PESS, PESSRAL, and PESSRAE - a fast track to electronic safety in elevators
It is impossible to imagine modern cars and planes without electronics and software. It has not taken long at all for a lot of their control and safety systems to become software-based. Elevators and escalators are hot on their heels. Elevators and safety have been inseparably interconnected throughout the history of elevator technology. National and international standards have long prescribed an adequate level of safety on the basis of the specific state of the art. Since the introduction of the European Elevator Directive it has been possible to deviate from those standards as long as an equivalent level of safety is demonstrated. This is where Programmable Electronic Safety Systems came into play for the first time.
Innovative solutions given space
Safety components and safety circuits, for example the running with open doors, did not change over decades due to the lack of awareness and experience. Elevator standards EN 81-1/2: A3 and the new elevator standard EN 81-20 give us directly the opportunity for using PESS by pre-defining safety levels. If the wished function is not pre-defined, the Lifts Directive gives the freedom to do it yourself.
Risk assessments for PESS
When a safety function or electric safety device is not classified for PESS in the EN 81 series, the mother norm of PESS, IEC-61508, should be used. The manufacturer shall perform a risk analysis to identify risks of harm before a development starts. The identified dangers will be classified in Safety Integrity Levels (SIL). The more dangerous the fault, the higher the SIL level. For elevators SIL 3 is the maximum allowed level. If SIL 4 is needed than a different system should be designed.
The next four risk parameters are the basis for such an assessment.
C1: minor injury
C2: serious permanent injury to one or more persons; death to one person
C3: death to several people
C4: many people killed
Frequency in the presence of a dangerous zone (F)
F1: rare to more often exposure in the hazardous zone
F2: frequent to permanent exposure in the hazardous zone
Possibility to avoiding a dangerous event (P)
P1: possibly under certain conditions
P2: almost impossible
Probability of junk event (W)
W1: a very slight probability that the unwanted occurrences will come to pass and only a few unwanted occurrences are likely
W2: a slight probability that the unwanted occurrences will come to pass and few unwanted occurrences are likely
W3: a relatively high probability that the unwanted occurrences will come to pass and frequent unwanted occurrences are likely
This leads to these so-called risk graph, see the illustration.
Based on this risk graph from IEC 61508, SIL levels can be determined. IEC 61508 also describes how to demonstrate that the required SIL level is achieved. This is a combination of math, tests, and documentation.
Applications in the ELEVATOR
All new technologies should be at least as safe or safer than current technologies. To achieve an electronic safety system with this characteristics a couple of design strategies can be used:
- Redundant hardware: if one fails the other hardware can still perform the safety function
- Diagnostics: by monitoring the system we can detect when something is failing, and go to a safe state
- Fail safe design: make a design such, that when a component fails, the system automatically goes to a safe state
Electronic safety gives a whole new area of risks and failures. We separate those failures in 3 categories. Each of them have their own defence mechanism. The following error groups, and possible risk reduction (as an example) are present:
- Systematic failures: faults due to human errors. An example is faulty demands. Typical defence mechanisms are documentation and project management.
- Random failures: the failure of components. All components wear and will break down someday. Typical defence mechanisms are diagnostics and redundant design.
- Common causes: one condition that affects several points in the system which lead to multiple faults at the same time. For example temperature. Typical defence mechanisms is a good risk analyses or different technology’s in parallel systems.
Main design rule is that the system shall go to a safe state when a fault is detected.
Examples of applications PESS
Initially major world companies like Kone, Otis, ThyssenKrupp, Schindler and Mitsubishi, used PESS in safety components such as speed limiters and door bridging. However the development progressed quickly and today PESS finds its way into integral lift designs and opens whole new possibilities. For example the ThyssenKrupp twin lift is a concept only made possible by electronics.
The current structure of the Lifts Directive and the status of the associated lift standards provide engineers the tools and space for new innovative PES systems. These systems found their way already into aviation and the automotive industry, and are now the new game changer for lifts as well.