Remote Interaction Operation and Cybersecurity Is Codified

by Kevin Brinkman and Vincent Robibero

RIO has the potential to take elevator safety and the user experience to the next level. 

Remote Interaction Operation (RIO), which permits interaction between off-site systems with the automatic operation features of elevators connected to the internet, has the potential to be one of the most significant technological introductions in the history of elevators due to its capability to enhance safety and the user experience. For example, remote systems can help building owners and managers secure building floors for events or for tenants, confirm an elevator is blocked at a floor or park elevators on desired floors in preparation for VIP or other planned building traffic. 

RIO can also work together with remote monitoring supporting service personnel’s troubleshooting and corrective actions. RIO is currently limited to traction and hydraulic elevators; however, future requirements for other elevator types or building transportation systems such as escalators and moving walks may be developed. 

Internet-connected systems in the market are expanding exponentially, from washers and dryers to automobiles. These new requirements establish the first minimum requirements for internet-enabled elevator systems in the ASME A17.1/CSA B44 code.

RIO Requirements

Prior to the 2022 edition of A17.1, the code did not address remote interaction with elevator equipment and did not contain any requirements for connectivity to the internet. The new requirements in A17.1-2022 are vital to ensuring that when elevators are connected to the internet and are enabled to be interacted with remotely, they meet the requirements developed by industry and ASME code committee experts.    

ASME A17.1-2022/CSA B44:22 (A17.1) introduced a new set of permissive requirements that address remote interaction operation for electric and hydraulic elevators. In addition to permitting interaction between off-site systems with the automatic operation features of elevators connected to the internet, cybersecurity requirements are provided in the code to protect elevator systems connected to the internet, including where RIO is involved. The requirements for RIO discussed here permit features and functions involving automatic operation to be invoked by signals exchanged between off-site systems and the elevator controllers of electric and hydraulic elevators within the limitations of the 2.26.13 and 3.26.12 sections of the A17.1 code. These requirements are not applicable to remote monitoring systems, which only collect data from elevator systems.

As noted earlier, RIO permits interaction between off-site systems with the automatic operation features of elevators connected to the internet. On-site elevator controllers that interact with off-site systems are subject to the requirements of RIO only when RIO is provided and enabled in an elevator. On-site devices, such as smart mobile phones, that interact with the off-site systems are not applicable or subject to the requirements for RIO. On-site mobile devices that interact directly with elevator controllers are also not subject to the requirements of RIO. These interfaces are subject to all other existing requirements of the code, as noted in FIG. 1.0.

Off-site systems may also perform other non-RIO actions such as service diagnostics interactions with on-site elevator personnel. These actions are also not subject to the requirements of RIO (see FIG 1.1).

The “actions” permitted for RIO are outlined in the requirement 2.26.13.2 and include:

Registering car and hall calls to unsecured floors, 

Activating, deactivating or setting the state of features, operations or functions associated with automatic or group automatic operation, and 

Removing the car from group automatic operation, except as limited by 2.26.13.3 and 2.26.13.4.

The above actions are restricted to the limitations specified in 2.26.13.3, 2.26.13.4, 2.26.13.5, 3.26.12.1 and 3.26.12.2. These requirements comprehensively cover all elevator operations RIO is not permitted to enable, disable, override, reset or interfere with and all safety devices, functions and means RIO is not permitted to interfere with, modify, reset, render ineffective nor render inoperative. Features, functions, devices and means not covered by these requirements are permitted to be modified, enabled, disabled, overridden and reset by RIO. Changes to parameters that are not prohibited by the requirements are permitted by RIO. These include, for example, changing parameters for the security for floors, door dwell time and supervisory modes such as the Sabbath operation are permitted utilizing RIO.

Requirement 2.26.13.6 also specifies that only elevator personnel and authorized personnel (as defined by A17.1) are permitted to utilize RIO. Authorized persons can be building tenants, employees or anyone entering the building that has been given authorization by the owner to utilize RIO with appropriate instructions on that utilization. On-site documentation is required to provide circuits relevant to RIO when it is provided, as well as procedures on how to disable RIO actions for elevator, authorized and emergency personnel.

When RIO is provided, signage is required that states “REMOTE INTERACTION OPERATION PROVIDED.” The signage is attached to the surface of the elevator controller or inside an inspection and test panel to alert elevator personnel of the presence of RIO. 

Cybersecurity

The mandatory requirements in A17.1 Section 8.14 were developed to address cybersecurity requirements for elevator controllers and apparatuses that provide a direct or indirect gateway to the internet for elevator controllers; for example, all elevator apparatuses that provide an enabled direct or indirect internet connection to the elevator controller (i.e., an elevator internet firewall between the elevator controller and internet). 

Requirement 8.14.1 in Section 8.14 provides the applicability of the requirements. This includes enabled internet connections directly to elevator controllers and enabled internet connections to all devices that are connected to elevator controllers. All points of enabled internet connectivity in both instances must comply with the requirements of Section 8.14.1. Note that RIO is neither specified nor required when there is internet connectivity. Section 8.14.1 requires process certification to the IEC standards referenced. Certification is normally demonstrated by certification documentation. 

Requirement 8.14.1(a)(2) requires one or more means be provided to disable the actions of RIO and disable connectivity to the internet for apparatuses covered under 8.14.1. These “means” may disable RIO and internet connectivity simultaneously or separately and may be implemented on individual elevators or groups of elevators. On-site documentation is required under 8.6.1.2.2(d)(4) to explain how to utilize these means to disable RIO and internet connectivity.

Finally, Section 8.14 provides for a means to download executable software specified in code sections 2.26.1.7.1 and 3.26.11.1 that will facilitate conformance with other requirements in the code for the downloading of such software. This means is not required for downloading software not addressed by the above two code sections on executable software, however. Section 8.14.1 will apply if the internet is utilized for the downloads.

Be Connected

As noted earlier, in the modern world, everything is being connected to the internet, from building management systems, home appliances and manufacturing tools to all forms of transportation systems. People want to interact with all types of building systems — from security systems to HVAC to fire alarm systems. RIO is now part of that connected experience for their elevator systems.

To learn more about how NEII is working to drive further change in the elevator industry, go to neii.org.