Ensure software updates protect motion control
Product safety and operational safety of elevators require that software and software-updates are under control. See list of standards to help lower risk for motion control applications.
- Hardware and software systems are increasingly used to control, monitor or replace purely mechanical safety functions of motion control.
- Critical motion control applications are turning increasingly “smart” incorporating hardware, software, and connecting to other systems.
- Various standards help reduce risk for critical motion control applications, such as lifts.
The number of modern lifts [elevators] that are monitored and controlled by software systems is on the rise, making firmware and parameter configuration crucial for safe lift operation until the next periodic inspection. Lift owners and operators must verify that completed software updates do not adversely affect product safety and operational safety. Advice follows for managing safety and motion control software.
Lift systems in Germany are classified as installations subject to monitoring under Germany’s Ordinance on Industrial Safety and Health (Betriebssicherheitsverordnung, BetrSichV), which implements 2009/104/EC Use of Work Equipment Directive and, as such, are subject to periodic technical inspections (PTIs).
Motion control safety hardware and software
In the past, PTIs mostly focused on purely mechanical or mechatronic components. Take speed governors, for example. They are mechanically tripped when the lift car exceeds a certain speed and will ensure controlled deceleration of the lift car by means of the safety gear.
To confirm safety components function reliably and fulfil all relevant requirements, manufacturers commission notified bodies to verify functions before placing the products on the market. Notified bodies examine criteria such as materials, design, construction, manufacturing and load limits. Parts that have passed type examination may be used as safety components by lift manufacturers according to EN 81-20 safety rules for construction and installation of passenger and goods-passenger lifts.
Motion control: Safety test of hardware, software
Hardware and software systems are increasingly used to control, monitor or replace purely mechanical safety functions. To do this, purely operational functions establish independent “protective circuits,” generally comprising hardware such as sensors, control systems and actuators, including software for processing and evaluating digital data. However, the fact that parts have hardware and software components does not change tested approval procedures: Hardware and software must be assessed within the scope of type examination.
Shaft coding and shaft information systems
In regular lift operation, a shaft coding system controls and monitors the lift’s position while it is ascending or descending. The software installed in modern shaft information systems also can control acceleration, speed and braking processes. The data can be used for identifying safety-related malfunctions, initiate suitable countermeasures and bring the lift into a safe state. This requires the hardware and software system to identify critical operating conditions and trigger the appropriate function, yet not “overreact” in any way; safety gear must not engage during regular lift operation.
IEC 61508-3 relevant for software testing, motion control safety
The technical and procedural requirements for safety-relevant electrical, electronic and programmable electronic systems (known as E/E/EP systems) are defined in the IEC 61508 international series of standards on safety-related systems. Part 3 of this series of standards specifies aspects for safety-relevant software including requirements for the safety lifecycle, tools used and quality of documentation, and is relevant for software.
The software installed in a lift also must be configured exactly to the lift’s specific operation environment and to the shaft information system’s hardware. Parameters such as lift weight, tripping speeds and shaft coding must be correctly reflected and processed by the software. Steps LAO must be taken to ensure the software cannot be manipulated by unauthorized third parties. This requirement is not limited to smart systems connected to the internet or other networks; this applies to all lifts.
Motion control safety: Checking software updates, excluding manipulation
Even software changes by authorized parties, such as changes in parameter configuration, may prove challenging in inspections unless they are directly and immediately identifiable on the basis of a performance test or clear software information. Information about the software version installed in a system is often provided on a sticker.
However, it may not be easy to verify whether the information is still up to date or whether the software has been updated in the meantime and, if so, by whom. Inspectors may be unable to ascertain the consequences for safety functions with complete reliability or verify if the control system of the lift still uses the same software as in the type examination. This is documented as a non-conformity in a PTI.
Motion control interconnectivity – risks and opportunities
To make matters more complex, lifts are turning increasingly “smart.” Digitalization, interconnectivity and the Industrial Internet of Things (IIoT) are opening up new opportunities in servicing and maintenance. Centralized evaluation of lift data, for example, enables precise predictions of user behavior, wear or malfunctions and may help increase the availability of lift systems and also optimize maintenance practices for predictive maintenance.
On the other hand, these opportunities also raise new issues in areas such as data integrity and cybersecurity, which are not covered by the IEC 61508 standard. What if, for example, updates are sent over the air? Can we exclude faults and manipulations during data transmission with certainty? Have precautions been taken to prevent accidental changes being made to the software by service technicians or external servicing staff, or to ward off hacker attacks? These issues are addressed by other standards, such as the IEC 62443 series for security capabilities of control system components, and the ISO 27001 on managing information security.
Management systems inspire certainty and trust
If applied correctly, these safety standards ensure unambiguous verification during periodic technical inspection. Critical aspects in this context are the submission of the relevant information, codes and reports by manufacturers and thorough and traceable documentation of the system’s configuration. The methods requested in IEC 61508 include a suitable safety lifecycle in software development, operation of configuration and release management and the creation of a safety manual.
In practice, identification of the current software version is realized by methods such as a QR code, provided either on a sticker or as an annotation in the lift documentation. Inspectors scan this code using their tablets or smart phone and log into the system with their protected password. They can then access the documentation of the equipment, including all safety-relevant information about the software release (CRC value) used for the lift control system.
Interaction of functional safety and IT security
The IEC 61508 standard is pointing the way on how to prevent systematic errors and error entries in software and software updates. Quality-assurance systems and management systems in the field of functional safety make valuable contributions. However, as the interconnectivity of lift systems increases, so do the cybersecurity requirements. The IEC 62443 standard provides a relevant normative basis.
In the inspection of safety-related functions, both standards need to be applied together, with functional safety always taking the lead. This allows manufacturers, operators, maintenance service providers and testing organizations to effectively prove lift systems meet safe requirements.
Standards for critical motion control
Standards can help reduce risk for critical motion control applications, such as lifts. Standards mention in this article are:
- 2009/104/EC Use of Work Equipment Directive is used by Germany’s Ordinance on Industrial Safety and Health (Betriebssicherheitsverordnung, BetrSichV) to govern lift systems in Germany.
- EN 81-20 safety rules for construction and installation of passenger and goods-passenger lifts
- IEC 61508 international series of standards on safety-related systems defines the technical and procedural requirements for safety-relevant electrical, electronic and programmable electronic systems (known as E/E/EP systems).
- IEC 61508 Part 3 of this series of standards specifies aspects for safety-relevant software includes requirements for the safety lifecycle, tools used and quality of documentation, and is particularly relevant for software.
- IEC 62443 series for security capabilities of control system components
- ISO 27001 on managing information security.
Dr. Rolf Zöllner is head of business development in handling technology, TÜV SÜD Industrie Service GmbH; Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media and Technology, firstname.lastname@example.org.
KEYWORDS: Motion control safety, elevator safety, lift safety
Hardware and software systems are increasingly used to control, monitor or replace purely mechanical safety functions of motion control.
Critical motion control applications are turning increasingly “smart” incorporating hardware, software, and connecting to other systems.
Various standards help reduce risk for critical motion control applications, such as lifts.
What standards are you using to help with motion control safety designs, tests and inspections?