ANSWERS
MOTION CONTROL SAFETY Dr. Rolf Zöllner, TÜV SÜD Industrie Service GmbH
Ensure software updates protect motion control
Product safety and operational safety of elevators require that software updates are under control. Standards help lower motion-control application risks.
The number of modern lifts [elevators] that are monitored and controlled by software systems is on the rise, making firmware and parameter configuration crucial for safe lift operation until the next periodic inspection. Lift owners and operators must verify that completed software updates do not adversely affect product safety and operational safety. Advice follows for managing safety and motion control software.
Lift systems in Germany are classified as installations subject to monitoring under Germany’s Ordinance on Industrial Safety and Health (Betriebssicherheitsverordnung, BetrSichV), which implements the 2009/104/EC Use of Work Equipment Directive, and as such are subject to periodic technical inspections (PTIs). In the past, PTIs mostly focused on purely mechanical or mechatronic components. Take speed governors, for example. They are mechanically tripped when the lift car exceeds a certain speed and will ensure controlled deceleration of the lift car by means of the safety gear.
To confirm that safety components function reliably and fulfil all relevant requirements, manufacturers commission notified bodies to verify functions before placing the products on the market. Notified bodies examine criteria such as materials, design, construction, manufacturing and load limits. Parts that have passed type examination may be used as safety components by lift manufacturers according to EN 81-20 safety rules for construction and installation of passenger and goods-passenger lifts.
Safety test of hardware, software
Hardware and software systems are increasingly used to control, monitor or replace purely mechanical safety functions. To do this, purely operational functions establish independent “protective circuits,” generally comprising hardware such as sensors, control systems and actuators, including software for processing and evaluating digital data. However, the fact that parts have hardware and software components does not change tested approval procedures: Hardware and software must be assessed within the scope of type examination.
In regular lift operation, a shaft coding system controls and monitors the lift’s position while it is ascending or descending. The software installed in modern shaft information systems also can control acceleration, speed and braking processes. The data can be used to identify safety-related malfunctions, initiate suitable countermeasures and bring the lift into a safe state. This requires the hardware and software system to identify critical operating conditions and trigger the appropriate function, yet not “overreact” in any way; safety gear must not engage during regular lift operation.
[Image caption: Transparency about hardware and software in critical motion control applications, such as elevators, is important to lower risk for all involved. Images courtesy: TÜV SÜD Industrie Service GmbH]
36 • September 2020 • control engineering
IEC 61508-3 relevant for software
The technical and procedural requirements for safety-relevant electrical, electronic and programmable electronic systems (known as E/E/EP systems) are defined in the IEC 61508 international series of standards on safety-related systems. Part 3