Lifts in the New Millennium


This paper was presented at the 2022 International Elevator & Escalator Symposium in Barcelona, Spain.

1. Abstract

Many aspects of our life and approach to doing things have been radically changing in the past few decades. Technology is moving human life in the direction of global connectivity of people and machines, where smart appliances make life easier by taking care of tedious tasks. This article looks at recent innovations in lift technology, placing them in the context of global trends in the industry. It touches on some of the benefits and challenges of new technologies, with an emphasis on safety and risk control. The article ends with a forecast of main features to be expected in new designs of lifts and escalators in the near future. 

Introduction

For the past few decades, world industry has been revolutionized with breakthroughs in software and electronics. This trend has been sustained by the intent of facilitating humankind in the execution of repetitive or burdensome tasks. Innovations in rapid succession have helped connect people with each other, people with machines and machines with machines, in ranges and at speeds that were unthinkable before the start of the new millennium. 

In this series of innovations, we can think, for example, of the revolution that made it possible to receive messages and notifications in real time on a wristwatch, or to execute payments with smart phones. And let’s not forget smart cars that are able to drive by themselves, home thermostats and ovens that can be started remotely before leaving the office, unmanned drones that deliver packages and, finally, technological infrastructure that made remote working and remote education possible on a large scale for the first time in history. 

Even intimate concepts such as “friendship” and “like” have assumed a whole new connotation after the advent of new technologies. Our approach to doing things is radically changing: Technology is moving human life in the direction of global connectivity of people and machines, where smart appliances make life easier by taking care of tedious tasks. With advancements in the field of AI, even tasks where some level of thinking and cognition might be involved can be automated and machines have already started advising on decisions or choices involving risks, based on the analysis of very large amounts of data over time. This (r)evolution has not spared the process and manufacturing industry. These have also been shifting toward remote control and the automation of operation and maintenance tasks. 

Figure 1. Crystal Palace, New York, 1853. Elisha Otis demonstrates his invention of the safety gear for lifts.



1. What’s New in the Lift Industry? 

In 1853, the invention of the “safety gear” increased public confidence in the safe use of lifts. As a consequence, the elevator industry took off. With the successive inclusion of electric motors (Werner von Siemens, 1880), and counting on the integrated safety devices, lifts started to serve higher and higher floor levels and became an essential element in residential and industrial areas.

Since then, (traction) elevator design crystallized in a well-defined set of more-or-less fixed elements: car, suspension ropes, motor, counterweight, buffer and safety devices.  

With increasing concerns for public safety in society, requirements for installation and use of elevators (in Europe) were formalized and regulated by the “Lift Directive.” The Directive stipulates precise conditions to introduce elevators in the market. It is binding for all involved parties: manufacturers, installers, distributors and end users, for the public benefit of guaranteeing safe use of lifts. 

The creation of harmonized standards has helped installers and manufacturers understand and adhere to the Lift Directive when developing new components, both mechanical and electrical. 

2. Evolution in Lifts

At the turn of the new millennium, an innovation was introduced in the lift sector: PESS, or Programmable Electronic Safety System. This technology from the field of industrial automation was included in the lifts standards in 2005. EN 81-1/2: A1 Amendment defined the new application as PESSRAL*: Programmable Electronic System in Safety Related Applications for Lifts. 

Concerning the theory, definitions, techniques and measures to ensure that PESSRAL is engineered and operated in a way that satisfies the required risk reduction, EN 81-1/2 refers to IEC* 61508 (Ed1: 2000, Ed2: 2010), which is the leading standard for functional safety of E/E/PE** safety-related systems. (See notes at the end of presentation). 

3. Innovative Aspects of PESS 

PESS offers different new aspects and advantages, both in safety and operations. 

4. Safety Aspects

Probability of Dangerous Failure. PESS relies on fulfilling a degree of safety called SIL (Safety Integrity Level), which expresses the calculated measure of the probability of failing in a dangerous mode of a safety function. 

EN 81-20:2020 Annex A (normative) assigns required SIL levels for “electric safety devices,” replacing the traditional mechanical safety devices. 

Within the SIL framework, a PESSRAL safety function is seen as a chain of components. The chain connects the elements that perform the “detection” of a hazardous condition to those that are responsible for executing the corresponding “action” via a processor. In short, a given safety function involves all devices that perform the required (partial) functions needed to avert a hazard, from detection to action. 

Hardware Fault Tolerance. The SIL target of a safety function does not only set a hard requirement for the maximum total probability of dangerous failure of the safety function. It also imposes requirements for the safety quality of each element involved in the safety function. Each element in the safety function must meet a minimum quality related to its failure behavior in order to be applied as a single device in that function, or else it must be applied in a redundant architecture. 

This idea is called Hardware Fault Tolerance (HFT). It represents the minimum number of device failures that could cause the loss of the safety function. 

Figure 2. Probability of dangerous failure per hour corresponding to each SIL level (high demand mode of operation)

HFT implies that when an instrument has a low percentage of safe failures with respect to the total failures (where total failures include both dangerous and safe failures), it must be duplicated or triplicated, depending on the SIL target of the function. In case of a dangerous failure of one component, the redundant component(s) can guarantee the availability of the safety function. 

The maximum allowable safety integrity level that can be claimed for elements of a safety function is given below. Two different types of element are defined: Type A and Type B. An element is regarded as Type A (simple device) when the failure modes of all its components are known. In addition to this, the behavior of the element under fault condition is completely determined. All other devices can be considered Type B. 

Figure 3. HFT for Type A elements (IEC61508-2 (2010), Table 2)
Figure 4. HFT for Type B elements (IEC61508-2 (2010), Table 3)
Figure 5. Depiction of the 20-20-20 Rule (not in scale). A failure can be introduced in the system at any phase of the lifecycle — not necessarily only during design.

Hardware Safety Integrity. Hardware Fault Tolerance, together with the probability of dangerous failure, helps demonstrate the hardware safety integrity of a safety function. 
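As an added illustration (not part of the original paper), the Python example below applies both checks to one safety function chain: the total probability of dangerous failure per hour against the high demand bands, and the per-element limit from IEC 61508-2 (2010) Tables 2 and 3. The subsystem names, failure figures and the SIL 3 target are constructed for the example, and summing subsystem values along the chain is the usual series approximation.

```python
"""Hardware safety integrity check for one safety function (added example)."""
from dataclasses import dataclass

# High demand mode: dangerous failures per hour below the bound -> SIL (IEC 61508-1).
PFH_BANDS = [(1e-8, 4), (1e-7, 3), (1e-6, 2), (1e-5, 1)]

# Maximum claimable SIL per element, IEC 61508-2 (2010) Tables 2 and 3.
# Rows: safe failure fraction <60%, 60-<90%, 90-<99%, >=99%.
# Columns: hardware fault tolerance 0, 1, 2. A value of 0 means "not allowed".
ARCH_LIMIT = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
    "B": [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],
}


@dataclass(frozen=True)
class Subsystem:
    name: str
    kind: str    # "A" (simple device) or "B" (all other devices)
    sff: float   # safe failure fraction, 0.0 .. 1.0
    hft: int     # 0 = single channel, 1 = duplicated, 2 = triplicated
    pfh: float   # dangerous failures per hour of the subsystem as architected


def sil_from_pfh(pfh: float) -> int:
    """SIL supported by a probability of dangerous failure per hour (0 = none)."""
    if pfh <= 0:
        raise ValueError("PFH must be positive")
    for upper, sil in PFH_BANDS:
        if pfh < upper:
            return sil
    return 0


def arch_limit(sub: Subsystem) -> int:
    """Maximum SIL the element may claim given its type, SFF and HFT."""
    if sub.kind not in ARCH_LIMIT or sub.hft < 0 or not 0.0 <= sub.sff <= 1.0:
        raise ValueError(f"invalid subsystem data: {sub}")
    row = 0 if sub.sff < 0.60 else 1 if sub.sff < 0.90 else 2 if sub.sff < 0.99 else 3
    return ARCH_LIMIT[sub.kind][row][min(sub.hft, 2)]


def assess(chain: list[Subsystem], target_sil: int) -> dict:
    """Evaluate the detection-to-action chain against a target SIL."""
    if not chain:
        raise ValueError("a safety function needs at least one subsystem")
    total_pfh = sum(s.pfh for s in chain)          # series approximation
    pfh_sil = sil_from_pfh(total_pfh)
    limits = {s.name: arch_limit(s) for s in chain}
    achieved = min(pfh_sil, *limits.values())      # weakest constraint wins
    return {
        "total_pfh": total_pfh,
        "pfh_sil": pfh_sil,
        "arch_limits": limits,
        "achieved_sil": achieved,
        "meets_target": achieved >= target_sil,
        "blockers": [n for n, lim in limits.items() if lim < target_sil],
    }


# Constructed data: an overspeed protection chain with a single speed sensor.
CONSTRUCTED_SINGLE_SENSOR = [
    Subsystem("speed sensor", "B", sff=0.85, hft=0, pfh=4e-8),
    Subsystem("safety logic", "B", sff=0.99, hft=1, pfh=5e-9),
    Subsystem("brake contactors", "A", sff=0.70, hft=1, pfh=2e-8),
]

# Constructed data: same chain with a duplicated sensor and better diagnostics.
CONSTRUCTED_REDUNDANT_SENSOR = [
    Subsystem("speed sensor", "B", sff=0.92, hft=1, pfh=3e-9),
    CONSTRUCTED_SINGLE_SENSOR[1],
    CONSTRUCTED_SINGLE_SENSOR[2],
]

if __name__ == "__main__":
    for label, chain in (("single sensor", CONSTRUCTED_SINGLE_SENSOR),
                         ("redundant sensor", CONSTRUCTED_REDUNDANT_SENSOR)):
        r = assess(chain, target_sil=3)            # SIL 3 target is assumed
        print(f"{label}: PFH={r['total_pfh']:.2e} supports SIL {r['pfh_sil']}, "
              f"architecture limits {r['arch_limits']}, "
              f"achieved SIL {r['achieved_sil']}, blockers {r['blockers']}")
```

In the first chain the total failure probability alone would support SIL 3, yet the single Type B sensor caps the whole function at SIL 1.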

Annex A of EN81-1/2 presents a list of so-called “electric safety devices” required in a lift to replace traditional safety devices. Some examples to consider are protection against overspeed, protection against traveling with doors open, detection of slack condition of traction means, etc.

According to the new update of the Lift Directive, the use of PESSRAL in a safety device makes it a “safety component,” which must also be verified according to EN 81-50 5.16 and Annex B. 

Lifecycle: the General 20-20-20 Rule. When producing an elevator and its safeguarding, the following lead times apply in general: 

  • Analysis, Concept, Requirements (approximately 20 weeks)
  • Engineering Design and Implementation (approximately 20 months)
  • Operation and Maintenance (approximately 20 years) 

In the traditional approach, manufacturers pay exclusive attention to designing a reliable product until the installation and first inspection. Much less or no attention is paid to the operation and maintenance period, which is, in fact, the longest period of time in the whole lifecycle of the lift. In this period, the elevator is exposed to all sorts of events and stresses that may cause safety parts to fail their mission. Shortage of skilled technicians at the required time for preventive maintenance is also a factor of increased stress for the elevator, which directly results in increased risk for both users and owners. 

All the stressors accumulating during the operation and maintenance phase directly affect the safety performance of the lift, even though it was designed and put into operation with the highest reliability. 

For the above reasons, the SIL framework integrates the operation and maintenance phases and tracks the reliability of the safety functions through these exploitation stages until the decommissioning of the lift. This is the concept of the safety lifecycle. 

The (safety) lifecycle is a new approach for many lift manufacturers, end users and maintenance companies. It requires a paradigm shift in the traditional way of doing things. The classic approach followed in the sector is usually to not take into account factors pertaining to the installation, maintenance or operation phase at the time of design. In this approach, the handover between the design team and successive team(s) is found to contain several gaps in the ownership of responsibilities, even when the teams fall under the same manufacturing company (as is the case for large manufacturers). 

Gaps increase when the handover involves third-party maintenance companies. In this transaction, little or no guarantee is offered or discussed regarding sufficient training and knowledge on the part of the maintenance personnel. The traceability of actions and confidence in retaining the required safety integrity decrease dramatically. Grey zones and management of the responsibilities for maintaining the safety integrity of the system remain a point of attention for all parties involved in the design, production, installation, operation and maintenance of a lift containing SIL-rated safeguards. 

Systematic Capability. The SIL framework (supported by PESS) recognizes that simply calculating the integrity of the hardware components of a safety function does not suffice to guarantee the required availability and expected performance of a safety function. 

One intuitive way to understand this is to consider that a design error can cause a safety function to fail, even when its integrity is intact. One example could be designing a slow safety function. If the time required by the safety system to detect the hazardous condition, compute the logic and trigger the corresponding action is longer than the window of time available before the accident occurs, the safety function will fail to avert the accident every time it acts. Even though it is possible to calculate a very low probability of failure based on the architecture and failure rates of the components, which is to say that we may claim the required SIL — or even a better SIL than required — was used, the safety function will still fail every time it is needed. 

Erroneous cognitive processes of personnel — which could result in incorrect handling — directly influence the behavior of a safety function and affect its safety integrity. Incorrect execution of any task in the safety lifecycle may introduce a possible failure in the safety system. All personnel functions and roles and all phases of the lifecycle are included, from design to testing, from installing to performing maintenance, from verification to software development, from planning to administration (for example when administration is intended as recording and archiving in order to provide an auditable trail for any safety assessor) and even procurement. 

All these influences are summarized in a parameter named “Systematic Capability (SC),” which is a confidence degree assigned to the whole system of training, guidance and controls of an organization, involving all company personnel participating in the safety lifecycle. All deliverables of the organization, whether materials or services, carry this quality mark, and for each element of a safety function, this parameter must match the required SIL level of the safety function. In short, all elements and all organizations involved in the lifecycle, including suppliers, are bound by this parameter. 

Wrap-up. The table below presents a summary of the innovations of PESS (SIL framework) in the approach to risk control.

Figure 6. Safety Lifecycle (IEC61508-1 (2010))

5. Operational Aspects

PESS applications offer a series of operational advantages for manufacturers, users and end users. These include: 

  • Flexibility: Updates can be carried out with no (or limited) modifications of the hardware.
  • Possibility of handling more complex safety functions (implement interlocks, safety contacts, logic conditions), which can be updated according to need
  • Reset/restart only with complete assurance that the system is fully restored
  • Efficient maintenance (troubleshooting and fault management are facilitated and considerably reduced by self-diagnostics of the PESS)
  • Record of events with timestamp 
  • Automation of periodic tests 
  • Simpler installation 

Overall, PESSRAL makes it possible to build effective elevators with a traceable and quantifiable measure of safety performance. When the potential for remote connectivity and automation is exploited, PESSRAL allows reducing costs by cutting downtimes and the frequency of service intervals. 

6. PESSRAL and the Millennium Driver: The Pursuit of Automation 

As long as PESSRAL functions remain relegated to one-time-programmable (OTP) memories, only a limited number of tasks can be conducted remotely, such as monitoring of status and a few other read-only activities. In this type of application, PESSRAL can be seen as a design alternative to the classic technology. In both approaches, the great majority of maintenance tasks and all updates (replacements) need to be performed locally by specialized personnel. 

Figure 7. Systematic capability and SIL

7. Remote Access

By providing access points to the external world, wireless or remote connection to the machine is made possible. Besides monitoring activities (which can also be exploited with OTP controllers), the infrastructure currently available in the cloud allows the deployment of Internet of Things packages. These allow the lift to autonomously report data in real time, and/or to receive updates. Such updates could range from new firmware revisions to updates of configuration parameters based on analysis supported by machine learning. Elevator data harvesting can be automated and can help derive insights. Based on this, predictions can be made that help anticipate unforeseen events that could not be forecast previously. For example, the lift can report an impending down time due to imminent breakage of parts, and even book a manned maintenance service before the breakage occurs. 

All this can be tracked from a centralized location managing the whole network of lifts globally. The anticipated advantages of centralized control and scalability, with limited reliance on local specialistic intervention, provide sufficient return on investment to push the development of this technology further. 

8. Challenges

This new technology does not only offer benefits and advantages. The picture would not be complete without reflecting on the challenges it involves. Challenges come on multiple levels and involve developers, end users and manufacturers — even certification specialists. One of the main challenges of the new technology is related to the extended connectivity of the lift. 

Connectivity. The extended connectivity of the lift in this new technology is a strength but at the same time a weakness, in that it exposes the lift to not only the intended parties. Technologies make the lift approachable by many unauthorized and often ill-intentioned actors globally. This is more than a call to caution, as newspapers and research bureaus report alarming statistics concerning the increase of cybercrime in all sectors and applications, from industry to healthcare, from strategic infrastructure to private appliances, from banking to the press. 

In the last few years it has become clear that the exploitation of tools and techniques for cybercrime has increased exponentially, driven by the prospect of gains through ransomware or for ideological reasons. A new class of young criminals is also being formed by youth that have taken up cybercrime as their pastime. 

Defense against cybercrime when IoT, remote updates and AI are involved is not an option anymore: It has become a prime necessity in order to maintain safe operations. 

The Lift Specialist of the Future. When (cyber)security becomes a primary concern, end users have to deploy and maintain a security policy. Manufacturers have to keep account of security in their product design and implementation. Both have to become acquainted with the techniques and countermeasures to implement the required security. For small execution teams, this means hiring new personnel from outside or mastering a new field of knowledge from scratch. 

New concepts, techniques and tools a lift professional must become familiar with include conducting security threat analysis, understanding authentication and encryption, deploying intrusion detection systems, configuring firewalls and guaranteeing a secure ID for each device. 

The following standards can give the lift specialist guidance concerning the design and installment of an effective and proper security policy: 

  • NEII (National Elevator Industry, Inc.) “Elevator and Escalator Industry Cybersecurity Best Practices,” April 2019, revised 2020
  • IEC62443, “Industrial Communication Networks – Network and System Security” Selected parts: Part 3-2: Security Risk Assessment for System, 2020; Part 3-3: System Security Requirements and Security Levels, 2013; Part 4-1: Secure Product Development Lifecycle Requirements, 2018. 
Figure 8. SIL approach (PESS) compared to traditional approach in Risk Control
Figure 9. A lift depicted as a machine, the parts of which are connected into a network. Access points for personnel and users are shown

It is to be noted that the peculiarity of this particular field is that it changes very rapidly compared to other fields of technology. As new tools for conducting cyberattacks become available, the cybercrime community keeps increasing, perfecting and innovating their attacks. As hackers discover new vulnerabilities and increase their capacity and sophistication, tools and techniques quickly become obsolete. A dedicated specialist is needed to periodically assess the known threats versus the degree of effectiveness of the deployed countermeasures and keep the (cyber)security countermeasures up to date. 

For some people in the field who have usually relied on a (functional) safety specialist to safeguard their machine or process, the question may arise of how to manage the relation and responsibilities between safety and security. In this respect, the following technical report from the IEC is recommended. It offers guidance on questions concerning setting appropriate boundaries and correctly framing the relation and responsibilities between safety and security: IEC TR 63069, “Industrial-Process Measurement, Control and Automation – Framework for Functional Safety and Security,” 2019. 

Challenges for Manufacturers. Industrial standards allow the use of alternative technologies in replacement of classic solutions, yet manufacturers must prove the new proposed design to be as safe as (or safer than) the traditional design. To achieve this, manufacturers need to use solid risk analysis to estimate and compare risk. 

When SIL claims are made by manufacturers, based on the requirements listed in EN 81-1/2, the manufacturers are obliged to apply all the requirements of SIL consistently. This proves to be a challenge for many companies that have only recently started adopting PESSRAL. While the calculation of probability of (dangerous) failure is familiar and is seen as a straightforward task, many designers have more difficulties applying HFT requirements. 

Unaware organizations overlook the significance of implementing a functional safety management system of sufficient effectiveness to back the claim of Systematic Capability, which underlies all SIL claims. 

In many cases, we have also observed latency in the R&D groups of manufacturers to include considerations related to operation and maintenance during the design phase. Some examples are test techniques and relative test coverage for autonomous (automatic) tests, test frequency and competence requirements for operation and maintenance personnel. This is a legacy of “the way things have always been done” in this field, with design departments traditionally not being involved with operation activities, even within large manufacturers that have maintenance contracts with their clients. 

When SIL functions are involved, manufacturers need to review their processes and methodology in view of the lifecycle approach. Efforts need to be made to create sufficient documentation for effective handover of responsibilities between the involved parties, without gaps. 

Another challenge in the field of SIL application by manufacturers is the use of device failure rates in calculations. High demand mode and low demand mode have different dynamics and apply different calculation techniques. 

Devices employed in high or low demand mode of operation exhibit different failure modes and, consequently, different failure rates in the two regimes. Often, we have witnessed the use of one and the same failure rate to make calculations in both demand regimes. Moreover, many times failure rates for devices are derived from generic (wear) data or from assumptions with insufficient scientific backing for the SIL claim. Many times, a failure mode and effect analysis is missing or incomplete. 

Many manufacturers also tend to overlook the necessity of having a qualification policy for their suppliers. According to the concept of safety lifecycle, the same burden for systematic capability applies to all parties involved in a safety function, including the suppliers of elements of the PESSRAL, whether hardware or software. 

Figure 10. The extended connectivity of the new technology. Note: Access points to field instrumentation for calibration and maintenance purposes are not shown (typically Bluetooth, BLE, WiFi).
Figure 11. Primary threat of extended connectivity of people and machines

Challenges for Certification Specialists. With the rapid increase in the rate of technological advancements, industrial standards have become slow to evolve and catch up with the novelties in the market. The holdup in the update of standards is due to complex protocols for circulation, review, consensus and voting within technical committees, which become larger and larger as more and more parties become interested in the subject. 

On the other hand, irrespective of the update cycles of the industrial standards, as soon as innovations become commercially viable, they become available to be adopted and integrated by manufacturers and suppliers. This creates a gap — a disconnect — between the industrial standards and the industry itself. For new or alternative solutions, the basis for compliance may not be found in the current standard.

On the other hand, the same phenomenon may account for safety gaps in products launched on the market because of being in a status of compliance with the written form of the current version of the standards, without fulfilling the intended purpose of the requirements expressed in the standard. 

For these reasons, certification specialists who are called to verify the safety integrity of systems under the rule of standards are sometimes required to make personal judgements. 

This may result in different applications among different notified bodies. In some cases, this effect may create in manufacturers the perception of more or less work, depending on the notified body involved in the certification activity, which, in turn, may trigger dangerous dynamics in the market when key people from both parties react based on only face value. 

It is important to realize the importance of having standards that keep pace with the technology that is available to manufacturers. 

In addition, the increasing complexity of systems requires involvement of specialists hired from outside the industry, like IT security specialists, software engineers and functional safety experts. This makes the certification process more time-consuming and expensive than it used to be and may lead to dissatisfaction for those that consider certification activity as a task that is uniform in time. 

9. Conclusions 

Digital transformation is affecting the world of lifts, even if it used to be traditionally conservative. 

A peek into the future world of lifts, based on the trends that we have witnessed in past years, shows that, in the future, the sector will definitely see an increase in the application of PESSRAL in combination with Internet of Things, (big) data collection, and machine learning, featuring the following: 

  • Smart lifts that can operate autonomously and predict their own failures and down times
  • Automation of maintenance tasks, including firmware updates, monitoring, data reporting and analysis
  • Lifts that can autonomously execute periodic tests at idle times, record and send test results
  • Shift from OTP (one-time programmable memory) to OTA (re-writeable memory conducting over-the-air updates autonomously)
  • Users can interact from home (similar to video cameras and thermostats) 

In addition, in the future we will witness more flexible lift designs, allowing the possibility of updating functionality without (or with minimal) modifications of the hardware. The exploitation of virtualization will progress, portending toward the use of the digital twin. This concept is already in use in other industries. Digital twins are real-time computer-generated versions of devices, used for modeling and testing. 

Green (ecological) designs will be popular and promoted, involving the use of fewer materials, less weight, less transportation (including transporting fewer specialists to the location to perform updates or maintenance) and less occupied space in a building. 

Lift specialists of the future will be occupied defending the lift from malfeasance as much as (or more than) they are currently busy defending it from the force of gravity and other physical hazards. As connectivity expands, cybersecurity will eventually become an integral part of the activities in this sector in all phases. 

Finally, industrial standards will have to find a way to catch up with the speed of developments in technology or they may risk becoming a stumbling block and be superseded in favor of fulfilling the directives of the Law. 

PESSRAL, by definition, is a system of control circuits used instead of safety-related devices listed in Annex A of standard EN 81-20. It allows manufacturers to replace mechanical safety devices, like a car door lock, buffer contact or even overspeed governor, with electronic loops deploying software.

Notes 

*IEC: International Electrotechnical Commission. 
**E/E/PE: Electrical/Electronic/Programmable Electronic.

Elena Mauro


Elena Mauro has been working for more than 15 years in the field of functional safety. She is a chemical engineer graduate from the Technical University in Eindhoven. After having worked for a number of years engineering emergency shutdown and fire and gas systems, she became a functional safety consultant, advising on all queries related to SIL. She became an accredited TÜV Functional Safety Engineer SIS in 2010, and a TÜV FS Expert in 2018. In 2021, she joined Liftinstituut B.V. in the role of product certification specialist for PESSRAL solutions. She is a voting member of the IEC 61508 and 61511 committees and an active member of the SIL Platform, the association of Dutch users of IEC 61508 and IEC 61511. Mauro has been company trainer for functional safety since 2013, and is an accredited TÜV trainer for the TÜV FS Engineer. In her career, she has also developed specialist training in the field of functional safety. Mauro is curious about the world in general, in particular about queries related to safety, reliability and the role of human factors in claiming integrity for complex systems. She may be reached at elena.mauro@liftinstituut.com
