Risks of Using Software and Electronic Elements in Elevator Safety Devices
Oct 1, 2021
As technology advances, developments in software and electronics also affect elevators: control systems process more data in less time and get “smarter.” Moreover, although adequate measures have been developed for mechanical risks (falling, rupture, burning, etc.), software risk assessments are not comprehensive, so preventive measures for the safety of software and electronic elements are still a developing issue.
All the protections required for safety are controlled by software and electronic devices. Software is used in every part of an elevator, including monitoring safety components that have an electric contact, continuously communicating the position of the elevator, synchronizing the operation of the machine brakes and monitoring whether the car door is closed.
Thanks to software and electronic elements, elevators have become lighter. For example, Controller Area Network (CAN) technology renders complicated wiring and electronic cards unnecessary, while Safe Torque Off (STO) drives eliminate the need to control the motor with contactors, and heat, proximity and photo sensors dispense with mechanical relays and various mechanical switches.
Functional safety methods used in many industries, especially the automotive industry, have replaced the mechanical protection elements used in elevators and are known as PESSRAL (Programmable Electronic Systems in Safety Related Applications for Lifts). By definition, PESSRAL is a system that provides any of the electrical safety devices listed in EN 81-20 Annex A1 by means of one or more programmable electronic elements. In this case, all parts of the system, such as sensors, data highways and integrated modules, are included in PESSRAL. The safety devices listed in Annex A1 (landing door locking device, overspeed governor, buffer contact, etc.) can be realized in more than one way: as well as conventional safety contacts, sensors and electronic cards that process data and convert it into commands can be used. For example, limit switches can be implemented with safety contacts, one at the top and one at the bottom, or the position of the car can be measured by the controller, which processes the continuous data coming from the encoder and the shaft information system. In the second case, there is no mechanical lever holding the contacts, which saves material.

Additionally, when PESSRAL is used, the whole system is regarded as a safety component. Therefore, the elevator cannot be placed on the market without an EU Type Examination Certificate from a notified body. Note that PESSRAL is not a deviation from the standards. PESSRAL is an important innovation, as it leads to the development of electronic mechanisms that operate as standard elevator parts.
When software is used in safety components, it introduces risks that the standard does not cover, or whose elimination it does not require to be verified. One of these risks is that the software content is not visible and cannot be examined. As the use of software and electronics increases, the controller becomes more important in terms of safety. For example, while simple electric contacts disconnect the power of the motor by opening the circuit mechanically, when software is used the control module has to execute a series of commands to disconnect power to the motor. These electronic parts and the software should meet the defined safety level standard called SIL (Safety Integrity Level), which essentially determines the failure-rate tolerance of the system. Additionally, while the standard requires testing the functionality of the safety components, it does not require a test of their content. The software updates we currently see in our computers, cars, smartphones and smart refrigerators are now available in elevators. Updated software is new software, and it indicates that changes have been made to the system the NOBO verified. According to the directive, in the product inspections within Module C that NOBOs perform on safety components, a change in any part of the safety component requires the NOBO to suspend the certification. Although global manufacturers often make changes to the software, the EU-certified PESSRAL systems remain in use. This means it is not possible to know whether the updated safety component is still “safe” or not. It will not be surprising if new provisions are added to the standard in the future.
Another issue is external intervention. Monitoring and intervention systems, which provide remote monitoring and predictive maintenance of elevators, essentially enable access to the control systems. Protecting this software, which is getting more complex and sometimes runs on Linux-based operating systems, against viruses during any such external intervention is something that is ignored. Control systems detect external intervention and shut off. However, bypassing safety systems is a possible risk. Since the smart systems of high-security buildings are frequently monitored externally, harmful scripts such as Trojans can exploit vulnerabilities of the safety circuits.
Another weakness, for safety-related parts whose mechanical versions have been eliminated by software, lies in the instructions in the maintenance guides. For example, the greatest risk for limit switches replaced by PESSRAL can be the stretching of the counterweight ropes. According to the standard, limit switches should be activated before the counterweight or car contacts the buffers. A system that activates the limit switch by calculating the car position is calibrated during the initial adjustment by considering the position of the counterweight. However, due to elongation of the rope, the counterweight eventually contacts the buffer. Although EN 13015 requires a maintenance guide for safety components, it has gaps regarding the instructions for other parts that may indirectly affect the safety components. Therefore, there is a risk if the manufacturer does not prescribe a maintenance procedure, inspected by a notified body, that eliminates the risks related to software-based safety components.
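The following is an added illustration of the rope-elongation risk just described, not code from any elevator controller or from the article's author. It models a PESSRAL-style limit that trips on a car position fixed at commissioning, shows the elongation at which that limit stops tripping before buffer contact, and adds the kind of maintenance check the article calls for; the geometry is simplified (counterweight moves opposite to the car, stretch lowers it uniformly) and all figures are constructed.

```python
"""Constructed model of a software limit switch losing its margin to rope stretch."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Commissioning:
    travel_mm: float        # car travel between bottom and top landings
    cw_clearance_mm: float  # counterweight-to-buffer gap with car at top landing
    trip_margin_mm: float   # gap that must remain when the software limit trips


def counterweight_gap_mm(car_pos_mm: float, c: Commissioning, elongation_mm: float) -> float:
    """Counterweight-to-buffer clearance for a car position (0 = bottom landing).
    Car overtravel above the top landing and rope elongation both reduce it."""
    return c.cw_clearance_mm + (c.travel_mm - car_pos_mm) - elongation_mm


def calibrated_limit_mm(c: Commissioning) -> float:
    """Car position at which the software limit trips. It is fixed at commissioning
    so that trip_margin_mm of clearance remains, assuming zero elongation."""
    return c.travel_mm + c.cw_clearance_mm - c.trip_margin_mm


def buffer_contact_car_pos_mm(c: Commissioning, elongation_mm: float) -> float:
    """Car position at which the counterweight actually reaches its buffer."""
    return c.travel_mm + c.cw_clearance_mm - elongation_mm


def limit_still_protects(c: Commissioning, elongation_mm: float) -> bool:
    """True while the fixed limit trips before buffer contact; false once the
    elongation has consumed the whole commissioning margin."""
    return calibrated_limit_mm(c) < buffer_contact_car_pos_mm(c, elongation_mm)


def clearance_check(measured_gap_mm: float, c: Commissioning, reserve_fraction: float = 0.5) -> str:
    """Hypothetical maintenance check: re-measure the counterweight clearance at the
    top landing and compare it with the commissioning value instead of trusting the
    stored calibration. Returns an action code for the maintenance record."""
    elongation = c.cw_clearance_mm - measured_gap_mm
    if elongation >= c.trip_margin_mm:
        return "STOP: limit no longer trips before buffer contact; shorten ropes"
    if elongation >= c.trip_margin_mm * reserve_fraction:
        return "WARN: elongation has consumed part of the trip margin; schedule rope shortening"
    return "OK"


if __name__ == "__main__":
    site = Commissioning(travel_mm=30000.0, cw_clearance_mm=300.0, trip_margin_mm=100.0)
    for stretch in (0.0, 60.0, 120.0):  # constructed elongation values in mm
        print(f"elongation {stretch:5.0f} mm: limit protects = {limit_still_protects(site, stretch)}, "
              f"check = {clearance_check(site.cw_clearance_mm - stretch, site)}")
```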
Software and electronics drive the development of elevators, as of all other areas of our lives. However, the risks of this rapid progress are not yet fully under control. The EN 81 standard family, which guarantees the safe installation of elevators, should introduce new provisions and additional responsibilities for the manufacturer. For example, certain information about the software (version, name, etc.) should be visible and controllable. In any case, the number of risks defined in Chapter 4 should be increased, and the risk assessment should be expanded to cover current technologies.