Issue 4/2007
07/02/07
Use of PESSRAL in Lift Components and Systems, for Example TWIN
Gerhard Thumm
Introduction
Elevators and safety are two terms that have been inseparably linked throughout the history of elevator technology. For generations, national and international codes and standards have defined an adequate level of safety based on the state of the art of the time. For Germany, the TVA and the TRA 200 should be remembered. Until the new European Lift Directive 95/16 was put in place, these standards had a strongly descriptive character, which means that the particular technical solution to be used to reach an adequate level of safety was described and defined precisely.
For this reason, some safety components such as the safety gear or the overspeed governor did not change for many decades.
With the introduction of general safety rules in the Lift Directive, and with the further possibility of proving that a new technical solution reaches at least a comparable level of safety by applying the new approach of hazard analysis and a corresponding risk assessment, the elevator industry experienced an obvious boost in innovation.
All this has already been reported many times. But only against this background is it possible to report today on the application of new electronic control systems in safety-critical applications in elevator technology.
Electronics and software in safety-relevant systems
When dealing with these terms, one quickly encounters the basic standard IEC 61508, titled “Functional safety of electrical/electronic/programmable electronic safety-related systems”. In December 2001, seven parts of IEC 61508 were ratified and published by CENELEC as the European standard EN 61508. Finally it was adopted into the German national standards portfolio as DIN EN 61508.
All the standards mentioned describe today’s state of the art. In contrast to EN 81-1/2, EN 61508 has not been harmonised under an EU directive. Because of this, an automatic presumption of conformity when applying EN 61508 cannot be expected. For these reasons it was of tremendous importance for the application of electronic systems in elevator technology that the product family standard EN 81-1/2:A1, also known as “PESSRAL”, was worked out. PESSRAL is the abbreviation for “Programmable Electronic Systems in Safety Related Applications for Lifts”.
This standard, which has since been harmonised, refers in major parts and definitions to the basic standard EN 61508 as a so-called “co-applicable standard”.
If, in this context, a manufacturer of electronic components applies EN 61508 in safety-relevant systems, he benefits from the presumption of conformity of PESSRAL as the referencing standard.
EN 61508 is divided into 9 parts: parts 2-4 are normative in character, parts 5-9 are informative.
Basic principles of safety-relevant systems and subsystems
Installations and machines may, through breakdowns and malfunctions, cause risks to people, the environment and property.
By means of a risk analysis, the manufacturer of such installations has to identify these hazards before placing the product on the market.
For the first time, EN 61508 demands quantitative confirmation of the residual risk of the whole system, consisting of sensors, control and actuators.
Depending on the identified risks, hazard-reducing measures have to be taken using methods of error avoidance, error detection and error control. The aim of these requirements is to avoid or control system errors and to limit the probability of dangerous failures to defined values.
To achieve this, 4 levels have been defined, called Safety Integrity Levels (SIL), which describe the probability of the residual risk of failure. SIL 4 is the highest safety level, SIL 1 the lowest. Figure 1 shows the relationship between the SIL classification and the average PFD (PFDavg, probability of failure on demand).

The SIL classification should not be confused with the safety categories defined in the standard EN 954-1, which is also applicable to safety-relevant control systems. Simplified, it can be said that the SIL classification always corresponds to a category one step higher; SIL 1, for example, corresponds to category 2, and so on. Such confusion between SIL and category also occurred during the editorial revision of PESSRAL and led, after rejection by some countries, to a further revision of annex A of the standard. Within this important annex the relevant safety systems of an elevator according to EN 81-1/2 are assigned to their respective SIL level. SIL 3 is the highest classification of a safety component used within an elevator system. The highest level, SIL 4 of EN 61508, is not applicable to elevator systems for good reasons: this level is assigned to systems whose failure would have catastrophic consequences with many fatalities, as in the breakdown of a nuclear reactor or something comparable.
Risk assessment
As already mentioned, EN 61508 and PESSRAL are standards based on hazard identification and risk assessment.
The following 4 main risk parameters are the basic definitions for such an assessment:
Consequence (C)
C1 minor injury
C2 serious permanent injury to one or more persons, or death of one person
C3 death of several people
C4 very many people killed
Frequency of and exposure time in hazardous zone (F)
F1 rare to more often
F2 frequent to permanent
Possibility of avoiding the hazardous event (P)
P1 possible under certain conditions
P2 almost impossible
Probability of the unwanted occurrence (W)
W1 very slight probability and only a few unwanted occurrences
W2 slight probability and few unwanted occurrences
W3 relatively high probability and frequent unwanted occurrences
These parameters lead to the well-known risk graph (figure 2).

Application of PESSRAL in the example of TWIN
After these preliminary notes, the application of PESSRAL and EN 61508 shall be illustrated by means of the elevator system TWIN. TWIN is a new elevator system in which 2 elevator cars operate one above the other in the same hoistway. A four-stage safety system permanently monitors the distance between the two cars and thus prevents an approach closer than the defined minimum, or even a collision. This safety distance monitoring system consists of sensors, evaluation control and actuators, as generally used in many other systems. In the first generation of this control system, the safety-relevant stages 3 and 4 were realised by means of electromechanical components and could therefore be type-tested according to the well-known criteria of the elevator standard EN 81.
A swelling tube is securely fixed to the overspeed governor rope of each lift installation.
This swelling runs ahead of the lower car when it travels upwards, while the swelling attached to the governor rope of the upper car runs ahead when that car travels downwards. Under worst-case conditions, the distance between the beginning of the swelling tube and the following car has to be larger than the relevant braking distance plus the stopping distance needed by the safety gear. If the cars come too close to each other, the swelling tubes strike a safety contact installed on the other car and activate it mechanically (illustrated in Fig. 3).

The safety chains of both elevators are interrupted and, triggered by the operational brakes, an emergency stop is activated. This ensures that collisions are avoided even when the cars move towards each other at rated speed and no deceleration command is issued by the elevator control.
If one or even both brakes, and consequently the third stage of the safety system, fail, the swelling tubes activate the safety gear after a further distance corresponding to the braking distance needed at rated speed. This action is also inevitable, being based on a purely mechanical activation principle. The described concept was realised in the first TWIN installation, which is in operation in one of the buildings of the University of Stuttgart.
It is easy to see that the deceleration distances needed for the brake and the safety gear increase exponentially with higher speeds. For elevator systems with higher nominal speeds, much larger safety distances would therefore have to be chosen. A desirable close approach of the two cars would no longer be possible, for example during loading at the lower main landings.
For this reason, a new development of safety stages 3 and 4 of the distance monitoring system was undertaken on the basis of an electronic, software-based solution.
Which SIL level has to be assigned to the system?
As a first step, the question had to be answered to which Safety Integrity Level the described distance monitoring system has to be assigned.
As such a system cannot be found in PESSRAL annex A1, similar safety components had to be taken into account as a reference. In EN 81-1/2, clauses 8.15 b (emergency stop switch) and 14.2.1.3 c (emergency stop switch for inspection operation) come close to the risk of crushing if they fail. Both safety components are assigned to SIL 3. Note: for comparison, the verification of retardation at buffers with shortened stroke is found in SIL 2. If a safety component like the TWIN distance monitoring system is not yet defined in EN 81 and thus cannot be found in PESSRAL either, the route of a basic risk assessment can always be taken (figure 4).

Both procedures, however, show that the distance monitoring system has to be assigned to SIL 3.
Considerations for the design
For the design of an electronic/programmable safety component, tables 6-8 of PESSRAL have to be considered for all SIL levels.
Table 6 describes general design criteria for the hardware, for example the use of a so-called watchdog or the behaviour of the system under under- and over-voltage.
Table 7 defines the basic requirements for the creation of software, for example how interrupts are to be used.
Table 8 refers to the measures that have to be considered in the different phases of the specification, such as the design documentation or the test specification. As an example, version control of hardware and software has to be set up and consistently followed.
As the distance monitoring system is assigned to SIL 3, the particular measures for the design of hardware and software defined in table 11 of PESSRAL also have to be observed.
The most important basic requirement for a system that fulfils SIL 3 can already be found in the first line of this table.
The requirements for the processor unit, the memory, the inputs and outputs, the interfaces and also the software can be found in further definitions in the annex.
When it comes to realising all these requirements, the possibility of using control components that are already certified to SIL 3 certainly eases the workload for the R&D teams. In such type-tested components the complex memory checks, for example by means of a so-called “Galpat” test, are already included. Furthermore, the detection of a wrong clock pulse or of wrong program flow is already included as a basic feature in such a SIL 3 processor unit. Such freely programmable control units are meanwhile available on the market from different manufacturers.
When performing a complete in-house development, all the requirements set out by PESSRAL in the annexes mentioned above have to be verified and certified in cooperation with a notified body in order to prove the fault tolerance of the complete system. ThyssenKrupp Elevator has accomplished such an in-house development for an electronic speed governor (ESG) and has meanwhile received a type-test certificate according to the Lift Directive.
This ESG component has also been classified as SIL 3.
TWIN second generation distance control system
Reflecting the requirements described above, the structure shown in Fig. 6 has been realised for the distance monitoring system of TWIN Generation 2.
Two redundant sensor systems are required to detect the position of each car. The two sensors work on physically different principles. Their input signals are connected to two evaluation units, which store the input data and derive from these position signals the actual speed of each of the two TWIN cars. The two channels exchange the input signals they receive from the sensors with each other via a safe serial link.
Each evaluation unit now independently determines the position and speed of the elevator cars and, using unchangeable mathematical terms stored in memory, calculates the necessary braking and stopping distances depending on the instantaneous speed.
While performing the different calculation steps, the two channels compare their intermediate values with each other. The calculated, theoretically needed braking and stopping distances are then compared with the actual distance between the two elevator cars. The system is secured by applying the operational brake if the cars fall below a defined first minimum distance. If the two cars come closer than a second minimum distance, the safety gears are activated. The actuators for safety stages 3 and 4 are thus the same as those used in generation 1 of the system; the only difference is that they are now triggered electrically and not purely mechanically. The main advantage over the mechanical solution is that the braking and stopping distances can now be adjusted dynamically to the current speed. A close approach of the cars is again possible even at high nominal speeds.
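The two-channel logic described above can be illustrated with a small model. The following code is an added example written for this summary; it is not software from ThyssenKrupp or from the TWIN system. Each channel derives the speed of both cars from two consecutive position samples of its own sensor, computes the stage 3 and stage 4 limits dynamically from the current closing speeds, and the combined decision only acts on values the two channels agree about; a disagreement beyond a tolerance is treated as a fault and forces the safe state (this fault reaction is an assumption, the article does not describe it). The deceleration values, reaction time, residual margin, channel tolerance, sample interval and the stopping distance term (reaction travel plus v^2/(2a)) are all assumed. A helper also shows the generation 1 situation, in which the swelling tube offset has to be fixed for the worst case at rated speed.

```python
from dataclasses import dataclass

# All constants below are assumptions for this example, not values from the article.
BRAKE_DECEL = 0.6          # m/s^2, deceleration achieved by the operational brake (stage 3)
GEAR_DECEL = 2.5           # m/s^2, deceleration achieved by the safety gear (stage 4)
REACTION_TIME = 0.3        # s, delay from detection until the actuator is fully effective
MARGIN = 0.5               # m, residual gap that must remain when both cars stand still
CHANNEL_TOLERANCE = 0.05   # m, largest disagreement tolerated between the two channels
SAMPLE_TIME = 0.1          # s, interval between two position samples

OK = "ok"
STAGE3 = "stage3_operational_brake"
STAGE4 = "stage4_safety_gear"
MISMATCH = "channel_mismatch"


def stopping_distance(speed: float, decel: float) -> float:
    """Travel until standstill: reaction travel plus the kinetic term v^2 / (2a)."""
    return speed * REACTION_TIME + speed * speed / (2.0 * decel)


def stage_limits(closing_lower: float, closing_upper: float) -> tuple:
    """Minimum gaps for stage 3 and stage 4, given the closing speed of each car (m/s, >= 0)."""
    s3 = (stopping_distance(closing_lower, BRAKE_DECEL)
          + stopping_distance(closing_upper, BRAKE_DECEL) + MARGIN)
    s4 = (stopping_distance(closing_lower, GEAR_DECEL)
          + stopping_distance(closing_upper, GEAR_DECEL) + MARGIN)
    return s3, s4


def fixed_limits_generation1(rated_speed: float) -> tuple:
    """Generation 1 has no speed information, so the swelling tubes must be placed for the
    worst case: both cars closing at rated speed. The limits are therefore fixed."""
    return stage_limits(rated_speed, rated_speed)


@dataclass(frozen=True)
class Sample:
    lower_pos: float   # m, upper edge of the lower car
    upper_pos: float   # m, lower edge of the upper car


@dataclass(frozen=True)
class Evaluation:
    gap: float
    stage3_limit: float
    stage4_limit: float


def evaluate_channel(prev: Sample, cur: Sample) -> Evaluation:
    """One evaluation unit: derive each car's speed from two consecutive samples of its own
    sensor, then compute the dynamic braking and stopping limits for the current speeds."""
    v_lower = (cur.lower_pos - prev.lower_pos) / SAMPLE_TIME   # positive = upwards
    v_upper = (cur.upper_pos - prev.upper_pos) / SAMPLE_TIME
    closing_lower = max(v_lower, 0.0)    # only upward motion of the lower car closes the gap
    closing_upper = max(-v_upper, 0.0)   # only downward motion of the upper car closes the gap
    s3, s4 = stage_limits(closing_lower, closing_upper)
    return Evaluation(cur.upper_pos - cur.lower_pos, s3, s4)


def channels_agree(a: Evaluation, b: Evaluation) -> bool:
    """Cross-comparison of the intermediate values the two channels exchange."""
    pairs = ((a.gap, b.gap), (a.stage3_limit, b.stage3_limit), (a.stage4_limit, b.stage4_limit))
    return all(abs(x - y) <= CHANNEL_TOLERANCE for x, y in pairs)


def decide(prev_a: Sample, cur_a: Sample, prev_b: Sample, cur_b: Sample) -> str:
    """Combined decision of the two channels. A disagreement is treated as a fault and forces
    the safe state (assumed reaction) instead of trusting either channel alone."""
    a = evaluate_channel(prev_a, cur_a)
    b = evaluate_channel(prev_b, cur_b)
    if not channels_agree(a, b):
        return MISMATCH
    worst_gap = min(a.gap, b.gap)               # believe the more pessimistic gap
    if worst_gap < max(a.stage4_limit, b.stage4_limit):
        return STAGE4
    if worst_gap < max(a.stage3_limit, b.stage3_limit):
        return STAGE3
    return OK


if __name__ == "__main__":
    # Constructed scenario: the lower car rises at 2 m/s towards a stationary upper car 3 m away.
    prev, cur = Sample(10.0, 13.2), Sample(10.2, 13.2)
    print(decide(prev, cur, prev, cur))        # stage3_operational_brake
    print(fixed_limits_generation1(1.0), fixed_limits_generation1(4.0))
```

The generation 1 helper makes the article's argument visible: the fixed tube offset computed for 4 m/s is many times the offset for 1 m/s, which is why a close approach of the cars at high nominal speeds is only possible when the limits follow the actual speed.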
Conclusion
The new European standard PESSRAL now enables engineers to take advantage of electronic and programmable systems in elevator engineering as well. Safety-relevant control systems, successfully applied in aviation and automotive engineering for many years, will also change elevator control technology. However, such a replacement of the safety components used today also has to be considered from an economic point of view.
It will not always be possible to substitute, successfully in both technical and economic terms, the well-proven electromechanical safety components established for many decades. For example, it seems quite difficult to design an electronic safety module in the same cost range as the well-known safety switch. But for challenges such as the distance monitoring system described earlier, or where several safety contacts can be integrated into one electronic safety system, new solutions can be realised that really take advantage of the improved technical features feasible with electronic and software-driven systems and that have no cost disadvantage. It is certain that further interesting examples on this subject will be reported in the coming years.
Gerhard Thumm holds a degree in Telecommunication Systems. He joined ThyssenKrupp Elevator in 1976 as an R&D engineer and worked mainly in the field of controllers and group dispatching systems. In the factory in Neuhausen, Germany, he was responsible for the development and engineering departments for many years. Currently he is Vice President for R&D in the Business Unit Central/Northern/Eastern Europe. He has worked in various European standardisation working groups and is a member of the TC10/WG1 committee.