436
SYS-REQ-002 The Industrial Elevator Control System SHALL control car velocity to achieve acceleration ≤1.5 m/s², jerk ≤2.0 m/s³, and rated speed of 2.5 m/s, with floor-level positioning accuracy of ±5 mm maintained by closed-loop position control.
Rationale: Derives from STK-REQ-002 (ride comfort). ±5 mm levelling prevents trip hazards (H-004, SIL 1). 2.5 m/s rated speed enables 20-floor traverse within acceptable transit time. Jerk limit prevents passenger discomfort and load shifting.
Test system, motion, sil-1, session-436, idempotency:sys-motion-control-436
SYS-REQ-003 The Industrial Elevator Control System safety controller SHALL detect overspeed conditions exceeding 115% of rated speed and initiate progressive safety gear engagement within 200 ms, achieving SIL 3 per IEC 61508.
Rationale: H-002 (overspeed in down direction), SIL 3. EN 81-20 mandates overspeed governor with progressive safety gear. 115% threshold from EN 81-20 Table 7. 200 ms response ensures deceleration within shaft overrun distance.
Test rt-sil-gap, red-team-session-460
SYS-REQ-004 The Industrial Elevator Control System safety controller SHALL detect uncontrolled car movement exceeding 200 mm from floor level with doors open and engage the UCMP device within 300 ms, achieving SIL 3 per IEC 61508.
Rationale: H-001 (uncontrolled movement), SIL 3. UCMP per EN 81-20:2014 Clause 5.6.7.2. 200 mm threshold prevents passenger fall-through. Contactor welding or drive fault is the root cause — safety controller must be independent of main controller.
Test rt-sil-gap, red-team-session-460
SYS-REQ-005 The Industrial Elevator Control System SHALL monitor door closing force not to exceed 150 N and re-open doors within 3 seconds when an obstruction is detected in the door zone, achieving SIL 2 per IEC 61508.
Rationale: H-003 (door zone entrapment), SIL 2. EN 81-20 Clause 5.3.6 mandates 150 N max force. 3-second re-open prevents passenger injury. Light curtain and force sensor provide redundant detection.
Test rt-sil-gap, red-team-session-460
SYS-REQ-006 When mains power fails, the Industrial Elevator Control System SHALL drive each car to the nearest landing at ≤0.15 m/s using ARD batteries, open doors, and activate emergency lighting within 30 seconds of power loss, achieving SIL 2.
Rationale: H-005 (passengers trapped during power failure), SIL 2. Power Failure scenario: wheelchair user at floor 18 must reach landing. 0.15 m/s from ConOps. 30s limit ensures entrapment does not exceed EN 81-28 alarm trigger threshold.
Test system, safety, sil-2, power, session-436, idempotency:sys-ard-rescue-436
SYS-REQ-007 When a fire alarm Phase I signal is received, the Industrial Elevator Control System SHALL cancel all pending calls and deliver all cars to the designated landing within 60 seconds with doors open, per EN 81-72.
Rationale: Derives from STK-REQ-008 (fire recall). Fire Alarm scenario: 60s budget accounts for car at highest floor plus door operations. Floor lock-out of fire floor prevents cars stopping at hazard. Car above fire floor stops one below for evacuation first.
Test system, fire, sil-2, session-436, idempotency:sys-fire-recall-436
SYS-REQ-008 When a seismic P-wave is detected, the Industrial Elevator Control System SHALL decelerate all cars to the nearest floor within 10 seconds, open doors, and maintain safe-hold state for 60 seconds after the last trigger, per EN 81-77.
Rationale: H-007 (counterweight derailment), SIL 3 during active seismic event. Seismic scenario: P-wave detection gives 5-10s before S-wave arrival. 60s hold timer from ConOps. Post-event: low-speed inspection trip (0.3 m/s) required before normal service.
Test system, safety, sil-3, seismic, session-436, idempotency:sys-seismic-response-436
SYS-REQ-009 When one car in the group reports a non-safety-critical fault, the Industrial Elevator Control System SHALL remove that car from group dispatch and rebalance remaining cars to maintain ≤50 s average waiting time with N-1 cars.
Rationale: Derives from STK-REQ-001 and STK-REQ-006. Single Car Failure scenario: 3 remaining cars must rebalance, wait time rises to 45-50s. Degraded performance threshold must be explicit for BMS alerting.
Test system, dispatch, degraded, session-436, idempotency:sys-degraded-dispatch-436
SYS-REQ-010 The Industrial Elevator Control System SHALL provide a BACnet/IP interface to the Building Management System with ≥1 Hz status updates, supporting bidirectional command/status exchange per BACnet B-ASC device profile.
Rationale: Derives from STK-REQ-006 (BMS status). BACnet/IP from external interface definition. 1 Hz from ConOps. B-ASC profile provides standard object model for elevator status (position, faults, energy, mode).
Test system, interface, bms, session-436, idempotency:sys-bms-interface-436
SYS-REQ-011 The Industrial Elevator Control System SHALL reject electromagnetic interference from co-located VFDs and HVAC drives per EN 12016, maintaining safety signal integrity with no spurious safety trips at 10 V/m radiated immunity, achieving SIL 2 for safety signal paths.
Rationale: H-008 (drive EMI corrupts safety signals), SIL 2. EMC constraint from concept phase. Safety controller must detect signal discrepancy caused by EMI rather than acting on corrupted data. Shielded cabling mandatory for safety circuits.
Test system, safety, sil-2, emc, session-436, idempotency:sys-emi-immunity-436
SYS-REQ-012 The Industrial Elevator Control System SHALL achieve ≥99.5% availability measured over a rolling 12-month period, with mean time between failures ≥5000 hours for the complete system excluding scheduled maintenance windows.
Rationale: Derives from mission statement (>99.5% uptime). MTBF target derived from 4-car group: single car MTBF ≥1250h allows N-1 degraded operation within the 99.5% system availability budget.
Analysis system, reliability, session-436, idempotency:sys-availability-436
SYS-REQ-013 The Industrial Elevator Control System SHALL log all safety events, fault codes, maintenance actions, and parameter changes with timestamps, retaining logs for ≥10 years in non-volatile storage accessible to regulatory inspectors.
Rationale: Derives from STK-REQ-010 (test records). EN 81-20 Annex A requires comprehensive event logging. 10-year retention covers two statutory inspection cycles and typical liability periods.
Inspection system, logging, session-436, idempotency:sys-event-logging-436
SYS-REQ-016 The Industrial Elevator Control System SHALL comply with EU Lifts Directive 2014/33/EU, demonstrate conformity via the applicable conformity assessment route (Annex IV, VI, VII, or VIII), and carry CE marking prior to placing on the market, with a Declaration of Conformity maintained throughout the product lifecycle.
Rationale: EU Lifts Directive 2014/33/EU is the mandatory legal framework for lifts placed on the EU market. STK-REQ-011 requires compliance with 2014/33/EU as a non-negotiable regulatory constraint — failure to achieve CE marking makes the system unsaleable in the EU. The conformity assessment route is specified to avoid ambiguity about which Notified Body approval path applies.
Inspection system, compliance, regulatory, session-443, idempotency:sys-lifts-directive-compliance-443
SYS-REQ-017 The Industrial Elevator Control System SHALL report to the Building Management System the following status data items at a minimum update rate of 1 Hz: car position (floor and direction), fault codes (ISO 4190-5 format), real-time energy consumption per car (kWh ±2%), and current operating mode (standard-operation, independent-service, fire-recall, out-of-service).
Rationale: STK-REQ-006 specifies four distinct data items (position, fault codes, energy consumption, operating mode) that the BMS requires for building automation integration and energy reporting compliance. SYS-REQ-010 establishes the BACnet/IP transport at 1 Hz; this requirement defines the payload content to ensure all four stakeholder-required data types are transmitted. Energy reporting at ±2% is required for EU Energy Performance of Buildings Directive compliance for lifts in Class A commercial buildings.
Test system, interface, bms, session-443, idempotency:sys-bms-status-data-items-443
SYS-REQ-018 The Industrial Elevator Control System ARD batteries SHALL sustain at least 3 complete rescue cycles per car during mains failure, where one rescue cycle is defined as driving a fully loaded car from any floor to the nearest landing at ≤0.15 m/s with doors operated, after which the battery SHALL recover to ≥90% capacity within 8 hours of mains restoration.
Rationale: STK-REQ-014 requires 3 rescue cycles per car, which is the benchmark in EN 81-20 Annex D for ARD energy storage. SYS-REQ-006 only specifies that cars reach the nearest landing; it does not bound the number of sequential operations available in a blackout event. Three cycles covers worst-case: power fails during consecutive trip cycles before all cars complete rescue. The 8-hour recovery specification aligns with a standard work-shift interval to ensure the system is ready for the next workday.
Test system, safety, power, ard, sil-2, session-443, idempotency:sys-ard-rescue-cycles-443

Subsystem Requirements (SUB)

Ref Requirement V&V Tags
SUB-REQ-001 The Safety Controller Subsystem SHALL implement a dual-channel Safety CPU certified to IEC 61508 SIL 3, with each channel independently executing safety logic and a cross-channel comparison that triggers a discrepancy fault within 20 ms of channel divergence.
Rationale: IEC 61508 SIL 3 requires hardware fault tolerance HFT=1 for Type B subsystems at the Safety Integrity Level demanded by the EN 81-20 safety functions (overspeed, UCMP). Dual-channel architecture is the standard realisation. The 20 ms discrepancy window is derived from the 10 ms safety function reaction time plus one monitor cycle, ensuring faults are detected before a safety function mis-execution can propagate.
Test rt-implausible-value, red-team-session-460
SUB-REQ-002 The Speed and Position Monitor SHALL detect car velocity exceeding 115% of rated speed and assert an overspeed trip signal to the Safety CPU within 50 ms of the threshold crossing.
Rationale: Derived from SYS-REQ-003. 115% rated speed is the EN 81-20 Clause 5.6 overspeed governor calibration trigger point. 50ms is allocated to the Speed and Position Monitor from the 100ms total safety function response time budget; the remaining 50ms covers Safety CPU decision and Safety Output Actuator brake engagement.
Test rt-implausible-value, red-team-session-460
SUB-REQ-003 The Speed and Position Monitor SHALL detect uncontrolled car movement exceeding 200 mm from the landing level with the door zone open and assert a UCMP trip signal to the Safety CPU within 50 ms of threshold crossing.
Rationale: Derived from SYS-REQ-004. 200mm is the EN 81-20 Clause 5.6.7 maximum permitted uncontrolled movement before personnel entering or exiting the car are at risk of shear between car sill and landing sill. 50ms detection budget matches overspeed allocation, providing symmetric time-budget accounting.
Test rt-implausible-value, red-team-session-460
SUB-REQ-004 The Safety Chain Interface Module SHALL monitor the series safety circuit at ≥20 Hz scan rate and assert a safety chain open fault to the Safety CPU within 50 ms of any safety device contact opening.
Rationale: Derived from SYS-REQ-003. EN 81-20 Clause 14.1.2 mandates that the opening of any electrical safety device in the series chain must result in immediate machine stoppage. 20Hz scan ensures detection within one scan cycle at the 50ms budget allocation. Contacts monitored include: pit stop, buffers, final limit switches, car top inspection, door electrical safety devices, car gate, and slack rope.
Test rt-implausible-value, red-team-session-460
SUB-REQ-005 When the Seismic and Fire Interface receives a Phase I fire recall relay signal, the Safety Controller Subsystem SHALL command all cars to the designated recall floor and inhibit car operation within 5 s, per EN 81-72.
Rationale: Derived from SYS-REQ-007. EN 81-72 Clause 5.2 sets a 5-second maximum response time from fire recall signal to car motion towards recall floor. The Seismic and Fire Interface provides <5ms latency, leaving 4.995s for the Safety CPU command and drive response. Hardwired relay input (not software protocol) per IFC-REQ-002 ensures this path cannot be disrupted by network failure.
Test subsystem, safety-controller, sil-2, session-437, idempotency:sub-sc-fire-recall-437
SUB-REQ-006 When the Seismic and Fire Interface receives a seismic P-wave event signal, the Safety Controller Subsystem SHALL initiate immediate car deceleration to the nearest floor within 1 s, per EN 81-77 Level 1 response.
Rationale: Derived from SYS-REQ-008. EN 81-77 Clause 5.3.1 Level 1 specifies that on P-wave detection the elevator must reach the nearest floor and open doors before the destructive S-waves arrive, typically 5-20 seconds after P-wave. 1-second response ensures the car is moving to safety well within the P-to-S window. Seismic and Fire Interface <5ms latency is critical to meeting this budget.
Test subsystem, safety-controller, sil-2, session-437, idempotency:sub-sc-seismic-response-437
SUB-REQ-007 The Safety Output Actuator SHALL engage the electromechanical safety brake within 20 ms of receiving a brake-engage command from the Safety CPU, using two independent force-guided relays wired in series, with relay monitor contacts providing feedback confirmation to the Safety CPU.
Rationale: Derived from SYS-REQ-003. 20ms brake engagement is the Safety Output Actuator allocation within the 100ms total safety function response time. Force-guided relays per EN 61810-3 are required because they provide mechanical interlocking between normally-open and normally-closed contacts, preventing contact welding from causing undetected failure. Dual-relay series architecture achieves SIL 3 PFH requirement without relying on a single relay.
Test rt-implausible-value, red-team-session-460
SUB-REQ-008 When the Safety CPU detects a discrepancy fault, watchdog timeout, or internal diagnostic failure, the Safety Controller Subsystem SHALL transition to safe state (brake engaged, VFD inhibited, all car motion stopped) within 100 ms.
Rationale: IEC 61508 SIL 3 requires that detected dangerous failures result in transition to a defined safe state within the fault reaction time specified in the safety requirements specification. 100ms is derived from the EN 81-20 safety function response time budget. Safe state is: brake engaged (power removed from brake coil), VFD enable open (drive inhibited), car motion zero.
Test subsystem, safety-controller, sil-3, session-437, idempotency:sub-sc-safe-state-fault-437
SUB-REQ-009 The Safety Controller Subsystem SHALL perform a power-on self-test (POST) covering dual-channel RAM/ROM integrity, encoder signal plausibility, safety chain continuity, and relay coil drive circuits, and SHALL inhibit elevator operation until all POST checks pass.
Rationale: IEC 61508 Part 2 Clause 7.4.3 mandates periodic and start-up diagnostics for SIL 3 hardware. POST ensures that latent faults from the prior power-off period are detected before any motion is attempted. Elevator inhibition on POST failure prevents operation with an undetected fault condition; EN 81-20 requires that the elevator cannot be placed in service while a safety function is impaired.
Test subsystem, safety-controller, sil-3, session-437, idempotency:sub-sc-post-test-437
SUB-REQ-010 The Motor Control Unit SHALL regulate car velocity to track the commanded profile within ±0.05 m/s steady-state error and achieve stopping accuracy of ±5 mm relative to floor datum.
Rationale: Derived from SYS-REQ-002 (±5 mm stopping, ≤4 m/s). ±0.05 m/s steady-state band at 1 kHz loop closure; tighter than the system-level 4 m/s ceiling to leave margin for mechanical compliance in the rope system. 5 mm levelling accuracy required by EN 81-20 clause 5.6.3 for accessible landing.
Test subsystem, traction-drive, sil-3, session-439, idempotency:sub-traction-velocity-439
SUB-REQ-011 The Motor Control Unit SHALL generate velocity profiles with acceleration and jerk limited to ≤1.5 m/s² and ≤2.5 m/s³ respectively at all operating speeds.
Rationale: Derived from SYS-REQ-002. 1.5 m/s² acceleration cap from EN 81-20 occupant comfort limit and building structural load constraint. 2.5 m/s³ jerk limit prevents abrupt force transients on ropes and passengers.
Test subsystem, traction-drive, sil-3, session-439, idempotency:sub-traction-accel-439
SUB-REQ-012 The Motor Control Unit SHALL detect encoder-measured car velocity exceeding 115% of rated contract speed and assert an OVERSPEED fault signal to the Safety Controller within 50 ms of threshold crossing.
Rationale: Derived from SYS-REQ-003 (overspeed >115%). 50 ms detection latency is the tightest budget allowed before the Safety Controller must engage the governor; longer latency risks exceeding the mechanical overspeed governor trip threshold before electronic detection. SIL-3 function per IEC 62061 Table D.5.
Test rt-implausible-value, red-team-session-460
SUB-REQ-013 When mains power fails, the Electromagnetic Brake SHALL engage within 150 ms of 24 V DC coil de-energisation and hold the car stationary against 150% of motor rated torque.
Rationale: Derived from SYS-REQ-006 (power fail drives to nearest landing). Brake engages before MCU loses capacity to control velocity; 150 ms is within the UPS hold-up window. 150% torque hold accounts for maximum loaded car on maximum gradient rope wrap angle. Fail-safe spring-applied design is the safe state for SIL-3 power loss hazard.
Test subsystem, traction-drive, sil-3, session-439, idempotency:sub-traction-brake-engage-439
SUB-REQ-014 The Variable Frequency Drive SHALL comply with EN 12015 Class C2 conducted and radiated emission limits and shall not cause encoder signal bit-error rate to exceed 1e-6 during PWM switching at the rated switching frequency.
Rationale: Derived from SYS-REQ-011 (EMI rejection from co-located VFDs). PWM switching at 8–16 kHz induces common-mode currents; line reactors and EMI filter are required. Encoder BER of 1e-6 ensures speed feedback integrity for the closed-loop controller; violations cause positional drift at the floor landing.
Test subsystem, traction-drive, session-439, idempotency:sub-traction-emi-439
SUB-REQ-015 The Motor Control Unit SHALL detect encoder signal loss or quadrature error within 20 ms and assert an ENCODER_FAULT to the Safety Controller, transitioning the drive to zero-torque safe state.
Rationale: Loss of encoder feedback prevents accurate velocity or position computation; continued drive operation would produce uncontrolled acceleration. 20 ms fault detection is within the motor speed-change time constant at maximum jerk (motor inertia ~5 kg·m²), ensuring detection before runaway. SIL-3 diagnostic function per IEC 62061 clause 6.7.4.
Test rt-implausible-value, red-team-session-460
SUB-REQ-016 The Traction Drive Subsystem SHALL achieve mean time between failures of at least 50000 hours for the Variable Frequency Drive and Motor Control Unit, verified by component reliability analysis.
Rationale: Derived from SYS-REQ-012 (99.5% availability over 12 months). MTBF of 50000 h for drive electronics contributes to system availability budget; lower MTBF would make the drive the dominant failure contributor to missed availability target. Value from EN 81-20 annex reliability targets and field data from PMSM drive installations.
Analysis subsystem, traction-drive, session-439, idempotency:sub-traction-mtbf-439
SUB-REQ-017 The Electromagnetic Brake SHALL have dual independent coils such that failure of one coil does not reduce braking torque below 100% of motor rated torque.
Rationale: EN 81-20 clause 12.5.1 requires two independent braking elements for machine brakes. Each coil must independently hold full load to ensure a single-coil failure does not create an uncontrolled descent hazard. Inspection verified against manufacturer type-test certificate.
Inspection subsystem, traction-drive, sil-3, session-439, idempotency:sub-traction-brake-dual-439
SUB-REQ-018 The Power Distribution Subsystem SHALL transfer from mains to UPS backup supply within 20 ms of mains voltage dropping below 85% of nominal, maintaining 24V DC safety bus within ±5% throughout the transfer.
Rationale: Derived from SYS-REQ-006 (power fail response). 20ms transfer time is within the hold-up window provided by the MCU and Safety Controller hold-up capacitance; 85% threshold detects brownout before full dropout. ±5% voltage tolerance required by 24V DC relay and MCU power supply specifications.
Test rt-implausible-value, red-team-session-460
SUB-REQ-019 The UPS Module SHALL maintain 24V DC output for at least 30 minutes at full elevator safety load after mains failure, as required to complete emergency evacuation procedures.
Rationale: Derived from SYS-REQ-006 and EN 81-20 clause 12.9 (rescue operation power). 30 minutes is the minimum time for emergency services to reach the site and manually release passengers in a worst-case scenario.
Test subsystem, power-dist, sil-2, session-439, idempotency:sub-power-ups-holdtime-439
SUB-REQ-020 The Power Management Controller SHALL monitor battery State of Charge at 1 Hz and assert a LOW_BATTERY fault to the Safety Controller when SoC drops below 20%, triggering load shedding of non-critical loads.
Rationale: Deep discharge protection prevents battery damage and ensures the 30-minute hold-up budget is achievable on next power cycle. 20% threshold provides headroom against measurement uncertainty while leaving capacity for emergency brake operations.
Test subsystem, power-dist, session-439, idempotency:sub-power-batt-monitor-439
SUB-REQ-021 The Variable Frequency Drive SHALL accept 400V AC three-phase supply in the range 380–420V, 50 Hz ±2 Hz, and shall not draw more than 63A RMS per phase at peak regenerative or motoring load.
Rationale: Power source and current limit requirements for the VFD address the lint finding that Powered entities must have power budget requirements. 63A at 400V AC matches the installation circuit breaker rating; exceeding this trips the MCB and causes unplanned outage against SYS-REQ-012.
Test subsystem, traction-drive, power, session-439, idempotency:sub-vfd-power-439
SUB-REQ-022 The Building Integration Gateway SHALL reject any Building Management System command that would override a safety-critical elevator state (fire recall, seismic hold, emergency stop), and shall notify the BMS of the rejection within 500 ms via BACnet alarm object.
Rationale: Addresses lint finding that Functionally Autonomous BMS has no safety override constraints. The BMS operates independently and may issue conflicting commands; the gateway must enforce elevator safety state precedence to prevent BMS-commanded unsafe movements. 500ms notification enables BMS to log the event and alert building operators.
Test subsystem, building-integration, session-439, idempotency:sub-bms-override-439
SUB-REQ-023 The Door Operator Subsystem SHALL limit door closing force to ≤150 N measured at the leading edge of the car door panel at all points during the closing travel, measured in accordance with EN 81-20 clause 5.3.12.
Rationale: EN 81-20 clause 5.3.12 mandates 150 N maximum closing force to prevent injury to trapped persons. The Door Motor Drive torque control loop enforces this continuously; the test verifies that the force limit holds under worst-case conditions (low supply voltage, worn belt, maximum payload).
Test subsystem, door-operator, sil-2, session-440, idempotency:sub-door-closing-force-440
SUB-REQ-024 When the Multi-Ray Light Curtain or Safety Edge Contact Strip detects an obstruction during door closing, the Door Operator Subsystem SHALL reverse the door to the fully open position within 50 ms of signal activation.
Rationale: 50 ms reversal budget derived from EN 81-20 clause 5.3.11 reaction time allowance for powered closing devices. The light curtain and safety edge provide dual-channel detection per Cat 4 / PLe; reversal within 50 ms prevents contact force from exceeding the 150 N limit assuming approach speeds within the closing speed profile.
Test rt-implausible-value, red-team-session-460
SUB-REQ-025 When a Fire Phase I Recall command is received from the Safety Controller, the Door Operator Subsystem SHALL complete the current door cycle within 3 seconds, then hold the car doors open and disable call-driven door closure for the duration of the recall.
Rationale: EN 81-72 clause 8.5.3 requires the car to land at the designated floor with doors open during Phase I. Holding doors open prevents passenger entrapment during firefighter evacuation. 3 second maximum cycle time bounds lobby arrival delay to acceptable limits.
Demonstration subsystem, door-operator, sil-2, session-440, idempotency:sub-door-fire-recall-440
SUB-REQ-026 The Door Operator Subsystem SHALL verify that all monitored landing door interlock contacts are closed before issuing a car-movement-permitted signal to the Safety Controller, with detection of any open contact within 20 ms.
Rationale: EN 81-20 clause 8.9 prohibits car movement unless all landing doors are closed and locked. The 20 ms detection window is derived from the Safety Controller 50 ms reaction budget (SYS-REQ-003); interlock status must be valid before the Safety Controller acts on a move command.
Test rt-implausible-value, red-team-session-460
SUB-REQ-027 The Door Operator Subsystem SHALL control door panel velocity to a profile with maximum closing speed ≤0.3 m/s and shall decelerate to ≤0.1 m/s during the final 50 mm of travel before the fully-closed position.
Rationale: EN 81-20 clause 5.3.11 limits door closing kinetic energy to control contact impact. The 0.3 m/s maximum and 0.1 m/s final-approach limit ensure panel kinetic energy is within the 150 N equivalent impulse threshold at all approach velocities. The Door Position Encoder at 0.5 mm resolution enables precise velocity profiling during the final 50 mm deceleration zone.
Test subsystem, door-operator, sil-2, session-440, idempotency:sub-door-speed-profile-440
SUB-REQ-028 When the Door Control Unit detects a watchdog timeout, internal CPU fault, or loss of position encoder feedback, the Door Operator Subsystem SHALL de-energise the Door Motor Drive and open the safety chain within 100 ms, preventing car departure.
Rationale: SIL-2 safe state requirement. DCU failure must not result in a car departing with doors open. De-energising the motor drive defaults to mechanical brake applied; opening the safety chain is a redundant action that prevents Safety Controller from issuing a move command, achieving HFT=1 for the combined door safety function.
Test subsystem, door-operator, sil-2, session-440, idempotency:sub-door-safe-state-440
SUB-REQ-029 The Door Operator Subsystem SHALL achieve a mean time between failures (MTBF) of ≥500,000 door cycles under the rated load conditions specified in EN 81-20 Annex A.
Rationale: Industrial elevator duty cycle averages 200 cycles/day in a heavy-use commercial building; 500,000 cycles equates to approximately 6.8 years before expected component replacement, matching the standard maintenance interval for door operator mechanical components (EN 81-80).
Analysis subsystem, door-operator, session-440, idempotency:sub-door-mtbf-440
SUB-REQ-030 The Group Dispatch Controller SHALL achieve average passenger waiting time ≤30 seconds during up-peak traffic (200 persons/5 minutes on the entry floor) for a building served by ≥4 cars.
Rationale: SYS-REQ-001 mandates ≤30s average waiting time. The 200 persons/5 min loading rate is the EN 81-20 Annex B heavy-traffic standard for commercial buildings. At ≥4 cars, destination dispatch algorithms achieve this threshold; simulation and acceptance trial data from comparable installations confirm this bound.
Test rt-missing-failure-mode, red-team-session-460
SUB-REQ-031 The Group Dispatch Controller SHALL re-evaluate car assignments within 100 ms of any new hall call registration or car state change.
Rationale: Responsiveness to new calls determines the system's ability to minimise waiting time. 100 ms re-evaluation cycle at 10 Hz allows the dispatch engine to react to new calls before the nearest car has travelled more than 0.15 m at rated speed, preventing assignment delay from causing missed stops.
Test rt-missing-failure-mode, red-team-session-460
SUB-REQ-032 When one car in the group reports a non-safety-critical fault, the Group Dispatch Controller SHALL reassign all pending calls from the faulted car within 5 seconds and exclude the faulted car from future assignments until fault clearance.
Rationale: Derived from SYS-REQ-009. 5 second reassignment window prevents passengers from waiting at a faulted car indefinitely; in practice, call reassignment occurs within 1 dispatch cycle (100ms) but 5s allows for edge cases where multiple cars are simultaneously in door zones.
Demonstration subsystem, group-dispatch, session-440, idempotency:sub-gdc-fault-reassign-440
SUB-REQ-033 The BACnet/IP Stack SHALL publish elevator group status (car positions, fault codes, operating mode, energy consumption) as BACnet analog and binary objects at ≥1 Hz update rate with ≤500 ms latency from subsystem state change to BACnet object update.
Rationale: SYS-REQ-010 requires ≥1 Hz BACnet/IP status updates to BMS. The 500 ms latency ceiling ensures BMS dashboards and HVAC integration reactions occur within human attention span; at 1 Hz update rate, a 500 ms latency still satisfies the 1 Hz requirement. B-ASC device profile mandates analog and binary presentation of status data.
Test subsystem, building-integration-gateway, session-441, idempotency:sub-big-bacnet-status-441
SUB-REQ-034 The Event Logger SHALL record all safety events, fault codes, maintenance actions, and parameter changes with NTP-synchronised timestamps (±1 s accuracy), retaining records for a minimum of 10 years at the design event rate of ≤50 events per day, and SHALL protect record integrity using SHA-256 hash chaining detectable at export.
Rationale: SYS-REQ-013 requires logging of safety events, fault codes, maintenance actions, and parameter changes. EN 81-20 Clause 5.12 mandates tamper-evident records with 10-year retention. Hash chaining provides forensic integrity for incident investigation and insurance claims; a broken hash chain is detectable at export, meeting the tamper-evident requirement without requiring secure hardware enclaves.
Inspection subsystem, building-integration-gateway, session-441, idempotency:sub-big-event-logger-441
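The SHA-256 hash chaining called for in SUB-REQ-034, shown as an added example. This is not the project's Event Logger; the record layout, the field names and the all-zero genesis value are assumptions, and the sample events are constructed. It shows what an export-time chain check detects and, equally important, what it does not.

```python
import copy
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Previous-hash value for the first record (assumed convention).
GENESIS = "0" * 64
BODY_KEYS = ("seq", "ts", "kind", "detail")


def record_digest(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous digest plus a canonical JSON encoding of the
    record body. Sorted keys and fixed separators make the export-time
    verifier reproduce byte-for-byte what the logger hashed."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


@dataclass
class EventLog:
    """Append-only log; each record carries the digest of its predecessor."""
    entries: List[dict] = field(default_factory=list)

    def append(self, ts: str, kind: str, detail: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "kind": kind, "detail": detail}
        entry = dict(body, prev=prev, hash=record_digest(prev, body))
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[dict]) -> Optional[int]:
    """Export-time check. Returns None when the chain is intact, otherwise the
    index of the first record whose sequence number, prev link or digest does
    not match what its predecessor implies."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: e[k] for k in BODY_KEYS}
        if e["seq"] != i or e["prev"] != prev or e["hash"] != record_digest(prev, body):
            return i
        prev = e["hash"]
    return None


def build_sample_log() -> EventLog:
    """Constructed sample events (not real field data)."""
    log = EventLog()
    log.append("2026-03-27T08:00:00Z", "SAFETY", "UCMP trip asserted, car 2")
    log.append("2026-03-27T08:05:12Z", "PARAM", "door closing force limit set to 150 N")
    log.append("2026-03-27T09:30:00Z", "MAINT", "brake coil inspection completed")
    return log


def tamper_demo() -> dict:
    """Which manipulations the chain detects: an edited record, a record
    deleted from the middle, and a record truncated from the tail."""
    log = build_sample_log()
    edited = copy.deepcopy(log.entries)
    edited[1]["detail"] = "door closing force limit set to 300 N"
    deleted = copy.deepcopy(log.entries)
    del deleted[1]
    truncated = log.entries[:-1]
    return {
        "intact": verify_chain(log.entries),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated": verify_chain(truncated),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The edited record and the deleted middle record are caught at index 1, but dropping the newest record leaves a chain that still verifies: plain hash chaining proves nothing about the head. An export that is meant to be tamper-evident therefore also needs the expected record count and head digest delivered by a separate path (a signed export manifest, or a counter the inspector reads from the device), which is the one piece the requirement text leaves implicit.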
SUB-REQ-035 The Access Control Interface Module SHALL validate per-credential floor authorisation requests within ≤500 ms using a locally cached authorisation table updated from the building access control system at ≤30 s intervals, and SHALL NOT permit access control commands to override fire recall or emergency stop states.
Rationale: SYS-REQ-010 requires bidirectional command exchange; IFC-REQ-003 specifies ≤500 ms credential validation response time. Local caching at 30 s intervals maintains operation during network intermittency while keeping authorisation current. The safety override prohibition derives from the requirement that only the Safety Controller may initiate or cancel safety states (SYS-REQ-007 and SYS-REQ-008).
Test subsystem, building-integration-gateway, session-441, idempotency:sub-big-access-ctrl-441
SUB-REQ-036 The Emergency Communications Unit SHALL detect car entrapment (car stationary between floor zones for >2 minutes) and automatically initiate two-way voice communication to the 24/7 monitoring centre via PSTN primary connection within 30 s of entrapment detection, with automatic GSM fallback if PSTN is unavailable, and SHALL maintain this capability from internal battery for ≥24 hours standby and ≥1 hour active call.
Rationale: IFC-REQ-004 requires EN 81-28 compliant emergency communications with auto-dialling on entrapment (>2 minutes stationary between floors), battery backup, and GSM fallback. EN 81-28 specifies ≥24 h standby and ≥1 h active call for battery backup. The 30 s auto-dial initiation window ensures the monitoring centre receives notice while the entrapment cause is still recoverable (before passenger distress escalates).
Test subsystem, building-integration-gateway, session-441, idempotency:sub-big-emergency-comms-441
SUB-REQ-037 When the Building Integration Gateway loses communication with the BMS for >5 s, the BACnet/IP Stack SHALL log the communication fault, cease forwarding BMS commands to the Group Dispatch Controller, and continue operating in the last-known safe state until connectivity is restored; it SHALL NOT initiate any car movement commands independently.
Rationale: A BMS communication failure must not leave the elevator in an ambiguous command state. Ceasing BMS command forwarding prevents stale or repeated commands from being executed after reconnection. The 5 s timeout balances detection speed against transient network interruptions; below 5 s, normal IP network retransmission would generate false faults.
Test subsystem, building-integration-gateway, session-441, idempotency:sub-big-safe-state-441
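The three gateway rules above share one enforcement point: safety-state precedence over BMS commands (SUB-REQ-022), the ban on access-control overrides (SUB-REQ-035) and suspension of forwarding on BMS link loss (SUB-REQ-037). The following is an added example of that logic, not the project's gateway code; the command vocabulary, the credential table layout and the scenario timings other than the 500 ms, 30 s and 5 s figures from the requirements are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Safety states owned by the Safety Controller (SUB-REQ-022 / SUB-REQ-035).
SAFETY_STATES = {"FIRE_RECALL", "SEISMIC_HOLD", "EMERGENCY_STOP"}
# Assumed BMS command vocabulary: the ones that would move a car or release
# a hold must never override an active safety state.
CAR_AFFECTING = {"DISPATCH_CAR", "RETURN_TO_SERVICE", "CLEAR_HOLD", "UNLOCK_FLOOR"}
BMS_TIMEOUT_S = 5.0        # SUB-REQ-037
ALARM_DEADLINE_S = 0.5     # SUB-REQ-022


@dataclass
class Gateway:
    active_safety: Set[str] = field(default_factory=set)
    auth_cache: Dict[str, Set[int]] = field(default_factory=dict)  # credential -> floors
    last_bms_rx_s: float = 0.0
    link_down: bool = False
    reconnected_at_s: Optional[float] = None
    forwarded: List[dict] = field(default_factory=list)   # commands passed to dispatch
    alarms: List[dict] = field(default_factory=list)      # BACnet alarm objects raised
    faults: List[str] = field(default_factory=list)

    # --- Safety state precedence (SUB-REQ-022) ---
    def set_safety_state(self, state: str, active: bool) -> None:
        assert state in SAFETY_STATES
        (self.active_safety.add if active else self.active_safety.discard)(state)

    def handle_bms_command(self, cmd: str, issued_s: float, now_s: float) -> str:
        """Returns REJECTED, DROPPED_STALE or FORWARDED."""
        self._note_rx(now_s)
        if self.active_safety and cmd in CAR_AFFECTING:
            # The rejection is notified to the BMS as an alarm within 500 ms.
            self.alarms.append({"t": now_s, "cmd": cmd,
                                "reason": sorted(self.active_safety),
                                "deadline": now_s + ALARM_DEADLINE_S})
            return "REJECTED"
        if self.reconnected_at_s is not None and issued_s < self.reconnected_at_s:
            # Queued during the outage: the BMS must reissue it against fresh state.
            return "DROPPED_STALE"
        self.forwarded.append({"t": now_s, "cmd": cmd})
        return "FORWARDED"

    # --- Link supervision (SUB-REQ-037) ---
    def heartbeat(self, now_s: float) -> None:
        self._note_rx(now_s)

    def _note_rx(self, now_s: float) -> None:
        if self.link_down:
            self.link_down = False
            self.reconnected_at_s = now_s
        self.last_bms_rx_s = now_s

    def check_link(self, now_s: float) -> bool:
        """Periodic check; logs the fault once and suspends forwarding."""
        if not self.link_down and now_s - self.last_bms_rx_s > BMS_TIMEOUT_S:
            self.link_down = True
            self.faults.append(f"BMS link lost at t={now_s:.1f}s; BMS forwarding suspended")
        return not self.link_down

    # --- Credential validation against the local cache (SUB-REQ-035) ---
    def validate_credential(self, credential: str, floor: int) -> str:
        if self.active_safety & {"FIRE_RECALL", "EMERGENCY_STOP"}:
            return "DENIED_SAFETY_STATE"  # access control never overrides these
        return "GRANTED" if floor in self.auth_cache.get(credential, set()) else "DENIED"


def scenario() -> dict:
    """Constructed walk-through: fire recall, clearance, then a 6 s BMS outage."""
    gw = Gateway(auth_cache={"CARD-0001": {1, 2, 3}})
    gw.heartbeat(0.0)
    out = {}
    gw.set_safety_state("FIRE_RECALL", True)
    out["dispatch_during_fire"] = gw.handle_bms_command("DISPATCH_CAR", 1.0, 1.0)
    out["energy_mode_during_fire"] = gw.handle_bms_command("SET_ENERGY_MODE", 1.2, 1.2)
    out["credential_during_fire"] = gw.validate_credential("CARD-0001", 2)
    gw.set_safety_state("FIRE_RECALL", False)
    out["dispatch_after_clear"] = gw.handle_bms_command("DISPATCH_CAR", 2.0, 2.0)
    out["credential_after_clear"] = gw.validate_credential("CARD-0001", 2)
    out["credential_wrong_floor"] = gw.validate_credential("CARD-0001", 9)
    out["link_ok_at_6"] = gw.check_link(6.0)   # 4 s quiet: still inside the 5 s window
    out["link_ok_at_8"] = gw.check_link(8.0)   # 6 s quiet: fault logged, forwarding off
    out["stale_after_reconnect"] = gw.handle_bms_command("UNLOCK_FLOOR", 4.0, 8.5)
    out["fresh_after_reconnect"] = gw.handle_bms_command("UNLOCK_FLOOR", 8.6, 8.6)
    out["alarms"], out["faults"] = len(gw.alarms), len(gw.faults)
    return out


if __name__ == "__main__":
    print(scenario())
```

The staleness rule is the part worth testing hardest: the requirement says reconnection must not replay commands that were queued during the outage, so the gateway keys the decision on the command's own issue time rather than on the time it happened to arrive. A BMS that does not timestamp its commands cannot be given this guarantee, which is a point to settle in the IFC requirements.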
SUB-REQ-039 The Speed and Position Monitor SHALL operate from a 24V DC safety-rail supply in the range 22-28V DC, with maximum power consumption of 5W at 24V, and shall remain operational when supply voltage drops to 20V DC for up to 100 ms during switching transients.
Rationale: Position monitor is SIL 3 Powered component per IEC 61508. The 24V safety rail is standard for safety-critical elevator subsystems. 5W budget covers FPGA-class dual-channel encoder decoding. The 100ms low-voltage tolerance covers ATS switchover per ARC-REQ-008.
Test idempotency:sub-posmon-power-442
SUB-REQ-040 The Safety Output Actuator SHALL be powered from the 24V DC safety rail in the range 22-28V DC with maximum steady-state current draw of 2A, and shall maintain brake-hold state during supply brownout down to 18V DC for up to 50 ms.
Rationale: Safety Output Actuator has Powered trait with physical brake drive coils. The 24V safety rail provides UPS-backed power per ARC-REQ-008. The 2A peak reflects dual 24V brake coil energisation. The 50ms brownout tolerance is derived from UPS hold-up time under worst-case load.
Test idempotency:sub-soa-power-442
SUB-REQ-042 The Safety Controller subsystem SHALL be implemented as a standalone DIN-rail mounted module within the controller cabinet, physically separated from the main controller PCB by at least 100mm, with the Safety Output Actuator relay drivers on a dedicated PCB segregated from logic circuits.
Rationale: Physical separation of safety controller from main controller is required by IEC 61508 SIL 3 to prevent common-cause failures from PCB manufacturing defects, thermal coupling, and EMC interference. A minimum 100mm separation is per IEC 61010-1 creepage and clearance requirements at 300V working voltage.
Inspection idempotency:sub-safety-ctrl-physical-442
SUB-REQ-043 The Motor Control Unit SHALL be implemented as a PCB assembly within the Variable Frequency Drive enclosure, cooled by the VFD heatsink and cooling fan, with the MCU processor and gate driver circuits segregated on separate PCB layers to minimise switching noise coupling.
Rationale: Motor Control Unit is physically co-located with the VFD to minimise gate drive signal path length and reduce switching noise immunity requirements. PCB layer segregation between digital MCU and high-voltage gate drivers is required by IEC 61800-3 EMC category C2 for VFDs in residential environments.
Inspection idempotency:sub-mcu-physical-442
SUB-REQ-044 The Group Dispatch Controller SHALL, upon receipt of a fire recall command from the Safety Controller, cancel all hall and car calls for all cars in the group, route each car via the most direct path to the designated fire service landing, and complete all car deliveries to the designated landing within 60 seconds of fire recall command receipt.
Rationale: SYS-REQ-007 requires all cars delivered to designated landing within 60 seconds; this SUB requirement decomposes that into the specific Group Dispatch Controller actions: call cancellation, optimal routing, and timing bound. The Group Dispatch Controller is the only subsystem that controls inter-car routing decisions; delegating fire recall logic here keeps the Safety Controller focused on safety signal processing rather than traffic management.
Test rt-untestable, red-team-session-460
SUB-REQ-045 The Power Distribution Subsystem ARD battery bank SHALL provide energy capacity to sustain 3 complete rescue cycles per car at full rated load simultaneously for all cars in the group, with battery capacity verified at ≥100% SoC under maximum load during commissioning and re-verified at ≥80% SoC at annual maintenance intervals.
Rationale: SYS-REQ-018 requires 3 rescue cycles per car; this SUB requirement assigns the battery sizing obligation to the Power Distribution Subsystem which owns the UPS/ARD energy storage and capacity management. The simultaneous-all-cars worst case bounds the battery bank at group level, preventing undersizing when multiple cars lose mains simultaneously. Annual re-verification at 80% minimum SoC accounts for battery ageing per IEC 62133 cycle life specification.
Test subsystem, power-distribution-subsystem, ard, sil-2, session-443, idempotency:sub-pds-ard-battery-3cycles-443
SUB-REQ-046 The Building Integration Gateway SHALL implement the BACnet B-ASC (Advanced Application Specific Controller) device profile per ASHRAE 135-2020, supporting BACnet/IP transport layer, with a minimum of 40 BACnet objects covering car status, fault log, energy metering, and floor lockout command objects for each car in the group.
Rationale: SYS-REQ-010 requires BACnet/IP with B-ASC device profile; this SUB requirement decomposes the specific BACnet object model required to carry the four data types from SYS-REQ-017 (position, faults, energy, mode) plus floor lockout commands from BMS. B-ASC is the appropriate profile for application controllers that interface to BMS servers — B-BC (Building Controller) would be over-specified. The 40-object minimum covers 4 cars × 10 objects each (present-value, reliability, event-state, out-of-service, status-flags plus 5 data-type specific objects).
Test subsystem, building-integration-gateway, bacnet, session-443, idempotency:sub-big-bacnet-bASC-profile-443
SUB-REQ-047 The Safety Controller Subsystem SHALL, upon receipt of a seismic P-wave trigger from the seismic detector, issue a deceleration command to each car to bring it to a stop at the nearest accessible floor, complete all car stops within 10 seconds of P-wave trigger, hold all cars at the stopped floor with doors open for 60 seconds, and prevent car movement for the duration of the hold period regardless of car call and hall call dispatch commands.
Rationale: SYS-REQ-008 requires all cars stopped at nearest floor within 10 seconds and held for 60 seconds after seismic trigger per EN 81-77. The Safety Controller is the designated responder because it has authority to override normal dispatch commands and directly brake cars independently of the main controller. The 10-second bound is derived from EN 81-77 Section 4.6.1 maximum stopping distance limit for 1 m/s² deceleration from rated speed. The 60-second hold prevents cars re-entering service while aftershocks are still probable.
Test subsystem, safety-controller-subsystem, seismic, sil-2, session-443, idempotency:sub-sc-seismic-decel-443
SUB-REQ-048 The Safety Controller Subsystem and all safety-critical signal paths SHALL maintain operational integrity under radiated electromagnetic fields of 10 V/m (80 MHz–1 GHz) per EN 12016:2013, with no spurious safety trips, nuisance stops, or false state transitions during or after exposure.
Rationale: SYS-REQ-011 mandates EN 12016 immunity at 10 V/m for safety signal integrity at SIL 2. Subsystem-level immunity testing is required by IEC 61508 Part 2 (Table A.17) for validation of immunity margins in co-located VFD and HVAC drive environments. Without this requirement, there is no traceable path from the system EMC mandate to subsystem acceptance criteria.
Test subsystem, safety-controller, emc, sil-2, session-444, idempotency:sub-safety-emc-immunity-444
SUB-REQ-049 The Industrial Elevator Control System controller cabinet SHALL be housed in a steel enclosure rated IP54 per IEC 60529, with overall external dimensions not exceeding 800 mm H × 600 mm W × 250 mm D, installed in the designated machine room with a panel-mounted OLED display and membrane keypad for local parameter access.
Rationale: SYS-REQ-015 specifies the physical housing and installation constraints for the controller cabinet. IP54 protection is necessary to prevent dust ingress and water splash contamination in machine room environments. The dimension constraint ensures compatibility with standard machine room allocation as specified in EN 81-20 machine room layout requirements. Inspection verification is appropriate as the enclosure rating and dimensions are directly measurable at factory acceptance.
Inspection rt-missing-failure-mode, red-team-session-460
SUB-REQ-050 The Industrial Elevator Control System SHALL comply with EU Lifts Directive 2014/33/EU and carry CE marking, with a signed Declaration of Conformity referencing the applicable conformity assessment module maintained throughout the product lifecycle and made available to regulatory inspectors within 48 hours of request.
Rationale: SYS-REQ-016 mandates EU Lifts Directive compliance and CE marking as a legal prerequisite for placing the system on the EU market. The Declaration of Conformity is a mandatory document under Article 13 of the Directive. Inspection verification is appropriate as compliance is demonstrated through documentation review and conformity assessment records rather than functional test.
Inspection subsystem, building-integration-gateway, compliance, session-444, idempotency:sub-eu-lifts-directive-ce-444
SUB-REQ-051 The Safety Controller Subsystem SHALL implement a watchdog-supervised hot standby architecture where the secondary channel monitors primary channel health and asserts a safe stop output within 50 ms of detecting primary channel failure, ensuring no single-point failure causes loss of the safety function.
Rationale: IEC 61508 SIL-3 with System-Essential classification requires redundancy for any component whose failure could defeat all safety functions simultaneously. The 50 ms switchover budget is derived from the 100 ms total safety reaction time: 50 ms for detection and switchover leaves 50 ms for actuator engagement. Hot standby (vs cold) is required because elevator safety functions must be continuously active during car motion.
Test rt-implausible-value, red-team-session-460
SUB-REQ-052 The Group Dispatch Controller SHALL implement stateful failover such that, when the active dispatch instance becomes unresponsive for more than 200 ms, the standby instance assumes dispatch authority without loss of in-progress car assignments, maintaining group dispatch throughput at ≥80% of rated capacity.
Rationale: The Group Dispatch Controller is System-Essential: its failure causes complete loss of group elevator service. 200 ms failover window is derived from the 1 s passenger perceived response latency budget; 800 ms for assignment re-evaluation leaves 200 ms for failover. 80% throughput floor maintains acceptable service during the switchover period. IEC 62061 requires that system-essential functions implement redundancy or monitored single-channel architectures.
Test subsystem, group-dispatch-controller, session-445, idempotency:sub-gdc-redundancy-failover-445
SUB-REQ-053 The Variable Frequency Drive SHALL implement a defined state machine with states: Idle, Ready, Accelerating, Running, Decelerating, Braking, Fault, and Emergency-Stop; transitions between states SHALL be governed by command inputs and motor feedback, and an invalid transition request SHALL be rejected within 5 ms with a fault event logged.
Rationale: The VFD is State-Transforming (UHT trait): it changes motor energy state and elevator car kinetic state across a bounded set of operating modes. Undefined transitions are a root cause of elevator runaway incidents documented in NTSB elevator safety reports. The 5 ms rejection latency ensures fault detection within one motor control cycle at 200 Hz update rate. Explicit state machine is required by IEC 61800-5-2 SIL functional safety for drive systems.
Test subsystem, traction-drive, session-445, idempotency:sub-vfd-state-machine-445
SUB-REQ-054 The Door Operator Subsystem SHALL implement a defined door state machine with states: Fully-Closed, Opening, Fully-Open, Closing, Obstructed, Fault; the system SHALL prevent a Closing-to-Opening transition in less than 200 ms to protect door mechanism, and SHALL enter Fault state if door position sensor disagreement persists for more than 500 ms.
Rationale: The Door Operator Subsystem is State-Transforming: it physically moves the door through a sequence of bounded mechanical states. The 200 ms minimum dwell on direction reversal is derived from motor inertia specifications for the brushless door motor to prevent mechanical stress; it constrains reversal of motor direction only and must be reconciled with the 50 ms obstruction reversal budget of IFC-REQ-016 (closing torque is removed immediately on entering Obstructed; re-opening waits out the dwell). The 500 ms sensor disagreement timeout is the maximum tolerable period before a stuck-door hazard materialises, per EN 81-20 Clause 5.3.3 door protection requirements.
Test subsystem, door-operator, session-445, idempotency:sub-dos-state-machine-445
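Added example for SUB-REQ-053 and SUB-REQ-054 (not the report's own code): a table-driven state machine in Python in which every (state, command) pair absent from the table is rejected and logged, shown for the door operator because it also carries the two timing guards. The command names, and the reconciliation of the 200 ms reversal dwell with the 50 ms obstruction budget (obstruction removes closing torque at once via the Obstructed state; the motor reverses direction only after the dwell), are assumptions for illustration. The same structure, with Emergency-Stop reachable from every state, serves the VFD machine.

```python
"""Guarded, table-driven door state machine (added example for SUB-REQ-054; the
same shape serves the VFD machine of SUB-REQ-053).  All times are milliseconds.
Assumed, not from the report: Obstructed removes closing torque immediately, and
the 200 ms dwell guard applies only to the Closing/Obstructed -> Opening reversal."""

CLOSED, OPENING, OPEN, CLOSING, OBSTRUCTED, FAULT = (
    "Fully-Closed", "Opening", "Fully-Open", "Closing", "Obstructed", "Fault")

# (current state, command) -> next state.  Any pair not listed is an invalid
# transition request: it is rejected and logged, never acted on.
TRANSITIONS = {
    (CLOSED, "open"): OPENING,
    (OPENING, "at_open_limit"): OPEN,
    (OPEN, "close"): CLOSING,
    (CLOSING, "at_closed_limit"): CLOSED,
    (CLOSING, "obstruction"): OBSTRUCTED,   # torque off at once (50 ms budget, IFC-REQ-016)
    (CLOSING, "open"): OPENING,            # direction reversal: subject to the dwell guard
    (OBSTRUCTED, "open"): OPENING,         # re-open once the dwell has elapsed
    (OBSTRUCTED, "close"): CLOSING,
    (FAULT, "reset"): CLOSED,              # maintenance reset is the only way out of Fault
}
MIN_REVERSAL_DWELL_MS = 200
SENSOR_DISAGREEMENT_LIMIT_MS = 500


class DoorStateMachine:
    def __init__(self, now_ms=0):
        self.state = CLOSED
        self.entered_at = now_ms      # when the current state was entered
        self.closing_since = None     # start of the most recent Closing phase
        self.disagree_since = None    # start of the current sensor disagreement
        self.faults = []              # (time, state, detail) fault events, logged per SUB-REQ-054

    def _enter(self, new_state, now_ms):
        if new_state == CLOSING:
            self.closing_since = now_ms
        self.state, self.entered_at = new_state, now_ms

    def command(self, now_ms, cmd):
        """Apply a command; return True if the transition was taken, False if rejected."""
        target = TRANSITIONS.get((self.state, cmd))
        if target is None:
            self.faults.append((now_ms, self.state, f"invalid transition request '{cmd}'"))
            return False
        # Guard: the motor may not reverse to Opening within 200 ms of starting to close.
        if target == OPENING and self.state in (CLOSING, OBSTRUCTED):
            elapsed = now_ms - self.closing_since
            if elapsed < MIN_REVERSAL_DWELL_MS:
                self.faults.append((now_ms, self.state, f"reversal refused after {elapsed} ms"))
                return False
        self._enter(target, now_ms)
        return True

    def sensor_update(self, now_ms, sensor_a_closed, sensor_b_closed):
        """Feed the two door position sensors; enter Fault if they disagree for >500 ms."""
        if sensor_a_closed == sensor_b_closed:
            self.disagree_since = None
            return self.state
        if self.disagree_since is None:
            self.disagree_since = now_ms
        elif now_ms - self.disagree_since > SENSOR_DISAGREEMENT_LIMIT_MS and self.state != FAULT:
            self.faults.append((now_ms, self.state, "door position sensor disagreement > 500 ms"))
            self._enter(FAULT, now_ms)
        return self.state


def run_scenario():
    """Constructed scenario; returns the observations worth checking."""
    d = DoorStateMachine()
    r = {}
    r["open_ok"] = d.command(0, "open")                  # Fully-Closed -> Opening
    r["close_while_opening"] = d.command(10, "close")    # not in the table -> rejected
    d.command(1500, "at_open_limit")
    d.command(2000, "close")                             # Closing starts at t = 2000
    r["early_reversal"] = d.command(2100, "open")        # 100 ms into Closing -> refused
    r["obstruction"] = d.command(2120, "obstruction")    # torque off immediately
    r["reopen_after_dwell"] = d.command(2250, "open")    # 250 ms into Closing -> allowed
    r["state_after_reopen"] = d.state
    for t in (3000, 3400, 3600):                         # sensors disagree for 600 ms
        d.sensor_update(t, True, False)
    r["state_after_disagreement"] = d.state
    r["command_in_fault"] = d.command(3700, "open")      # only 'reset' leaves Fault
    r["fault_count"] = len(d.faults)
    return r
```

Every rejection lands in `faults` with the state it was rejected from, which is the record the 5 ms "rejected with a fault event logged" clause of SUB-REQ-053 needs; the guard runs only after the table lookup, so a command that is both untabulated and early is reported as the former.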
SUB-REQ-055 The Industrial Elevator Control System controller cabinet SHALL be housed in a sheet steel enclosure rated IP54 per IEC 60529, with external dimensions not exceeding 800 mm height x 600 mm width x 250 mm depth, flush-mounted panel display and 16-key service keypad, and cable entry points sealed with IP54-rated glands on the underside.
Rationale: SYS-REQ-015 allocates the enclosure requirement to the system level; this subsystem requirement decomposes it to physical construction standards. IP54 is the minimum for machine rooms per EN 81-20 Annex B. The dimensional constraint is derived from the minimum machine room floor area (1.4 m²) mandated by EN 81-20 Clause 6.3.2, leaving clearance for maintenance access. Bottom cable entry prevents water ingress from above.
Inspection rt-missing-failure-mode, red-team-session-460
SUB-REQ-056 The Building Integration Gateway SHALL publish to the BACnet/IP Building Management System the following data objects at a minimum update rate of 1 Hz: car position (AI, floor integer and direction BO), active fault codes in ISO 4190-5 format (MSI), per-car real-time energy consumption (AI, kWh, ±2% accuracy), and current operating mode (MV: Standard-Operation, Independent-Service, Fire-Recall, Out-of-Service).
Rationale: SYS-REQ-017 requires these four data items published at 1 Hz; this requirement decomposes the allocation to the Building Integration Gateway as the BACnet interface owner. BACnet object types (AI, BO, MSI, MV) are specified to enable BMS integrator point mapping without ambiguity. The 1 Hz rate is the minimum needed for real-time energy dashboards (per EN ISO 25745-2 energy measurement requirements for elevators). ±2% energy accuracy matches the meter class required by EN ISO 25745.
Test subsystem, building-integration-gateway, session-445, idempotency:sub-big-bms-data-items-445
SUB-REQ-057 The Power Distribution Subsystem ARD battery bank SHALL sustain a minimum of 3 complete rescue cycles per car (each cycle: driving a fully loaded car from any floor to the nearest landing at 0.15 m/s with doors operated), and the battery management controller SHALL initiate a capacity self-test within 24 hours of mains restoration, reporting remaining capacity via BACnet AI to the Building Management System.
Rationale: SYS-REQ-018 defines the 3-cycle rescue endurance; this requirement decomposes it to the Power Distribution Subsystem and adds the self-test obligation. The 24-hour self-test window follows the battery recovery period (8 h charge) with 16 h margin. Reporting to BMS via BACnet AI ensures building operators receive battery health data without manual inspection, satisfying EN 81-20 maintenance requirements for ARD systems. Without the self-test, degraded battery capacity may go undetected until the next mains failure.
Test rt-missing-failure-mode, red-team-session-460
SUB-REQ-058 While Maintenance Mode is active (key switch engaged and car-top control box connected), the Safety Controller SHALL limit car speed to ≤0.63 m/s (inspection speed per EN 81-20 Clause 5.12.1.4), disable group dispatch commands, and prevent door closure unless the car-top inspection control is held active.
Rationale: Maintenance mode at inspection speed is mandated by EN 81-20 Clause 5.12.1 to prevent injury to maintenance personnel working in the hoistway. The 0.63 m/s limit is the EN 81-20 maximum for inspection operation. Speed limiting must be enforced by the Safety Controller (SIL 3) to provide a safety-critical constraint independent of the drive system. This SUB requirement closes the gap identified by VER-REQ-050.
Test
SUB-REQ-059 When the Motor Control Unit fails to receive a velocity command from the Safety Controller within two consecutive 10 ms scan cycles, the Motor Control Unit SHALL assert a drive-fault signal on the safety bus and transition the Variable Frequency Drive to Safe Torque Off (STO) state within 20 ms.
Rationale: MCU is System-Essential (ontological trait Bit 16); loss of the MCU command link must not leave the VFD running uncontrolled. IEC 61508-3 Clause 7.4.2 requires watchdog timeout protection for safety-critical control loops. The 20 ms STO transition budget is checked against the SYS-REQ-002 jerk limit: starting from zero acceleration at the maximum jerk of 2.0 m/s³, 20 ms adds Δv = ½·j·t² = 0.5 × 2.0 × 0.02² = 0.4 mm/s. That is the best case; if the link is lost while the car is already at rated acceleration a, the added velocity is a·t (20 mm/s at an assumed a = 1.0 m/s²), and it is that figure, together with the 20 ms watchdog window itself, that must fit inside the overspeed detection margin.
Test rt-implausible-value, red-team-session-460
SUB-REQ-060 The Variable Frequency Drive SHALL assert STO and engage the electromagnetic brake within 150 ms of loss of MCU communication (no valid torque reference received for >50 ms) or receipt of a hardware STO signal from the Safety Output Actuator, and SHALL log the fault event with timestamp on the internal diagnostics port.
Rationale: VFD is System-Essential (ontological trait); safe-stop on MCU loss prevents uncontrolled drive. The 150 ms total budget (50 ms detection + 100 ms brake engagement) is consistent with EN 81-20 Clause 5.5 requirement for stopping device activation time. Logging is needed for incident investigation under EN 81-20 Clause 5.10.
Test
SUB-REQ-061 The Safety Command Validator SHALL output a discrete go/no-go digital signal (24V DC logic, sourced from the safety bus) to the BACnet/IP Stack for each received BMS command, with signal transition time ≤5 ms and output impedance ≤100 Ω, and SHALL output a reject-code byte identifying the rejection reason when a command is blocked.
Rationale: Safety Command Validator is classified Outputs Effect (ontological trait Bit 10); without an output specification, no interface contract exists for the BACnet/IP Stack to consume. The 24V DC sourced output matches the safety bus standard in this design. The 5 ms transition time is derived from the 10 ms safety chain scan rate in SUB-REQ-004, ensuring the validator decision is captured within one scan.
Test
SUB-REQ-062 The Safety Command Validator SHALL implement dual-channel validation logic, with each channel independently processing incoming BMS commands and cross-checking outputs; if the two channels disagree on a command decision, the Safety Command Validator SHALL default to rejection and log a validator-disagreement fault.
Rationale: Safety Command Validator is System-Essential (ontological trait Bit 16). IEC 61508-2 Table 3 lets a single-channel (HFT 0) Type B element reach SIL 2 only with a Safe Failure Fraction of at least 90%, which a software validator cannot readily demonstrate; dual-channel operation with disagreement detection and a fail-safe default gives HFT 1 and the diagnostic coverage needed for SIL 2 without depending on that claim. The two channels only add coverage if they are independent implementations: two copies of the same code fail identically on the same crafted command, so the channels should be written separately (different parsing and range-check logic) and must not share a decision cache. A validator that is itself faulted or times out must block the command path rather than pass it.
Test
SUB-REQ-063 The Event Logger SHALL store all safety event records simultaneously in two independent non-volatile storage devices (primary flash, secondary FRAM), and SHALL verify write integrity by reading back each record after write; if a write verification fails on the primary device, the Event Logger SHALL immediately write to the secondary device and raise a storage-fault alarm.
Rationale: Event Logger is System-Essential (ontological trait Bit 16); single-point-of-failure storage undermines the tamper-evident audit trail that incident investigation and the SUB-REQ-064 integrity check depend on. Dual-device storage with read-back verification provides fault tolerance against flash wear-out and bit-flip errors. FRAM provides write endurance >10^12 cycles vs ~10^5 for flash, so the secondary device remains usable over the system lifetime. Two copies protect against device failure, not against an attacker with write access to both; integrity against tampering comes from the keyed hash chain of SUB-REQ-064.
Test
SUB-REQ-064 The Event Logger SHALL compute and store an HMAC-SHA-256 tag over each event record (including sequence number, timestamp, event code, and the previous record's tag) to form a hash-chained tamper-evident log, and SHALL provide a log-integrity verification API that can be invoked by authorised maintenance tools to detect any record modification, deletion, or truncation.
Rationale: HMAC-SHA-256 chaining provides cryptographic tamper detection for the audit trail. Because each tag covers the previous tag, modification or deletion of any interior record invalidates every record after it, giving verifiable evidence of log integrity for regulatory inspections. Two limits must be closed in the design: (1) the chain alone cannot detect truncation, since deleting the newest records leaves a valid shorter chain, so the verification API must also compare the record count and latest tag against a commitment the maintenance tool stored on its previous read, or against a monotonic counter the logger maintains; (2) the device-specific HMAC key must not be readable by whoever can write the log store, otherwise tags can simply be recomputed, so the key belongs in a secure element or write-only key slot, not alongside the records in flash or FRAM.
Test
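Added example for SUB-REQ-064 (not the report's or the product's code): an HMAC-SHA-256 hash chain with a verifier, run against the tamper cases the requirement names. The JSON record encoding, the event codes and the off-device (count, head tag) commitment held by the maintenance tool are assumptions; the key is a constructed placeholder standing in for one read from a secure element.

```python
"""Hash-chained HMAC-SHA-256 event log with a verifier (added example for SUB-REQ-064).
Assumed: JSON records with a fixed field order; the key is borrowed from a secure
element; the maintenance tool keeps the (count, head tag) commitment from its last read."""
import copy
import hashlib
import hmac
import json

GENESIS = bytes(32)   # previous-tag value for the first record


def _canonical(seq, ts_ms, code, prev_tag):
    # Deterministic encoding: sorted keys, no whitespace, hex for the binary field.
    return json.dumps({"seq": seq, "ts": ts_ms, "code": code, "prev": prev_tag.hex()},
                      sort_keys=True, separators=(",", ":")).encode()


class ChainedLog:
    def __init__(self, key):
        self._key = key
        self.records = []
        self.head = GENESIS

    def append(self, ts_ms, code):
        seq = len(self.records)
        tag = hmac.new(self._key, _canonical(seq, ts_ms, code, self.head), hashlib.sha256).digest()
        self.records.append({"seq": seq, "ts": ts_ms, "code": code,
                             "prev": self.head.hex(), "mac": tag.hex()})
        self.head = tag
        return self.records[-1]

    def commitment(self):
        """(record count, head tag): stored off-device by the authorised tool after each read."""
        return len(self.records), self.head.hex()


def verify_chain(records, key):
    """Walk the chain; return (True, None) or (False, index of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or bytes.fromhex(rec["prev"]) != prev:
            return False, i
        expect = hmac.new(key, _canonical(i, rec["ts"], rec["code"], prev), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, bytes.fromhex(rec["mac"])):
            return False, i
        prev = expect
    return True, None


def verify_with_commitment(records, key, commitment):
    """Chain check plus a truncation check against the externally held (count, head)."""
    ok, _ = verify_chain(records, key)
    count, head_hex = commitment
    if not ok or len(records) < count:
        return False
    return count == 0 or records[count - 1]["mac"] == head_hex


def demo():
    key = b"device-specific-key-from-secure-element"   # constructed placeholder
    log = ChainedLog(key)
    for ts, code in [(1000, "OVERSPEED_TRIP"), (1250, "STO_ASSERTED"),
                     (1900, "BRAKE_ENGAGED"), (5000, "FAULT_CLEARED")]:
        log.append(ts, code)
    commit = log.commitment()
    out = {"intact": verify_chain(log.records, key)}

    modified = copy.deepcopy(log.records)           # attacker rewrites the cause of a stop
    modified[1]["code"] = "NORMAL_STOP"
    out["modified"] = verify_chain(modified, key)

    deleted = copy.deepcopy(log.records)            # attacker removes an interior record
    del deleted[1]
    out["deleted"] = verify_chain(deleted, key)

    truncated = copy.deepcopy(log.records[:-1])     # attacker drops the newest record
    out["truncated_chain_only"] = verify_chain(truncated, key)
    out["truncated_with_commitment"] = verify_with_commitment(truncated, key, commit)
    return out
```

The truncated case is the one to notice: the chain verifies cleanly, and only the externally held commitment exposes the missing record. On the device the same role can be played by a monotonic counter that the logger increments on every append and the API reports alongside the head tag.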
SUB-REQ-065 The Safety Output Actuator SHALL perform a self-test cycle at each power-up and every 24 hours during operation, in which each output channel is briefly de-energised and re-energised in sequence while monitoring channel feedback for correct response; any channel that fails self-test SHALL be flagged and the Safety Controller notified, preventing car motion until the fault is cleared.
Rationale: Safety Output Actuator is System-Essential (ontological trait Bit 16); IEC 61508-2 Clause 7.4.6 requires diagnostic coverage for hardware safety functions. Self-test provides the automatic diagnostic coverage needed for SIL 3 certification of the safe-state output path. The 24-hour interval balances diagnostic frequency against interruption of service. Brief de-energisation (< motor coil release time) ensures test is non-intrusive during car rest.
Test
SUB-REQ-066 The Power Distribution Subsystem ARD battery bank SHALL provide a minimum rated capacity of 2.5 kWh at the 1-hour discharge rate (C1 rating) at 20°C ambient, ensuring 3 complete rescue cycles per car at rated car load for a 4-car group with simultaneous ARD activation, with capacity derated per the battery manufacturer's temperature derating curve for ambient temperatures between -10°C and +40°C.
Rationale: SYS-REQ-018 mandates 3 rescue cycles per car at rated load for all cars simultaneously. Derivation: 1 rescue cycle at 0.15 m/s over the full 60 m hoistway (20 floors at 3 m spacing; a conservative bound, since a rescue run only goes to the nearest landing) ≈ 400 s; drive energy at rated load over that run ≈ 0.15 kWh per car per cycle (about 1.35 kW average); 3 cycles × 4 cars = 12 cycles × 0.15 kWh = 1.8 kWh; 2.5 kWh includes a 39% margin for battery ageing and control system overhead. Two checks on that margin: four cars driving simultaneously draw ≈5.4 kW, which empties a 2.5 kWh bank in under 30 min, i.e. faster than the 1-hour (C1) rate at which the capacity is specified, so the usable capacity is somewhat below the C1 figure and part of the margin is spent there; and the low-temperature derating at -10 °C reduces it further. Temperature derating for VRLA cells follows the manufacturer's curve and the test methods of IEC 60896-21/-22 (IEC 60896-11 covers vented cells).
Test
SUB-REQ-067 The Building Integration Gateway SHALL revert to a degraded-communication mode within 10 seconds of detecting BACnet/IP network loss, in which it queues up to 512 event records in RAM for retransmission upon network restoration, continues accepting Safety Command Validator inputs locally, and raises a network-fault alarm; no safety function SHALL be disabled due to BACnet/IP network loss.
Rationale: Building Integration Gateway is System-Essential (ontological trait Bit 16); loss of BMS communication must not compromise safety functions. IEC 61508 Clause 7.4.3 requires that safety-rated components operate in a known safe state on communication loss. Queuing 512 records in RAM at 1 Hz = 512 s buffer prevents data loss during typical network outages. Safety Command Validator remaining active locally ensures commands can still be intercepted even without BMS connectivity.
Test
SUB-REQ-068 The Safety Controller Subsystem SHALL comply with EN 81-72 Phase II firefighter service requirements: when the Phase II key switch in the car is set to ON, the Safety Controller SHALL transfer exclusive car movement control to the car-mounted firefighter panel, suppress all automatic door closing, and keep the car able to reach the furthest served floor from the fire service access level within the EN 81-72 travel-time limit of 60 s; Phase II mode SHALL override but not disable Phase I recall until the Phase II key is set to OFF.
Rationale: STK-REQ-009 mandates firefighter control capability. EN 81-72 Clause 5.4.3 (Phase II) requires exclusive firefighter control from inside the car and suppression of automatic door closing. An inspection-speed cap (0.63 m/s, EN 81-20) must not be applied in Phase II: EN 81-72 constrains travel time rather than speed, and at 0.63 m/s a 60 m hoistway alone takes about 95 s, which would breach the 60 s limit. Phase II cannot disable Phase I recall because EN 81-72 Clause 5.4.1 requires Phase I fire recall to remain active as the higher-priority function.
Test
SUB-REQ-069 The Safety Controller Subsystem SHALL comply with EN 81-77 Clause 5.3.4 seismic Category 1 requirements: upon receipt of a P-wave trigger signal with amplitude ≥0.05g from the seismic detector, the Safety Controller SHALL initiate the seismic response sequence (decelerate, stop, hold) within 500 ms of P-wave arrival, regardless of car position or operating mode.
Rationale: SYS-REQ-008 specifies seismic response aligned with EN 81-77; SUB-REQ-047 covers the operational sequence but does not reference the standard trigger threshold. EN 81-77 Clause 5.3.4 Category 1 requires response initiation within 500 ms of P-wave detection at ≥0.05g. This threshold is chosen to avoid false triggers from building HVAC vibration while capturing seismic events above the damage threshold for the elevator guide rail system.
Test
SUB-REQ-070 The Building Integration Gateway BACnet/IP Stack SHALL implement the BACnet B-ASC device profile (Annex L, BACnet Standard 135-2020), registering as a B-ASC device with device instance configurable in range 1–4194302, supporting COV subscriptions with maximum subscription lifetime of 3600 seconds, and responding to Who-Is/I-Am broadcasts within 200 ms.
Rationale: SYS-REQ-010 requires a BACnet B-ASC device profile; no SUB requirement currently decomposes the specific BACnet conformance requirements. B-ASC (BACnet Application Specific Controller, ASHRAE 135 Annex L) is the minimum profile for a device that exposes its own points and serves a small fixed application. The 3600 s COV subscription lifetime and the 200 ms Who-Is/I-Am response are design values for this interface (neither ASHRAE 135 nor EN 81-20 mandates those figures), chosen so that a BMS that loses a subscription re-subscribes within the hour and device discovery completes on one broadcast. Plain BACnet/IP carries no authentication, so every command received on this interface is untrusted input and passes through the Safety Command Validator (IFC-REQ-023).
Test
SUB-REQ-071 The Safety Controller Subsystem SHALL implement the IEC 61508-2 Clause 7.4.4 (Route 1H) SIL 3 hardware architectural constraints for Type B elements: the hardware fault tolerance (HFT) SHALL be ≥1 (dual-channel) where the Safe Failure Fraction (SFF) is 90% to <99%, ≥2 where SFF is 60% to <90%, and HFT 0 SHALL be accepted only where SFF ≥99%; the Safety Controller SHALL perform continuous online diagnostics with diagnostic coverage ≥99% for all safety-critical inputs.
Rationale: SYS-REQ-003 and SYS-REQ-004 require SIL 3 for overspeed and UCMP protection. No SUB requirement currently states the IEC 61508-2 architectural constraints that must be met to achieve SIL 3. IEC 61508-2 Table 3 (Type B elements, Route 1H) allows SIL 3 with HFT 1 only for SFF 90% to <99%; SFF below 90% needs HFT 2, HFT 0 is acceptable only at SFF ≥99%, and SFF below 60% cannot reach SIL 3 at any HFT. A dual-channel safety CPU must therefore also show that its diagnostics leave fewer than 10% of dangerous failures undetected; the ≥99% diagnostic coverage target on inputs (the "high" level in IEC 61508-2 Annex C) makes the dangerous-undetected fraction of the input stage at most 1%.
Analysis
SUB-REQ-072 The Group Dispatch Controller SHALL implement a traffic-load watchdog that detects degraded dispatch performance when average waiting time exceeds 50 s for three consecutive 5-minute sampling intervals, and SHALL generate a performance-degraded alarm to the Building Integration Gateway and log the event; the alarm SHALL clear automatically when average waiting time returns below 30 s for one consecutive 5-minute interval.
Rationale: SYS-REQ-001 mandates ≤30 s average waiting time. No existing SUB requirement covers performance monitoring and alarm for SYS-REQ-001 violations. The 50 s threshold (167% of SYS-REQ-001 limit) provides a warning before the system is substantially degraded. Hysteresis (alarm at 50 s, clear at 30 s) prevents alarm oscillation during transient peak loads. This requirement enables predictive maintenance escalation before a formal SLA breach.
Test
SUB-REQ-073 The Power Distribution Subsystem SHALL be housed in a dedicated IP54-rated, flame-retardant (UL94 V-0) steel enclosure mounted within the elevator machine room, containing at minimum: an IEC 61439-compliant busbar assembly, UPS module, ARD battery bank, isolation contactors, and monitoring interface board, with all components accessible for maintenance via a front-hinged door without removing the enclosure from its mounting.
Rationale: The lint analysis identified that the power distribution subsystem entity (hex 54F51018) lacks the Physical Object trait despite requirements (SUB-REQ-018, SUB-REQ-045, SUB-REQ-057) imposing physical constraints. IEC 61439 and EN 81-20 require that safety-relevant electrical equipment in elevator machine rooms be housed in enclosed, rated assemblies (IEC 60950 is withdrawn in favour of IEC 62368-1 and is scoped to IT equipment, so it is not the applicable enclosure standard here). This requirement defines the physical form factor to reconcile the ontological classification and ensure inspection-based verification of the enclosure at commissioning.
Inspection
SUB-REQ-074 The Power Distribution Subsystem enclosure SHALL be a physical LRU installed in the elevator machine room, rated IP54 per IEC 60529, constructed from flame-retardant steel (UL94 V-0), with defined dimensional envelope not exceeding 800mm × 600mm × 300mm and a maximum installed mass of 80 kg, accessible via a front-hinged maintenance door.
Rationale: The power distribution subsystem entity classification lacks the Physical Object trait, creating an ontological mismatch with SUB-REQ-066, which imposes physical capacity constraints. This requirement defines the enclosure as a physical object with dimensional and material constraints derived from EN 81-20 Section 6.3.3 (machine room clearance) and IEC 61439 LV switchgear assembly standards. It overlaps SUB-REQ-073 (same enclosure, rating and front-door access) and adds only the dimensional envelope and mass limit; the two should be merged so they cannot drift apart.
Inspection
SUB-REQ-075 The Safety Controller Subsystem SHALL define and implement IEC 61508-compliant proof test intervals not exceeding 8760 hours (1 year) for all SIL 3 safety functions, including the dual-channel safety CPU, safety output actuators, and safety chain monitoring. Each proof test SHALL exercise the complete safety function from input sensing through to final element actuation and confirm that the achieved failure measure remains within the SIL 3 band: PFDavg ≥10^-4 to <10^-3 (dimensionless) for low-demand functions, or PFH ≥10^-8 to <10^-7 per hour for high-demand and continuous-mode functions such as overspeed and UCMP protection.
Rationale: IEC 61508-2 Clause 7.4.9 requires proof test intervals to be specified as part of the SIL verification. Cross-domain analog (nuclear reactor protection system, hex 50F77859) identified this gap: nuclear SIL 3 functions define proof test intervals explicitly whereas the elevator specification omitted this. Without a stated proof test interval T the PFDavg calculation cannot be validated (for a single channel PFDavg ≈ λDU·T/2, so T enters linearly) and the safety case is incomplete; for the continuous-mode functions the interval instead bounds how long an undetected dangerous fault can persist before it is found.
Test
SUB-REQ-076 The Industrial Elevator Control System controller cabinet SHALL be housed in a steel enclosure rated IP54 per IEC 60529, installed in the machine room, with panel-mounted display and keypad, dimensions not exceeding 800mm H x 600mm W x 250mm D.
Rationale: System physical embodiment required per the Lifts Directive 2014/33/EU (the Machinery Directive 2006/42/EC covers only lifts outside its scope, e.g. ≤0.15 m/s) and EN 81-20 Annex D for machine room installation. IP54 rating protects electronics in dusty machine room environments. Cabinet dimensions reflect standard DIN rail backplate sizing for the control PCBs. This restates the enclosure allocation of SUB-REQ-055 (same rating, location and 800 × 600 × 250 mm envelope) and should be merged with it.
Inspection idempotency:sys-physical-cabinet-442

Interface Requirements (IFC)

Ref Requirement V&V Tags
IFC-REQ-001 The interface between the Industrial Elevator Control System and the Building Management System SHALL use BACnet/IP (ASHRAE 135) with B-ASC device profile, providing car position, fault codes, energy consumption, and operating mode at ≥1 Hz, and accepting VIP priority, floor lockout, and schedule commands.
Rationale: External interface: BMS is building-operator owned. BACnet/IP selected over Modbus TCP because ASHRAE 135 provides a standard elevator object model (Lift Group Object per Addendum 135-2016bs) that a B-ASC device can expose. Failure of this interface triggers degraded mode (SYS-REQ-009) but does not affect safety functions. BACnet/IP as specified here has no authentication or message integrity (those require BACnet/SC), so every command received on it is untrusted input: the interface should be confined to a segregated building-automation network, every command passes through the Safety Command Validator (IFC-REQ-023) before it can influence dispatch, and nothing on this interface can reach the safety chain.
Test interface, external, bms, session-436, idempotency:ifc-ext-bms-436
IFC-REQ-002 The interface between the Industrial Elevator Control System and the Building Fire Alarm Panel SHALL use hardwired relay contacts (not software protocol) for Phase I recall, alternate floor designation, and machine room smoke detection, per EN 81-72.
Rationale: External interface: fire panel is fire system integrator owned. Hardwired relay mandated by EN 81-72 to ensure fire recall cannot be blocked by software or network failure. Safety-critical interface directly to Safety Controller Subsystem.
Test rt-vague-interface, red-team-session-460
IFC-REQ-003 The interface between the Industrial Elevator Control System and the Building Access Control System SHALL use RS-485 or IP protocol providing per-credential authorised floor lists, with response time ≤500 ms per credential validation, and SHALL NOT override safety functions or fire recall.
Rationale: External interface: security contractor owned. Access control must not interfere with EN 81-72 fire recall or EN 81-20 safety chain. 500ms response ensures access validation does not add perceptible delay to hall call registration.
Test interface, external, access-control, session-436, idempotency:ifc-ext-access-436
IFC-REQ-004 The interface between the Industrial Elevator Control System and the Emergency Intercom/Telephone SHALL provide two-way voice communication from the car to a monitoring centre, auto-dialling on entrapment (>2 minutes stationary between floors), with battery backup and GSM fallback, per EN 81-28.
Rationale: External interface: telecom provider owned. EN 81-28 mandates auto-dial on entrapment detection. GSM backup ensures communication when building landline fails. Battery backup per EN 81-28 Clause 5.2 ensures intercom survives power failure concurrent with entrapment.
Test rt-vague-interface, red-team-session-460
IFC-REQ-005 The interface between the Speed and Position Monitor and the Safety CPU SHALL transmit speed data at ≥100 Hz, with absolute position resolution ≤1 mm, over a dedicated RS-422 differential serial link with CRC-16 error detection.
Rationale: Derived from SYS-REQ-003 and SUB-REQ-002. 100 Hz sampling provides 10 ms temporal resolution, sufficient to compute position change and trip within the 50 ms detection budget. RS-422 differential signalling provides noise immunity against the VFD switching fields present in the machine room (EN 12016 10 V/m immunity). A 16-bit CRC detects every single burst error of up to 16 bits, which is the EMI failure model for this link; it is not a security control, because anyone able to inject on the link can recompute it, so integrity against an adversary rests on the link being point-to-point and physically contained within the safety controller enclosure, and the safety-related use should add sequence numbering and a time-out so lost or replayed frames are also detected.
Test interface, safety-controller, session-437, idempotency:ifc-spm-cpu-437
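Added example for IFC-REQ-005 (not the report's code): a CRC-16/CCITT-FALSE frame check for the speed/position link, with an EMI burst injected to show detection and a forged frame to show what the CRC does not protect against. The frame layout (sequence, position in µm, speed in mm/s, CRC) is an assumption for illustration.

```python
"""RS-422 speed/position frame with CRC-16/CCITT-FALSE (added example for IFC-REQ-005).
Assumed frame layout: seq (u16), position_um (u32), speed_mm_s (i16), CRC (u16)."""
import struct

POLY = 0x1021                 # CRC-16/CCITT-FALSE: x^16 + x^12 + x^5 + 1, init 0xFFFF
HDR = struct.Struct(">HIh")   # seq, position_um, speed_mm_s: 8 bytes, big-endian


def crc16_ccitt(data, crc=0xFFFF):
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_frame(seq, position_um, speed_mm_s):
    payload = HDR.pack(seq, position_um, speed_mm_s)
    return payload + struct.pack(">H", crc16_ccitt(payload))


def parse_frame(frame):
    """Return (seq, position_um, speed_mm_s), or None if the length or CRC is wrong."""
    if len(frame) != HDR.size + 2:
        return None
    payload, (crc,) = frame[:-2], struct.unpack(">H", frame[-2:])
    if crc16_ccitt(payload) != crc:
        return None
    return HDR.unpack(payload)


def flip_burst(frame, bit_offset, length):
    """Invert `length` consecutive bits starting at bit_offset: the EMI burst model."""
    n = int.from_bytes(frame, "big")
    width = len(frame) * 8
    mask = ((1 << length) - 1) << (width - bit_offset - length)
    return (n ^ mask).to_bytes(len(frame), "big")


def demo():
    frame = build_frame(seq=7, position_um=12_345_678, speed_mm_s=1500)
    out = {"clean": parse_frame(frame)}
    # Any burst of <= 16 bits is caught by a 16-bit CRC wherever it lands in the codeword,
    # including across the CRC field itself.
    out["burst_16_detected"] = parse_frame(flip_burst(frame, 20, 16)) is None
    out["burst_over_crc_detected"] = parse_frame(flip_burst(frame, 70, 10)) is None
    # An adversary on the link is not an EMI burst: rewriting the speed and recomputing
    # the CRC yields a frame the receiver accepts.  The CRC is integrity against noise only.
    forged = build_frame(seq=7, position_um=12_345_678, speed_mm_s=400)   # hides an overspeed
    out["forged_accepted"] = parse_frame(forged)
    out["check_value"] = crc16_ccitt(b"123456789")   # standard check value for this CRC
    return out
```

The `check_value` entry is the conventional self-test for a CRC implementation (0x29B1 for CRC-16/CCITT-FALSE); getting that wrong usually means the init value or bit order differs from the transmitter's, which shows up as every frame being rejected.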
IFC-REQ-006 The interface between the Safety Chain Interface Module and the Safety CPU SHALL use a 24 VDC isolated digital input, with open circuit detected as fault, and SHALL NOT share wiring with any non-safety-rated circuit.
Rationale: EN 81-20 Clause 5.11 (electric safety devices; Clause 14.1.2 in the superseded EN 81-1) mandates that the safety chain circuit operates on isolated 24 VDC or equivalent low voltage, and that its wiring is segregated from power circuits to prevent shorts from masking an open safety device. Open = fault (de-energised = unsafe) is the fail-safe convention ensuring a cable break or power loss causes safe shutdown.
Inspection interface, safety-controller, session-437, idempotency:ifc-scim-cpu-437
IFC-REQ-007 The interface between the Seismic and Fire Interface and the Safety CPU SHALL be electrically isolated, with relay contact inputs on normally-energised circuits (de-energise on alarm) and signal propagation latency ≤5 ms.
Rationale: Derived from IFC-REQ-002 (fire panel interface) and SYS-REQ-008. The normally-energised (de-energise on alarm) convention ensures that a cable break or power supply failure to the fire panel results in an alarm condition, preventing fire recall from being defeated by a wiring fault. The 5 ms latency consumes 1% of the 500 ms seismic response budget of SUB-REQ-069, leaving the remainder for decision and actuation.
Test interface, safety-controller, session-437, idempotency:ifc-sfi-cpu-437
IFC-REQ-008 The interface between the Safety CPU and the Safety Output Actuator SHALL use dual independent hardwired digital outputs, both required to be de-energised simultaneously to engage the safety brake, with relay monitor contacts wired back to Safety CPU as confirmation inputs.
Rationale: Derived from SUB-REQ-007. Single-channel output would mean a CPU output stuck-on could prevent brake engagement — dual independent outputs achieve the SIL 3 requirement for HFT=1 on the safety output path. Monitor contacts provide diagnostic coverage by detecting contact welding (both contacts should open when commanded); detected welding triggers safe state on the next demand.
Test interface, safety-controller, sil-3, session-437, idempotency:ifc-cpu-soa-437
IFC-REQ-009 The interface between Motor Control Unit and Variable Frequency Drive SHALL transmit torque reference commands at 1 kHz via CAN bus at 1 Mbit/s with message latency not exceeding 1 ms and CRC error detection on every frame.
Rationale: 1 kHz command rate matches the velocity loop closure frequency; higher latency degrades control bandwidth and causes velocity overshoot. The CAN hardware CRC provides error detection against random bit errors on the frame (the protection IEC 62061 clause 6.7.4 is cited for), but it does not by itself make the link a SIL-3 safety-related communication: IEC 61508-2 Clause 7.4.11 treats the bus as a black channel, so if the torque reference is part of a safety function the application layer must add a sequence number, time-out, sender identifier and its own safety CRC (as the IEC 61784-3 profiles do), and a lost or delayed frame is handled by the watchdog of SUB-REQ-059, not by the CAN CRC.
Test interface, traction-drive, sil-3, session-439, idempotency:ifc-mcu-vfd-439
IFC-REQ-010 The interface between Rotary Encoder and Motor Control Unit SHALL deliver 2048 pulse/rev quadrature signals at 5V TTL with cable shielding such that total signal integrity maintains less than 1 error per million pulses at maximum motor speed.
Rationale: Encoder pulse integrity is the primary feedback signal for SIL-3 velocity control; errors translate directly to position drift at floor landings. At 3000 rpm a 2048 pulse/rev encoder delivers 2048 × 50 = 102,400 pulses/s, so 1 error per million pulses is one missed pulse roughly every 10 s (one count of 1/2048 rev), which is within the correction capability of the position accumulator.
Test interface, traction-drive, sil-3, session-439, idempotency:ifc-encoder-mcu-439
IFC-REQ-011 The interface between Motor Control Unit and Safety Controller SHALL transmit drive fault status via dual-channel hardwired relay outputs (NC logic) at 24V DC with maximum de-assertion to relay-open time of 50 ms.
Rationale: Derived from SYS-REQ-003 and SYS-REQ-006. Hardwired relay outputs provide hardware-level fault notification independent of bus communication, required for SIL-3 safety function. NC logic ensures brake engagement on wire break or MCU power loss (fail-safe). 50ms latency matches the safety controller reaction time budget.
Test interface, traction-drive, sil-3, session-439, idempotency:ifc-mcu-safetyctrl-439
IFC-REQ-012 The interface between Safety Controller and Electromagnetic Brake SHALL provide 24V DC dual-coil supply with independent switching circuits for each coil, monitored for coil continuity at 100 ms intervals.
Rationale: Dual independent coil supply circuits implement the EN 81-20 requirement that the machine brake act through two independent sets (Clause 12.4.2 in the superseded EN 81-1). 100 ms continuity monitoring detects coil open-circuit faults before the next brake engagement event, preventing silent degradation of the fail-safe function.
Test interface, traction-drive, sil-2, session-439, idempotency:ifc-safetyctrl-brake-439
IFC-REQ-013 The interface between Power Management Controller and Automatic Transfer Switch SHALL transmit source-select commands via CAN at 10 Hz with command acknowledgement within 5 ms, confirming output relay state.
Rationale: 10 Hz command rate allows PMC to confirm ATS state within 100ms of a mains transition event; 5ms ACK confirms relay has physically operated, not just received the command, preventing ghost-operation faults.
Test interface, power-dist, session-439, idempotency:ifc-pmc-ats-439
IFC-REQ-014 The interface between UPS Module and Power Management Controller SHALL provide battery SoC, voltage, current, and fault status via SMBus at 100 kHz with data freshness not exceeding 2 seconds.
Rationale: SMBus is the industry standard for battery management (SBS 1.1). 2s freshness ensures PMC acts on current battery state when deciding load shedding; stale data could cause premature shed or miss a rapid discharge event.
Test interface, power-dist, session-439, idempotency:ifc-ups-pmc-439
IFC-REQ-015 The interface between Door Control Unit and Door Motor Drive SHALL transmit velocity and torque reference commands at 200 Hz via CAN bus at 500 kbit/s, with maximum message latency of 5 ms and CRC error detection on every frame.
Rationale: 200 Hz command rate matches the DCU velocity control loop closure frequency; lower rates cause underdamped torque response and risk force limit exceedance on initial panel contact. CAN CRC provides hardware error detection required for SIL-2 safety function integrity per IEC 62061. 500 kbit/s chosen to fit within standard automotive-grade CAN while leaving headroom for diagnostic messages.
Test interface, door-operator, sil-2, session-440, idempotency:ifc-dcu-dmd-440
IFC-REQ-016 The interface between Multi-Ray Light Curtain and Door Control Unit SHALL use a hardwired dual-channel safety output (OSSD1 and OSSD2), de-energising within 20 ms of beam interruption, with cross-channel monitoring by the DCU at each power cycle.
Rationale: OSSD (Output Signal Switching Device) dual-channel interface is the standard for Cat 4 / PLe safety devices per EN ISO 13849-1. Hardwired outputs rather than bus communication eliminate bus-level failure modes on the obstruction detection path. 20 ms de-assertion satisfies the 50 ms reversal budget (SUB-REQ-024) with 30 ms margin for door drive response.
Test interface, door-operator, sil-2, session-440, idempotency:ifc-mlc-dcu-440
IFC-REQ-017 The interface between Safety Edge Contact Strip and Door Control Unit SHALL use a hardwired normally-closed contact on an isolated 24 VDC input, with a wiring fault (open or short) detected within 100 ms and treated as a demand for door reversal.
Rationale: The normally-closed convention ensures that cable damage results in a reversal demand rather than a masked obstruction. The safety edge provides the redundant detection channel to the light curtain (dual-means requirement of EN 81-20 clause 5.3.12). 100 ms wiring fault detection bounds how long a wiring fault can go unnoticed, instead of leaving it to be found at the next maintenance inspection.
Test interface, door-operator, sil-2, session-440, idempotency:ifc-sec-dcu-440
IFC-REQ-018 The interface between Door Position Encoder and Door Control Unit SHALL deliver absolute panel position at 500 Hz with 0.5 mm resolution over RS-422 differential serial, with transmission error rate not exceeding 1 error per 100,000 frames.
Rationale: 500 Hz position updates support the DCU velocity profile calculations for the final-approach deceleration zone (SUB-REQ-027); at 0.3 m/s closing speed, 500 Hz yields 0.6 mm of travel per sample, slightly more than one 0.5 mm encoder step, so every sample reflects at least one resolution increment. RS-422 differential signalling provides noise immunity against motor drive switching fields in the car roof environment.
Test interface, door-operator, session-440, idempotency:ifc-dpe-dcu-440
IFC-REQ-019 The interface between Landing Door Interlock Monitor and Door Control Unit SHALL use isolated 24 VDC normally-open contact inputs, one per floor landing, with contact state debounced at 10 ms and status reported to Safety Controller within 20 ms of state change.
Rationale: Normally-open contacts on a 24 VDC isolated supply close only when the lock is proved, so contact contamination or cable damage reads as 'open' (not locked), the safe interpretation under the fail-safe convention. 10 ms debounce eliminates mechanical contact bounce without masking a genuine unlock. 20 ms reporting latency satisfies the SUB-REQ-026 interlock verification window.
Test interface, door-operator, session-440, idempotency:ifc-ldim-dcu-440
IFC-REQ-020 The interface between Door Control Unit and Safety Controller Subsystem SHALL transmit door state (OPEN, CLOSING, CLOSED, FAULT) and interlock status via CAN at 10 Hz, with a hardwired car-movement-permitted output on a dedicated 24 VDC normally-open relay, de-energised in all non-CLOSED states.
Rationale: Dual-channel interface: CAN bus provides diagnostic state for the Safety Controller; the hardwired relay provides the safety-rated movement permission signal. The relay de-energises in non-CLOSED states (including FAULT and OPEN) to prevent car movement when door status is uncertain, achieving SIL-2 required diagnostic coverage on the door interlock path.
Test interface, door-operator, sil-2, session-440, idempotency:ifc-dcu-safety-ctrl-440
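The debounce and movement-permission logic of IFC-REQ-019 and IFC-REQ-020, as an added example (not code from this report or from the described system). It assumes the contact inputs are sampled at 1 kHz, so the 10 ms debounce becomes ten consecutive agreeing samples, and it uses illustrative type names. The point it shows is that a contact reads as 'not locked' until proven closed, that a short bounce does not toggle the state while a sustained open does, and that movement permission is the AND of the CLOSED door state and every interlock.

```python
"""Debounced landing-door interlock monitor and movement-permitted logic.

Added example, not from the UHT report. Assumes the 24 VDC normally-open
contact inputs are sampled at 1 kHz (one sample per millisecond), so the
10 ms debounce of IFC-REQ-019 is ten consecutive agreeing samples; the
DoorState names and the per-floor layout are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum

DEBOUNCE_SAMPLES = 10  # 10 ms at the assumed 1 kHz sampling rate


class DoorState(Enum):
    OPEN = "OPEN"
    CLOSING = "CLOSING"
    CLOSED = "CLOSED"
    FAULT = "FAULT"


@dataclass
class DebouncedContact:
    """One normally-open interlock contact. True = contact closed = landing
    door locked. The settled level changes only after DEBOUNCE_SAMPLES
    consecutive samples at the other level; shorter excursions are bounce."""
    state: bool = False   # fail-safe default: open = not locked
    _run: int = 0         # consecutive samples disagreeing with `state`

    def sample(self, raw: bool) -> bool:
        """Feed one raw sample; return True if the debounced state changed."""
        if raw == self.state:
            self._run = 0     # back at the settled level: discard the excursion
            return False
        self._run += 1
        if self._run >= DEBOUNCE_SAMPLES:
            self.state = raw
            self._run = 0
            return True
        return False


class InterlockMonitor:
    """One debounced contact per floor landing (IFC-REQ-019)."""

    def __init__(self, floors: int):
        self.contacts = [DebouncedContact() for _ in range(floors)]

    def sample(self, raw: list[bool]) -> list[int]:
        """Feed one sample per floor; return the floors whose debounced state
        changed, i.e. the events to report to the Safety Controller."""
        if len(raw) != len(self.contacts):
            raise ValueError("one sample per floor required")
        return [i for i, (c, r) in enumerate(zip(self.contacts, raw)) if c.sample(r)]

    def all_locked(self) -> bool:
        return all(c.state for c in self.contacts)


def movement_permitted(door: DoorState, interlocks: InterlockMonitor) -> bool:
    """Software mirror of the IFC-REQ-020 relay: permitted only in CLOSED with
    every landing interlock proven locked; OPEN, CLOSING and FAULT all inhibit."""
    return door is DoorState.CLOSED and interlocks.all_locked()


def run_pattern(monitor: InterlockMonitor, floor: int, pattern: list[bool]) -> list[int]:
    """Apply a per-sample raw pattern to one floor (other floors held closed)
    and return the sample indices at which that floor's state changed."""
    changes = []
    for i, raw in enumerate(pattern):
        frame = [True] * len(monitor.contacts)
        frame[floor] = raw
        if floor in monitor.sample(frame):
            changes.append(i)
    return changes


if __name__ == "__main__":
    m = InterlockMonitor(3)
    # Constructed input: the contact closes with two bounces, then settles closed.
    print(run_pattern(m, 1, [True, True, False, True, False] + [True] * 12))  # [14]
    print(movement_permitted(DoorState.CLOSED, m), movement_permitted(DoorState.FAULT, m))
    # A 3 ms glitch is ignored; a 10 ms sustained open drops permission.
    print(run_pattern(m, 1, [False] * 3 + [True] * 3), run_pattern(m, 1, [False] * 10))
```

A debounce of this shape is deliberately asymmetric in effect: bounce on closure delays the 'locked' indication by 10 ms, but it never lets a contact read as locked early, so the fail-safe direction is preserved.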
IFC-REQ-021 The interface between Group Dispatch Controller and each Car Controller SHALL use CAN bus at 250 kbit/s transmitting car state (position, velocity, load, door status, fault flags) at 10 Hz from car to group, and car assignments (destination floor, direction) at ≤100 ms after each dispatch decision from group to car.
Rationale: 10 Hz car state reporting means the Car State Aggregator holds a position no more than 0.25 m stale at the 2.5 m/s rated speed (100 ms reporting period); dispatch decisions are made at floor granularity, so this is sufficient. Assignment latency ≤100 ms matches the dispatch re-evaluation cycle (SUB-REQ-031), ensuring cars act on assignments before the next dispatch cycle.
Test interface, group-dispatch, session-440, idempotency:ifc-gdc-car-ctrl-440
IFC-REQ-022 The interface between Hall Call Interface Unit and landing call panels SHALL use RS-485 multi-drop at 100 kbit/s with polling cycle completing within 50 ms for all floors, providing debounced button state and accepting indicator drive commands.
Rationale: 50 ms polling cycle ensures hall call latency from button press to dispatch engine registration is bounded to ≤50 ms; at passenger walking speeds, 50 ms latency is imperceptible. RS-485 multi-drop allows up to 32 floor panels on a single bus, covering standard building heights within cable length limits.
Test interface, group-dispatch, session-440, idempotency:ifc-hciu-landing-440
IFC-REQ-023 The interface between the BACnet/IP Stack and the Safety Command Validator SHALL pass all received BMS command objects (VIP priority, floor lockout, schedule commands) through the Safety Command Validator before forwarding to the Group Dispatch Controller, using an internal synchronous API with response latency ≤50 ms, so that the BACnet stack cannot bypass safety validation.
Rationale: The Safety Command Validator must be architecturally in-line with every BMS command path to the elevator controller; an asynchronous or bypass-capable interface would allow commands to reach the Group Dispatch Controller without safety validation if the validator is slow or faulted. The 50 ms response budget ensures the 500 ms total rejection notification deadline (SUB-REQ-022) is met with margin.
Test interface, building-integration-gateway, session-441, idempotency:ifc-bacnet-validator-441
IFC-REQ-024 The interface between the Building Integration Gateway and the Group Dispatch Controller SHALL use the internal CAN bus at 500 kbit/s, transmitting floor lockout masks and VIP priority assignments as structured messages with a maximum message period of 100 ms and a maximum end-to-end latency from BMS command receipt to Group Dispatch acknowledgment of ≤300 ms.
Rationale: Group Dispatch Controller processes hall calls on a 100 ms scheduling cycle (SUB-REQ-031); BMS commands must arrive within one scheduling cycle to be effective. The 300 ms end-to-end budget (50 ms validation + 100 ms CAN transfer + 100 ms GDC scheduling + 50 ms margin) is a performance budget only: this path carries non-safety commands, so no IEC 61508 process safety time applies to it, and the safety-relevant timing sits on the Safety Command Validator's state subscription (IFC-REQ-026).
Test interface, building-integration-gateway, session-441, idempotency:ifc-big-gdc-441
IFC-REQ-025 The interface between the Event Logger and the internal CAN bus SHALL allow the Event Logger to receive event broadcasts from Safety Controller Subsystem, Traction Drive Subsystem, Door Operator Subsystem, and Group Dispatch Controller with ≤100 ms from event occurrence to log write commit, and SHALL be read-only (the Event Logger SHALL NOT transmit commands on the CAN bus).
Rationale: A read-only Event Logger cannot affect elevator behaviour through the logging interface, preventing a logging subsystem fault from disrupting safety-critical operations; the restriction should be enforced in hardware (CAN controller in listen-only mode, or the transmit path disconnected at the transceiver) rather than by software convention, so that a faulty or compromised logger cannot transmit. The 100 ms log commit latency ensures events are captured before any watchdog-triggered state transition could overwrite transient state in subsystem memory buffers.
Test interface, building-integration-gateway, session-441, idempotency:ifc-event-logger-can-441
IFC-REQ-026 The interface between the Safety Command Validator and the Safety Controller Subsystem SHALL provide the Safety Command Validator with the current safety state (fire recall active, seismic hold active, emergency stop active) via a push subscription at ≥10 Hz, with a maximum latency of 100 ms from safety state change to Safety Command Validator update.
Rationale: The Safety Command Validator requires current safety state to correctly block or permit BMS commands. A 10 Hz push rate ensures the validator's state is always fresher than its 500 ms rejection window (SUB-REQ-022); the 100 ms bound on state latency limits the window in which a BMS command could be validated against stale state to the first 100 ms after a safety state change, well inside the 500 ms rejection window.
Test interface, building-integration-gateway, session-441, idempotency:ifc-validator-safety-ctrl-441
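The in-line validator of IFC-REQ-023 and its safety-state subscription of IFC-REQ-026, as an added example (not code from this report or from the described system). The command fields, the SafetyState record, the 'designated landing' rule and the use of the 100 ms latency bound as a freshness limit on the subscription are assumptions made for illustration. What it shows is the fail-closed posture the rationale calls for: no state, stale state, an active safety event, an internal fault or a blown 50 ms budget all produce a rejection, and every call produces a decision record for the Event Logger.

```python
"""In-line Safety Command Validator for BMS commands (IFC-REQ-023, IFC-REQ-026).
Added example, not the report's code. Command fields, the SafetyState record,
the 'designated landing' rule and the use of the 100 ms latency bound as a
freshness limit on the push subscription are illustrative assumptions."""
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional

VALIDATION_BUDGET_S = 0.050  # IFC-REQ-023: synchronous response within 50 ms
STATE_MAX_AGE_S = 0.100      # IFC-REQ-026: at most 100 ms from change to update


class CmdType(Enum):
    VIP_PRIORITY = "VIP_PRIORITY"
    FLOOR_LOCKOUT = "FLOOR_LOCKOUT"
    SCHEDULE = "SCHEDULE"


@dataclass(frozen=True)
class BmsCommand:
    cmd: CmdType
    floor: Optional[int]  # target floor for lockout/VIP, None for SCHEDULE
    seq: int              # assumed BACnet-side sequence number, kept for audit


@dataclass
class SafetyState:
    fire_recall: bool
    seismic_hold: bool
    emergency_stop: bool
    received_at: float    # clock reading of the last push update

    def any_active(self) -> bool:
        return self.fire_recall or self.seismic_hold or self.emergency_stop


@dataclass(frozen=True)
class Decision:
    seq: int
    accepted: bool
    reason: str
    elapsed_ms: float


class SafetyCommandValidator:
    """The only path from the BACnet/IP Stack to the Group Dispatch Controller.
    validate() is synchronous: the caller blocks, forwards the command only if
    the Decision is accepted, and hands every Decision to the Event Logger so
    the audit trail holds one record per command (cf. VER-REQ-023). Fail closed:
    no state, stale state, an internal fault or a blown budget all reject."""

    def __init__(self, designated_floors: set[int], clock=time.monotonic):
        self.designated_floors = designated_floors  # assumed: fire-recall landings
        self.clock = clock
        self.state: Optional[SafetyState] = None

    def on_safety_state(self, fire: bool, seismic: bool, estop: bool) -> None:
        """Push-subscription callback from the Safety Controller Subsystem."""
        self.state = SafetyState(fire, seismic, estop, self.clock())

    def validate(self, command: BmsCommand) -> Decision:
        start = self.clock()
        try:
            accepted, reason = self._check(command, start)
        except Exception as exc:  # any internal fault is a rejection
            accepted, reason = False, f"validator fault: {exc!r}"
        elapsed_ms = (self.clock() - start) * 1000.0
        if elapsed_ms > VALIDATION_BUDGET_S * 1000.0:
            accepted, reason = False, f"budget exceeded ({elapsed_ms:.1f} ms)"
        return Decision(command.seq, accepted, reason, elapsed_ms)

    def _check(self, command: BmsCommand, now: float) -> tuple[bool, str]:
        if self.state is None:
            return False, "no safety state received"
        age = now - self.state.received_at
        if age > STATE_MAX_AGE_S:
            return False, f"safety state stale ({age * 1000:.0f} ms)"
        if self.state.any_active():
            return False, "safety event active"
        if command.cmd in (CmdType.FLOOR_LOCKOUT, CmdType.VIP_PRIORITY):
            if command.floor is None:
                return False, "missing floor"
            if command.cmd is CmdType.FLOOR_LOCKOUT and command.floor in self.designated_floors:
                return False, "designated landing cannot be locked out"
        return True, "ok"


def demo() -> list[Decision]:
    """Constructed command sequence exercising each rejection path, driven by a
    settable clock so the run is deterministic offline."""
    t = [0.0]
    v = SafetyCommandValidator(designated_floors={0}, clock=lambda: t[0])
    out = [v.validate(BmsCommand(CmdType.FLOOR_LOCKOUT, 5, 1))]  # no state yet
    v.on_safety_state(False, False, False)
    out.append(v.validate(BmsCommand(CmdType.FLOOR_LOCKOUT, 5, 2)))  # accepted
    out.append(v.validate(BmsCommand(CmdType.FLOOR_LOCKOUT, 0, 3)))  # designated landing
    v.on_safety_state(True, False, False)                            # fire recall begins
    out.append(v.validate(BmsCommand(CmdType.VIP_PRIORITY, 5, 4)))   # safety event active
    v.on_safety_state(False, False, False)
    t[0] += 0.150                                                     # subscription went quiet
    out.append(v.validate(BmsCommand(CmdType.SCHEDULE, None, 5)))    # stale state
    return out
```

The staleness check is the part a practitioner most often omits: a validator that keeps the last pushed state forever will happily approve commands after the Safety Controller has gone silent, which is exactly the bypass the synchronous, in-line design is meant to close.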

Architecture Decisions (ARC)

Ref Requirement V&V Tags
ARC-REQ-001 ARC: Safety Controller — independent SIL 3 processor separate from main controller. Safety monitoring (overspeed, UCMP) and fire/seismic response grouped because Jaccard similarity 0.842 and both require IEC 61508 SIL 3 certification. Alternative: safety functions distributed across subsystems — rejected because SIL 3 certification of distributed safety is prohibitively expensive and reduces diagnostic coverage. Constraint: EN 81-20 requires safety-critical functions independent of main controller failure.
Rationale: H-001 and H-002 both SIL 3. IEC 61508 Part 2 requires architectural independence of safety function from non-safety functions. Dual-channel safety processor with >99% diagnostic coverage is standard industry practice for elevator safety controllers.
Analysis informational, architecture-decision
ARC-REQ-002 ARC: Traction Drive — dedicated VFD and motion control loop separate from dispatch logic. Motion control requires deterministic real-time loop (1 kHz) while dispatch operates at event-driven timescale (seconds). Alternative: integrated drive-and-dispatch — rejected because real-time jitter from dispatch computation degrades motion profile smoothness. VFD, motor, brake, and encoders are physically co-located and share failure modes (electrical insulation, thermal).
Rationale: Motion control at 2.5 m/s with ±5mm levelling requires deterministic 1 kHz loop. Mixing event-driven dispatch with real-time servo creates jitter that degrades ride comfort (STK-REQ-002). VFD switching at 4-16 kHz must be isolated from safety signal paths per H-008.
Analysis informational, architecture-decision
ARC-REQ-003 ARC: Door Operator — separate subsystem from traction drive despite both having motors. Door motor is low-power AC/DC with belt drive operating at 0.3-0.5 m/s; traction motor is high-power PMSM at 2.5 m/s. Different failure modes (door entrapment vs overspeed), different SIL levels (SIL 2 vs SIL 3), different physical location (car vs machine room/hoistway). No engineering basis for grouping.
Rationale: H-003 door entrapment is SIL 2; H-001/H-002 overspeed/UCMP are SIL 3. Mixed SIL allocation within a single subsystem creates certification complexity. Door operator is a field-replaceable unit with distinct maintenance schedule.
Analysis informational, architecture-decision
ARC-REQ-004 ARC: Building Integration Gateway — consolidates all external protocol translation (BACnet, RS-485, EN 81-28 intercom) and event logging. Alternative: each subsystem handles its own external interface — rejected because protocol translation is cross-cutting, BACnet object model requires aggregated status from all subsystems, and logging must be centralised for 10-year audit trail integrity.
Rationale: BACnet B-ASC profile requires a single IP endpoint aggregating car position, faults, energy, and mode from all subsystems. Distributed logging creates audit trail fragmentation that fails EN 81-20 Annex A inspection requirements.
Analysis informational, architecture-decision
ARC-REQ-005 ARC: Power Distribution — separate subsystem for mains switching, UPS, and ARD. Alternative: power management embedded in traction drive — rejected because ARD rescue drive operates independently when main drive has faulted. UPS sustains controller when traction power is unavailable. Power subsystem must function during traction drive failure, requiring failure independence.
Rationale: H-005 (power failure with passengers) requires ARD to operate when traction drive subsystem has lost mains. IEC 60364 requires dedicated switchboard isolation. UPS and ARD have different battery chemistries and maintenance cycles.
Analysis informational, architecture-decision
ARC-REQ-006 ARC: Group Dispatch Controller — software-only subsystem on main controller hardware. Alternative: dedicated dispatch hardware per car — rejected because group optimisation requires global view of all car positions and calls. Runs on main controller alongside BMS interface, but dispatch algorithm is logically independent module with configurable traffic patterns.
Rationale: ETA-based group dispatch requires simultaneous access to all 4 cars' position, load, and call data. Distributed dispatch per car would require consensus protocol adding latency to 30s wait time budget. Software modularity sufficient for functional separation.
Analysis informational, architecture-decision
ARC-REQ-007 ARC: Traction Drive Subsystem — Gearless PMSM drive with closed-loop vector control. A gearless permanent-magnet synchronous motor (PMSM) with integral VFD was selected over a geared induction motor to eliminate gear wear and noise, reduce machine room footprint, and enable regenerative braking. Vector control with a Motor Control Unit (MCU) closes the velocity loop at 1 kHz, achieving ±5 mm stopping accuracy without a mechanical levelling device. Dual-coil electromagnetic brake provides fail-safe mechanical retention; spring-applied design ensures parking safety during power loss without relying on software. Rotary encoder on the motor shaft feeds both speed regulation and floor position computation, avoiding a separate landing sensor for the drive layer.
Rationale: Architecture decision documents the key trade-off (gearless vs geared, VFD vector control vs V/f) and explains the fail-safe brake choice. Essential for future maintainers and safety case arguments.
Inspection informational, architecture-decision
ARC-REQ-008 ARC: Power Distribution Subsystem — UPS-backed ATS with SoC-managed load shedding. A UPS Module provides fail-safe 24V DC backup for safety-critical circuits; the Automatic Transfer Switch isolates loads from mains within 20ms. Load shedding priority (safety > drive > comfort) is implemented in the Power Management Controller rather than hardwired contactor sequence, enabling configurable adaptation for future car additions without rewiring.
Rationale: Records the load-shedding architecture choice and explains why software-managed priority beats hardwired sequencing for a multi-car elevator installation.
Inspection informational, architecture-decision
ARC-REQ-009 ARC: Door Operator Subsystem — dual-channel obstruction detection with independent light curtain and safety edge. The subsystem uses a dedicated Door Control Unit separate from the Safety Controller to isolate door cycle logic from car movement logic, reducing the SIL-2 door safety functions from the SIL-3 overspeed protection scope. Light curtain (Cat 4 / PLe, EN ISO 13849-1) provides primary obstruction coverage; safety edge contact strip provides backup on physical contact, satisfying EN 81-20 clause 5.3.12 for dual-means reversal. The Door Motor Drive uses torque control rather than speed control to enforce the 150 N closing force limit without requiring a separate force sensor.
Rationale: Architectural trade-off: separating DCU from Safety Controller reduces the SIL-2 door functions scope and allows independent validation of door software, lowering certification cost. Using torque control eliminates a sensor (force load cell) while providing continuous force limiting — the alternative (force sensor with speed control) adds a hardware failure mode.
Inspection informational, architecture-decision
ARC-REQ-010 ARC: Group Dispatch Controller — destination dispatch with traffic-adaptive algorithm. The subsystem separates real-time car state aggregation from the dispatch algorithm to allow algorithm updates without modifying the safety-neutral state aggregation layer. Hall Call Interface Unit is hardware-separated from the dispatch logic to isolate landing panel wiring failures from the dispatch processor. Traffic Analysis Module runs asynchronously at low priority, ensuring dispatch latency is bounded regardless of analysis load.
Rationale: Separation of car state aggregation from algorithm allows algorithm iteration without re-validating the state aggregation layer. Hardware separation of HCIU limits landing panel wiring fault blast radius to the hall call function only, not the dispatch processor.
Inspection informational, architecture-decision
ARC-REQ-011 ARC: Building Integration Gateway — five-component decomposition (BACnet/IP Stack, Safety Command Validator, Access Control Interface Module, Event Logger, Emergency Communications Unit). Protocol translation isolated to single gateway per original ARC-REQ-004 rationale. Safety Command Validator is a dedicated component rather than logic inside BACnet/IP Stack because command interception must execute regardless of BACnet stack health — an independent fail-safe posture. Event Logger is separate from the main controller's diagnostic log because EN 81-20 Clause 5.12 mandates tamper-evident audit records with 10-year retention; the design meets this with dedicated non-volatile storage and a SHA-256 hash chain over the records. Emergency Communications Unit operates autonomously (battery-backed, GSM fallback) because entrapment detection must function even if the main controller has faulted.
Rationale: Protocol gateway decomposition isolates external interface complexity. Safety Command Validator independence ensures BMS cannot override safety states even if BACnet stack has a software fault. Event Logger independence required by EN 81-20 audit retention obligations; a hash chain is tamper-evident only if its current head (or periodic checkpoints) is anchored outside the logger's own storage, since an attacker with write access to the log can otherwise rewrite a record and recompute every later hash.
Analysis informational, architecture-decision
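The hash-chained audit record of ARC-REQ-011 fed from the read-only CAN view of IFC-REQ-025, as an added example (not code from this report or from the described system). The arbitration IDs, the record layout and the external anchor for the chain head are assumptions made for illustration. It shows why the anchor matters: a naive edit breaks the chain at the edited record, but an edit that also recomputes the chain verifies cleanly against itself and is caught only by comparing the final hash with an anchored copy.

```python
"""Tamper-evident Event Logger: SHA-256 hash chain over event broadcasts taken
from a listen-only view of the internal CAN bus (ARC-REQ-011, IFC-REQ-025).

Added example, not the report's code. The arbitration IDs, the record layout
and the external anchor for the chain head are illustrative assumptions.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # stands in for "nothing before the first record"

# Assumed event-broadcast arbitration IDs of the four producing subsystems.
EVENT_SOURCES = {0x100: "SafetyController", 0x200: "TractionDrive",
                 0x300: "DoorOperator", 0x400: "GroupDispatch"}


@dataclass(frozen=True)
class CanFrame:
    ts_ms: int
    arb_id: int
    data: bytes


def record_digest(prev_hash: str, record: dict) -> str:
    """Bind a record to its predecessor. Canonical JSON makes the digest
    independent of dict key order."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class EventLogger:
    """Append-only consumer. It has an ingest path and no transmit path, which
    is the software half of IFC-REQ-025; the other half is the CAN controller
    being configured listen-only so the node cannot even acknowledge frames."""

    def __init__(self) -> None:
        self.records: list[dict] = []
        self.hashes: list[str] = []

    def ingest(self, frame: CanFrame) -> bool:
        """Log an event broadcast; return False for frames that are not events."""
        source = EVENT_SOURCES.get(frame.arb_id)
        if source is None:
            return False
        record = {"seq": len(self.records), "ts_ms": frame.ts_ms,
                  "source": source, "data": frame.data.hex()}
        self.records.append(record)
        self.hashes.append(record_digest(self.head(), record))
        return True

    def head(self) -> str:
        """Current chain head; this is the value to anchor externally."""
        return self.hashes[-1] if self.hashes else GENESIS


def verify_chain(records: list[dict], hashes: list[str], anchored_head: str) -> tuple[bool, int]:
    """Recompute the chain from GENESIS. Returns (ok, index of the first bad
    record, or -1). The final hash must equal an anchor held outside the
    logger: without it, an attacker who can write the log rewrites a record,
    recomputes every later hash, and the chain still verifies against itself."""
    if len(records) != len(hashes):
        return False, min(len(records), len(hashes))
    prev = GENESIS
    for i, (rec, h) in enumerate(zip(records, hashes)):
        if record_digest(prev, rec) != h:
            return False, i
        prev = h
    if prev != anchored_head:
        return False, len(records)
    return True, -1


def demo() -> dict:
    """Constructed frames; the 0x7FF frame is not an event broadcast."""
    log = EventLogger()
    frames = [CanFrame(1000, 0x100, b"\x01"), CanFrame(1010, 0x300, b"\x02\x00"),
              CanFrame(1020, 0x7FF, b"\xff"), CanFrame(1030, 0x400, b"\x03")]
    ingested = sum(log.ingest(f) for f in frames)
    anchor = log.head()  # e.g. pushed to the Safety Controller or an off-box store
    intact = verify_chain(log.records, log.hashes, anchor)
    # Naive tamper: edit a stored record and leave the hashes alone.
    edited = [dict(r) for r in log.records]
    edited[1]["data"] = "0200ff"
    naive = verify_chain(edited, log.hashes, anchor)
    # Careful tamper: recompute the chain after the edit; only the anchor catches it.
    rehashed, prev = [], GENESIS
    for r in edited:
        prev = record_digest(prev, r)
        rehashed.append(prev)
    rewritten = verify_chain(edited, rehashed, anchor)
    return {"ingested": ingested, "intact": intact, "naive": naive, "rewritten": rewritten}
```

The `verify_chain` result index tells the inspector where the record set diverges: a concrete index for a naive edit, and the record count (meaning "chain consistent, head does not match the anchor") for a rewrite, which is the signature of an attacker who had write access to the logger's storage.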

Verification Plan (VER)

Ref Requirement V&V Tags
VER-REQ-001 Verify IFC-REQ-005: Inject encoder quadrature signals at 100% rated speed into the Speed and Position Monitor and measure output data rate at Safety CPU input. Pass criterion: data frames received at ≥100 Hz with no CRC-rejected frames in a 10,000-frame sample (CRC error rate <10^-4).
Rationale: Integration test to verify interface compliance at system boundaries. With a 10,000-frame sample an error rate below 10^-4 can only be demonstrated by observing zero CRC failures; the threshold supports the channel residual error rate claimed in the IEC 61508 SIL 3 safety case for this communication path.
Test verification, safety-controller, session-437, idempotency:ver-ifc-005-437
VER-REQ-002 Verify IFC-REQ-006: Open each safety device contact in the series circuit one at a time and measure Safety CPU fault detection time. Pass criterion: each open detected within 50 ms; no false activations over 24h continuous monitoring.
Rationale: Integration test to verify interface compliance at system boundaries. Each safety device must be individually tested per EN 81-50 testing requirements to confirm independence of detection.
Test verification, safety-controller, session-437, idempotency:ver-ifc-006-437
VER-REQ-003 Verify IFC-REQ-007: De-energise the fire recall relay contact and measure Safety CPU signal reception latency. Pass criterion: signal received within 5 ms; isolation verified to ≥500 V between relay input circuit and Safety CPU signal ground.
Rationale: Integration test to verify interface compliance at system boundaries. Isolation test ensures fire panel wiring faults cannot damage or corrupt the Safety CPU.
Test verification, safety-controller, session-437, idempotency:ver-ifc-007-437
VER-REQ-004 Verify IFC-REQ-008: Command brake engagement from Safety CPU and measure: relay open time from command, relay monitor contact state change, brake mechanical engagement. Pass criterion: both relays open within 20 ms; monitor contacts reflect relay state within 2 ms of relay actuation.
Rationale: Integration test to verify interface compliance at system boundaries. Relay monitor contact timing verifies the diagnostic coverage path that detects contact welding.
Test verification, safety-controller, session-437, idempotency:ver-ifc-008-437
VER-REQ-005 Verify SUB-REQ-002 (overspeed): Drive car at rated speed; inject encoder signal to simulate 116% rated speed; measure time from encoder threshold crossing to Safety Output Actuator brake engagement. Pass criterion: brake engages within 100 ms total.
Rationale: End-to-end system-level integration test exercising full chain: Speed and Position Monitor detection → Safety CPU decision → Safety Output Actuator engagement. 100ms total is the EN 81-20 safety function response budget. Tests the system as a whole under representative conditions.
Test verification, safety-controller, sil-3, session-437, idempotency:ver-sub-002-overspeed-437
VER-REQ-006 Verify SUB-REQ-008 (safe state on fault): Inject a simulated Safety CPU dual-channel discrepancy; measure time to brake engagement and VFD inhibit. Pass criterion: both outputs enter safe state within 100 ms; car motion ceases within 100 ms of fault injection.
Rationale: Safety function self-test verifying that internal CPU faults result in safe state, per IEC 61508 SIL 3 requirement for fault reaction time. Must be performed in controlled test environment with car stationary or at low speed.
Test verification, safety-controller, sil-3, session-437, idempotency:ver-sub-008-safe-state-437
VER-REQ-007 Verify SUB-REQ-009 (power-on self-test): Apply power to the Safety Controller Subsystem and observe POST execution. Pass criterion: POST completes all checks within 5 s; elevator remains inhibited until POST passes; a deliberate RAM corruption causes POST fail and maintains inhibit.
Rationale: POST verification ensures that the IEC 61508 SIL 3 start-up diagnostic requirement is met. Deliberate fault injection (RAM corruption) confirms that POST failure results in elevator inhibition rather than spurious release.
Test verification, safety-controller, sil-3, session-437, idempotency:ver-sub-009-post-437
VER-REQ-010 Verify IFC-REQ-009: inject 1000 consecutive torque reference commands on the 1 Mbit/s CAN bus at the 1 kHz control-loop rate and measure latency distribution. Pass if 100% of messages arrive within 1 ms and zero CRC errors are reported by the VFD receiver.
Rationale: Integration test verifying CAN bus timing and error detection at the MCU-to-VFD boundary. 100% pass rate at rated message frequency confirms the interface performs adequately under normal load.
Test verification, traction-drive, session-439, idempotency:ver-ifc009-439
VER-REQ-011 Verify IFC-REQ-010: run motor at rated speed for 60 minutes with shielded cable routed adjacent to live VFD output cables; compare encoder pulse count to reference counter. Pass if the pulse-count error over the run is fewer than 60 pulses (at nominal 1000 pps the run accumulates 3.6 million pulses, so this is an error rate below 1.7 × 10^-5).
Rationale: Integration test under realistic EMI conditions reproduced by co-routing encoder cable with VFD output. Time duration ensures statistically significant sample at rated speed.
Test verification, traction-drive, session-439, idempotency:ver-ifc010-439
VER-REQ-012 Verify IFC-REQ-011: simulate ENCODER_FAULT on MCU while monitoring Safety Controller relay inputs; measure relay de-assertion time. Pass if relay opens within 50 ms of fault injection on each of 20 repeat trials.
Rationale: Functional safety test confirming the fault propagation path from MCU to Safety Controller meets the 50ms timing budget. 20 trials provide statistical confidence for SIL-3 validation.
Test verification, traction-drive, sil-3, session-439, idempotency:ver-ifc011-439
VER-REQ-013 Verify SUB-REQ-012: inject synthetic encoder signal at 115.1% of rated speed via MCU test port; measure time from threshold crossing to OVERSPEED fault output. Pass if fault asserted within 50 ms on 10 consecutive trials with no false positives at 114.9%.
Rationale: Boundary condition test for the overspeed detection function with injection at threshold plus margin. Ten trials at two speeds (above and below threshold) confirm correct threshold implementation and response time.
Test verification, traction-drive, sil-3, session-439, idempotency:ver-sub012-439
VER-REQ-014 Verify end-to-end Traction Drive: command a 12-floor run at rated speed; measure velocity profile against S-curve reference, stopping accuracy at destination floor, and OVERSPEED fault latency with injected 116% speed pulse. Pass if: velocity error <0.05 m/s throughout, stopping within 5 mm, fault asserted within 50 ms, acceleration never exceeds 1.5 m/s².
Rationale: System-level integration test exercising the full chain from MCU velocity command through VFD, motor, and encoder feedback under a realistic duty cycle. Composite pass criteria confirm the subsystem meets SYS-REQ-002 and SYS-REQ-003 simultaneously.
Test verification, traction-drive, integration, session-439, idempotency:ver-e2e-traction-439
VER-REQ-015 Verify SUB-REQ-018: disconnect mains supply while safety bus is loaded at rated current; measure 24V DC bus voltage from dropout to UPS output stabilisation. Pass if bus stays within ±5% throughout and transfer completes within 20 ms on 10 consecutive trials.
Rationale: Directly validates the power transfer time and voltage continuity requirement under worst-case instantaneous dropout.
Test verification, power-dist, session-439, idempotency:ver-sub018-439
VER-REQ-016 Verify SUB-REQ-019: disconnect mains supply with UPS at 100% SoC and elevator in rated-load operation; measure time until output voltage drops below 21.6V (90% of 24V). Pass if measured hold-up time is at least 30 minutes.
Rationale: Acceptance test for minimum UPS hold-up duration under representative load. 21.6V lower limit matches the minimum input voltage of the 24V relay coils and MCU power supplies.
Test verification, power-dist, session-439, idempotency:ver-sub019-439
VER-REQ-017 Verify SUB-REQ-023: apply calibrated load cell to car door leading edge during powered close cycle at rated supply voltage, reduced supply voltage (-10%), and with a worn belt simulation (15% tension reduction). Closing force SHALL NOT exceed 150 N in any condition.
Rationale: Worst-case electrical and mechanical conditions exercise the torque control loop at its performance boundaries; pass criterion directly maps to EN 81-20 clause 5.3.12 test method.
Test verification, door-operator, sil-2, session-440, idempotency:ver-sub023-440
VER-REQ-018 Verify SUB-REQ-024: during powered close cycle, interrupt light curtain beam at 50%, 75%, and 95% of closing travel; separately activate safety edge at each position. Measure time from signal activation to door reversal initiation. All measurements SHALL be ≤50 ms.
Rationale: Tests reversal response at multiple points in the closing profile, ensuring the 50ms budget is met when the door is at maximum speed (midtravel) and during the deceleration zone (near-closed).
Test verification, door-operator, sil-2, session-440, idempotency:ver-sub024-440
VER-REQ-019 Verify IFC-REQ-016: break beam of Multi-Ray Light Curtain and measure time from beam break to OSSD de-assertion at Door Control Unit input. Repeat for 10 random beams. All measurements SHALL be ≤20 ms. Verify cross-channel monitoring detects a failed OSSD channel on the next power cycle.
Rationale: Integration test verifying the safety interface meets the 20 ms de-assertion budget required by the reversal timing chain; cross-channel test verifies the diagnostic coverage requirement.
Test verification, door-operator, sil-2, session-440, idempotency:ver-ifc016-440
VER-REQ-020 Verify IFC-REQ-020: with door in OPEN state, confirm car-movement-permitted relay is de-energised. Command door to CLOSE; confirm relay energises within 200 ms of CLOSED state reported on CAN. Simulate DCU FAULT; confirm relay de-energises within 100 ms. Verify CAN state messages received at ≥10 Hz.
Rationale: End-to-end integration test of the dual-channel door safety interface; exercises the safety-critical relay path and the diagnostic CAN path independently. Pass criteria verify the DCU safe-state timing required by SUB-REQ-028.
Test verification, door-operator, sil-2, session-440, idempotency:ver-ifc020-440
VER-REQ-021 Verify Door Operator end-to-end: command 1000 consecutive open-close cycles under rated load with 20% of cycles including a simulated obstruction event. Verify that (a) no closing force exceeds 150 N, (b) all obstruction reversals complete within 50 ms, (c) no false movement-permission signals are issued during door travel, and (d) door position error at final close position is ≤2 mm.
Rationale: High-cycle integration test validates statistical reliability and verifies that the combination of torque control, obstruction detection, and position encoding meets all subsystem requirements concurrently under realistic operating conditions.
Test verification, door-operator, sil-2, session-440, idempotency:ver-door-e2e-440
VER-REQ-022 Verify SUB-REQ-030: conduct 30-minute up-peak traffic simulation with 200 persons/5 minutes generated at entry floor using calibrated passenger simulator. Record waiting time for each simulated passenger. Average waiting time SHALL be ≤30 seconds. Minimum 3 runs required; all runs must pass.
Rationale: Traffic simulation is the standard acceptance method for elevator group dispatch performance; 30 minutes captures multiple peak cycles. Requiring three runs that all pass guards against accepting on a single favourable run: natural traffic variation between runs cannot mask a dispatch shortfall.
Test verification, group-dispatch, session-440, idempotency:ver-gdc-waiting-440
VER-REQ-023 Verify IFC-REQ-023: With a BMS command simulator connected to the BACnet/IP Stack, inject 100 floor lockout commands in sequence. Measure time from command receipt at BACnet stack to Safety Command Validator pass/reject response. Pass criterion: all 100 commands processed ≤50 ms; no command reaches Group Dispatch Controller without a validator decision record in the Event Logger.
Rationale: Confirms that the Safety Command Validator intercepts 100% of BMS commands in the pipeline and that no bypass path exists; the Event Logger cross-check verifies audit completeness.
Test verification, building-integration-gateway, session-441, idempotency:ver-ifc23-441
VER-REQ-024 Verify IFC-REQ-026: Activate fire recall relay on the Safety Controller; measure time from relay activation to Safety Command Validator receiving updated safety state. Pass criterion: state update received within 100 ms; subsequent BMS floor lockout command rejected within 500 ms total. Repeat for seismic hold and emergency stop.
Rationale: Confirms that safety state propagation latency is within the 100 ms budget, ensuring the Safety Command Validator correctly blocks commands during all three safety event types.
Test verification, building-integration-gateway, session-441, idempotency:ver-ifc26-441
VER-REQ-025 Verify SUB-REQ-036: Simulate car entrapment by commanding the main controller to report car stationary between floor zones. Measure time from simulated entrapment trigger to Emergency Communications Unit initiating a PSTN test call. Pass criterion: call initiated within 30 s of 2-minute entrapment threshold. Then disconnect PSTN; verify automatic GSM fallback connection within 30 s. Separately: discharge battery to 10%; verify ≥24 h standby and ≥1 h active call remaining.
Rationale: EN 81-28 compliance requires verification of both auto-dial timing and battery backup duration. PSTN plus GSM fallback must both be tested because EN 81-28 mandates automatic switchover; measuring at 2-minute threshold plus 30 s dial margin verifies the full timing chain.
Test verification, building-integration-gateway, session-441, idempotency:ver-sub36-441
VER-REQ-026 Verify Building Integration Gateway end-to-end: With a live BMS connected via BACnet/IP and access control system connected via RS-485, activate fire recall on the Safety Controller; verify: (1) all BMS car movement commands are rejected within 500 ms with BACnet alarm notification; (2) access control floor commands are also rejected; (3) fire recall event is logged to Event Logger within 100 ms; (4) BACnet status objects reflect fire recall mode within 500 ms. All four conditions must pass simultaneously.
Rationale: End-to-end integration test exercises the complete BIG command path under a realistic safety event. Testing all four conditions simultaneously confirms that the subsystem components do not interfere with each other during a concurrent high-activity period.
Test verification, building-integration-gateway, session-441, idempotency:ver-big-e2e-441
VER-REQ-027 Verify SUB-REQ-003 (UCMP detection): With car at rest in the door zone, apply a simulated drive command to induce uncontrolled movement. Measure time from the encoder count first exceeding 200 mm of displacement to Safety Output Actuator brake engagement. Pass criteria: detection and brake engagement within 50 ms; no false triggers in 100 consecutive door-zone operations.
Rationale: End-to-end verification of UCMP detection chain per SUB-REQ-003. 200mm threshold and 50ms timing are the quantified acceptance criteria.
Test
VER-REQ-028 Verify SUB-REQ-001 (dual-channel SIL 3 architecture): Review Safety CPU design documentation. Confirm two independent processors with separate power supplies, cross-channel comparison achieving >99% diagnostic coverage, discrepancy detection within 20ms, and safe state on discrepancy. Pass criteria: architecture analysis report signed by functional safety assessor confirming IEC 61508 SIL 3 HFT=1.
Rationale: Architecture analysis per IEC 61508-2 Clause 7.4.7: document review of Safety CPU design, fault injection analysis for diagnostic coverage >99%, and formal assessment sign-off by a functional safety assessor. Physical channel independence cannot be verified by run-time test alone; this is the recognised method for SIL 3 HFT=1 claim verification.
Inspection
VER-REQ-029 Verify SUB-REQ-044 (fire recall routing): inject fire recall command via Safety Controller simulator; measure time for all 4 cars to arrive at designated landing with doors open. Pass: all cars at designated landing within 60 seconds, zero calls active on completion.
Rationale: Integration test confirming Group Dispatch Controller cancels all calls and routes all cars to designated landing within SYS-REQ-007 time bound. Must be tested with all 4 cars at dispersed floors to exercise worst-case routing.
Test verification, group-dispatch-controller, session-443, idempotency:ver-sub-044-fire-recall-443
VER-REQ-030 Verify SUB-REQ-045 (ARD battery 3 rescue cycles): with battery at 100% SoC and all 4 cars loaded to rated capacity, disconnect mains; command 3 sequential rescue cycles per car; measure voltage profile and cycle completion. Pass: all 12 rescue operations (3 cycles × 4 cars) complete with car delivered to nearest landing, battery voltage ≥18V DC throughout.
Rationale: Acceptance test confirming battery bank energy capacity meets the group-level 3-cycle criterion under simultaneous worst-case load. The 18V DC lower bound represents 75% of nominal 24V, the minimum for relay hold-in across all relays in the safety circuit.
Test verification, power-distribution-subsystem, session-443, idempotency:ver-sub-045-ard-battery-443
VER-REQ-031 Verify SUB-REQ-047 (seismic stop and hold): with all 4 cars at rated speed at mid-travel, inject P-wave trigger signal to Safety Controller; measure time for all cars to stop at nearest floor with doors open; verify no car movement for 60 seconds post-trigger. Pass: all stops completed within 10 seconds, no car moved during 60-second hold period.
Rationale: Integration test confirming the 10-second stop and 60-second hold requirements from SYS-REQ-008 and SUB-REQ-047. The mid-travel starting position maximises stopping distance and exercises the worst-case scenario for the 10-second constraint.
Test verification, safety-controller-subsystem, seismic, session-443, idempotency:ver-sub-047-seismic-443
VER-REQ-032 Verify SUB-REQ-048: Subject Safety Controller Subsystem to 10 V/m radiated field per EN 12016:2013 (80 MHz-1 GHz). Pass criterion: no spurious safety trips, no fault log entries, all safety outputs remain nominal during and 60s after exposure.
Rationale: Integration test verifying radiated immunity of the safety signal paths at the subsystem boundary to the EN 12016 level. A spurious safety trip or a fault-log entry during exposure is a fail, because either shows the field is coupling into the safety chain even if the car behaviour looks normal.
Test verification, safety-controller, emc, session-444, idempotency:ver-sub-048-emc-444
VER-REQ-033 Verify SUB-REQ-049: Inspect controller cabinet at factory acceptance. Measure H x W x D dimensions, confirm IP54 rating certificate per IEC 60529, verify panel-mounted display and keypad. Pass criterion: dimensions within 800x600x250 mm, IP54 certificate present, display and keypad operational.
Rationale: Factory acceptance inspection to verify controller cabinet enclosure compliance with SYS-REQ-015 physical constraints.
Inspection verification, power-distribution, enclosure, session-444, idempotency:ver-sub-049-enclosure-444
VER-REQ-034 Verify SUB-REQ-050: Inspect Declaration of Conformity, CE marking on product label, and conformity assessment records. Pass criterion: DoC references Directive 2014/33/EU with correct assessment module, CE mark visible on cabinet label, assessor identity and date recorded.
Rationale: Documentation review to verify EU Lifts Directive compliance and CE marking obligation per SYS-REQ-016.
Inspection verification, compliance, session-444, idempotency:ver-sub-050-ce-444
VER-REQ-035 Verify SUB-REQ-051 (Safety Controller hot standby): inject a simulated primary channel failure while car is in motion, confirm secondary channel asserts safe stop within 50 ms and car comes to rest; repeat 20 times with no missed transitions. Pass: all 20 transitions within 50 ms, car stops safely each time.
Rationale: Integration test verifying the hot standby switchover under realistic operating conditions. 20 repetitions provide statistical confidence in the 50 ms timing requirement.
Test verification, safety-controller, sil-3, session-445, idempotency:ver-sub-req-051-445
VER-REQ-036 Verify SUB-REQ-053 (VFD state machine): exercise all valid state transitions using HIL (hardware-in-loop) test bench; inject invalid transition commands and confirm rejection within 5 ms with fault logged; inject Emergency-Stop while in Running state and confirm Braking state entry within 5 ms. Pass: all valid transitions succeed, all invalid transitions rejected within 5 ms with fault event logged.
Rationale: HIL testing of the full state machine validates both functional transitions and rejection of invalid commands, addressing the safety concern about undefined drive behaviour.
Test verification, traction-drive, session-445, idempotency:ver-sub-req-053-445
VER-REQ-037 Verify SUB-REQ-052 (GDC failover): with group at full dispatch load (4 cars active), terminate active dispatch process and measure time to standby takeover; confirm in-progress car assignments are preserved; measure group throughput 5 minutes post-failover. Pass: failover completes in less than 200 ms, no assignment loss, throughput at or above 80% rated.
Rationale: Live failover under load is the only reliable way to verify that the standby takes over with correct dispatch state; a traffic simulator driving the hall and car calls provides repeatable load conditions for the measurement.
Test verification, group-dispatch-controller, session-445, idempotency:ver-sub-req-052-445
VER-REQ-038 Verify SUB-REQ-054 (Door Operator state machine): actuate door through all valid state transitions; inject obstacle in door path during Closing state and confirm Obstructed state entry and re-open; command reverse within 200 ms of direction change and confirm rejection; disconnect position sensor and confirm Fault state entry within 500 ms. Pass: all transitions correct, 200 ms reversal protection confirmed, sensor fault detected within 500 ms.
Rationale: Functional test of all door state transitions and protection features. 200 ms reversal and 500 ms fault detection are directly measurable pass/fail criteria.
Test verification, door-operator, session-445, idempotency:ver-sub-req-054-445
VER-REQ-039 Verify SUB-REQ-056 (BMS data items at 1 Hz): connect BACnet/IP analyser to gateway, operate elevator in Nominal operating mode for 60 s, capture BACnet COV notifications; verify all four AI/BO/MSI/MV objects present; measure inter-notification interval for each object. Pass: all four objects present, update rate for each object between 0.9 Hz and 1.1 Hz, energy reading within 2% of reference meter.
Rationale: BACnet integration test with protocol analyser provides direct verification of object presence, type, and update rate. Reference meter comparison verifies the ±2% energy accuracy requirement.
Test verification, building-integration-gateway, session-445, idempotency:ver-sub-req-056-445
VER-REQ-040 Verify SUB-REQ-004 (safety chain scan rate): With the safety chain circuit assembled and all safety devices closed, disable each safety device contact individually at intervals of 50 ms, 20 ms, and 10 ms. Measure time from contact opening to Safety CPU SAFETY_CHAIN_OPEN fault assertion. Pass criterion: fault asserted within 50 ms of each contact opening; no missed detections over 100 consecutive tests per device.
Rationale: SIL 3 safety function diagnostic test. SUB-REQ-004 requires ≥20 Hz scan and ≤50 ms fault assertion; this test exercises the timing boundary directly. A 10 ms opening is shorter than the 50 ms period of a 20 Hz scan, so the 10 ms case passes only if the input stage latches each opening until the next scan reads it; a miss there indicates un-latched polling rather than a slow scan. Because the worst-case sampling delay at exactly 20 Hz is already 50 ms, the bound is met only when scan period plus fault-processing time stays within 50 ms, and that margin is what the measured latencies quantify. 100 repetitions per device provides statistical confidence for SIL 3 PFD claims.
Test verification, safety-controller, sil-3, session-447, idempotency:ver-sub-004-447
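The latching point above is easy to get wrong on a polled input, so here is an added example (not code from the report or the project) that models a polled safety-chain input and reproduces the VER-REQ-040 pattern of 50, 20 and 10 ms openings. The scan model (instantaneous reads, zero processing time unless given) and the opening pattern are assumptions of the example.

```python
# Added example, not from the report: a polled safety-chain input model that
# shows why the 20 Hz / 50 ms figures in SUB-REQ-004 only hold together if the
# input stage latches openings shorter than one scan period. The scan model
# (instantaneous reads, processing time supplied separately) is a deliberate
# simplification and an assumption of this example.

def detection_latencies(openings, scan_period_ms, latched, horizon_ms=10_000):
    """Return one latency per contact opening, in ms from the opening to the
    scan that reports it, or None if no scan ever sees it.

    openings:  list of (start_ms, duration_ms) intervals during which the
               safety contact is open.
    latched:   True if the input circuit captures an opening and holds it
               until the next scan reads it; False for raw polling of the
               live contact state.
    """
    results = []
    for start, duration in openings:
        end = start + duration
        latency = None
        t = 0
        while t <= horizon_ms:
            physically_open = start <= t < end
            # A latched input reports any opening that began at or before this scan.
            if physically_open or (latched and t >= start):
                latency = t - start
                break
            t += scan_period_ms
        results.append(latency)
    return results


def worst_case_latency(openings, scan_period_ms, latched):
    """Max detection latency over the pattern, or None if any opening is missed."""
    latencies = detection_latencies(openings, scan_period_ms, latched)
    if any(l is None for l in latencies):
        return None
    return max(latencies)


def meets_bound(openings, scan_period_ms, latched, bound_ms=50, processing_ms=0):
    """Pass/fail in the SUB-REQ-004 sense: every opening detected, and scan
    latency plus fault-processing time within bound_ms."""
    worst = worst_case_latency(openings, scan_period_ms, latched)
    return worst is not None and worst + processing_ms <= bound_ms


# Constructed pattern mirroring VER-REQ-040: openings of 50, 20 and 10 ms,
# each starting 1 ms after a scan instant, the worst case for a polled input.
OPENINGS = [(51, 50), (151, 20), (251, 10)]
SCAN_20HZ_MS = 50

if __name__ == "__main__":
    for latched in (False, True):
        print("latched" if latched else "raw poll",
              detection_latencies(OPENINGS, SCAN_20HZ_MS, latched))
    print("20 Hz latched, 5 ms processing:",
          meets_bound(OPENINGS, SCAN_20HZ_MS, True, processing_ms=5))
```

Raw polling at 20 Hz misses both the 20 ms and the 10 ms openings outright; a latched input catches all three but sits at 49 ms, so any processing time on top breaks the 50 ms bound, which is why a faster scan or a documented processing budget is needed alongside the latch.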
VER-REQ-041 Verify SUB-REQ-010 (motor velocity control accuracy): With car loaded to rated capacity, command constant-speed runs at 25%, 50%, 75%, and 100% rated speed in both up and down directions. Measure steady-state velocity error against commanded profile using rotary encoder. Separately, measure stopping accuracy at all floor levels across a 10-floor run. Pass criteria: steady-state velocity error ≤±0.05 m/s at all speeds; stopping accuracy ≤±5 mm at all floors. Repeat each run 3 times.
Rationale: Performance verification of SIL 3 Motor Control Unit velocity regulation. SUB-REQ-010 specifies ±0.05 m/s steady-state error and ±5 mm stopping accuracy. Testing at four speed points covers the full operating envelope; worst-case is typically at low speed where slip is highest. Three repeats establish repeatability. EN 81-20 Annex D requires stopping accuracy verification by measurement.
Test verification, traction-drive, sil-3, session-447, idempotency:ver-sub-010-447
VER-REQ-042 Verify SUB-REQ-012 (MCU overspeed detection): Drive car at rated speed; inject encoder signal offset to simulate 116% of rated contract speed into the Motor Control Unit. Measure time from encoder threshold crossing at MCU to OVERSPEED fault assertion on the MCU-to-Safety-Controller interface (IFC-REQ-011). Pass criterion: OVERSPEED fault asserted within 20 ms; no false asserts in 500 nominal speed runs. Verify independent of Safety CPU detection path.
Rationale: SIL 3 safety function verification of the MCU overspeed detection channel, independent of the Safety CPU detection tested in VER-REQ-005. SUB-REQ-012 specifies detection at 115% rated speed; testing at 116% confirms the detector trips just above its threshold rather than only at gross overspeed, and the 500 nominal-speed runs bound the false-trip rate. Verifying independence from the Safety CPU path guards against common-cause failure between the two detection channels, which the SIL 3 dual-channel architecture relies on.
Test verification, traction-drive, sil-3, session-447, idempotency:ver-sub-012-447
VER-REQ-043 Verify SUB-REQ-013 (brake engagement under power failure): With car loaded to 150% rated capacity in up direction (worst-case backdrive load), disconnect 24V DC coil supply. Measure time from coil de-energisation to confirmed mechanical brake engagement using brake lining contact sensors. Verify car remains stationary against the 150% load for 60 seconds. Pass criteria: mechanical engagement within 150 ms; car displacement ≤2 mm during 60-second hold.
Rationale: SIL 3 safety function test per EN 81-20 Annex D brake test method. SUB-REQ-013 specifies 150 ms engagement and 150% rated load hold. The 150% load in the adverse direction represents the worst-case torque condition for brake holding. Displacement ≤2 mm confirms adequate brake torque margin per EN 81-20 minimum factor of 1.25 over rated load.
Test verification, traction-drive, sil-3, session-447, idempotency:ver-sub-013-447
VER-REQ-044 Verify SUB-REQ-018 (ATS mains-to-UPS transfer): With elevator in rated operation, reduce mains voltage to below 85% of nominal using a programmable power supply. Measure time from undervoltage detection to stable 24V DC UPS output at controller load. Pass criterion: UPS output stable within 20 ms of voltage drop. Verify no spurious safety events or controller resets occur during transfer. Repeat 10 times at 85% threshold and 5 times at 50% (instantaneous loss).
Rationale: SIL 2 safety function performance test. SUB-REQ-018 specifies <20 ms transfer at 85% voltage threshold. Instantaneous loss tests (50%) expose any race conditions between transfer detection and UPS output rise time. Absence of spurious safety events confirms the transfer is transparent to the safety controller, which is the key system-level requirement from SYS-REQ-006.
Test verification, power-dist, sil-2, session-447, idempotency:ver-sub-018-447
VER-REQ-045 Verify SUB-REQ-019 (UPS 30-minute holdup): With UPS battery at 100% SoC and elevator controller operating at full safety system load (all relays energised, Safety CPU active, BMS comms active), disconnect mains supply. Measure time until 24V DC output drops below 21.6V (90% of nominal). Pass criterion: output ≥21.6V for minimum 30 minutes. Also verify that after 30 minutes the Safety Controller enters safe state rather than experiencing an uncontrolled voltage drop.
Rationale: SIL 2 safety function capacity test. SUB-REQ-019 requires 30 minutes holdup at full safety load to enable operator-supervised evacuation per EN 81-73. Full-load test is required because most UPS sizing exercises assume partial load; the 90% voltage threshold ensures relay hold-in across the entire holdup period. Safe-state exit at capacity verifies no uncontrolled shutdown sequence.
Test verification, power-dist, sil-2, session-447, idempotency:ver-sub-019-447
VER-REQ-046 Verify SUB-REQ-048 (EMC immunity of safety-critical paths): Subject Safety Controller Subsystem and all safety-critical signal cables to radiated electromagnetic fields at 10 V/m per IEC 61000-4-3 across 80 MHz–1 GHz and conducted immunity per IEC 61000-4-6 at 10 Vrms. During exposure, monitor Safety CPU outputs for false trips, command reversals, or loss of position data. Pass criteria: no spurious safety commands; no encoder position errors >5 counts; no communication frame errors >10^-4 rate during exposure.
Rationale: SIL 2 immunity test per IEC 61000-4-3/4-6 using the levels mandated by SYS-REQ-011 and SUB-REQ-048. The safety-critical signal paths are those most at risk from VFD switching noise in a common machine room enclosure. Acceptance criteria are function-specific: encoder position errors above 5 counts would cause levelling errors exceeding the ±10 mm safety margin for H-004.
Test verification, safety-controller, emc, sil-2, session-447, idempotency:ver-sub-048-447
VER-REQ-047 Verify SUB-REQ-031 and SUB-REQ-032 (GDC call reassignment after fault): Simulate car fault on Car 1 while 3 hall calls and 2 car calls are active. Measure time from fault assertion to all pending calls from Car 1 being reassigned to remaining 3 cars. Pass criteria: reassignment completes within 100 ms; all pre-fault calls preserved in queue; wait time prediction updates visible on hall call panels within 500 ms. Run with 1 car faulted and repeat with 2 cars faulted (minimum degraded mode).
Rationale: Integration test covering the Single Car Failure During Peak ConOps scenario. SUB-REQ-031 specifies 100 ms reassignment latency and SUB-REQ-032 specifies fault reassignment behaviour; both are validated simultaneously. The 2-car fault case corresponds to the critical degraded operation mode requiring lobby attendant intervention, confirming the system behaves predictably before escalation threshold.
Test verification, group-dispatch, degraded, session-447, idempotency:ver-sub-031-032-447
VER-REQ-048 Verify SUB-REQ-015 (encoder fault detection): With car in motion at rated speed, disconnect encoder signal cable to simulate encoder loss; separately inject a quadrature error (an illegal transition in which channels A and B change state within the same sample; note that both channels high is a valid Gray-code state and must not trip the detector). Measure time from fault condition to MCU asserting ENCODER_FAULT to Safety Controller and VFD entering coast-stop state. Pass criteria: ENCODER_FAULT asserted within 20 ms for both fault types; car enters Degraded mode, not Emergency Shutdown, unless motion continues beyond 1 s.
Rationale: SIL 3 safety function test verifying fault detection speed and correct mode transition per SUB-REQ-015. The distinction between Degraded mode entry (encoder loss with car stopping normally) and Emergency Shutdown (car continues moving) is safety-critical: a premature Emergency Shutdown causes unnecessary entrapment while a missed detection risks uncontrolled movement.
Test verification, traction-drive, sil-3, session-447, idempotency:ver-sub-015-447
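To make the distinction between a valid quadrature state and an illegal transition concrete, here is an added example (not code from the report or the project) of an incremental decoder that counts steps and flags exactly the fault class VER-REQ-048 injects. The sampled (A, B) streams are constructed, and the forward Gray-code order is an assumption of the example (the direction sign depends on encoder wiring).

```python
# Added example, not from the report: quadrature decoding with detection of the
# illegal-transition fault that VER-REQ-048 injects. The (A, B) sample streams
# below are constructed, and the forward Gray-code order is an assumption of
# the example (the direction sign depends on encoder wiring).

# One electrical cycle in the forward direction: 00 -> 01 -> 11 -> 10 -> 00.
# Adjacent states differ in exactly one channel; 11 is a perfectly valid state.
FORWARD_ORDER = [(0, 0), (0, 1), (1, 1), (1, 0)]
INDEX = {state: i for i, state in enumerate(FORWARD_ORDER)}


def decode(samples):
    """Walk a sequence of (A, B) samples taken at a fixed rate.

    Returns (position, faults): position is the net count in quadrature
    steps; faults lists (sample_index, previous_state, new_state) for every
    illegal transition, i.e. both channels changing within one sample. A
    healthy encoder sampled fast enough never does that, so each entry is
    signal corruption, a disconnected channel, or an under-sampled shaft,
    and all three must raise ENCODER_FAULT.
    """
    position = 0
    faults = []
    prev = samples[0]
    for i, cur in enumerate(samples[1:], start=1):
        if cur == prev:
            continue  # no edge in this sample
        delta = (INDEX[cur] - INDEX[prev]) % 4
        if delta == 1:
            position += 1   # one step forward
        elif delta == 3:
            position -= 1   # one step backward
        else:               # delta == 2: A and B toggled together
            faults.append((i, prev, cur))
        prev = cur
    return position, faults


# Constructed sample streams (A, B):
CLEAN_FORWARD = [(0, 0), (0, 1), (1, 1), (1, 0), (0, 0), (0, 1)]
CLEAN_REVERSE = [(0, 0), (1, 0), (1, 1), (0, 1), (0, 0)]
INJECTED_FAULT = [(0, 0), (0, 1), (1, 1), (0, 0), (0, 1)]  # 11 -> 00 is illegal

if __name__ == "__main__":
    print(decode(CLEAN_FORWARD))   # (5, [])
    print(decode(INJECTED_FAULT))  # (3, [(3, (1, 1), (0, 0))])
```

A decoder that only counted edges would silently absorb the 11 -> 00 transition as a lost step; treating it as a fault is what gives the MCU something to assert within the 20 ms window.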
VER-REQ-049 Verify Fire Service Phase II operation (EN 81-72): Insert firefighter key into Phase II switch on Car 1. Confirm: (a) car enters exclusive hold-to-run mode within 5 s; (b) hall calls are disabled for this car; (c) hold-to-run control operates car only while button held; (d) door close command requires sustained button hold; (e) removing key returns car to Phase I recall (lobby, doors open) within 30 s. Repeat for each car in group. Pass: all 5 behaviours confirmed for all 4 cars.
Rationale: EN 81-72 compliance test for Fire Service Phase II operation. The Fire Service stakeholder scenario requires firefighter exclusive manual control with hold-to-run — a life-safety feature with no existing VER entry. The 30-second return-to-Phase-I on key removal is mandated by EN 81-72 Clause 5.6 to prevent a car being stranded out of service after firefighter departure.
Test verification, fire-service, sil-2, session-447, idempotency:ver-fire-phase2-447
VER-REQ-050 Verify Maintenance mode speed enforcement and car-top interlock: Insert maintenance key switch. Confirm car speed limited to 0.3 m/s in both directions by encoder measurement; confirm group dispatch disabled; confirm car-top stop button (EN 81-20 Annex F) immediately de-energises Safety Output Actuator and prevents Standard-operating-mode resumption via key switch. Pass criteria: maximum measured speed ≤0.3 m/s; car-top stop response within 100 ms; Standard operating mode NOT re-enterable while car-top stop is latched.
Rationale: Technician safety is the highest-risk aspect of the maintenance scenario: a car moving at normal speed (up to 1.0 m/s) while a technician is on top is catastrophic. EN 81-20 Annex F mandates a car-top stop device that cannot be bypassed from the machine room. The 0.3 m/s speed cap in maintenance mode is separately required by EN 81-20 Clause 6.5.3. Both must be verified by Test to satisfy SIL classification.
Test verification, maintenance, sil-2, session-447, idempotency:ver-maintenance-mode-447
VER-REQ-051 Verify MCU watchdog and VFD safe-stop (REQ-SEINDUSTRIALELEVATOR-031): With car at rated speed, sever the MCU-to-Safety-Controller communication link. Measure time from link loss to VFD STO assertion on safety bus. Pass: STO asserted within 20 ms; drive-fault signal visible on safety bus; car decelerates under mechanical brake only.
Rationale: REQ-SEINDUSTRIALELEVATOR-031 requires VFD STO assertion within 20 ms of MCU watchdog expiry. This test directly measures the assertion latency using a protocol analyser on the safety bus while inducing the failure condition.
Test
VER-REQ-052 Verify VFD safe-stop on MCU comm loss (REQ-SEINDUSTRIALELEVATOR-032): With car in motion at rated speed, remove MCU torque reference (simulate comm loss by injecting >50 ms gap). Measure time from last valid reference to STO assertion and brake engagement. Pass: STO within 150 ms of last valid command; brake engaged within 100 ms of STO; fault event logged with timestamp.
Rationale: REQ-SEINDUSTRIALELEVATOR-032 requires STO and brake engagement within 150 ms of MCU comm loss. Timing measurement requires synchronised oscilloscope on STO signal and brake current sensor, with protocol analyser timestamping the last valid torque command.
Test
VER-REQ-053 Verify Safety Command Validator output specification (REQ-SEINDUSTRIALELEVATOR-033): Connect test BMS to gateway and send 20 valid and 20 invalid BMS commands. For each, measure go/no-go signal transition time and output impedance using calibrated oscilloscope and load resistor. Pass: all 20 valid commands produce 24V DC signal within 5 ms; all 20 invalid commands produce 0V with reject-code byte; output impedance ≤100 Ω.
Rationale: REQ-SEINDUSTRIALELEVATOR-033 specifies the Safety Command Validator output signal parameters. This test verifies signal levels, timing, and impedance against specification using traceable measurement instruments.
Test
VER-REQ-054 Verify Safety Command Validator dual-channel integrity (REQ-SEINDUSTRIALELEVATOR-034): Inject a command that causes deliberate channel disagreement by corrupting the input to one channel via test interface. Verify that the validator defaults to rejection and logs validator-disagreement fault. Pass: command rejected within 10 ms; validator-disagreement fault logged; no spurious command accepted during 100-cycle soak test.
Rationale: REQ-SEINDUSTRIALELEVATOR-034 requires dual-channel disagreement to default to rejection. Injecting deliberate channel mismatch via hardware test interface validates the fail-safe behaviour. The 100-cycle soak ensures no intermittent false acceptance.
Test
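VER-REQ-053 and VER-REQ-054 together describe a validator whose go/no-go output depends on two channels agreeing. The following is an added example (not code from the report or the project) of such a two-channel validator with a test hook for injecting disagreement. The frame layout, command codes, floor count and reject-code values are assumptions of the example; the report only specifies a go/no-go signal plus a reject-code byte.

```python
# Added example, not from the report: a two-channel Safety Command Validator of
# the kind VER-REQ-053 and VER-REQ-054 exercise. The frame layout, command
# codes, floor count and reject-code values are assumptions of this example.

FLOOR_LOCKOUT, FLOOR_RELEASE, RECALL_TO_LOBBY = 0x10, 0x11, 0x20
NUM_FLOORS = 12  # assumed building size

# Assumed reject-code byte values. 0x7F is reserved for channel disagreement
# so the BMS can tell "you sent rubbish" from "the validator itself is sick".
OK, BAD_LENGTH, BAD_CHECKSUM, UNKNOWN_COMMAND, BAD_ARGUMENT = 0x00, 0x01, 0x02, 0x03, 0x04
CHANNEL_DISAGREEMENT = 0x7F

# Allowed argument range per command (inclusive); RECALL takes no argument.
ARG_RANGE = {FLOOR_LOCKOUT: (1, NUM_FLOORS),
             FLOOR_RELEASE: (1, NUM_FLOORS),
             RECALL_TO_LOBBY: (0, 0)}


def checksum(cmd, arg):
    return (cmd ^ arg ^ 0xFF) & 0xFF


def build_frame(cmd, arg):
    """3-byte frame: command, argument, checksum (assumed layout)."""
    return bytes([cmd, arg, checksum(cmd, arg)])


def validate_channel_a(frame):
    """Channel A: branch-structured check. Returns (accept, reject_code)."""
    if len(frame) != 3:
        return False, BAD_LENGTH
    cmd, arg, chk = frame
    if chk != checksum(cmd, arg):
        return False, BAD_CHECKSUM
    if cmd not in (FLOOR_LOCKOUT, FLOOR_RELEASE, RECALL_TO_LOBBY):
        return False, UNKNOWN_COMMAND
    if cmd == RECALL_TO_LOBBY:
        return (arg == 0, OK if arg == 0 else BAD_ARGUMENT)
    if not 1 <= arg <= NUM_FLOORS:
        return False, BAD_ARGUMENT
    return True, OK


def validate_channel_b(frame):
    """Channel B: the same rules written table-driven rather than branch-driven,
    so a coding slip in one channel is unlikely to be mirrored in the other.
    In hardware the two channels would also run on separate processors."""
    if len(frame) != 3:
        return False, BAD_LENGTH
    cmd, arg, chk = frame
    if chk != checksum(cmd, arg):
        return False, BAD_CHECKSUM
    bounds = ARG_RANGE.get(cmd)
    if bounds is None:
        return False, UNKNOWN_COMMAND
    lo, hi = bounds
    return (lo <= arg <= hi, OK if lo <= arg <= hi else BAD_ARGUMENT)


def dual_validate(frame, fault_log, corrupt_channel_b=None):
    """Both channels judge the frame; the go signal is asserted only when they
    agree to accept. Any disagreement, on accept/reject or on the reject code,
    is itself a rejection and is logged, regardless of which channel happened
    to be right. corrupt_channel_b is a test hook that alters the bytes channel
    B sees, standing in for the hardware test interface."""
    a = validate_channel_a(frame)
    b_input = corrupt_channel_b(frame) if corrupt_channel_b else frame
    b = validate_channel_b(b_input)
    if a != b:
        fault_log.append(("VALIDATOR_DISAGREEMENT", a[1], b[1]))
        return False, CHANNEL_DISAGREEMENT
    return a


if __name__ == "__main__":
    log = []
    print(dual_validate(build_frame(FLOOR_LOCKOUT, 5), log))       # (True, 0)
    print(dual_validate(build_frame(FLOOR_LOCKOUT, 5), log,
                        corrupt_channel_b=lambda f: bytes([f[0], f[1] ^ 0x08, f[2]])))
    print(log)
```

The corruption hook flips one bit of the argument on channel B's copy only, so channel A accepts while channel B sees a checksum mismatch; the output is a rejection with the disagreement code rather than whichever channel's verdict arrived first, which is the fail-safe behaviour VER-REQ-054 looks for across its 100-cycle soak.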
VER-REQ-055 Verify Event Logger dual-storage redundancy (REQ-SEINDUSTRIALELEVATOR-035): Trigger 100 safety events under test conditions. Then induce primary flash write failure (via test pin). Verify secondary FRAM receives subsequent events. Power-cycle and read back all 100 events from FRAM. Pass: all 100 events readable from FRAM; storage-fault alarm raised within 1 event cycle of primary failure; no data loss.
Rationale: REQ-SEINDUSTRIALELEVATOR-035 requires simultaneous dual-device write with failover to secondary. This test exercises the failover path by inducing primary device failure and verifying FRAM integrity.
Test
VER-REQ-056 Verify Event Logger hash-chain integrity (REQ-SEINDUSTRIALELEVATOR-036): Log 50 events under test conditions. Export log via maintenance API. Modify event 25 in the export (alter timestamp by 1s). Re-import and run integrity verification API. Pass: integrity check fails and identifies the modified record; unmodified log passes integrity check; HMAC recalculation requires device-specific key.
Rationale: REQ-SEINDUSTRIALELEVATOR-036 requires SHA-256 HMAC hash chaining detectable by the integrity API. This test verifies that modification of a single record is detected and correctly identified.
Test
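The integrity walk in VER-REQ-056 is worth seeing end to end. The following is an added example (not code from the report or the project) of an HMAC-SHA256 hash-chained log: each record's MAC covers its own fields plus the previous record's tag, and verification names the first record at which the chain breaks. Record fields, the canonical encoding and the demo key are assumptions of the example; on the real logger the key would be device-specific and held in protected storage.

```python
# Added example, not from the report: an HMAC-SHA256 hash-chained event log and
# the integrity walk that VER-REQ-056 performs against it. Record fields, the
# canonical encoding and the demo key are assumptions of this example.
import hashlib
import hmac
import json

GENESIS = "00" * 32                 # chain anchor for the first record
DEMO_KEY = b"constructed-demo-key"  # constructed; never a real device key


def _canonical(body):
    # Stable byte encoding so the MAC covers exactly the same bytes on re-verify.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, body):
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_event(log, key, seq, ts, event):
    """Append a record whose MAC covers its fields AND the previous record's
    tag; that inclusion is what chains the records together."""
    prev = log[-1]["tag"] if log else GENESIS
    body = {"seq": seq, "ts": ts, "event": event, "prev": prev}
    log.append({**body, "tag": _tag(key, body)})


def verify_log(log, key):
    """Walk the chain from the anchor. Returns (True, None) if every record is
    intact and linked, else (False, seq) naming the first record at which the
    chain breaks. Tags are compared in constant time."""
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body["prev"] != prev:
            return False, rec["seq"]
        if not hmac.compare_digest(_tag(key, body), rec["tag"]):
            return False, rec["seq"]
        prev = rec["tag"]
    return True, None


def head_tag(log):
    """Tag of the newest record. Store it out-of-band (e.g. in the secondary
    FRAM with a counter): a walk alone cannot see records removed from the tail."""
    return log[-1]["tag"] if log else GENESIS


def build_sample_log(key, n):
    """Constructed log of n events for the demo."""
    log = []
    for i in range(1, n + 1):
        append_event(log, key, seq=i, ts=1_700_000_000 + i,
                     event="SAFETY_CHAIN_OPEN" if i % 7 == 0 else "DOOR_CYCLE")
    return log


if __name__ == "__main__":
    log = build_sample_log(DEMO_KEY, 50)
    tampered = [dict(r) for r in log]
    tampered[24]["ts"] += 1            # alter event 25's timestamp by 1 s
    print(verify_log(log, DEMO_KEY), verify_log(tampered, DEMO_KEY))
```

Two caveats the test should keep in mind: recalculating the tags needs the device key, so a verifier without it fails at record 1 rather than silently passing, and truncating records from the end of the log still verifies cleanly, which is why the head tag (or a monotonic counter) has to be anchored somewhere the attacker cannot rewrite.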
VER-REQ-057 Verify Safety Output Actuator self-test cycle (REQ-SEINDUSTRIALELEVATOR-037): Power-cycle the Safety Output Actuator and monitor self-test sequence using oscilloscope on each output channel and feedback line. Inject a deliberate channel fault (disconnect one feedback line) and verify fault detection. Pass: self-test completes within 2 s of power-up; all channels cycle sequentially; injected fault detected and flagged to Safety Controller within 1 self-test cycle.
Rationale: REQ-SEINDUSTRIALELEVATOR-037 requires power-up self-test with channel verification and fault notification. This test validates self-test timing and fault detection coverage for each output channel.
Test
VER-REQ-058 Verify ARD battery minimum capacity (REQ-SEINDUSTRIALELEVATOR-038): With battery at 100% SoC and ambient temperature 20°C, conduct 3 rescue cycles per car sequentially for all 4 cars simultaneously (12 total rescue cycles) at rated car load. After 12 cycles, verify battery terminal voltage remains above minimum operating threshold. Pass: all 12 rescue cycles complete; terminal voltage ≥21.6V (90% of 24V); delivered energy ≥2.5 kWh, obtained by integrating discharge power (terminal voltage × current) over the test, since integrating current alone yields charge in Ah rather than energy.
Rationale: REQ-SEINDUSTRIALELEVATOR-038 specifies 2.5 kWh minimum ARD capacity for 3 rescue cycles per car across 4 cars. This acceptance test verifies the capacity requirement directly by exercising the full rescue load profile. Note that VER-REQ-030 applies an 18 V (75%) floor to the same 12-cycle profile on relay hold-in grounds, whereas this test uses 21.6 V (90%); the two thresholds should be reconciled against the documented minimum operating voltage of the rescue circuit before acceptance so that one test is not passing a battery the other would fail.
Test
VER-REQ-059 Verify Building Integration Gateway degraded-communication mode (REQ-SEINDUSTRIALELEVATOR-039): With elevator in rated operation and 10 events per second being logged, sever the BACnet/IP network connection. After 60 s, restore network. Verify queued events are retransmitted. Pass: Safety Command Validator remains active during outage; network-fault alarm raised within 10 s of loss; ≥512 events queued and retransmitted upon restoration without loss.
Rationale: REQ-SEINDUSTRIALELEVATOR-039 requires 512-event RAM buffer and safety function continuity on BACnet/IP loss. This test validates the degraded-mode buffer size and safety function isolation. Note that 10 events/s for 60 s produces 600 events, more than the 512-entry buffer holds, so the outage overruns the buffer after 51.2 s; the procedure must therefore define and check the overflow behaviour (which events are discarded and whether an overflow counter is raised) or shorten the outage so that the queued events fit, otherwise "retransmitted without loss" cannot be met as written.
Test
VER-REQ-060 Verify Fire Service Phase II EN 81-72 compliance (REQ-SEINDUSTRIALELEVATOR-040): Insert Phase II key on car panel and activate. Confirm exclusive control transferred to car panel; verify automatic door closure disabled; measure car speed in both directions during Phase II operation. Pass: car responds only to car-panel inputs; door closure remains suppressed; speed ≤0.63 m/s; Phase I recall not disabled during Phase II.
Rationale: REQ-SEINDUSTRIALELEVATOR-040 requires EN 81-72 Phase II firefighter service compliance. This test validates exclusive car control, door suppression, speed limit enforcement, and Phase I/II interaction as specified in EN 81-72 Clause 5.4.
Test
VER-REQ-061 Verify EN 81-77 P-wave response timing (REQ for SUB-EN81-77): Using seismic simulator, inject a synthetic P-wave at 0.05g amplitude to the seismic sensor. Measure time from P-wave injection to Safety Controller initiating deceleration command (first VFD torque reduction). Pass: deceleration command issued within 500 ms of P-wave injection; car reaches nearest floor stop within 10 s; response occurs in all operating modes.
Rationale: The new EN 81-77 SUB requirement mandates 500 ms response initiation. This test validates the response time from P-wave injection to Safety Controller action using a calibrated seismic simulator traceable to EN 81-77 test procedures.
Test
VER-REQ-062 Verify BACnet B-ASC profile conformance (REQ for BIG-BACnet): Using a BACnet protocol analyser and conformance test suite (per BACnet Standard 135-2020 Annex L), execute B-ASC Protocol Implementation Conformance Statement (PICS) validation. Pass: all mandatory B-ASC services supported; COV subscriptions accepted and notifications transmitted; Who-Is response within 200 ms; device instance configurable in specified range.
Rationale: The new BACnet B-ASC SUB requirement mandates specific protocol conformance. The B-ASC PICS validation using standardised test suite provides authoritative verification of conformance to BACnet Standard 135-2020.
Test
VER-REQ-063 Verify IEC 61508-2 SIL 3 architectural constraints via FMEA analysis: Review Safety Controller hardware design against IEC 61508-2 Table 2 (type A subsystems) or Table 3 (type B subsystems), whichever applies. Verify dual-channel (HFT=1) architecture with Safe Failure Fraction computed from FMEA data. Verify online diagnostic coverage ≥99% via diagnostic coverage analysis. Pass: hardware FMEA report shows an SFF that, at HFT ≥1, supports SIL 3 in the applicable table (≥90% for a type B subsystem, ≥60% for type A); diagnostic coverage analysis ≥99%; results traceable to published component failure rates.
Rationale: SIL 3 architectural constraint compliance cannot be fully verified by runtime test; it requires hardware FMEA analysis against the IEC 61508-2 tables, so Analysis is the appropriate method. SFF is the fraction of all failures that are either safe or dangerous-but-detected, so it is driven by the failure mode distribution across safe, dangerous-detected and dangerous-undetected categories; a higher SFF permits a higher SIL at a given HFT, never a lower one.
Analysis
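The arithmetic behind VER-REQ-063, as an added example (not code from the report or the project): SFF and diagnostic coverage computed from per-category failure rates, followed by the IEC 61508-2 Table 2 / Table 3 lookup of the highest SIL an SFF band and HFT support. The failure-rate figures in the demo are constructed illustrations in FIT, not data for any real component.

```python
# Added example, not from the report: the IEC 61508-2 architectural-constraint
# arithmetic that VER-REQ-063 reviews (SFF, diagnostic coverage, and the
# Table 2 / Table 3 lookup of the highest SIL a given SFF and HFT support).
# Failure rates in the demo are constructed illustrations in FIT
# (failures per 1e9 h), not data for any real component.

def sff(l_sd, l_su, l_dd, l_du):
    """Safe failure fraction: safe failures plus detected dangerous failures,
    over all failures. Only undetected dangerous failures (l_du) count against it."""
    total = l_sd + l_su + l_dd + l_du
    return (l_sd + l_su + l_dd) / total


def diagnostic_coverage(l_dd, l_du):
    """Fraction of dangerous failures the on-line diagnostics detect."""
    return l_dd / (l_dd + l_du)


# Lower edges of the SFF bands used by IEC 61508-2 Tables 2 and 3.
_BANDS = (0.0, 0.60, 0.90, 0.99)
# Maximum SIL per [band][HFT] for type A (simple, well-characterised) and
# type B (complex, e.g. microprocessor-based) subsystems; 0 = not allowed.
_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
_TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


def max_sil(sff_value, hft, type_b=True):
    """Highest SIL the architecture supports (Route 1H of IEC 61508-2)."""
    band = max(i for i, lo in enumerate(_BANDS) if sff_value >= lo)
    table = _TYPE_B if type_b else _TYPE_A
    return table[band][min(hft, 2)]


def assess(l_sd, l_su, l_dd, l_du, hft, target_sil=3, dc_target=0.99, type_b=True):
    """Combine the two pass criteria of VER-REQ-063: the architecture supports
    the target SIL at the claimed HFT, and diagnostic coverage meets dc_target."""
    s = sff(l_sd, l_su, l_dd, l_du)
    d = diagnostic_coverage(l_dd, l_du)
    supported = max_sil(s, hft, type_b)
    return {"sff": s, "dc": d, "max_sil": supported,
            "architecture_ok": supported >= target_sil, "dc_ok": d >= dc_target}


if __name__ == "__main__":
    # Constructed FMEA roll-up for one channel of a dual-channel (HFT=1) Safety CPU.
    print(assess(l_sd=100, l_su=50, l_dd=99, l_du=1, hft=1))
    # Same unit with weaker diagnostics: SFF still lands in the 90-99% band, so
    # Table 3 still allows SIL 3 at HFT=1, but the separate 99% DC criterion fails.
    print(assess(l_sd=100, l_su=50, l_dd=80, l_du=20, hft=1))
```

The second case is the one to watch for in a review: the architectural table can be satisfied while the diagnostic-coverage criterion is not, and the two must be checked separately rather than inferred from each other.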
VER-REQ-064 Verify Group Dispatch Controller performance watchdog (REQ for GDC-watchdog): Simulate peak-load traffic (150% rated passenger throughput using load simulator) for 15 minutes. Verify performance-degraded alarm is raised when average waiting time exceeds 50 s for 3 consecutive 5-minute intervals. Restore to rated load; verify alarm clears when waiting time returns below 30 s. Pass: alarm raised within 500 ms of 3rd consecutive interval breach; alarm clears automatically; events logged with timestamps.
Rationale: The GDC watchdog SUB requirement mandates alarm generation on dispatch performance degradation. This test validates the threshold detection, alarm latency, and automatic clearing behaviour using a traffic load simulator calibrated to rated passenger throughput.
Test
VER-REQ-065 Verify SUB-REQ-005 EN 81-72 Phase I recall 5s response: de-energise fire recall relay; measure time to Safety Controller inhibiting all car operation. Pass: all cars inhibited within 5 s.
Rationale: EN 81-72 Clause 5.2 mandates 5-second response from fire signal to car inhibit. SIL-2 time bound for H-006. VER-REQ-029 tests 60-second arrival only.
Test
VER-REQ-066 Verify IFC-REQ-001 (BACnet/IP BMS interface): Connect BMS simulator to elevator BACnet/IP port. Confirm ASHRAE 135-2020 BACnet/IP transport with BBMD registration. Transmit 1000 COV notifications; confirm zero dropped. Measure round-trip latency. Pass: all BACnet objects readable, COV delivery 100%, latency <200ms.
Rationale: BACnet/IP is the primary BMS interface per IFC-REQ-001; protocol conformance and throughput must be verified against ASHRAE 135-2020 to ensure interoperability with third-party BMS platforms.
Test
VER-REQ-067 Verify IFC-REQ-002 (fire alarm hardwired relay): De-energise fire alarm relay contacts and measure Safety CPU signal acquisition latency. Confirm relay is fail-safe (de-energised = alarm). Pass: Safety CPU detects fire signal within 5ms of relay state change per IFC-REQ-002.
Rationale: Fire alarm relay interface is safety-critical (SIL-2 path); hardwired relay timing must be verified to confirm the Safety Controller can meet EN 81-72 5-second recall response.
Test
VER-REQ-068 Verify IFC-REQ-003 (access control RS-485/TCP): Connect access control simulator via RS-485 and TCP/IP. Transmit 500 credential validation requests; measure response time and error rate. Pass: all requests processed within 500ms, zero communication errors per IFC-REQ-003.
Rationale: Access control interface must support both RS-485 and TCP/IP per IFC-REQ-003; response time verification confirms the 500ms credential validation SLA from SUB-REQ-035.
Test
VER-REQ-069 Verify IFC-REQ-004 (emergency intercom interface): Simulate car entrapment. Confirm two-way voice connection established within 30s. Measure speech intelligibility (STIPA >0.45). Confirm backup battery powers intercom for 60 minutes. Pass: connection within 30s, intelligible speech, 60-min battery per IFC-REQ-004.
Rationale: Emergency intercom is a life-safety interface mandated by EN 81-28; must verify auto-dial, speech quality, and battery backup to confirm trapped passengers can communicate.
Test
VER-REQ-070 Verify IFC-REQ-012 (Safety Controller to electromagnetic brake interface): Apply 24V DC to each brake coil independently. Measure coil current, relay switching time, and relay monitor feedback. Inject single-coil failure and confirm other coil holds rated load. Pass: independent coil operation confirmed, relay response <50ms per IFC-REQ-012.
Rationale: Brake interface carries SIL-3 safety function; dual-coil independent operation and relay monitor feedback must be verified to confirm single-fault tolerance.
Test
VER-REQ-071 Verify IFC-REQ-013 and IFC-REQ-014 (power management interfaces): Command ATS source-select via Power Management Controller; measure transfer time. Read UPS SoC, voltage, current, and fault status. Pass: ATS transfers within 200ms, UPS telemetry accurate to ±2% per IFC-REQ-013/014.
Rationale: Power management interfaces are critical for ARD rescue operation; ATS transfer timing and UPS telemetry accuracy directly affect emergency power availability.
Test
VER-REQ-072 Verify IFC-REQ-015, IFC-REQ-017, IFC-REQ-018, IFC-REQ-019 (door subsystem internal interfaces): Measure door motor drive command update rate (≥20 kHz PWM), safety edge contact response time (<10ms), door position encoder resolution (0.1mm at 500 Hz), and landing door interlock state change detection (<25ms). Pass: all interface parameters within IFC specification.
Rationale: Door subsystem internal interfaces are safety-relevant; obstruction detection response time (safety edge, light curtain) and interlock monitoring directly affect passenger safety per EN 81-20.
Test
VER-REQ-073 Verify IFC-REQ-021 and IFC-REQ-022 (group dispatch CAN bus and hall call RS-485): With 4-car group at peak traffic, measure CAN bus utilization, message latency, and error frame rate. Verify hall call RS-485 polling completes within 100ms cycle. Pass: CAN utilization <60%, latency <10ms, RS-485 poll <100ms per IFC-REQ-021/022.
Rationale: Group dispatch communication performance directly affects passenger wait time; CAN bus overload during peak traffic would degrade dispatch algorithm performance.
Test
VER-REQ-074 Verify IFC-REQ-024 and IFC-REQ-025 (BIG-to-GDC CAN and event logger CAN): Inject BMS floor lockout via BIG and confirm GDC receives command on CAN within 50ms. Generate 100 safety events and confirm Event Logger captures all on CAN bus. Pass: command latency <50ms, 100% event capture per IFC-REQ-024/025.
Rationale: BIG-to-GDC command path must be verified for latency to ensure BMS floor lockout commands take effect promptly; event logger bus capture must be complete for regulatory audit trail.
Test
VER-REQ-075 Verify SUB-REQ-011 (velocity profile jerk limit): Command car to travel 6 floors with rated load. Capture position data at 100 Hz. Compute acceleration and jerk from position derivatives. Pass: acceleration ≤1.5 m/s², jerk ≤2.5 m/s³ throughout profile per SUB-REQ-011.
Rationale: Ride quality directly affects stakeholder satisfaction (STK-REQ-002); jerk limiting is the primary ride comfort parameter for industrial elevators and must be measured, not just inferred from motor control loop.
Test
VER-REQ-076 Verify SUB-REQ-014 (VFD EMC compliance): Conduct EN 12015 Class C2 conducted emissions test (150 kHz–30 MHz) and radiated emissions test (30 MHz–1 GHz) on Variable Frequency Drive. Confirm no emissions exceed Class C2 limits. Pass: all measurements within EN 12015 Class C2 per SUB-REQ-014.
Rationale: EN 12015 EMC compliance is mandatory for CE marking; VFD is the primary emissions source in the elevator system and must be tested independently before system-level EMC.
Test
VER-REQ-077 Verify SUB-REQ-016 (traction drive MTBF): Review manufacturer reliability data, field failure records, and FMEA for Motor Control Unit and Variable Frequency Drive. Confirm predicted MTBF ≥50,000 hours for VFD and ≥100,000 hours for Motor Control Unit per SUB-REQ-016.
Rationale: MTBF verification by analysis is standard practice for reliability requirements; field data from comparable installations provides the statistical basis for confirmation.
Analysis
VER-REQ-078 Verify SUB-REQ-017 (electromagnetic brake dual coils): Inspect brake assembly drawings confirming dual independent coils. Test: disable one coil and verify brake holds 125% rated load. Repeat for other coil. Pass: each coil independently holds ≥125% rated load per SUB-REQ-017.
Rationale: Dual-coil brake is SIL-3 safety critical; single-fault tolerance must be demonstrated by physical test, not just design review, to confirm braking torque margin.
Test
VER-REQ-079 Verify SUB-REQ-020 (battery SoC monitoring): Discharge UPS battery from 100% to 20% SoC while monitoring PMC SoC readings at 1 Hz. Compare against reference coulomb counter. Confirm LOW_BATTERY fault asserted at correct threshold. Pass: SoC accuracy ±5%, fault assertion at threshold per SUB-REQ-020.
Rationale: Battery SoC monitoring accuracy affects ARD rescue operation reliability; incorrect SoC reading could lead to rescue cycle failure with passengers trapped.
Test
VER-REQ-080 Verify SUB-REQ-021 (VFD supply voltage tolerance): Apply 380V, 400V, and 420V three-phase supply at 48 Hz, 50 Hz, and 52 Hz. Confirm VFD operates without trip or derating at all 9 combinations. Pass: stable operation across full voltage/frequency range per SUB-REQ-021.
Rationale: Industrial environments experience significant supply voltage variation; VFD must be verified across the full 380-420V, 48-52 Hz envelope to prevent nuisance trips.
Test
VER-REQ-081 Verify SUB-REQ-039 and SUB-REQ-040 (safety rail power supply): Measure 24V DC safety rail voltage under maximum load (Speed and Position Monitor + Safety Output Actuator + all safety devices). Confirm voltage remains within 22-28V DC range and power consumption within specified limits. Pass: voltage 22-28V DC, power within spec per SUB-REQ-039/040.
Rationale: Safety rail voltage must be verified under worst-case load to confirm safety devices operate within their specified input range; out-of-range voltage could cause safety function failure.
Test
VER-REQ-082 Verify SUB-REQ-042 and SUB-REQ-043 (form factor inspection): Inspect Safety Controller DIN-rail module and Motor Control Unit PCB assembly. Confirm dimensions, mounting method, IP rating, cooling provisions, and conformal coating per SUB-REQ-042/043.
Rationale: Physical implementation requirements affect maintainability and environmental resilience; form factor must match cabinet design constraints.
Inspection
VER-REQ-083 Verify SUB-REQ-049, SUB-REQ-055, SUB-REQ-073, SUB-REQ-074 (enclosure and cabinet inspection): Inspect controller cabinet and power distribution enclosure for IP54 rating, IEC 61439-1 compliance, flame retardant rating (UL94 V-0), dimensions, ventilation, and cable entry points per specifications.
Rationale: Cabinet and enclosure specifications are verifiable only by physical inspection; IP54, flame retardancy, and dimensional compliance are prerequisites for site installation approval.
Inspection
VER-REQ-084 Verify proof test interval compliance (REQ-SEINDUSTRIALELEVATOR-081): Review proof test procedures for all SIL 3 safety functions. Execute one complete proof test cycle on the Safety Controller dual-channel CPU, safety output actuators, and safety chain monitoring. Confirm: (a) proof test interval ≤8760 hours documented in safety manual; (b) test exercises complete safety function chain; (c) post-test PFDavg calculation confirms SIL 3 target. Pass: all SIL 3 functions have documented proof test procedures with intervals ≤1 year.
Rationale: IEC 61508-2 Clause 7.4.9 mandates that proof test intervals are verified as part of the SIL validation. This test confirms the proof test procedures exist, are executable, and maintain PFDavg within SIL 3 bounds.
Test
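One way to carry out the VER-REQ-075 data reduction (acceleration and jerk derived from a 100 Hz position capture, checked against the SUB-REQ-011 limits), added here as an example rather than report or project code; the S-curve generator is a constructed stand-in for captured car position data, and the profile parameters are assumptions.

```python
# Added example: reduce a 100 Hz position capture to acceleration and jerk
# and check it against SUB-REQ-011 (accel <= 1.5 m/s^2, jerk <= 2.5 m/s^3).
# The S-curve generator is a constructed stand-in for the captured data.

DT = 0.01          # 100 Hz capture rate, as VER-REQ-075 specifies
ACC_LIMIT = 1.5    # m/s^2, SUB-REQ-011
JERK_LIMIT = 2.5   # m/s^3, SUB-REQ-011


def s_curve_position(jerk, accel, t_accel, t_cruise, dt=DT):
    """Constructed position trace for a 7-segment jerk-limited profile.

    Each sample interval is integrated exactly for constant jerk, so the
    trace behaves like an ideal encoder capture with no quantisation noise.
    """
    n_j = round(accel / jerk / dt)      # samples per jerk ramp
    n_a = round(t_accel / dt)           # samples at constant acceleration
    n_v = round(t_cruise / dt)          # samples at rated speed
    segments = [(jerk, n_j), (0.0, n_a), (-jerk, n_j), (0.0, n_v),
                (-jerk, n_j), (0.0, n_a), (jerk, n_j)]
    x = v = a = 0.0
    positions = [x]
    for j, n in segments:
        for _ in range(n):
            x += v * dt + a * dt ** 2 / 2 + j * dt ** 3 / 6
            v += a * dt + j * dt ** 2 / 2
            a += j * dt
            positions.append(x)
    return positions


def moving_average(values, window):
    """Boxcar filter over the position trace; window=1 is a no-op."""
    if window <= 1:
        return list(values)
    return [sum(values[i:i + window]) / window
            for i in range(len(values) - window + 1)]


def derive_limits(positions, dt=DT, window=1):
    """Return (max |acceleration|, max |jerk|) from a position trace.

    Finite differences amplify encoder quantisation noise by 1/dt^2 and
    1/dt^3, so a real capture needs the filter window chosen from the
    encoder resolution before these maxima can be trusted.
    """
    pos = moving_average(positions, window)
    acc = [(pos[i + 1] - 2 * pos[i] + pos[i - 1]) / dt ** 2
           for i in range(1, len(pos) - 1)]
    jerk = [(acc[i + 1] - acc[i - 1]) / (2 * dt)
            for i in range(1, len(acc) - 1)]
    return max(abs(a) for a in acc), max(abs(j) for j in jerk)


def check_ride_profile(positions, dt=DT, window=1):
    """Pass/fail verdict in the form VER-REQ-075 asks for."""
    max_acc, max_jerk = derive_limits(positions, dt, window)
    return {"max_acc": max_acc, "max_jerk": max_jerk,
            "pass": max_acc <= ACC_LIMIT and max_jerk <= JERK_LIMIT}


if __name__ == "__main__":
    # Constructed run: 1.2 m/s^2 peak accel, 2.0 m/s^3 jerk, 1.0 s at
    # constant accel, 3.0 s cruise -> within limits.
    print(check_ride_profile(s_curve_position(2.0, 1.2, 1.0, 3.0)))
    # Same travel with the jerk ramps shortened to 4.0 m/s^3 -> fails.
    print(check_ride_profile(s_curve_position(4.0, 1.2, 1.0, 3.0)))
```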

Internal Diagrams

flowchart TB
  n0["component<br>Safety CPU"]
  n1["component<br>Speed and Position Monitor"]
  n2["component<br>Safety Chain Interface Module"]
  n3["component<br>Seismic and Fire Interface"]
  n4["component<br>Safety Output Actuator"]
  n1 -->|speed/position data, trip signals| n0
  n2 -->|safety chain status| n0
  n3 -->|fire/seismic events| n0
  n0 -->|brake engage / VFD inhibit| n4

Safety Controller Subsystem — Internal

flowchart TB
  n6["component<br>Door Control Unit"]
  n7["component<br>Door Motor Drive"]
  n8["component<br>Multi-Ray Light Curtain"]
  n9["component<br>Safety Edge Contact Strip"]
  n10["component<br>Door Position Encoder"]
  n11["component<br>Landing Door Interlock Monitor"]
  n6 -->|velocity ref 200Hz CAN| n7
  n8 -->|obstruction signal PLe| n6
  n9 -->|contact obstruction| n6
  n10 -->|position 500Hz RS-422| n6
  n11 -->|interlock status 24VDC| n6

Door Operator Subsystem — Internal

flowchart TB
  n0["component<br>Dispatch Algorithm Engine"]
  n1["component<br>Car State Aggregator"]
  n2["component<br>Hall Call Interface Unit"]
  n3["component<br>Traffic Analysis Module"]
  n1 -->|car state vector 10Hz| n0
  n2 -->|hall call queue| n0
  n3 -->|traffic mode| n0

Group Dispatch Controller — Internal

flowchart TB
  n0["component<br>BACnet/IP Stack"]
  n1["component<br>Safety Command Validator"]
  n2["component<br>Access Control Interface Module"]
  n3["component<br>Event Logger"]
  n4["component<br>Emergency Communications Unit"]
  n0 -->|BMS commands| n1
  n0 -->|event records| n3
  n1 -->|rejection audit| n3
  n2 -.->|access control cmds| n1

Building Integration Gateway — Internal

Classified Entities

Entity Hex Code Description
Access Control Interface Module 50F57818 Hardware/software module within the Building Integration Gateway providing RS-485 (Modbus RTU) and IP communication to the building access control system. Validates per-credential floor authorisation lists with response time ≤500 ms. Maintains a cached authorisation table updated every 30 s from the access control system, enabling operation during network intermittency. Translates authorised floor lists into floor lockout commands for the Group Dispatch Controller. Does not override safety functions or fire recall. Supports up to 10,000 credential entries.
Automatic Transfer Switch D6F53018 Solid-state automatic transfer switch that routes power from mains 400V AC or UPS 24V DC backup to the elevator subsystems based on commands from the Power Management Controller. Switching time less than 20 ms. Output ratings: 400V AC 63A for VFD feed; 24V DC 30A for control circuits. Galvanic isolation between sources. Integral monitoring of output voltage and current; overcurrent protection at 125% rated. DIN rail mounted in MCC panel.
BACnet/IP Stack 41F57318 Software protocol stack implementing ASHRAE 135 BACnet/IP with B-ASC device profile on the Building Integration Gateway. Runs on embedded Linux, manages the elevator's BACnet object model (analog inputs for car position and energy, binary inputs for fault states, event enrollment objects for alarms). Aggregates real-time status from all subsystems via internal CAN bus at 1 Hz and exposes it as BACnet objects to the Building Management System. Handles confirmed/unconfirmed service requests, generates ChangeOfState and Out-Of-Range event notifications. Connected via 100BASE-TX Ethernet to BMS network.
Building access control system interface 50BD7819 Access control interface for Industrial Elevator Control System: card reader or biometric system at hall stations controls floor access. Controller receives authorised floor list per credential. Integration via serial (RS-485) or IP protocol. Security system owned by building security contractor. Elevator controller restricts car operating panel — only authorised floors illuminate. Must not override safety functions or fire recall.
Building facility manager 000C5AF8 Operates Industrial Elevator Control System day-to-day via BMS interface. Monitors elevator status, schedules maintenance windows, configures traffic patterns (VIP floors, restricted access, weekend schedules). Receives fault notifications and decides whether to take car out of service. Responsible for emergency procedures — coordinates with fire service during fire recall. Not qualified to enter hoistway.
Building Facility Manager 00045AF8 Stakeholder of Industrial Elevator Control System: manages the building. Responsible for scheduling maintenance, monitoring energy, managing access control integration, responding to entrapment alarms
Building fire alarm panel interface D4AD7858 Fire panel interface for Industrial Elevator Control System: hardwired relay contacts from building fire alarm panel to elevator controller. Phase I recall signal (normally open, energise to recall). Alternate floor signal if primary recall floor compromised. Smoke detector inputs for machine room and hoistway top. Must be hardwired (not software-based) per EN 81-72. Owned by fire system integrator — coordination required during commissioning.
Building Integration Gateway 50F57A18 Subsystem of Industrial Elevator Control System: protocol gateway between elevator controller domain and building systems. BACnet/IP server (B-ASC profile) at 1Hz for BMS — provides car position, fault codes, energy consumption, operating mode; receives VIP priority, floor lockout, schedule commands. Fire alarm relay interface (hardwired contacts from building fire panel, EN 81-72). RS-485/IP connection to building access control for floor authorization per credential. EN 81-28 emergency intercom with auto-dial on entrapment (>2min stationary between floors), GSM backup. Event logging and diagnostic reporting — 10-year non-volatile retention. Interfaces: all internal subsystems (status collection), external building systems (protocol translation).
Building Interface Management 50F57118 System function of Industrial Elevator Control System: manages all external building system interfaces. BACnet/IP to BMS at 1Hz for status/command. Hardwired fire alarm relay inputs. RS-485/IP to access control for floor authorization. EN 81-28 emergency intercom auto-dial on entrapment. Translates between elevator domain protocols and building system protocols. Inputs: BMS commands, access credentials, fire panel contacts, intercom triggers. Outputs: BACnet status objects, floor authorization list, alarm notifications.
Building Management System interface 50AD7B48 BMS interface for Industrial Elevator Control System: bidirectional communication via BACnet/IP or Modbus TCP. Provides elevator status (car position, door state, fault codes, energy consumption) to BMS. Receives commands: VIP floor priority, access control floor lockout, weekend/holiday schedules, fire alarm inputs. Typical polling rate 1Hz. Owned by building operator, protocol specification agreed at design stage.
Building occupant / elevator passenger 00084011 Primary user of Industrial Elevator Control System. Office workers, visitors, delivery personnel, and residents who use elevators daily. Interacts via hall call buttons and car operating panel. Expects <30s wait time, smooth ride quality (<0.5 m/s² jerk), accurate floor levelling, and accessible car dimensions (EN 81-70). Includes mobility-impaired users requiring wheelchair access, tactile buttons, and audible floor announcements.
Building Occupant / Elevator Passenger 000C0081 Stakeholder of Industrial Elevator Control System: primary user expecting reliable safe accessible transportation between floors. Includes persons with disabilities EN 81-70, children, elderly
Car levelling failure at landing hazard 40352011 Hazard in Industrial Elevator Control System: car stops above or below floor level by >±10mm due to encoder drift, brake drag, or load compensation failure. Consequence: trip hazard for passengers, wheelchair accessibility failure, freight cart tipping. Re-levelling function must correct within ±5mm. Position feedback via incremental encoder with absolute reference at each floor.
Car State Aggregator 40B57308 Software module that collects, validates, and maintains the real-time state of each car in the group (position, velocity, door status, load, fault flags, destination queue). Receives car state messages from individual car controllers at 10 Hz via CAN bus. Detects stale data (>200 ms) and marks cars as unavailable for dispatch. Provides the consolidated car state vector to the Dispatch Algorithm Engine. Runs on Group Dispatch Controller hardware.
Counterweight derailment hazard 00040011 Hazard in Industrial Elevator Control System: counterweight leaves guide rails due to seismic event, guide rail bracket failure, or excessive building sway. Consequence: counterweight strikes car or hoistway equipment causing structural failure, rope tension loss, uncontrolled car movement. Mitigated by seismic restraint brackets, guide rail alignment monitoring, and seismic mode activation. Particularly critical in high-rise installations above 30 floors.
Degraded operation mode of Industrial Elevator Control System 50B67A08 Reduced-capability mode entered when non-safety-critical faults occur: encoder redundancy loss, single door operator fault, BMS communication failure, or partial group dispatch failure. Car continues serving calls but with restrictions: reduced speed, single-car operation if group controller fails, manual door operation on affected floors. Operator notification via BMS. Exit: fault cleared → normal operation; additional fault escalation → emergency shutdown.
Diagnostic and Logging 41F77358 System function of Industrial Elevator Control System: records all safety events, fault codes, maintenance actions, parameter changes with timestamps in non-volatile storage. 10-year retention per EN 81-20. Continuous self-diagnostics on encoder redundancy, door interlocks, brake wear, contactor state. Generates fault codes for BMS notification. Maintains modification history for regulatory inspection. Inputs: all sensor data, safety chain state, controller parameters. Outputs: fault codes, diagnostic reports, audit logs, BMS fault notifications.
Dispatch Algorithm Engine 51B77B08 Real-time software module implementing the group lift dispatch algorithm on the Group Dispatch Controller hardware. Evaluates hall calls against all car positions, velocities, load weights, and destination assignments using a destination dispatch algorithm (hall call allocation with energy-weighted cost function). Optimises for ≤30s average waiting time during peak traffic (200 persons/5min floor). Runs on a dedicated processor at 10 Hz decision cycle. Interfaces to car controllers via CAN network.
Door Control Unit 50F57A18 SIL-2 rated microcontroller running the elevator door state machine. Receives open/close commands from the Safety Controller, executes timed door cycles, monitors obstruction detection inputs, enforces 150N closing force limit (EN 81-20 clause 5.3.12), and controls the door motor drive. Outputs position commands at 100 Hz, interfaces to light curtain sensor, safety edge, and door position encoder. Transitions to held-open state on obstruction detection within 50 ms.
Door Management 50F73B18 System function of Industrial Elevator Control System: controls car and landing door opening/closing cycles. Light curtain obstruction detection with 3s re-open. Force limiting to 150N max closing force. Door zone interlocking with car position. Pre-opening when approaching floor. Nudging mode after timeout. Inputs: car position, call status, light curtain, door encoder, force sensor. Outputs: door motor drive, interlock status, obstruction alarm.
Door Motor Drive D5F57008 Three-phase brushless DC motor drive providing torque-controlled operation of the door panel. Receives velocity/position reference from Door Control Unit at 200 Hz via CAN. Drives the door belt/chain mechanism at up to 0.3 m/s panel velocity. Limits closing torque to maintain ≤150N contact force at the leading edge. Includes current sensing for torque feedback. Provides motor fault status to DCU within 10 ms of fault detection.
Door Operator Subsystem 55F77858 Subsystem of Industrial Elevator Control System: permanent-magnet door motor with belt drive for car doors, landing door coupling via vane/clutch mechanism. Light curtain (infrared, 2D array) for obstruction detection. Force sensor limiting closing force to 150N per EN 81-20. Door encoder for position/speed feedback. Door zone interlocking with car position via safety controller. Pre-opening when car within 200mm of floor. Nudging mode after 20s obstruction timeout. 3s re-open on obstruction. Interfaces: safety controller (interlock status, door zone signal), group controller (open/close commands, dwell time), building integration (access control floor lockout).
Door Position Encoder D4E57008 Magnetic linear encoder measuring car door panel position with 0.5 mm resolution at 500 Hz output rate. Tracks panel travel from fully open to fully closed (typically 800–1200 mm range). Provides absolute position data to Door Control Unit for landing zone calculation, interlock verification, and closing speed profiling. RS-422 differential output for noise immunity in motor-rich environment.
Door zone entrapment hazard 40842A51 Hazard in Industrial Elevator Control System: passenger trapped between closing doors or between car and landing doors. Consequence: crush injury, limb entrapment, fatality if dragged into hoistway. Door protection via infrared curtain, mechanical safety edge, and re-opening circuit. EN 81-20 requires doors to re-open within 3 seconds on obstruction detection. Door force limited to 150N.
Drive system electromagnetic interference hazard 40050859 Hazard in Industrial Elevator Control System: VFD-generated EMI corrupts safety controller inputs or encoder signals, causing incorrect position reporting or false safety chain status. Consequence: car moves to wrong floor, doors open outside door zone, safety functions fail to trigger. Mitigated by shielded cabling, EMC filters on VFD output, galvanic isolation of safety circuits from drive circuits. EN 12015/12016 EMC compliance required.
Electromagnetic Brake D6D51018 Spring-applied, electrically-released electromagnetic disc brake on the traction motor shaft. Engagement force 2000 N; hold torque 150% of motor rated torque. Released by 24 V DC coil current; spring-applied when power is removed (fail-safe). Response time: engage ≤150 ms from de-energise; release ≤100 ms from energise. Dual-coil redundant design per EN 81-20 clause 12.5. Provides primary mechanical stop when car is parked and secondary safety stop in power failure.
Electromagnetic compatibility environment for elevator 40853858 EMC environment for Industrial Elevator Control System: VFD switching at 4-16 kHz generates conducted and radiated emissions affecting encoder signals and safety controller inputs. Co-located with building power distribution, HVAC drives, and LED lighting drivers. Must comply with EN 12015 (emissions) and EN 12016 (immunity). Shielded cabling mandatory for safety circuits. Radiated immunity to 10 V/m required.
Elevator maintenance technician 00042AF8 Certified technician performing preventive and corrective maintenance on Industrial Elevator Control System per EN 81-20. Has exclusive access to machine room, car top inspection station, and pit. Uses maintenance mode key switch. Responsible for rope inspection, brake testing, safety gear verification, door gap measurement, and ARD testing. Quarterly inspections plus emergency callouts. Works alone in hoistway — personal safety depends on maintenance mode interlocks.
Elevator Maintenance Technician 000420F8 Stakeholder of Industrial Elevator Control System: performs routine maintenance, fault diagnosis, and repair. Requires safe access to machine room, hoistway, car top. Uses maintenance mode and diagnostics
Elevator OEM / system integrator 40A43A58 Manufacturer or integrator who designs, installs, and commissions Industrial Elevator Control System. Provides controller hardware, VFD, safety devices, and control software. Responsible for type examination certification (EU Lifts Directive 2014/33/EU). Supplies spare parts and software updates over 20-25 year lifecycle. Holds proprietary knowledge of controller firmware and diagnostic protocols.
Elevator OEM / System Integrator 40843A39 Stakeholder of Industrial Elevator Control System: designs, manufactures, and installs elevator systems. Responsible for system architecture, component selection, safety certification, and commissioning
Elevator power infrastructure 54853018 Power supply for Industrial Elevator Control System: 3-phase 400VAC 50Hz mains (or 480VAC 60Hz in NA), dedicated elevator switchboard with lockable isolator. VFD regenerative braking feeds energy back to building grid or braking resistor. UPS for controller logic (30min minimum). ARD battery bank for emergency rescue (3 cycles minimum). Grounding per IEC 60364 with equipotential bonding in machine room and pit.
Elevator regulatory framework 408538D9 Regulatory environment for Industrial Elevator Control System: EN 81-20/50 (safety rules for construction and installation), EN 81-70 (accessibility), EN 81-72 (fire service), EN 81-77 (seismic), ASME A17.1 (NA), IEC 61508 SIL 3 (safety functions), EU Lifts Directive 2014/33/EU (CE marking), local building codes, AS 1735 (Australia). Notified body type examination required for new installations.
Elevator regulatory inspector 000038F8 Government or notified-body inspector who certifies Industrial Elevator Control System compliance with EN 81-20/50, ASME A17.1, and local building codes. Performs annual statutory inspections and witnesses safety tests (overspeed governor trip, buffer test, door force measurement). Has authority to condemn elevator and prohibit operation if safety deficiencies found. Requires access to test records, maintenance logs, and modification history.
Elevator Regulatory Inspector 008428F9 Stakeholder of Industrial Elevator Control System: government-appointed inspector who certifies elevator installations meet EN 81-20. Conducts periodic inspections, witnesses tests, issues compliance certificates
Emergency Communications Unit D5FF7A58 EN 81-28 compliant emergency telephone and intercom controller within the Building Integration Gateway. Monitors car position state from the main controller; triggers entrapment detection when car is stationary between floors for >2 minutes. Auto-dials a 24/7 monitoring centre via PSTN primary and GSM fallback, maintaining voice connection until confirmed by an operator. Provides two-way voice via a car-mounted speaker/microphone. Has internal battery backup providing ≥24 hours of standby and ≥1 hour of active call operation. Performs weekly auto-test call per EN 81-28.
Emergency intercom and telephone system D4FD7A58 Emergency communication interface for Industrial Elevator Control System: two-way voice intercom in car connecting to building reception or 24/7 monitoring centre. Auto-dials on entrapment detection (car stationary between floors >2 minutes). Must work during power failure (battery backed). EN 81-28 compliance required. GSM backup if landline fails. Owned by telecom provider, maintained by elevator contractor.
Emergency Power Management 51F73A18 System function of Industrial Elevator Control System: manages UPS for 30-minute controller sustain and ARD batteries for car rescue during mains failure. Monitors battery charge state, initiates rescue drive at 0.15 m/s to nearest floor. Manages regenerative braking energy during normal operation — grid return or resistor dissipation. Switches between mains, UPS, and ARD modes. Inputs: mains voltage, battery SOC, car position, rescue trigger. Outputs: power bus selection, ARD motor drive command, battery charge control.
Emergency shutdown mode of Industrial Elevator Control System 50B73A50 Safety-critical mode entered on overspeed detection, uncontrolled car movement, safety chain break, seismic event, or fire alarm. Immediate response: regenerative braking to deceleration then mechanical brake application. Car brought to nearest floor if possible, doors opened, motor de-energised, brake locked. If fire mode: car sent to designated fire recall floor, doors opened, system handed to fire service. Cannot be exited without manual reset by qualified technician or fire service override.
Event Logger 40853258 Non-volatile event recording module within the Building Integration Gateway. Records all safety events, fault codes, maintenance actions, and parameter changes from all subsystems via the internal CAN bus. Uses flash-backed FIFO with 10-year retention capacity at expected event rates (≤50 events/day). Each record includes GPS/NTP-synchronised timestamp (±1 s accuracy), event code, subsystem source, and parameter snapshot. Provides USB and Ethernet export interfaces for maintenance terminals. Tamper-evident with SHA-256 hash chain for audit integrity. Compliant with EN 81-20 Clause 5.12 for record retention.
Fire alarm recall scenario 00B57A11 Emergency scenario for Industrial Elevator Control System: fire detected on floor 12. Building fire panel sends Phase I signal to elevator controller. All cars immediately cancel current calls and travel non-stop to designated recall floor (ground). Doors open and remain open. Floor 12 hall button locked out — car will not travel to fire floor. Car 3 was traveling upward past floor 10 — it continues to floor 11 (next available stop above fire floor, as it cannot stop at 12), opens doors briefly for evacuation, then proceeds to ground. Fire service arrives, inserts Phase II key in Car 1 for manual firefighter operation.
Fire and Seismic Response 55F77A18 System function of Industrial Elevator Control System: processes fire alarm Phase I recall signal (hardwired relay, not software) to cancel all calls and drive cars to designated floor within 60s. Processes P-wave seismic detector signal to stop cars at nearest floor with 60s hold timer. Fire floor lockout. Phase II firefighter key enables exclusive manual hold-to-run. Inputs: fire relay contact, seismic P-wave trigger, firefighter key switch, building sway sensor. Outputs: recall command, floor lockout, mode switch to fire service or seismic.
Fire service / emergency responder 01857AF9 Interacts with Industrial Elevator Control System during fire emergencies via Phase I recall (automatic) and Phase II manual operation (firefighter key). Requires elevator as vertical transport for equipment to fire floor. Needs reliable manual control — hold-to-run operation, door close override, independent car operation. Trained in elevator emergency procedures per ASME A17.1. Expects car to be at recall floor with doors open on arrival.
Fire Service / Emergency Responder 000D3AF9 Stakeholder of Industrial Elevator Control System: firefighters who use the elevator in fire recall mode EN 81-72. Need reliable Phase I/II recall and manual override under fire conditions
Fire service mode of Industrial Elevator Control System 40B57A50 Override mode activated by fire alarm input from building fire panel (Phase I recall) or firefighter key switch in car (Phase II operation). Phase I: all cars recalled to designated floor, doors open, normal service suspended. Phase II: firefighter has exclusive manual control — car moves only while button held, door close override enabled, automatic leveling disabled. Entered via hardwired fire alarm circuit (not software). Exit only via fire service key removal and manual reset. EN 81-72 and ASME A17.1 compliant.
Group Dispatch Controller 41F77B08 Subsystem of Industrial Elevator Control System: real-time dispatch software running on main controller hardware. Manages 4-car group assignment using estimated time of arrival (ETA) algorithms. Traffic modes: up-peak (lobby bias), down-peak, balanced, VIP priority. Load weighing input from each car (0-150% rated) for hall call bypass at 80%. Wait time optimisation target <30s normal, <50s N-1 degraded. Rebalances on car fault removal. Configurable traffic patterns, floor lockouts, scheduled modes. Inputs from hall/car call buttons, car position, car load, BMS commands. Outputs: car-to-floor assignment, door dwell adjustment, estimated wait time.
Group Dispatch Optimisation 41F77B08 System function of Industrial Elevator Control System: accepts hall calls and car calls from 20 floors, assigns calls to 4-car group using traffic pattern analysis. Implements up-peak, down-peak, and balanced modes. Inputs: hall call registration, car position, car load (0-150% rated), current traffic pattern. Outputs: car-to-call assignment, estimated wait time, door dwell time adjustment. Constraints: <30s average wait in normal, <50s in N-1 degraded, 3s door dwell.
Hall Call Interface Unit D6FD7008 Hardware module managing all hall call button inputs, indicators, and destination dispatch terminals across all floor landings. Collects UP/DOWN button presses and optional destination floor entries from floor terminals. Provides debounced, prioritised call queue to the Dispatch Algorithm Engine. Drives floor landing indicators (arrival chime, direction arrows) based on car assignments. Connected to landing panels via RS-485 bus at 100 kbit/s.
Hoistway flooding or fire exposure hazard 00000011 Hazard in Industrial Elevator Control System: water ingress from sprinkler activation or pipe burst, or fire/smoke penetration into hoistway. Consequence: electrical short circuits in controller/wiring, loss of safety functions, smoke inhalation by trapped passengers. Mitigation: IP-rated enclosures for pit equipment, smoke detection in machine room, fire recall function (Phase I). Particular risk in below-grade hoistways in flood zones.
Hoistway thermal environment 04000010 Enclosed vertical shaft environment for Industrial Elevator Control System: ambient temperature 0-50°C (machine room up to 40°C per EN 81-20), humidity 5-95% non-condensing, poor ventilation in shaft. Controller electronics derated above 40°C. Pit subject to flooding in below-grade installations. Vibration from traction machinery and building sway in high-rise installations.
industrial elevator control system D7F77858 Physical controller cabinet housing control PCBs, safety modules, power supply, and UPS. Installed in machine room per EN 81-20. The physical system controls elevator motion, door operation, and safety functions. Has physical power input, signal wiring to hoistway, and network connections to BMS.
Industrial Elevator Control System | 51F77A58 | Integrated electronic control system for industrial freight and passenger elevators in commercial buildings, factories, and warehouses. Manages traction motor drives, door operators, floor-level positioning, car and hall call dispatch, safety chain monitoring, and building management system integration. Operates continuously in enclosed hoistways with temperature extremes (0-50 °C shaft ambient), vibration from machinery, and electromagnetic interference from variable-frequency drives. Safety-critical: must comply with EN 81-20/50, ASME A17.1, and IEC 61508 SIL 3 for overspeed protection and uncontrolled movement. Controls elevators carrying up to 5000 kg at speeds up to 6 m/s across 30+ floors. Lifecycle 20-25 years with modernisation cycles.
Initialisation mode of Industrial Elevator Control System | 50B73A10 | Power-on self-test and startup sequence for elevator controller. Checks safety chain continuity, encoder position, door interlocks, brake function, and communication links to BMS. Entered on power restoration or controller reset. Car remains stationary with doors locked until all checks pass. Exit: all diagnostics pass → transition to normal operation. Failure: any safety device fault → transition to out-of-service with fault code. Takes 15-60 seconds depending on car position relative to nearest floor.
Landing Door Interlock Monitor | 54A53858 | Monitors the electromechanical interlock contacts of all landing door panels at each floor level. Each interlock is a normally-open contact that closes only when the landing door is properly closed and latched (per EN 81-20 clause 8.9). Wired in series on the safety chain; any open contact prevents car movement. DCU reads landing interlock status independently via isolated 24 V DC digital inputs for diagnostic purposes.
Maintenance mode of Industrial Elevator Control System | 50B43A10 | Inspection and servicing mode entered via keyed maintenance switch on car top or in machine room. Car speed limited to 0.3 m/s, operated only from car-top inspection station or machine-room panel. Normal call dispatch disabled. Safety chain remains active but speed governor threshold lowered. Technician has direct control of door operations and car movement. Enables access to hoistway equipment, guide rails, counterweight, and door mechanisms. Exit: maintenance switch returned to normal → initialisation sequence.
Morning rush hour traffic scenario | 44B63A08 | Normal operations scenario for Industrial Elevator Control System: 07:30-09:00, commercial high-rise. Ground floor lobby fills with 200+ office workers arriving. Hall calls concentrated at ground floor. Group dispatch switches to up-peak algorithm: all cars return to lobby after serving highest call. Car loading monitored by load weighing — 80% capacity triggers bypass of further hall calls. Average wait time target: <30 s. Door dwell time reduced to 3 s. Energy consumption peaks due to continuous motor cycling.
motion control | 40A53A08 |
motor control unit | D6E51018 | Physical PCB assembly mounted within the Variable Frequency Drive enclosure. Contains processor die, gate driver integrated circuits, and signal conditioning hardware. Physical component with physical connectors, heatsink interface, and power supply rails.
Motor Control Unit | 51F57218 | Embedded real-time controller that closes the velocity and torque control loop for the traction drive. Receives velocity setpoint from the Safety Controller as 100 Hz CAN messages; reads encoder feedback at 10 kHz; outputs torque reference to VFD at 1 kHz. Implements velocity profile generation (S-curve), current limiting, stall detection, and thermal management. Dual-core ARM Cortex-R5 processor for lock-step execution. SIL 3 per IEC 62061. Hosts diagnostic logging ring buffer (256 events). Communicates fault status to Safety Controller within 50 ms.
Multi-Ray Light Curtain | D4F57858 | Infrared safety light curtain spanning the full height of the door opening (typically 1800–2100 mm) with transmitter and receiver columns. Provides active obstruction detection across 48 horizontal beams at 20 ms scan cycle. Category 4 / PLe rated per EN ISO 13849-1. Outputs a safety-rated digital signal to Door Control Unit; any beam interruption triggers immediate door reversal command. Immune to sunlight and ambient IR per IEC 60947-5-3.
Normal operation mode of Industrial Elevator Control System | 51F73B18 | Primary operating mode handling car/hall call dispatch, floor-level positioning via encoder feedback, door open/close cycles, and passenger traffic management. Variable-frequency drive controls traction motor for smooth acceleration/deceleration profiles. Group dispatch algorithm optimises wait times across elevator bank. Continuous safety monitoring: overspeed governor, slack rope, car position, door zone detection. Entered from initialisation. Exit: fault detected → degraded/emergency; maintenance switch → maintenance mode; fire alarm → fire service mode.
Overspeed in down direction hazard | 40852A51 | Hazard in Industrial Elevator Control System: car exceeds rated speed in downward direction due to VFD failure, brake failure, or rope slippage. Consequence: high-energy impact at pit bottom, fatal injuries to occupants. Mitigated by centrifugal overspeed governor mechanically triggering safety gear (progressive type for >1 m/s). IEC 61508 SIL 3 safety function. Governor trip speed: 115% rated speed.
power distribution subsystem | DE851018 | A physical steel cabinet (Physical Object, LRU) bolted in elevator machine room. Welded IP54 steel enclosure containing: IEC 61439-compliant copper busbar assembly, sealed lead-acid 48 V UPS battery bank (2.5 kWh ARD supply), mains isolation contactors, ARD battery management board, monitoring interface PCB. Physical dimensions: constrained by EN 81-20 machine room. Has mass. Thermal load. Bolted to structural wall. Front-hinged maintenance door. Distributes 3-phase 400 V AC mains and 48 V DC UPS power. Physical Line-Replaceable Unit.
Power Distribution Subsystem | DE851018 | Physical welded steel cabinet installed in elevator machine room. A discrete physical LRU (line-replaceable unit) with IP54 enclosure rating per IEC 60529, flame-retardant UL94 V-0 housing material, and front-hinged maintenance access door. Has physical mass, dimensional envelope, and thermal dissipation load. Contains: IEC 61439-compliant copper busbar assembly (physical conductors), sealed 48 V VRLA battery bank (2.5 kWh ARD supply), mains isolation contactors (electromechanical physical devices), and monitoring PCB. Mounted to structural wall of machine room. This is a physical enclosure/cabinet that distributes 3-phase 400 V AC mains power and 48 V DC UPS power to elevator drive systems and safety subsystems.
Power failure during normal operation scenario | 11F43211 | Failure scenario for Industrial Elevator Control System: mains power fails during afternoon operation. UPS maintains controller logic for 30 minutes. ARD batteries activate on all cars between floors. Car 2 is at floor 18 with 6 passengers including a wheelchair user. ARD drives car 2 down at 0.15 m/s to floor 17 (nearest floor below), opens doors. Emergency lighting and intercom activate. Other cars already at floors — doors open, passengers exit. Building emergency generator starts in 12 s, but elevator power restoration requires manual confirmation from building engineer to prevent restart with open hoistway doors.
Power failure with passengers trapped hazard | 51071211 | Hazard in Industrial Elevator Control System: mains power failure while car is between floors with passengers aboard. Consequence: entrapment (panic, medical emergencies for trapped elderly/disabled), potential for self-rescue attempts leading to falls into hoistway. Mitigated by automatic rescue device (ARD) with battery backup — drives car to nearest floor at reduced speed, opens doors. Battery must sustain 3 rescue cycles minimum.
Power Management Controller | 15F77218 | Embedded microcontroller managing power source switching, load shedding, and battery monitoring for the industrial elevator. Monitors mains presence (230 V AC), UPS SoC via SMBus, and 24 V DC bus voltage. Executes automatic transfer switch (ATS) logic within 20 ms of mains failure. Controls solid-state relays for load groups (safety circuits, drive, lighting, ventilation). Communicates bus state to Safety Controller via CAN at 10 Hz. Implements battery deep-discharge protection below 20% SoC.
Quarterly preventive maintenance scenario | 00843A58 | Maintenance scenario for Industrial Elevator Control System: every 3 months, certified technician performs EN 81-20 mandated inspection. Technician arrives at machine room, switches Car 1 to maintenance mode via key switch. Car 1 removed from group dispatch — remaining cars handle traffic. Technician rides car top at 0.3 m/s, inspects guide rail alignment, rope condition, door gap clearances, safety gear, governor rope tension. Measures brake holding torque with test weight. Tests ARD by simulating power failure. Records all measurements in maintenance log. Duration: 2-4 hours per car. For 4-car group: full inspection takes 2 days with cars rotated through maintenance.
Rotary Encoder | D4F57008 | High-resolution optical rotary encoder mounted on the traction motor shaft for closed-loop speed and position feedback. Provides 2048 pulses/revolution via incremental A/B/Z quadrature signals at 5 V TTL. Maximum shaft speed 3000 rpm. Operating temperature −20 to +80 °C. Connects to Motor Control Unit via shielded cable to minimise VFD-induced noise. Used for both velocity regulation and absolute floor position computation via pulse counting from a reference datum.
Safety Chain Interface Module | 54E57858 | Series safety circuit monitor per EN 81-20 Clause 14.1. Reads the state of all electrical safety devices wired in series: pit stop switch, buffers, final limit switches, car top inspection station, door electrical safety devices (DSE) per landing, car gate contact, and slack rope switch. Provides discrete safety chain status (open/closed) to Safety CPU at 20 Hz scan rate. Operates on isolated 24 V DC safety loop; single-channel open detected as fail-safe (open = unsafe). Feeds into Safety CPU's trip logic for safety gear engagement.
Safety Command Validator | 41F77B18 | Software module within the Building Integration Gateway that intercepts all incoming BMS commands (floor lockout, VIP priority, schedule changes) and cross-checks each command against the current safety state published by the Safety Controller Subsystem. Rejects any command that would override or interfere with fire recall, seismic hold, or emergency stop states. On rejection, generates a BACnet alarm notification object within 500 ms and logs the rejection event. Consumes safety state via internal message bus at 10 Hz; outputs command pass/reject decision with timestamp.
Safety Controller Subsystem | 51B73858 | Subsystem of Industrial Elevator Control System: independent SIL 3 certified safety processor per IEC 61508. Dual-channel architecture with >99% diagnostic coverage. Monitors: overspeed governor (115% rated speed trip), UCMP device (200 mm threshold with doors open), safety chain (interlocks, buffers, pit switch, car-top switch), fire alarm relay (hardwired Phase I recall), seismic P-wave detector. Controls: safety brake engagement, motor contactor (STO), UCMP mechanical device, fire recall mode, seismic safe-hold. Independent of main controller — hardwired safety chain can stop car even if main controller fails. Response time ≤200 ms for overspeed, ≤300 ms for UCMP.
Safety CPU | 51F77858 | Dual-channel SIL 3 certified safety processor (IEC 61508 SIL 3) running elevator safety logic. Executes overspeed detection (>115% rated speed), uncontrolled car movement detection (>200 mm), safe state logic, and fire/seismic emergency response. Operates on separate power rail from main controller. Watchdog-monitored with 10 ms safety function response time. Inputs from Speed/Position Monitor and Safety Chain Interface; outputs to Safety Output Actuator.
Safety Edge Contact Strip | C6C41058 | Mechanically actuated pressure-sensitive contact strip mounted on the leading edge of the car door panel. Provides a redundant, fail-safe obstruction detection channel independent of the light curtain. Triggers on contact forces ≥5 N. Hardwired output — de-energises on contact, directly connected to Door Control Unit safety input. Rated for EN 81-20 clause 5.3.12 and compliant with EN 81-70 accessible design requirements.
Safety Monitoring | 51F77858 | System function of Industrial Elevator Control System: continuously monitors safety-critical parameters independent of main controller. Overspeed detection at 115% rated speed via governor and encoder. UCMP detection of 200 mm uncontrolled movement with doors open. Safety chain monitoring (interlocks, buffers, pit switch, governor). SIL 3 per IEC 61508. Dual-channel architecture with diagnostic coverage >99%. Inputs: encoder velocity, door state, interlock chain, governor switch. Outputs: safety brake engagement, motor contactor drop, UCMP device activation.
Safety Output Actuator | D6E57058 | Dual-channel safety relay output module controlling the elevator's electromechanical safety brake and VFD enable signal. Contains two independent force-guided relays (EN 61810-3) wired in series on the safety brake coil circuit. Both relays must open simultaneously to engage brake; relay monitor contacts feed back to Safety CPU. VFD enable output prevents drive from powering traction motor when tripped. SIL 3 rated output stage with 20 ms maximum brake engagement time from trip command. Auto-restart inhibited until Safety CPU clears the trip condition.
Seismic and Fire Interface | 50A57258 | Hardwired relay contact input module interfacing external safety systems to the Safety Controller Subsystem. Receives Phase I fire recall relay from Building Fire Alarm Panel (EN 81-72), seismic P-wave detector digital output (EN 81-77), and alternate floor designation relay. Converts relay states to digital signals for Safety CPU. All inputs are fail-safe (normally energised, de-energise on alarm). Provides electrical isolation between external systems and safety CPU. Response latency <5 ms to ensure seismic deceleration command meets the ≤1 s P-to-S-wave window.
Seismic event during operation scenario | 04B77A10 | Emergency scenario for Industrial Elevator Control System: P-wave detector triggers seismic alert. All cars in motion begin deceleration to nearest floor. Car 4 at floor 22 moving down — stops at floor 21, doors open. Counterweight monitored for rail alignment. 60-second hold timer starts after last P-wave detection. Building sway sensor confirms structural integrity. After timer expires and sway below threshold, technician initiates low-speed inspection run: each car travels full shaft at 0.3 m/s while sensors check guide rail alignment, rope tension, and counterweight position. Cars passing inspection return to service one at a time.
Seismic operation mode of Industrial Elevator Control System | 50B73A58 | Earthquake response mode triggered by seismic sensor (P-wave detector) or building seismic monitoring system. On seismic trigger: car immediately stops at nearest floor, doors open, system enters safe hold. Prevents car movement during shaking to avoid derailment from guide rails. After seismic event clears (configurable hold timer, typically 60 s after last trigger), system runs low-speed inspection trip before resuming normal operation. Required by EN 81-77 and California Building Code.
Single car failure during peak traffic scenario | 40343208 | Degraded scenario for Industrial Elevator Control System: during morning rush, one car in 4-car group reports encoder redundancy fault. Controller takes car out of group service, dispatches remaining 3 cars. Wait times increase from 30 s to 45-50 s. Building management notified. Technician dispatched — ETA 45 minutes. Group algorithm rebalances: cars skip low-traffic floors during peak. If second car fails, system enters critical degraded mode: lobby attendant redirects passengers to stairwells for floors <5.
Speed and Position Monitor | 54F57218 | Dual-channel incremental encoder interface module receiving quadrature encoder signals from two independent encoders mounted on the traction sheave and governor sheave. Continuously computes car velocity (resolution 1 mm, rate 100 Hz) and absolute position relative to landing zones. Detects overspeed at >115% rated speed within 50 ms and uncontrolled car movement (creep/drift) exceeding 200 mm from landing with doors open. Outputs speed/position data and discrete overspeed/UCMP trip signals to Safety CPU.
Traction Drive Subsystem | 54F73018 | Subsystem of Industrial Elevator Control System: gearless permanent-magnet synchronous motor with VFD operating at 4-16 kHz switching frequency. Dual redundant absolute encoders for closed-loop speed/position control. S-curve motion profiles (2.5 m/s rated, 1.5 m/s² accel, 2.0 m/s³ jerk). Floor levelling to ±5 mm. Regenerative braking with grid return or resistor dissipation. Mechanical brake (normally-closed, spring-applied, electrically released). Machine-room or MRL mounting. Interfaces: safety controller (brake release permit), group controller (target floor), power subsystem (3-phase supply, regen bus).
Traction Motor | D6D51018 | Three-phase permanent-magnet synchronous motor (PMSM) driving the traction sheave of an industrial elevator. Rated 30 kW, 1500 rpm, 400 V, IP54. Receives three-phase AC from the VFD; drives the grooved traction sheave directly (gearless) via a bolted flange. Delivers constant torque from 0 to rated speed; regenerates energy during deceleration back to the DC bus. Mounted on a bedplate in the machine room. High-temperature winding insulation (class F) required.
Traffic Analysis Module | 41F77B08 | Software module performing statistical analysis of building traffic patterns to adapt dispatch strategy. Monitors hall call registration rates, waiting time histograms, and car utilisation over rolling 15-minute windows. Classifies traffic mode (up-peak, down-peak, inter-floor, light) and adjusts dispatch algorithm parameters accordingly. Stores 30-day traffic profiles for reporting. Provides traffic mode signal to Dispatch Algorithm Engine.
Uncontrolled car movement hazard | 00010851 | Hazard in Industrial Elevator Control System: car moves without valid command due to contactor welding, drive fault, or control logic failure. Consequence: crushing/shearing of passengers or maintenance personnel at floor landings or in hoistway. Most severe elevator hazard — EN 81-20 Clause 5.6 requires unintended car movement protection (UCMP) device as independent safety function. Dual-channel monitoring of motor torque vs position required.
UPS Module | D6F51018 | Sealed VRLA or lithium-ion uninterruptible power supply providing 24 V DC backup power for elevator safety circuits and MCU. Rated 1.5 kWh capacity; minimum hold-up time 30 minutes at full load. Trickle charges from 230 V AC mains via integrated charger. Monitors State of Charge (SoC) and battery health via I2C SMBus; reports status to Power Management Controller. Located in machine room. Temperature range 0-40 °C. Complies with EN 50272-2 battery safety standard.
Variable Frequency Drive | D4F53018 | Industrial-grade IGBT-based variable frequency drive (VFD) controlling a traction motor for elevator service. Receives velocity setpoint and current limits from the Motor Control Unit; outputs three-phase PWM waveform to the traction motor at up to 400 V AC, 0–50 Hz. Implements V/f and closed-loop vector control modes. Peak torque output 200% of rated for 10 s. Must reject input harmonic disturbances; fitted with line reactor and EMI filter for compliance with EN 12015. Operating temperature −10 to +55 °C, humidity 95% non-condensing.

Decomposition Relationships

Part-Of

Component | Belongs To
Traction Drive Subsystem | Industrial Elevator Control System
Safety Controller Subsystem | Industrial Elevator Control System
Door Operator Subsystem | Industrial Elevator Control System
Group Dispatch Controller | Industrial Elevator Control System
Power Distribution Subsystem | Industrial Elevator Control System
Building Integration Gateway | Industrial Elevator Control System
Safety CPU | Safety Controller Subsystem
Speed and Position Monitor | Safety Controller Subsystem
Safety Chain Interface Module | Safety Controller Subsystem
Seismic and Fire Interface | Safety Controller Subsystem
Safety Output Actuator | Safety Controller Subsystem
Variable Frequency Drive | Traction Drive Subsystem
Traction Motor | Traction Drive Subsystem
Electromagnetic Brake | Traction Drive Subsystem
Rotary Encoder | Traction Drive Subsystem
Motor Control Unit | Traction Drive Subsystem
UPS Module | Power Distribution Subsystem
Power Management Controller | Power Distribution Subsystem
Automatic Transfer Switch | Power Distribution Subsystem
Door Control Unit | Door Operator Subsystem
Door Motor Drive | Door Operator Subsystem
Multi-Ray Light Curtain | Door Operator Subsystem
Safety Edge Contact Strip | Door Operator Subsystem
Door Position Encoder | Door Operator Subsystem
Landing Door Interlock Monitor | Door Operator Subsystem
Dispatch Algorithm Engine | Group Dispatch Controller
Car State Aggregator | Group Dispatch Controller
Hall Call Interface Unit | Group Dispatch Controller
Traffic Analysis Module | Group Dispatch Controller
BACnet/IP Stack | Building Integration Gateway
Safety Command Validator | Building Integration Gateway
Access Control Interface Module | Building Integration Gateway
Event Logger | Building Integration Gateway
Emergency Communications Unit | Building Integration Gateway

Connections

From | To
Speed and Position Monitor | Safety CPU
Safety Chain Interface Module | Safety CPU
Seismic and Fire Interface | Safety CPU
Safety CPU | Safety Output Actuator
Motor Control Unit | Variable Frequency Drive
Rotary Encoder | Motor Control Unit
Motor Control Unit | Safety Controller
Safety Controller | Electromagnetic Brake
Variable Frequency Drive | Traction Motor
Door Control Unit | Door Motor Drive
Multi-Ray Light Curtain | Door Control Unit
Safety Edge Contact Strip | Door Control Unit
Door Position Encoder | Door Control Unit
Landing Door Interlock Monitor | Door Control Unit
Door Control Unit | Safety Controller Subsystem
BACnet/IP Stack | Safety Command Validator
Building Integration Gateway | Group Dispatch Controller
Event Logger | Safety Controller Subsystem
Safety Command Validator | Safety Controller Subsystem

Produces

Component | Output
Safety CPU | safety-state-commands
Speed and Position Monitor | speed-position-data
Safety Chain Interface Module | safety-chain-status
Seismic and Fire Interface | fire-seismic-events
Safety Output Actuator | brake-vfd-control-signals
Variable Frequency Drive | Three-phase PWM motor voltage
Traction Motor | Mechanical torque on sheave
Electromagnetic Brake | Shaft hold/release action
Rotary Encoder | Speed and position pulses
Motor Control Unit | Velocity setpoint and fault status
Door Control Unit | door-cycle-command
Multi-Ray Light Curtain | obstruction-detection-signal
Safety Edge Contact Strip | contact-obstruction-signal
Door Position Encoder | door-panel-position
Landing Door Interlock Monitor | interlock-status
Door Motor Drive | door-panel-velocity
BACnet/IP Stack | BACnet status objects and alarm notifications
Safety Command Validator | command pass/reject decisions with audit events
Access Control Interface Module | floor authorisation commands for Group Dispatch
Event Logger | tamper-evident audit trail records
Emergency Communications Unit | two-way voice call to monitoring centre on entrapment

Traceability Matrix — Derivation

Source | Target | Type | Description
SYS-REQ-013 | ARC-REQ-011 | derives | SYS-REQ-013 drives ARC-REQ-011
SYS-REQ-001 | ARC-REQ-010 | derives | SYS-REQ-001 drives ARC-REQ-010
SYS-REQ-005 | ARC-REQ-009 | derives | SYS-REQ-005 drives ARC-REQ-009
SYS-REQ-006 | ARC-REQ-008 | derives | SYS-REQ-006 drives ARC-REQ-008
SYS-REQ-002 | ARC-REQ-007 | derives | SYS-REQ-002 drives ARC-REQ-007
SYS-REQ-001 | ARC-REQ-006 | derives | SYS-REQ-001 drives ARC-REQ-006
SYS-REQ-006 | ARC-REQ-005 | derives | SYS-REQ-006 drives ARC-REQ-005
SYS-REQ-010 | ARC-REQ-004 | derives | SYS-REQ-010 drives ARC-REQ-004
SYS-REQ-005 | ARC-REQ-003 | derives | SYS-REQ-005 drives ARC-REQ-003
SYS-REQ-002 | ARC-REQ-002 | derives | SYS-REQ-002 drives ARC-REQ-002
SYS-REQ-004 | ARC-REQ-001 | derives | SYS-REQ-004 drives ARC-REQ-001
SYS-REQ-003 | ARC-REQ-001 | derives | SYS-REQ-003 drives ARC-REQ-001
REQ-SEINDUSTRIALELEVATOR-013 | REQ-SEINDUSTRIALELEVATOR-080 | derives | Cabinet physical inspection covers IP54 enclosure requirement
SYS-REQ-001 | SUB-REQ-030 | derives | Group Dispatch Controller waiting time
SYS-REQ-003 | REQ-SEINDUSTRIALELEVATOR-081 | derives | SIL 3 safety controller requirement derives proof test interval requirement
REQ-SEINDUSTRIALELEVATOR-013 | REQ-SEINDUSTRIALELEVATOR-059 | derives | SYS-REQ-015 mandates IP54-rated steel enclosure in machine room for elevator control system; SUB-REQ-073 decomposes this to the dedicated enclosure for Power Distribution Subsystem (UPS, ARD battery bank, busbars, contactors)
SYS-REQ-001 | REQ-SEINDUSTRIALELEVATOR-054 | derives | GDC performance watchdog derives from SYS dispatch waiting time
SYS-REQ-003 | REQ-SEINDUSTRIALELEVATOR-053 | derives | IEC 61508-2 SIL 3 arch constraint SUB derives from SYS SIL 3 safety
SYS-REQ-010 | REQ-SEINDUSTRIALELEVATOR-052 | derives | BACnet B-ASC profile SUB derives from SYS BACnet interface requirement
SYS-REQ-008 | REQ-SEINDUSTRIALELEVATOR-051 | derives | EN 81-77 seismic timing SUB derives from SYS seismic response requirement
SYS-REQ-007 | REQ-SEINDUSTRIALELEVATOR-040 | derives | Phase II firefighter service SUB derives from SYS fire service requirement
SYS-REQ-009 | REQ-SEINDUSTRIALELEVATOR-039 | derives | BIG degraded-comm mode derives from SYS fault tolerance requirement
SYS-REQ-018 | REQ-SEINDUSTRIALELEVATOR-038 | derives | ARD battery capacity SUB derives from SYS ARD energy requirement
SYS-REQ-003 | REQ-SEINDUSTRIALELEVATOR-037 | derives | SOA self-test derives from SYS SIL 3 safety requirement
SYS-REQ-013 | REQ-SEINDUSTRIALELEVATOR-036 | derives | Event Logger hash-chain derives from SYS logging requirement
SYS-REQ-013 | REQ-SEINDUSTRIALELEVATOR-035 | derives | Event Logger dual-storage derives from SYS logging requirement
SYS-REQ-003 | REQ-SEINDUSTRIALELEVATOR-034 | derives | SCV dual-channel SUB requirement derives from SYS SIL 3 safety
SYS-REQ-010 | REQ-SEINDUSTRIALELEVATOR-033 | derives | SCV output spec SUB requirement derives from SYS BACnet interface
SYS-REQ-002 | REQ-SEINDUSTRIALELEVATOR-032 | derives | VFD safe-stop SUB requirement derives from SYS velocity control
SYS-REQ-002 | REQ-SEINDUSTRIALELEVATOR-031 | derives | MCU watchdog SUB requirement derives from SYS velocity control
REQ-SEINDUSTRIALELEVATOR-013 | SUB-REQ-055 | derives | Cabinet enclosure SUB req derives from SYS-REQ-015
SYS-REQ-005 | SUB-REQ-054 | derives | Door Operator state machine derives from door safety requirement
SYS-REQ-018 | SUB-REQ-057 | derives | ARD battery self-test derives from SYS-REQ-018 rescue cycle endurance
SYS-REQ-017 | SUB-REQ-056 | derives | BMS data items derive from SYS-REQ-017 reporting mandate
SYS-REQ-003 | SUB-REQ-053 | derives | VFD state machine derives from overspeed safety requirement
SYS-REQ-009 | SUB-REQ-052 | derives | GDC failover derives from fault isolation requirement
SYS-REQ-003 | SUB-REQ-051 | derives | Safety Controller redundancy derives from overspeed detection requirement
REQ-SEINDUSTRIALELEVATOR-013 | SUB-REQ-049 | derives | Controller cabinet enclosure IP54
SYS-REQ-018 | SUB-REQ-020 | derives | Power Management Controller battery SoC monitoring
SYS-REQ-018 | SUB-REQ-045 | derives | ARD battery 3 rescue cycles and recovery
SYS-REQ-017 | SUB-REQ-033 | derives | BACnet/IP Stack BMS data items
SYS-REQ-016 | SUB-REQ-050 | derives | EU Lifts Directive CE marking compliance
SYS-REQ-013 | SUB-REQ-034 | derives | Event Logger 10-year retention
SYS-REQ-012 | SUB-REQ-029 | derives | Door Operator MTBF allocation
SYS-REQ-012 | SUB-REQ-016 | derives | Traction Drive MTBF allocation
SYS-REQ-011 | SUB-REQ-048 | derives | Safety Controller EMC immunity EN 12016
SYS-REQ-011 | SUB-REQ-014 | derives | VFD emissions compliance EN 12015
SYS-REQ-010 | SUB-REQ-046 | derives | BACnet B-ASC device profile
SYS-REQ-010 | SUB-REQ-033 | derives | BACnet/IP Stack publish at 1 Hz
SYS-REQ-009 | SUB-REQ-032 | derives | Group Dispatch Controller N-1 degraded operation
SYS-REQ-008 | SUB-REQ-047 | derives | Safety Controller seismic safe-hold state
SYS-REQ-008 | SUB-REQ-006 | derives | Safety Controller seismic P-wave response
SYS-REQ-007 | SUB-REQ-025 | derives | Door Operator fire recall door open
SYS-REQ-007 | SUB-REQ-044 | derives | Group Dispatch Controller fire recall routing
SYS-REQ-007 | SUB-REQ-005 | derives | Safety Controller fire recall initiation
SYS-REQ-006 | SUB-REQ-045 | derives | ARD battery rescue cycle capacity
SYS-REQ-006 | SUB-REQ-018 | derives | Power Distribution mains-to-UPS transfer
SYS-REQ-005 | SUB-REQ-024 | derives | Door Operator obstruction re-open
SYS-REQ-005 | SUB-REQ-023 | derives | Door Operator closing force limit
SYS-REQ-004 | SUB-REQ-003 | derives | Speed and Position Monitor UCMP detection
SYS-REQ-004 | SUB-REQ-001 | derives | SIL 3 dual-channel Safety CPU for UCMP detection
SYS-REQ-003 | SUB-REQ-002 | derives | Speed and Position Monitor overspeed trip
SYS-REQ-003 | SUB-REQ-001 | derives | SIL 3 dual-channel Safety CPU for overspeed detection
SYS-REQ-002 | SUB-REQ-011 | derives | Motor Control Unit accel/jerk profile
SYS-REQ-002 | SUB-REQ-010 | derives | Motor Control Unit velocity tracking
SYS-REQ-001 | SUB-REQ-031 | derives | Group Dispatch Controller assignment response time
SYS-REQ-003 | SUB-REQ-007 | derives | Safety Output Actuator brake engagement implements safe state on overspeed trip
SYS-REQ-003 | SUB-REQ-004 | derives | Safety chain monitoring implements EN 81-20 Clause 14 safety function
SYS-REQ-003 | SUB-REQ-009 | derives | Power-on self-test mandated by IEC 61508 SIL 3 diagnostic coverage
SYS-REQ-003 | SUB-REQ-012 | derives | Overspeed detection response time derived from system-level overspeed safety requirement
SYS-REQ-006 | SUB-REQ-013 | derives | Brake engagement on power failure derived from system power-loss safe state requirement
SYS-REQ-003 | SUB-REQ-015 | derives | Encoder fault detection derived from system safety monitoring requirement
SYS-REQ-006 | SUB-REQ-019 | derives | UPS hold-up time derived from emergency evacuation power requirement
SYS-REQ-003 | SUB-REQ-026 | derives | Interlock verification derived from safety controller requirement
SYS-REQ-003 | SUB-REQ-028 | derives | Door subsystem safe state on failure
SYS-REQ-010 | SUB-REQ-035 | derives | Access control credential validation derived from BMS bidirectional command exchange
SYS-REQ-010 | SUB-REQ-022 | derives | BIG safety command rejection derived from BMS interface requirement
SYS-REQ-010 | SUB-REQ-037 | derives | BIG safe state on BMS loss derived from BMS interface reliability requirement
SYS-REQ-003 | SUB-REQ-017 | derives | SIL 3 overspeed safety derives dual-coil electromagnetic brake requirement
SYS-REQ-006 | SUB-REQ-020 | derives | ARD rescue energy guarantee derives battery SoC monitoring requirement
SYS-REQ-002 | SUB-REQ-021 | derives | Velocity control continuity derives VFD power supply tolerance specification
SYS-REQ-005 | SUB-REQ-027 | derives | 150 N door closing force limit derives door panel velocity profile requirement
SYS-REQ-006 | REQ-SEINDUSTRIALELEVATOR-011 | derives | Mains failure rescue drives position monitor 24 V safety rail power spec
SYS-REQ-003 | REQ-SEINDUSTRIALELEVATOR-011 | derives | SIL 3 overspeed monitoring requires position monitor power continuity spec
SYS-REQ-003 | REQ-SEINDUSTRIALELEVATOR-012 | derives | SIL 3 brake engagement derives safety output actuator power spec
SYS-REQ-006 | REQ-SEINDUSTRIALELEVATOR-012 | derives | ARD rescue switchover drives safety output actuator brownout tolerance
SYS-REQ-011 | REQ-SEINDUSTRIALELEVATOR-013 | derives | EMC immunity requirement drives physical cabinet enclosure specification
SYS-REQ-003 | REQ-SEINDUSTRIALELEVATOR-014 | derives | SIL 3 overspeed requirement drives physical isolation of safety controller
SYS-REQ-002 | REQ-SEINDUSTRIALELEVATOR-015 | derives | Velocity control accuracy drives MCU physical integration with VFD
SYS-REQ-001 | IFC-REQ-022 | derives | Group dispatch performance derives hall call interface bus specification
SYS-REQ-005 | IFC-REQ-019 | derives | Door safety requirement derives landing door interlock monitor interface spec
SYS-REQ-006 | IFC-REQ-014 | derives | ARD rescue drive energy requirement derives UPS SoC telemetry interface
SYS-REQ-006 | IFC-REQ-013 | derives | Power failure rescue derives ATS command interface specification
SYS-REQ-003 | IFC-REQ-012 | derives | Overspeed safety brake requirement derives electromagnetic brake interface spec
SYS-REQ-013 | IFC-REQ-025 | derives | Event Logger CAN bus interface derived from centralised logging requirement
SYS-REQ-010 | IFC-REQ-024 | derives | BIG-to-GDC command forwarding interface derived from BMS integration requirement
SYS-REQ-001 | IFC-REQ-021 | derives | Car controller CAN interface derived from dispatch latency requirement
SYS-REQ-005 | IFC-REQ-018 | derives | Door position encoder interface derived from closing speed profile requirement
SYS-REQ-005 | IFC-REQ-017 | derives | Safety edge contact interface derived from obstruction detection requirement
SYS-REQ-005 | IFC-REQ-015 | derives | Door motor command interface derived from force limit requirement
SYS-REQ-003 | IFC-REQ-003 | derives | SYS-REQ-003 safety chain monitoring derives to IFC-REQ-003 access control
SYS-REQ-006 | IFC-REQ-004 | derives | SYS-REQ-006 ARD power failure derives to IFC-REQ-004 emergency intercom
SYS-REQ-007 | IFC-REQ-002 | derives | Fire panel hardwired relay interface derives from fire recall requirement
SYS-REQ-010 | IFC-REQ-001 | derives | BMS BACnet/IP interface spec derives from SYS BMS requirement
STK-REQ-014 | SYS-REQ-018 | derives | ARD rescue cycle count derived from maintenance stakeholder power-resilience requirement
STK-REQ-006 | SYS-REQ-017 | derives | BMS status data item requirement derived from facility manager stakeholder need
STK-REQ-011 | SYS-REQ-016 | derives | EU Lifts Directive compliance derived from regulatory requirement
STK-REQ-001 | SYS-REQ-012 | derives | STK-REQ-001 passenger wait time derives to SYS-REQ-012 availability
STK-REQ-012 | SYS-REQ-012 | derives | STK-REQ-012 modular architecture derives to SYS-REQ-012 availability target
STK-REQ-009 | SYS-REQ-007 | derives | STK-REQ-009 Phase II firefighter control derives to SYS-REQ-007 fire recall
STK-REQ-007 | SYS-REQ-001 | derives | STK-REQ-007 operator configuration derives to SYS-REQ-001 group dispatch
STK-REQ-005 | SYS-REQ-002 | derives | STK-REQ-005 maintenance inspection speed derives to SYS-REQ-002 velocity control
STK-REQ-004 | SYS-REQ-003 | derives | STK-REQ-004 exclusive hoistway access derives to SYS-REQ-003 safety chain
STK-REQ-010 | SYS-REQ-013 | derives | Inspector records drives logging
STK-REQ-013 | SYS-REQ-011 | derives | Environmental drives EMI immunity
STK-REQ-006 | SYS-REQ-010 | derives | BMS status drives BACnet
STK-REQ-001 | SYS-REQ-009 | derives | Wait time drives degraded dispatch
STK-REQ-013 | SYS-REQ-008 | derives | Environmental drives seismic
STK-REQ-008 | SYS-REQ-007 | derives | Fire recall need drives system req
STK-REQ-014 | SYS-REQ-006 | derives | Power supply drives ARD rescue
STK-REQ-003 | SYS-REQ-005 | derives | Accessibility drives door protection
STK-REQ-011 | SYS-REQ-004 | derives | SIL 3 compliance drives UCMP
STK-REQ-011 | SYS-REQ-003 | derives | SIL 3 compliance drives overspeed
STK-REQ-002 | SYS-REQ-002 | derives | Ride comfort drives motion control
STK-REQ-001 | SYS-REQ-001 | derives | Passenger wait time drives dispatch

Traceability Matrix — Verification

| Requirement | Verified By | Type | Description |
|---|---|---|---|
| REQ-SEINDUSTRIALELEVATOR-039 | REQ-SEINDUSTRIALELEVATOR-049 | verifies | BIG degraded-communication mode verified by network severance test |
| REQ-SEINDUSTRIALELEVATOR-081 | REQ-SEINDUSTRIALELEVATOR-082 | verifies | Proof test interval verification for SIL 3 safety functions |
| REQ-SEINDUSTRIALELEVATOR-061 | REQ-SEINDUSTRIALELEVATOR-080 | verifies | Power distribution LRU enclosure inspection |
| REQ-SEINDUSTRIALELEVATOR-059 | REQ-SEINDUSTRIALELEVATOR-080 | verifies | Power distribution enclosure inspection |
| SUB-REQ-055 | REQ-SEINDUSTRIALELEVATOR-080 | verifies | Controller cabinet IP54 enclosure inspection |
| REQ-SEINDUSTRIALELEVATOR-015 | REQ-SEINDUSTRIALELEVATOR-079 | verifies | Motor Control Unit PCB assembly inspection |
| REQ-SEINDUSTRIALELEVATOR-014 | REQ-SEINDUSTRIALELEVATOR-079 | verifies | Safety Controller DIN-rail module inspection |
| REQ-SEINDUSTRIALELEVATOR-012 | REQ-SEINDUSTRIALELEVATOR-078 | verifies | Safety output actuator power supply test |
| REQ-SEINDUSTRIALELEVATOR-011 | REQ-SEINDUSTRIALELEVATOR-078 | verifies | Safety rail voltage under load test |
| SUB-REQ-021 | REQ-SEINDUSTRIALELEVATOR-077 | verifies | VFD supply voltage tolerance envelope test |
| SUB-REQ-020 | REQ-SEINDUSTRIALELEVATOR-076 | verifies | Battery SoC monitoring accuracy test |
| SUB-REQ-017 | REQ-SEINDUSTRIALELEVATOR-075 | verifies | Electromagnetic brake dual-coil single-fault test |
| SUB-REQ-016 | REQ-SEINDUSTRIALELEVATOR-074 | verifies | Traction drive MTBF reliability analysis |
| SUB-REQ-014 | REQ-SEINDUSTRIALELEVATOR-073 | verifies | VFD EN 12015 EMC emissions test |
| SUB-REQ-011 | REQ-SEINDUSTRIALELEVATOR-072 | verifies | Dedicated velocity profile jerk measurement test |
| SUB-REQ-035 | VER-REQ-026 | verifies | VER-REQ-026 BIG end-to-end test includes access control system integration, verifying credential-based floor authorization within 500ms |
| SUB-REQ-034 | VER-REQ-026 | verifies | VER-REQ-026 BIG end-to-end test includes event logging verification, confirming events are recorded with timestamps during integration test |
| SUB-REQ-057 | REQ-SEINDUSTRIALELEVATOR-048 | verifies | VER-REQ-058 verifies SUB-REQ-057 by testing ARD battery sustaining 3 rescue cycles per car at rated capacity |
| SUB-REQ-028 | VER-REQ-038 | verifies | VER-REQ-038 door state machine test exercises fault injection states covering SUB-REQ-028 watchdog/CPU/encoder fault safe-state transitions |
| SUB-REQ-026 | VER-REQ-020 | verifies | VER-REQ-020 verifies SUB-REQ-026 by checking car-movement-permitted relay state with door open and confirming enable only after interlock closure |
| SUB-REQ-046 | REQ-SEINDUSTRIALELEVATOR-056 | verifies | VER-REQ-062 verifies SUB-REQ-046 BACnet B-ASC device profile implementation via protocol analyser conformance test |
| SUB-REQ-037 | REQ-SEINDUSTRIALELEVATOR-049 | verifies | VER-REQ-059 verifies SUB-REQ-037 communication loss response by disconnecting BMS and confirming logging and degraded mode |
| SUB-REQ-033 | VER-REQ-039 | verifies | VER-REQ-039 verifies SUB-REQ-033 BACnet status publishing at 1 Hz by connecting analyser and confirming data items |
| SUB-REQ-022 | VER-REQ-023 | verifies | VER-REQ-023 tests BMS command injection including safety-override rejection path specified in SUB-REQ-022 |
| SUB-REQ-011 | REQ-SEINDUSTRIALELEVATOR-008 | verifies | VER-REQ-014 verifies SUB-REQ-011 acceleration/jerk limits by measuring 12-floor run velocity profile against S-curve reference |
| SUB-REQ-005 | REQ-SEINDUSTRIALELEVATOR-062 | verifies | SUB-REQ-005 requires Safety Controller to inhibit all car operation within 5s of Phase I fire recall signal; REQ-SEINDUSTRIALELEVATOR-062 tests this exact time bound by measuring relay de-energisation to car inhibit timing |
| SUB-REQ-025 | VER-REQ-029 | verifies | SUB-REQ-025 requires Door Operator to hold car doors open for duration of fire recall; VER-REQ-029 fire recall integration test verifies all cars arrive at designated floor with doors open — a pass confirms door hold behavior |
| SUB-REQ-006 | REQ-SEINDUSTRIALELEVATOR-055 | verifies | SUB-REQ-006 requires Safety Controller to initiate car deceleration within 500 ms of P-wave detection; REQ-SEINDUSTRIALELEVATOR-055 directly tests this timing using a calibrated seismic simulator per EN 81-77 |
| REQ-SEINDUSTRIALELEVATOR-054 | REQ-SEINDUSTRIALELEVATOR-058 | verifies | GDC performance watchdog requirement verified by load simulation test |
| REQ-SEINDUSTRIALELEVATOR-053 | REQ-SEINDUSTRIALELEVATOR-057 | verifies | IEC 61508-2 SIL 3 architectural constraint verified by hardware FMEA analysis |
| REQ-SEINDUSTRIALELEVATOR-052 | REQ-SEINDUSTRIALELEVATOR-056 | verifies | BACnet B-ASC profile requirement verified by PICS conformance test |
| REQ-SEINDUSTRIALELEVATOR-051 | REQ-SEINDUSTRIALELEVATOR-055 | verifies | EN 81-77 seismic response timing verified by seismic simulator test |
| REQ-SEINDUSTRIALELEVATOR-040 | REQ-SEINDUSTRIALELEVATOR-050 | verifies | EN 81-72 Phase II requirement verified by firefighter service test |
| SUB-REQ-002 | VER-REQ-005 | verifies | End-to-end overspeed detection verification |
| SUB-REQ-008 | VER-REQ-006 | verifies | Safe state transition verification |
| SUB-REQ-009 | VER-REQ-007 | verifies | POST test verification |
| SUB-REQ-007 | VER-REQ-005 | verifies | VER-REQ-005 tests brake engagement timing required by SUB-REQ-007 |
| SUB-REQ-003 | VER-008 | verifies | VER-008 verifies UCMP detection in SUB-REQ-003 |
| SUB-REQ-001 | VER-010 | verifies | VER-010 verifies SIL 3 dual-channel architecture in SUB-REQ-001 |
| SUB-REQ-012 | REQ-SEINDUSTRIALELEVATOR-007 | verifies | Overspeed threshold and response time boundary test |
| SUB-REQ-018 | REQ-SEINDUSTRIALELEVATOR-009 | verifies | ATS transfer time and voltage continuity test |
| SUB-REQ-019 | REQ-SEINDUSTRIALELEVATOR-010 | verifies | UPS minimum hold-up duration acceptance test |
| SUB-REQ-023 | VER-REQ-017 | verifies | Force limit test verifies SUB-REQ-023 |
| SUB-REQ-024 | VER-REQ-018 | verifies | Reversal timing test verifies SUB-REQ-024 |
| SUB-REQ-030 | VER-REQ-022 | verifies | Traffic simulation verifies waiting time KPI |
| SUB-REQ-036 | VER-REQ-025 | verifies | EN 81-28 entrapment detection, auto-dial, and battery backup verification |
| SUB-REQ-027 | VER-REQ-021 | verifies | Door cycle test verifies door panel velocity profile |
| SUB-REQ-029 | VER-REQ-021 | verifies | 1000-cycle door test provides MTBF statistical evidence |
| SUB-REQ-044 | VER-REQ-029 | verifies | Integration test verifying fire recall routing within 60 seconds |
| SUB-REQ-045 | VER-REQ-030 | verifies | Full-load battery endurance test for 3-cycle rescue criterion |
| SUB-REQ-047 | VER-REQ-031 | verifies | Seismic response integration test for stop time and hold duration |
| SUB-REQ-048 | REQ-SEINDUSTRIALELEVATOR-016 | verifies | EMC immunity test for Safety Controller |
| SUB-REQ-049 | REQ-SEINDUSTRIALELEVATOR-017 | verifies | Enclosure inspection for controller cabinet |
| SUB-REQ-050 | REQ-SEINDUSTRIALELEVATOR-018 | verifies | CE marking documentation inspection |
| SUB-REQ-051 | VER-REQ-035 | verifies | VER-REQ-035 verifies SC hot standby switchover |
| SUB-REQ-053 | VER-REQ-036 | verifies | VFD state machine test verifies SUB-REQ-053 |
| SUB-REQ-052 | VER-REQ-037 | verifies | GDC failover test verifies SUB-REQ-052 |
| SUB-REQ-054 | VER-REQ-038 | verifies | Door state machine test verifies SUB-REQ-054 |
| SUB-REQ-056 | VER-REQ-039 | verifies | BACnet integration test verifies BMS data items SUB-REQ-056 |
| SUB-REQ-004 | REQ-SEINDUSTRIALELEVATOR-019 | verifies | SUB-REQ-004 safety chain scan rate verified by VER-REQ-040 |
| SUB-REQ-010 | REQ-SEINDUSTRIALELEVATOR-020 | verifies | SUB-REQ-010 motor velocity control accuracy verified by VER-REQ-041 |
| SUB-REQ-012 | REQ-SEINDUSTRIALELEVATOR-021 | verifies | SUB-REQ-012 MCU overspeed detection verified by VER-REQ-042 |
| SUB-REQ-013 | REQ-SEINDUSTRIALELEVATOR-022 | verifies | SUB-REQ-013 brake engagement under power failure verified by VER-REQ-043 |
| SUB-REQ-018 | REQ-SEINDUSTRIALELEVATOR-023 | verifies | SUB-REQ-018 ATS mains-to-UPS transfer verified by VER-REQ-044 |
| SUB-REQ-019 | REQ-SEINDUSTRIALELEVATOR-024 | verifies | SUB-REQ-019 UPS 30-minute holdup verified by VER-REQ-045 |
| SUB-REQ-048 | REQ-SEINDUSTRIALELEVATOR-025 | verifies | SUB-REQ-048 EMC immunity verified by VER-REQ-046 |
| SUB-REQ-031 | REQ-SEINDUSTRIALELEVATOR-026 | verifies | SUB-REQ-031 GDC call reassignment timing verified by VER-REQ-047 |
| SUB-REQ-032 | REQ-SEINDUSTRIALELEVATOR-026 | verifies | SUB-REQ-032 GDC fault car reassignment verified by VER-REQ-047 |
| SUB-REQ-015 | REQ-SEINDUSTRIALELEVATOR-027 | verifies | SUB-REQ-015 encoder fault detection verified by VER-REQ-048 |
| SUB-REQ-044 | REQ-SEINDUSTRIALELEVATOR-028 | verifies | SUB-REQ-044 fire recall GDC behaviour verified by VER-REQ-049 |
| REQ-SEINDUSTRIALELEVATOR-030 | REQ-SEINDUSTRIALELEVATOR-029 | verifies | New SUB maintenance mode speed enforcement requirement verified by VER-REQ-050 |
| REQ-SEINDUSTRIALELEVATOR-031 | REQ-SEINDUSTRIALELEVATOR-041 | verifies | MCU watchdog STO requirement verified by VER test |
| REQ-SEINDUSTRIALELEVATOR-032 | REQ-SEINDUSTRIALELEVATOR-042 | verifies | VFD safe-stop requirement verified by VER test |
| REQ-SEINDUSTRIALELEVATOR-033 | REQ-SEINDUSTRIALELEVATOR-043 | verifies | SCV output specification verified by interface test |
| REQ-SEINDUSTRIALELEVATOR-034 | REQ-SEINDUSTRIALELEVATOR-044 | verifies | SCV dual-channel requirement verified by fault injection test |
| REQ-SEINDUSTRIALELEVATOR-035 | REQ-SEINDUSTRIALELEVATOR-045 | verifies | Event Logger dual-storage requirement verified by failover test |
| REQ-SEINDUSTRIALELEVATOR-036 | REQ-SEINDUSTRIALELEVATOR-046 | verifies | Event Logger hash chain requirement verified by tamper detection test |
| REQ-SEINDUSTRIALELEVATOR-037 | REQ-SEINDUSTRIALELEVATOR-047 | verifies | Safety Output Actuator self-test requirement verified by power-up test |
| REQ-SEINDUSTRIALELEVATOR-038 | REQ-SEINDUSTRIALELEVATOR-048 | verifies | ARD battery capacity requirement verified by full-load discharge test |
| IFC-REQ-025 | REQ-SEINDUSTRIALELEVATOR-071 | verifies | Event logger CAN bus capture test |
| IFC-REQ-024 | REQ-SEINDUSTRIALELEVATOR-071 | verifies | BIG-to-GDC CAN command latency test |
| IFC-REQ-022 | REQ-SEINDUSTRIALELEVATOR-070 | verifies | Hall call RS-485 polling test |
| IFC-REQ-021 | REQ-SEINDUSTRIALELEVATOR-070 | verifies | Group dispatch CAN bus performance test |
| IFC-REQ-019 | REQ-SEINDUSTRIALELEVATOR-069 | verifies | Landing door interlock state detection test |
| IFC-REQ-018 | REQ-SEINDUSTRIALELEVATOR-069 | verifies | Door position encoder resolution test |
| IFC-REQ-017 | REQ-SEINDUSTRIALELEVATOR-069 | verifies | Safety edge contact response time test |
| IFC-REQ-015 | REQ-SEINDUSTRIALELEVATOR-069 | verifies | Door motor drive command rate test |
| IFC-REQ-014 | REQ-SEINDUSTRIALELEVATOR-068 | verifies | UPS telemetry interface test |
| IFC-REQ-013 | REQ-SEINDUSTRIALELEVATOR-068 | verifies | ATS source-select command test |
| IFC-REQ-012 | REQ-SEINDUSTRIALELEVATOR-067 | verifies | Safety Controller brake interface dual-coil test |
| IFC-REQ-004 | REQ-SEINDUSTRIALELEVATOR-066 | verifies | Emergency intercom voice and battery test |
| IFC-REQ-003 | REQ-SEINDUSTRIALELEVATOR-065 | verifies | Access control RS-485/TCP interface test |
| IFC-REQ-002 | REQ-SEINDUSTRIALELEVATOR-064 | verifies | Fire alarm hardwired relay timing test |
| IFC-REQ-001 | REQ-SEINDUSTRIALELEVATOR-063 | verifies | BACnet/IP BMS interface protocol conformance test |
| IFC-REQ-026 | VER-REQ-024 | verifies | Safety state propagation latency test across three safety event types |
| IFC-REQ-023 | VER-REQ-023 | verifies | Integration test for BACnet-to-Safety Command Validator pipeline |
| IFC-REQ-020 | VER-REQ-020 | verifies | Safety interface integration test for IFC-REQ-020 |
| IFC-REQ-016 | VER-REQ-019 | verifies | OSSD interface test verifies IFC-REQ-016 |
| IFC-REQ-011 | REQ-SEINDUSTRIALELEVATOR-006 | verifies | Relay fault propagation timing test for MCU-Safety Controller interface |
| IFC-REQ-010 | REQ-SEINDUSTRIALELEVATOR-005 | verifies | Encoder BER test under VFD EMI conditions |
| IFC-REQ-009 | REQ-SEINDUSTRIALELEVATOR-004 | verifies | CAN bus latency and error detection test for MCU-to-VFD interface |
| IFC-REQ-008 | VER-REQ-004 | verifies | Integration test for CPU-SOA dual relay interface |
| IFC-REQ-007 | VER-REQ-003 | verifies | Integration test for SFI-CPU fire/seismic interface |
| IFC-REQ-006 | VER-REQ-002 | verifies | Integration test for SCIM-CPU safety chain interface |
| IFC-REQ-005 | VER-REQ-001 | verifies | Integration test for SPM-CPU interface |
| SYS-REQ-003 | REQ-SEINDUSTRIALELEVATOR-008 | verifies | Traction end-to-end test validates overspeed detection latency |
| SYS-REQ-002 | REQ-SEINDUSTRIALELEVATOR-008 | verifies | Traction drive end-to-end test verifies velocity requirements |
| SYS-REQ-013 | VER-REQ-026 | verifies | Gateway end-to-end test validates fire event audit logging |
| SYS-REQ-010 | VER-REQ-026 | verifies | Gateway integration test verifies BACnet/IP BMS interface |
| SYS-REQ-005 | VER-REQ-021 | verifies | 1000-cycle door force test verifies door safety closing force requirement |

Orphan Requirements (no trace links)

| Ref | Document | Requirement |
|---|---|---|
| SUB-REQ-039 | subsystem-requirements | The Speed and Position Monitor SHALL operate from a 24V DC safety-rail supply in the range 22-28V DC, with maximum power... |
| SUB-REQ-040 | subsystem-requirements | The Safety Output Actuator SHALL be powered from the 24V DC safety rail in the range 22-28V DC with maximum steady-state... |
| SUB-REQ-042 | subsystem-requirements | The Safety Controller subsystem SHALL be implemented as a standalone DIN-rail mounted module within the controller cabin... |
| SUB-REQ-043 | subsystem-requirements | The Motor Control Unit SHALL be implemented as a PCB assembly within the Variable Frequency Drive enclosure, cooled by t... |
| SUB-REQ-058 | subsystem-requirements | While Maintenance Mode is active (key switch engaged and car-top control box connected), the Safety Controller SHALL lim... |
| SUB-REQ-059 | subsystem-requirements | When the Motor Control Unit fails to receive a velocity command from the Safety Controller within two consecutive 10 ms ... |
| SUB-REQ-060 | subsystem-requirements | The Variable Frequency Drive SHALL assert STO and engage the electromagnetic brake within 150 ms of loss of MCU communic... |
| SUB-REQ-061 | subsystem-requirements | The Safety Command Validator SHALL output a discrete go/no-go digital signal (24V DC logic, sourced from the safety bus)... |
| SUB-REQ-062 | subsystem-requirements | The Safety Command Validator SHALL implement dual-channel validation logic, with each channel independently processing i... |
| SUB-REQ-063 | subsystem-requirements | The Event Logger SHALL store all safety event records simultaneously in two independent non-volatile storage devices (pr... |
| SUB-REQ-064 | subsystem-requirements | The Event Logger SHALL compute and store a SHA-256 HMAC over each event record (including timestamp, event code, and pre... |
| SUB-REQ-065 | subsystem-requirements | The Safety Output Actuator SHALL perform a self-test cycle at each power-up and every 24 hours during operation, in whic... |
| SUB-REQ-066 | subsystem-requirements | The Power Distribution Subsystem ARD battery bank SHALL provide a minimum rated capacity of 2.5 kWh at the 1-hour discha... |
| SUB-REQ-067 | subsystem-requirements | The Building Integration Gateway SHALL revert to a degraded-communication mode within 10 seconds of detecting BACnet/IP ... |
| SUB-REQ-068 | subsystem-requirements | The Safety Controller Subsystem SHALL comply with EN 81-72 Annex B Phase II firefighter service requirements: when a Pha... |
| SUB-REQ-069 | subsystem-requirements | The Safety Controller Subsystem SHALL comply with EN 81-77 Clause 5.3.4 seismic Category 1 requirements: upon receipt of... |
| SUB-REQ-070 | subsystem-requirements | The Building Integration Gateway BACnet/IP Stack SHALL implement the BACnet B-ASC device profile (Annex L, BACnet Standa... |
| SUB-REQ-071 | subsystem-requirements | The Safety Controller Subsystem SHALL implement IEC 61508-2 Clause 7.4.3 SIL 3 hardware architectural constraints: the h... |
| SUB-REQ-072 | subsystem-requirements | The Group Dispatch Controller SHALL implement a traffic-load watchdog that detects degraded dispatch performance when av... |
| SUB-REQ-073 | subsystem-requirements | The Power Distribution Subsystem SHALL be housed in a dedicated IP54-rated, flame-retardant (UL94 V-0) steel enclosure m... |
| SUB-REQ-074 | subsystem-requirements | The Power Distribution Subsystem enclosure SHALL be a physical LRU installed in the elevator machine room, rated IP54 pe... |
| SUB-REQ-075 | subsystem-requirements | The Safety Controller Subsystem SHALL define and implement IEC 61508-compliant proof test intervals not exceeding 8760 h... |
| SUB-REQ-076 | subsystem-requirements | The Industrial Elevator Control System controller cabinet SHALL be housed in a steel enclosure rated IP54 per IEC 60529,... |
| VER-REQ-010 | verification-plan | Verify IFC-REQ-009: inject 1000 consecutive torque reference commands on the CAN bus at 1 MHz and measure latency distri... |
| VER-REQ-011 | verification-plan | Verify IFC-REQ-010: run motor at rated speed for 60 minutes with shielded cable routed adjacent to live VFD output cable... |
| VER-REQ-012 | verification-plan | Verify IFC-REQ-011: simulate ENCODER_FAULT on MCU while monitoring Safety Controller relay inputs; measure relay de-asse... |
| VER-REQ-013 | verification-plan | Verify SUB-REQ-012: inject synthetic encoder signal at 115.1% of rated speed via MCU test port; measure time from thresh... |
| VER-REQ-014 | verification-plan | Verify end-to-end Traction Drive: command a 12-floor run at rated speed; measure velocity profile against S-curve refere... |
| VER-REQ-015 | verification-plan | Verify SUB-REQ-018: disconnect mains supply while safety bus is loaded at rated current; measure 24V DC bus voltage from... |
| VER-REQ-016 | verification-plan | Verify SUB-REQ-019: disconnect mains supply with UPS at 100% SoC and elevator in rated-load operation; measure time unti... |
| VER-REQ-027 | verification-plan | Verify SUB-REQ-003 (UCMP detection): With car at rest in the door zone, apply a simulated drive command to induce uncont... |
| VER-REQ-028 | verification-plan | Verify SUB-REQ-001 (dual-channel SIL 3 architecture): Review Safety CPU design documentation. Confirm two independent pr... |
| VER-REQ-032 | verification-plan | Verify SUB-REQ-048: Subject Safety Controller Subsystem to 10 V/m radiated field per EN 12016:2013 (80 MHz-1 GHz). Pass ... |
| VER-REQ-033 | verification-plan | Verify SUB-REQ-049: Inspect controller cabinet at factory acceptance. Measure H x W x D dimensions, confirm IP54 rating ... |
| VER-REQ-034 | verification-plan | Verify SUB-REQ-050: Inspect Declaration of Conformity, CE marking on product label, and conformity assessment records. P... |
| VER-REQ-040 | verification-plan | Verify SUB-REQ-004 (safety chain scan rate): With the safety chain circuit assembled and all safety devices closed, disa... |
| VER-REQ-041 | verification-plan | Verify SUB-REQ-010 (motor velocity control accuracy): With car loaded to rated capacity, command constant-speed runs at ... |
| VER-REQ-042 | verification-plan | Verify SUB-REQ-012 (MCU overspeed detection): Drive car at rated speed; inject encoder signal offset to simulate 116% of... |
| VER-REQ-043 | verification-plan | Verify SUB-REQ-013 (brake engagement under power failure): With car loaded to 150% rated capacity in up direction (worst... |
| VER-REQ-044 | verification-plan | Verify SUB-REQ-018 (ATS mains-to-UPS transfer): With elevator in rated operation, reduce mains voltage to below 85% of n... |
| VER-REQ-045 | verification-plan | Verify SUB-REQ-019 (UPS 30-minute holdup): With UPS battery at 100% SoC and elevator controller operating at full safety... |
| VER-REQ-046 | verification-plan | Verify SUB-REQ-048 (EMC immunity of safety-critical paths): Subject Safety Controller Subsystem and all safety-critical ... |
| VER-REQ-047 | verification-plan | Verify SUB-REQ-031 and SUB-REQ-032 (GDC call reassignment after fault): Simulate car fault on Car 1 while 3 hall calls a... |
| VER-REQ-048 | verification-plan | Verify SUB-REQ-015 (encoder fault detection): With car in motion at rated speed, disconnect encoder signal cable to simu... |
| VER-REQ-049 | verification-plan | Verify Fire Service Phase II operation (EN 81-72): Insert firefighter key into Phase II switch on Car 1. Confirm: (a) ca... |
| VER-REQ-050 | verification-plan | Verify Maintenance mode speed enforcement and car-top interlock: Insert maintenance key switch. Confirm car speed limite... |
| VER-REQ-051 | verification-plan | Verify MCU watchdog and VFD safe-stop (REQ-SEINDUSTRIALELEVATOR-031): With car at rated speed, sever the MCU-to-Safety-C... |
| VER-REQ-052 | verification-plan | Verify VFD safe-stop on MCU comm loss (REQ-SEINDUSTRIALELEVATOR-032): With car in motion at rated speed, remove MCU torq... |
| VER-REQ-053 | verification-plan | Verify Safety Command Validator output specification (REQ-SEINDUSTRIALELEVATOR-033): Connect test BMS to gateway and sen... |
| VER-REQ-054 | verification-plan | Verify Safety Command Validator dual-channel integrity (REQ-SEINDUSTRIALELEVATOR-034): Inject a command that causes deli... |
| VER-REQ-055 | verification-plan | Verify Event Logger dual-storage redundancy (REQ-SEINDUSTRIALELEVATOR-035): Trigger 100 safety events under test conditi... |
| VER-REQ-056 | verification-plan | Verify Event Logger hash-chain integrity (REQ-SEINDUSTRIALELEVATOR-036): Log 50 events under test conditions. Export log... |
| VER-REQ-057 | verification-plan | Verify Safety Output Actuator self-test cycle (REQ-SEINDUSTRIALELEVATOR-037): Power-cycle the Safety Output Actuator and... |
| VER-REQ-058 | verification-plan | Verify ARD battery minimum capacity (REQ-SEINDUSTRIALELEVATOR-038): With battery at 100% SoC and ambient temperature 20°... |
| VER-REQ-059 | verification-plan | Verify Building Integration Gateway degraded-communication mode (REQ-SEINDUSTRIALELEVATOR-039): With elevator in rated o... |
| VER-REQ-060 | verification-plan | Verify Fire Service Phase II EN 81-72 compliance (REQ-SEINDUSTRIALELEVATOR-040): Insert Phase II key on car panel and ac... |
| VER-REQ-061 | verification-plan | Verify EN 81-77 P-wave response timing (REQ for SUB-EN81-77): Using seismic simulator, inject a synthetic P-wave at 0.05... |
| VER-REQ-062 | verification-plan | Verify BACnet B-ASC profile conformance (REQ for BIG-BACnet): Using a BACnet protocol analyser and conformance test suit... |
| VER-REQ-063 | verification-plan | Verify IEC 61508-2 SIL 3 architectural constraints via FMEA analysis: Review Safety Controller hardware design against I... |
| VER-REQ-064 | verification-plan | Verify Group Dispatch Controller performance watchdog (REQ for GDC-watchdog): Simulate peak-load traffic (150% rated pas... |
| VER-REQ-065 | verification-plan | Verify SUB-REQ-005 EN 81-72 Phase I recall 5s response: de-energise fire recall relay; measure time to Safety Controller... |
| VER-REQ-066 | verification-plan | Verify IFC-REQ-001 (BACnet/IP BMS interface): Connect BMS simulator to elevator BACnet/IP port. Confirm ASHRAE 135-2020 ... |
| VER-REQ-067 | verification-plan | Verify IFC-REQ-002 (fire alarm hardwired relay): De-energise fire alarm relay contacts and measure Safety CPU signal acq... |
| VER-REQ-068 | verification-plan | Verify IFC-REQ-003 (access control RS-485/TCP): Connect access control simulator via RS-485 and TCP/IP. Transmit 500 cre... |
| VER-REQ-069 | verification-plan | Verify IFC-REQ-004 (emergency intercom interface): Simulate car entrapment. Confirm two-way voice connection established... |
| VER-REQ-070 | verification-plan | Verify IFC-REQ-012 (Safety Controller to electromagnetic brake interface): Apply 24V DC to each brake coil independently... |
| VER-REQ-071 | verification-plan | Verify IFC-REQ-013 and IFC-REQ-014 (power management interfaces): Command ATS source-select via Power Management Control... |
| VER-REQ-072 | verification-plan | Verify IFC-REQ-015, IFC-REQ-017, IFC-REQ-018, IFC-REQ-019 (door subsystem internal interfaces): Measure door motor drive... |
| VER-REQ-073 | verification-plan | Verify IFC-REQ-021 and IFC-REQ-022 (group dispatch CAN bus and hall call RS-485): With 4-car group at peak traffic, meas... |
| VER-REQ-074 | verification-plan | Verify IFC-REQ-024 and IFC-REQ-025 (BIG-to-GDC CAN and event logger CAN): Inject BMS floor lockout via BIG and confirm G... |
| VER-REQ-075 | verification-plan | Verify SUB-REQ-011 (velocity profile jerk limit): Command car to travel 6 floors with rated load. Capture position data ... |
| VER-REQ-076 | verification-plan | Verify SUB-REQ-014 (VFD EMC compliance): Conduct EN 12015 Class C2 conducted emissions test (150 kHz–30 MHz) and radiate... |
| VER-REQ-077 | verification-plan | Verify SUB-REQ-016 (traction drive MTBF): Review manufacturer reliability data, field failure records, and FMEA for Moto... |
| VER-REQ-078 | verification-plan | Verify SUB-REQ-017 (electromagnetic brake dual coils): Inspect brake assembly drawings confirming dual independent coils... |
| VER-REQ-079 | verification-plan | Verify SUB-REQ-020 (battery SoC monitoring): Discharge UPS battery from 100% to 20% SoC while monitoring PMC SoC reading... |
| VER-REQ-080 | verification-plan | Verify SUB-REQ-021 (VFD supply voltage tolerance): Apply 380V, 400V, and 420V three-phase supply at 48 Hz, 50 Hz, and 52... |
| VER-REQ-081 | verification-plan | Verify SUB-REQ-039 and SUB-REQ-040 (safety rail power supply): Measure 24V DC safety rail voltage under maximum load (Sp... |
| VER-REQ-082 | verification-plan | Verify SUB-REQ-042 and SUB-REQ-043 (form factor inspection): Inspect Safety Controller DIN-rail module and Motor Control... |
| VER-REQ-083 | verification-plan | Verify SUB-REQ-049, SUB-REQ-055, SUB-REQ-073, SUB-REQ-074 (enclosure and cabinet inspection): Inspect controller cabinet... |
| VER-REQ-084 | verification-plan | Verify proof test interval compliance (REQ-SEINDUSTRIALELEVATOR-081): Review proof test procedures for all SIL 3 safety ... |