When Software Takes Control
Verifying the operational safety of relevant firmware
by Dr. Rolf Zöllner
A rising number of mechanical safety features in lift systems are monitored and controlled by software. This monitoring and control software must be kept up-to-date and satisfy both product- and functional-safety criteria. This article points out what operators must look out for and how they can successfully establish operational safety.
Lifts contain an array of safety components to ensure travel is safe for passengers, even in cases of malfunction. These components are mostly mechanical or mechatronic units, such as speed governors and safety gears, which decelerate the lift car should the maximum speed of travel be exceeded. Nowadays, integrated hardware (HW) and software (SW) systems have increasingly taken over the monitoring and control of mechanical safety features, establishing independent circuits alongside the standard control systems for the lift’s state of operation. Their HW typically comprises sensors, logical units and actuators, delivering data that are processed and evaluated by SW products.
Making Use of Available Data
In regular operation, for example, the shaft information system monitors the position of a lift car (shaft coding). This can be done, for instance, with the help of a magnetic strip of tape installed in the lift shaft that continuously reports the current position of the car to the programmable logic controller (PLC). The PLC then gives the control command to the motor and drive system. This enables the lift to stop precisely at the landings on each floor without creating tripping hazards.
The shaft information system can also be used to identify safety-related malfunctions and reliably return the lift to a safe state of operation. As the position of the car is continuously recorded, the sensor recognizes any impermissible acceleration values from causes such as rope breakage, enabling the control unit to initiate appropriate counteractions.
Reliable System Due to Type Examination
To achieve this, the HW/SW system must ensure reliable and correct identification of all hazardous states of operation. If information is processed incorrectly, the necessary action might not be triggered in case of an emergency, or the safety gear might engage during regular lift travel.
Safety components must meet high safety standards. The reliability of their safety functions must be established before lift manufacturers can use them in their lift systems. This is why Notified Bodies (NBs) conduct type examinations in which they inspect the design and construction of the components, as well as their functions and validation and verification measures.
Software, Also After Updates
Testing the effectiveness of SW safety functions and excluding any unwanted interactions from standard operating equipment in the operational phase of a lift can be challenging.
In many instances, inspectors have nothing more to go on than a sticker on the control unit with the version number of the installed SW. In many cases, there are no reliable indications of whether the information is still applicable, or whether an update or new SW has been uploaded in the meantime (and, if so, by whom and how that impacts the safety functions).
Lift safety can only be confirmed if the expert can verify that the SW still corresponds to the type examination or that updates, if any, conform with the functional safety requirements defined in IEC 61508-3. Given this, establishing correct functional safety management with its SW development safety lifecycle and ensuring thorough and traceable documentation of all changes are important measures.
Verification Made Easy by Complete Documentation
Configuration management helps achieve some of the above criteria. Under a well-established configuration management system, lift documentation includes a note or QR code sticker that can be quickly scanned by inspectors using a tablet or smartphone. Inspectors can access digital lift documentation, check the version number of the SW and its approval by an NB; track all servicing and maintenance activities performed; and, ultimately, document the results of their inspection under a secure login. This provides experts with all the information they need to confirm that use of the lift is safe until the next inspection.
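As an added illustration (not code from the article or from any lift manufacturer), this is the check an inspector's tool could make once the QR code resolves to the configuration-management record: the installed image is fingerprinted and matched against the type-examined build or a documented, approved update, so the sticker version is cross-checked rather than trusted on its own. Image bytes, version numbers and certificate or approval references are constructed placeholders.

```python
import hashlib

def sha256_hex(image: bytes) -> str:
    """Fingerprint of a firmware image; the record stores this, not only a version string."""
    return hashlib.sha256(image).hexdigest()

# Constructed sample images standing in for the shaft-information firmware binaries.
APPROVED_IMAGE = b"shaft-info-fw v2.4.1 (type-examined build)"
UPDATED_IMAGE = b"shaft-info-fw v2.5.0 (field update)"
UNKNOWN_IMAGE = b"shaft-info-fw v2.5.0 (unofficial rebuild)"

# Constructed configuration-management record that the QR code would resolve to.
# Certificate and approval references are placeholders, not real NB identifiers.
RECORD = {
    "type_examination": {"version": "2.4.1", "sha256": sha256_hex(APPROVED_IMAGE),
                         "certificate": "NB-CERT-PLACEHOLDER"},
    "change_log": [
        {"version": "2.5.0", "sha256": sha256_hex(UPDATED_IMAGE),
         "approval": "FS-CHANGE-PLACEHOLDER", "by": "maintenance-co", "date": "2024-03-01"},
    ],
}

def verify_installed(image: bytes, sticker_version: str, record: dict) -> tuple[str, str]:
    """Decide whether the installed SW is traceable to the type examination.

    Returns (verdict, reason). The decision rests on the image fingerprint matched
    against the record; the sticker version is only cross-checked against it.
    """
    digest = sha256_hex(image)
    base = record["type_examination"]
    if digest == base["sha256"]:
        matched = base["version"]
        reason = f"image matches type examination {base['certificate']}"
    else:
        entry = next((e for e in record["change_log"] if e["sha256"] == digest), None)
        if entry is None:
            return "fail", "image matches neither the type-examined build nor any documented update"
        if not entry.get("approval"):
            return "fail", f"update {entry['version']} is recorded but carries no functional-safety approval"
        matched = entry["version"]
        reason = f"documented update {entry['version']} approved under {entry['approval']}"
    if sticker_version != matched:
        return "warn", f"{reason}; sticker says {sticker_version}, record says {matched}"
    return "ok", reason
```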
This form of verification is already possible. Comprehensive and thorough documentation offers operators a solution for straightforward and continuous verification that their lift systems are safe.