Making sure lifts are also safe after updates
When manufacturers change the firmware of safety-relevant electronic parts, such as controllers or sensors, this can occasionally have negative effects on the operational safety of lifts.
Under certain circumstances, the type approval test may lapse and along with it the operating permit. Software developers should bear this in mind when programming and installing updates to keep the lift safe.
Can the lift be safely used until the next recurrent inspection? In Germany, experts have to answer this question once a year for each lift. In practice, this can sometimes be difficult in the case of modern lifts, especially if safety functions are realised, monitored and digitally controlled by software.
Inspectors on site cannot always determine which software is currently installed or whether it still corresponds to the version from the type approval test. Manufacturers may only install parts that have been successfully tested as safety components according to EN 81-20.
Software – a "safety component"?
At the moment, an increasing number of safety functions that were previously purely mechanical are being integrated into, monitored and controlled by combined hardware and software systems (HW/SW systems). For example, a shaft information system could be used to detect safety-relevant malfunctions in the lift's operation and, in the event of defects, restore the lift reliably and sufficiently quickly to a safe condition.
The technical and procedural requirements are defined in IEC 61508. What now counts is that the software installed is compatible with the existing hardware of the shaft information system.
This means checking that the safety-relevant parameters, such as lift weight, tripping speeds and shaft coding, are correctly configured and, at the same time, whether the minimum requirements in terms of cyber security have been met. For example, the initial password from the operating instructions has to be changed and measures taken to ensure that the safety function is effective.
Checking the software is occasionally a challenge
However, it has emerged in the case of several systems on the market that checking the software on the spot "in the lift shaft" in terms of its version, correct parameter assignment and the effectiveness of the protective functions is occasionally a challenge. Here it is the task of the manufacturers to ensure that the safety requirements for their products can be tested. New issues also arise that were not spelt out in IEC 61508.
These are above all the questions of data integrity and IT security: was the 'over-the-air' transmission monitored to determine whether the software updates were transferred without false entries or even unauthorised manipulations?
Can unnoticed or unintentional manipulations or false entries by the service technician or third-party maintenance personnel be ruled out? Here, other standards are relevant or applicable, such as the IEC 62443 series and IEC 27001.
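The on-site check described above, that is, confirming the installed version and image against the type-approved release, that the safety-relevant parameters are still those fixed at approval, and that the initial password has been changed, can be made mechanical. The following is an added example, not code from the author or from any lift manufacturer; the manifest contents, parameter names and values are constructed assumptions standing in for a real type-approval record.

```python
import hashlib
import hmac

# Constructed stand-in for the type-approval record of a shaft information
# system. All names and values are assumptions, not from any real product.
APPROVED_IMAGE = b"SIS firmware v2.3.1 (constructed sample image)"
MANIFEST = {
    "version": "2.3.1",
    "sha256": hashlib.sha256(APPROVED_IMAGE).hexdigest(),
    # safety-relevant parameters fixed at type approval (constructed values)
    "parameters": {"rated_load_kg": 1000, "tripping_speed_mps": 1.15,
                   "shaft_coding": "SC-42"},
    "default_password": "0000",  # initial password from the operating instructions
}


def inspect_installation(image: bytes, installed: dict, manifest: dict = MANIFEST) -> list:
    """Compare what is actually installed with the type-approved record.

    `image` is the firmware image read back from the controller; `installed`
    holds the version the controller reports, its configured parameters and
    the current service password. Returns a list of findings; an empty list
    means the installation matches the approved state."""
    findings = []
    if installed.get("version") != manifest["version"]:
        findings.append(f"version mismatch: installed {installed.get('version')}, "
                        f"approved {manifest['version']}")
    # Hash the image that was read back rather than trusting the reported
    # version string: a tampered or corrupted image can still report the
    # correct version. compare_digest avoids timing differences on mismatch.
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        findings.append("firmware image hash does not match the type-approved image")
    configured = installed.get("parameters", {})
    for name, approved in manifest["parameters"].items():
        if configured.get(name) != approved:
            findings.append(f"parameter {name}: configured {configured.get(name)!r}, "
                            f"approved {approved!r}")
    if installed.get("password") == manifest["default_password"]:
        findings.append("initial password from the operating instructions still in use")
    return findings


if __name__ == "__main__":
    report = {"version": "2.3.1", "parameters": dict(MANIFEST["parameters"]),
              "password": "0000"}
    for finding in inspect_installation(APPROVED_IMAGE, report):
        print("FINDING:", finding)
```

Each finding corresponds to one of the points the inspector has to verify; the report and image would in practice be read from the controller, and the manifest from the manufacturer's configuration and release management records.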
Safety-relevant software requires management systems
Finally, application of the standards requires easy verification during the recurrent inspection. To sum up, it must be ensured that the manufacturers make available the information, data, codes and reports relevant to the inspection.
The methods are sufficiently well-known and required by IEC 61508. Among other things, these include a suitable safety life cycle in the software development, operating a configuration management system and release management system as well as producing a safety manual and other measures.
Synchronising functional safety and IT security
Effective systems for quality assurance and a management system for functional safety help to control systematic errors and false entries in software and software updates. IEC 61508 points the way here.
At the same time, the requirements of IT security will become even more important in future. A normative foundation already exists here in the form of the IEC 62443 series.
If both standards are applied effectively and in accordance with practice, this will not only result in safety functions that meet requirements but that are also easy to inspect. The main role here will of course always be assumed by functional safety.
Dr Rolf Zöllner
The author is the Head of Business Development in the Conveyance Technology Department, TÜV Süd Industrie Service GmbH