Requirements Specification for an Elevator Controller

Assignment 1
CS846 - Requirements Engineering
Rolando Blanco
School of Computer Science
University of Waterloo

October 5th, 2005

1 Introduction
1.1 Purpose
This document partially describes the requirements and specification of a new Elevator Con-
troller for the two car elevator system located in the northeast side of the Math and Computer
building at the University of Waterloo. The intended audience of this document are the owners
of the current elevator system and individuals that may be interested in the the portion of the
functionality of the Elevator Controller that is visible to elevator passengers.

1.2 Scope
The product described in this document specification is an Elevator Controller which main
function is to command the operation of the two car elevator system in the northeast side of
the Math and Computer building. The functionality of the Elevator Controller here described
matches he functionality of the controller currently installed with with regards to:

• Operation of the elevator system by passengers using the interfaces visible to passengers
during normal operation

• Interaction between the elevator system and the fire alarm system in the Math building
(Note: It is assumed that this functionality currently exists).

• Interaction between the elevator system and the University of Waterloo security monitoring
system (Note: It is assumed that this functionality currently exists)

This document does not describe the requirements nor specification of the Elevator Controller
as it relates to devices on top of the elevator cars used during repair and maintenance of the
elevator system, even though these devices interact with the Elevator Controller.
This document does not describe the physical interface, sampling rates, wire protocol, and
other low level requirements needed by a Elevator Controller to command the operation of
the components of the elevator system. Only passenger-visible functionality is specified in this
document.

1
1.3 Acronym’s, Abbreviations, Definitions, Notational Conventions
DFD Dataflow Diagram
EC Elevator Controller. The System to be produced
MC Mathematics and Computer building. Location where the elevator system is located

1.4 References
[cod65] American Standard Safety Code for Elevators. The American Standards Association and
The American Society of Mechanical Engineers, 1965. This book describes the elevator
standards in place when the MC building was constructed and when the elevator system
first entered in operation.

[cod04] CSA B44-04 Canadian Safety Code for Elevators and Escalators. CSA International,
2004. (Bi-National standard – USA, with ASME A17.1), CSA International. 2004.
Current elevator standards.

2 General Description
The main function of the EC is to coordinate and control the operation of the components in
the elevator system. Through sensors and interfaces the EC controls the location and movement
of the cars in the system with the purpose of transporting passengers between floors in the MC
building. The EC is also in charge of providing feedback to the passengers to allow them to
use/operate the elevators.

2.1 Product Perspective

The elevator system controlled by the EC has two cars servicing floors 1 though 6 in the MC
building. The context diagram in Figure 1 (in DFD format) illustrates the components that are
controlled by the EC. Figures 2 to 5 show some of the user interfaces. Besides the EC itself, the
components of interest in the elevator system are:

• Two cars. Each car has a door (car door ) that the EC opens when passengers are to
enter/exit the car.

• Two doors (floor doors), one per car on each floor (Figure 2) . Each door allows access to
one of the cars when the car is parked at that floor and the car door is open. A mechanism
in the floor door opens/closes the floor door at the same time the car door is open/closed,
without direct intervention of the EC.

• Up and down push buttons (hall buttons) between the two doors on floors 2 to 5, Up
button only on floor 1, and Down button only on floor 6 (Figure 2). Buttons are pressed
by waiting passengers to call a car and to specify the direction they wish to travel. The
hall buttons stay illuminated until the car that will service the passenger arrives. Hall
buttons also serve to indicate to waiting passengers whether a car has already been called
for a given direction.

• A control panel on each car (Figure 3). Located by the car door, the control panel allows
passengers to control the operation of the car. Components in the control panel are:

2
 - Floor buttons allow passengers to select the floor they wish to go to. There are 6
floor buttons numbered 1 to 6.
- An open door button opens the door if the button is pushed and the car is parked on
a floor.
- An emergency button stops the car and rings an emergency bell while being pushed
- A bell button rings an alarm while being pushed by a passenger.
- A phone allows passengers to communicate with emergency personnel. The operation
of the phone is not controlled by the EC.
- A keyed operation switch allows to set the operation mode of the car to auto (normal
operation), or hold (service operation). When the switch is set to hold the car is
taken from regular service by the EC – i.e. the car is not considered by the EC when
servicing call requests by passengers. Moreover, the EC only responds to the devices
inside the elevator (floor buttons, open door button, etc), and the car door is kept
open while parked at a floor.

• Light indicators (direction indicators) inside the car indicate the direction the car is/will
travel when the car arrives to a floor (Figure 4). The direction indicators are visible to
waiting passengers outside the car when the car door opens.

• Floor indicators inside the car on top of the car door. Floor indicators are labelled 1 to 6
and indicate to passengers in the car the current location (floor number) of the car (Figure
5).

• An electric motor for each car. When directed by the EC, the motor lifts, lowers, slows
down, or stops the car.
Besides the components in the elevator system already mentioned, the EC also interfaces
with the fire emergency system in the MC building and a monitoring system in the campus
security office (UW’s monitoring system). In case of a fire alarm, the fire emergency system
informs the EC of the event. The EC then recalls the two cars to a designated floor. When the
fire alarm is turned off, the fire alarm system informs the EC which in turn reestablishes normal
operation of the elevator system (Note: it is assumed that this functionality currently exists –
To be confirmed ).
The interface with UW’s monitoring system is used by the EC to inform the monitoring
system when passengers use the emergency button in any of the two elevator cars (Note: it is
assumed that this functionality currently exists – To be confirmed ).

2.1.1 Hardware Interfaces

Communication of events between the components of the elevator system and the EC is done
via I/O interfaces to be determined (Note: description or reference to the actual wire protocol
should follow; sampling rates; etc).

2.1.2 Communication Interfaces

The EC shall support a TCP/IP network interface for communicating with UW’s monitoring
system. Note: The actual application protocol for the communication between the EC and
monitoring PC is to be determined.

3
 Passenger *

Hall Button Floor Button

Emergency
Light on/off Push Push Light on/off
Monitoring PC

Direction Building Fire

Indicator System
Light on/off

Closed
Being Pushed EC Car Door
Passenger * Bell Button
Open/Close
Being Pushed
Start Up
Emergency Start Down Motor
Stop Slowdown
Button Stop

Ring On/Off
Car Phone
Auto Hold
Alarm Bell
Light on/off

Floor Operation
Indicator Switch

Figure 1: Context Diagram for Elevator System

(a) Floors 2 to 5

(b) Floor 1

Floor door car 1 Floor door car 2

(c) Floor 6

Figure 2: Floor Doors and Hall Buttons

4
 FLOOR BUTTONS

5 6

3 4

1 2
SERVICE Figure 4: Direction Indicators
SERVICE
HOLD
AUTO HOLD
AUTO

EMERGENCY

EMERGENCY
1 2 3 4 5 6

BELL BUTTON
PHONE
ELEVATOR DOOR

Figure 5: Floor Indicators

Figure 3: Control Panel

2.2 Product Functions

The main function of the EC is to coordinate the operation of components in the elevator system
to allow passengers to use the elevator system for their transportation from one floor to another
in the MC building. More specifically the EC must be able to:

• Interact with the buttons passengers use to operate the elevator cars. The EC must be
able to recognise that a button has been pressed, and it must be able to turn on/off the
light of the button.

• Interface with the indicators that inform the passengers of the estates of the elevator
system of interest to them (e.g. floor and direction indicators, alarm bell).

• Select and deliver an elevator car to service passengers waiting on a given floor, and allow
the passengers to access the elevator car.

• Transport the elevator car where a passenger is in to the floor indicated by the passenger,
and allow the passenger to exit the car.

• Modify the behaviour of the elevator system based on the mode of operation selected by
the passenger (hold /auto).

• Stop an elevator car and sound and alarm bell if a passenger in the car announces an
emergency.

• Recall the elevator cars and suspend operation of the elevator system in case of a fire
alarm.

2.3 User Characteristics

A passenger is anyone that uses the elevator system with the purpose of going from one floor to
another in the MC building.

5
2.4 Constraints
Any physical specifications (e.g. dimensions), power consumption, and operation environmental
should be listed here or a reference to standards document (e.g. [cod65, cod04]).

2.5 Assumptions
• It is assumed that emergency mechanisms that stop the cars in case of a malfunction
of the elevator system operate autonomously without the involvement of the EC. These
emergency mechanisms include locking features in case of power outages.

• It is assumed that the EC currently installed interacts with UW’s security system and
MC’s fire alarm system.

3 Specific Requirements

4 Reference Tables and Descriptions

4.1 Functional Requirements Table and Traceability Document
Details/Constraints

Related Reqs

Related UCs
Description

Found In
Category

Sources
Name
ReqId

F1 E Control Car EC shall control the F2, UC1,

Movement movement (start, stop, F4, UC2,
slow down) and direc- F5, UC3,
tion of the elevator cars N2 UC7
F2 I Location EC shall know where Elevator cars are near a F1, UC3
Tracking the elevator cars are at floor, at a floor, or be- N3,
all times tween floors. EC must N4
be able to accurately
land an elevator car at
(exactly) a given floor.
F3 E Control EC shall be able to open When elevator car ar- F4, UC1,
Doors and close elevator car rives at floor, EC shall F5, UC2,
doors open car door; EC shall F10 UC3,
close car door before UC7
moving the elevator car

6
F4 E Service Call EC shall send an eleva- EC shall select an eleva- F1, UC1
Requests tor car to the floor from tor car to serve a call re- F3,
which the call request is quest. When the car ar- F6,
being made. rives at floor, EC shall F7,
let passengers into the N3
elevator car.
F5 E Service EC shall transport the When car arrives at F1, UC2
Delivery elevator car to the floor floor, EC shall let pas- F3,
Requests requested by a passen- sengers out the elevator F6,
ger in the elevator car car. F7,
N1,
N4
F6 E Status EC shall provide feed- EC turns on/off hall F4, UC1,
Feedback back to elevator passen- buttons, floor buttons, F5, UC2,
gers direction and floor indi- F9, UC3,
cators as a way to pro- N1, UC4,
vide feedback to passen- N5 UC5
gers of the elevator sys-
tem. This feedback al-
lows passengers to use
the elevator system
F7 I Request EC shall keep track of No requests should be F4, UC1,
Tracking all service requests (call skipped/dropped F5, UC2
and deliver to floor) N3,
N4
F8 E Response to EC shall recall eleva- UC7,
Fire Alarms tors to designated floor UC8
when fire alarm and
keep the elevator cars
out of service until fire
alarm off
F9 E Emergency EC shall stop car and F6, UC4
Stop ring a bell when emer- F11
gency is announced (via
emergency button)
F10 I Door Timer EC shall close car doors After car door opens F3 UC3
after a period of time if and operating in auto
no service is requested mode, the EC should
close doors after a con-
figurable amount of sec-
onds if no service (call
or delivery) is requested

7
 F11 I Interaction EC shall interact with In case of emergency F9 UC4
with Mon- UW’s security monitor- announcment EC shall
itoring ing system notify UW’s monitoring
System system

4.2 Non Functional Requirements Table and Traceability Document

Details/Constraints

Related Reqs

Related UCs
Description

Found In
Category

Sources
Name
ReqId

N1 M Weight EC shall avoid the op- EC must notify passen- F5

Overload eration of elevator cars gers (e.g. by sound-
Operation when load exceeds limit ing alarm bell twice and
keeping car door open)
of situation
N2 M Comfortable EC shall move/stop ele- F1
Ride vator cars in a way that
does not cause discom-
fort to passengers
N3 W Efficient Al- EC shall efficiently as- F2,
location sign requests for service F4,
to elevator cars F7
N4 M Efficient EC shall efficiently EC shall service de- F2,
Transporta- transport the passenger livery requests in F5,
tion in the elevator ascending floor order F7
when moving the el-
evator car upwards,
and in descending floor
order when moving the
elevator car downwards.
N5 M Similarity EC shall make elevator No new interfaces, ele-
to other system behave like ev- vator modes, ...
elevators ery other similar eleva-
tor system

4.3 Use Cases

4.3.1 Use Case Diagram
Figure 6 shows the use cases that relate to the EC. Most use cases are initiated by the interaction
of passengers with the elevator system, while a few cases are initiated by the direct interaction
between the MC fire alarm system and the EC.

8
 Recalling Cars

<<include>>
Direction Indicator
Returning to
Fire Alarm System Operation

<<include>> Travelling to
Car Door
Floor
Calling Elevator

Hall Button Motor

<<include>>

Delivering to
Floor Button Destination

Passenger Announcing
Emergency Button UW’s Monitoring System
Emergency

Alarm Bell
Bell Button Ringing Alarm
Bell

Setting
Operation Mode Switch Operation Mode

EC

ELEVATOR SYSTEM

Figure 6: Use Case Diagram

4.3.2 Use Case Descriptions

As mentioned before, several of the use cases for the EC are triggered by actions of passengers,
even though the interactions of the EC are with other components of the elevator system. In this
document the use cases are presented from the perspective of the elevator system as actor and
the EC as the system meeting the actor’s goals. But since the elevator system itself is trying
to meet the goals of the passenger, the use cases include an extra item in their description,
called “Global Context”, with the intention of putting the use cases in the context of the goals
passengers have.

Name: Calling Elevator

Use Case Id: UC1
Event/Precondition Hall button on floor F informs EC of push
System: EC
Actors: Hall button (initiator), motor, car door
Overview: The EC dispatches one of the elevator cars to the floor
where the hall button is located
Global Context: A passenger is requesting an elevator car on floor F .
The elevator system delivers a car to floor F that can
be used to later travel to other floors in the building
References: UC3 - Travelling to Floor; UC7 - Recalling Cars due
to Fire Alarm

9
Related Use Cases: UC2 - Delivering to Destination: UC2 typically occurs
after UC1
Typical Process Description:
Actor Action: System Response:
1. A hall button in Floor F
informs EC of push
2. EC turns on light of pushed hall button
3. EC selects elevator car to serve call request
4. EC sends selected car to floor F . Selected car may stop
on floors in direction to F. Eventually it arrives at F (see
UC3 - Travelling to Floor)

Exception 1:
4. If there are no cars available (all in hold mode; see UC6
- Setting Operation Mode; and UC7 - Recalling Cars due
to Fire Alarm), light of hall button is turned off by EC and
call request is discarded

10
Name: Delivering to Destination
Use Case Id: UC2
Event/Precondition Floor button in elevator car informs EC of push
System: EC
Actors: Floor button (initiator), motor, car door
Overview: EC delivers car to floor requested as determined by
floor button pushed
Global Context: A passenger is requesting that the elevator car, where
the passenger is in, travel to a given floor. The eleva-
tor system transports the passenger in the car to the
requested floor.
References: UC3 - Travelling to Floor
Related Use Cases: UC1 - Calling Elevator: UC1 typically occurs before
UC2
Typical Process Description:
Actor Action: System Response:
1. Floor button inside eleva-
tor car, corresponding to floor
F , informs EC of push
2. EC turns on light of pushed floor button
3. EC closes car door if open
4. EC turns off light of direction indicator
5. EC sends car to floor F (see UC3 - Travelling to Floor)

Variation 1: Floor button

pushed is not in the direc-
tion the car is travelling/will
travel:

6. If the car is not serving other requests, direction of the

car is changed towards selected floor and the car sent to
that floor (see UC3 - Travelling to Floor); If the car is serv-
ing other requests towards the current car direction, floor
request is served after all other requests currently assigned
to elevator car

11
Name: Travelling to Floor
Use Case Id: UC3
Event/Precondition: Elevator parked at a given floor
System: EC
Actors: Motor, car door, direction indicator
Overview: Car travels from a given floor Fo to a destination floor
Fd ; car door is open upon arrival
Global Context: Not applicable
References: UC4 - Announcing an Emergency
Related Use Cases:
Typical Process Description:
Actor Action: System Response:
1. Elevator car is at floor Fo
it shall go to Fd next

2. EC instructs motor to run on direction to Fd

3. EC commands floor indicators to light as the elevator car
passes by each floor between Fo and Fd
4. EC determines that car is about to arrive to floor Fd
5. EC commands car motor to reduce speed
6. EC determines that car is at destination floor Fd
7. EC commands car motor to stop
8. EC instructs car door to open (see Section 1 - Opening
Car Door)

Variation 1:
1. Elevator car is currently
parked at destination floor –
i.e. car floor (Fo ) and desti-
nation floor (Fd ) are the same
2. EC instructs car door to open (see Section 1 - Opening
Car Door)

Section 1 - Opening Car Door

1. EC commands car door to open
2. EC turns on light of floor indicator corresponding to floor
Fd
3. EC turns on light of direction indicator inside car
3. EC waits for push from any button (floor or hall), and
closes the door after a while if no event received. If eleva-
tor car is operating in hold mode the doors are kept open
indefinitely if no button pushes

Exception 1: Emergency Stop

In case of a emergency stop while travelling to Fd , see UC4
- Announcing an Emergency

12
Name: Announcing an Emergency
Use Case Id: UC4
Event/Precondition: Emergency button in elevator car informs EC is is be-
ing pressed
System: EC
Actors: Emergency button (initiator), alarm bell, motor,
UW’s monitoring system
Overview: While the emergency button inside the elevator car is
being pushed, the car is stopped and the alarm bell is
ringing
Global Context: A passenger is announcing an emergency. While the
passenger is pushing the emergency button, the eleva-
tor system stops operation of the car where the pas-
senger is in, sounds the alarm bell, and informs UW’s
monitoring system
References: None
Related Use Cases: None
Typical Process Description:
Actor Action: System Response:
1. Emergency button informs
EC it is being pushed

2. EC commands alarm bell to ring

3. EC commands button to slow down (if running at normal
speed)
4. EC commands motor to stop
5. EC informs UW’s monitoring system that an emergency
button is being used. The elevator car where the button
is located as well as the floor where the car has stopped is
provided to the monitoring system.

6. Emergency button informs

EC that is has been released
(no longer pushed)

8. EC commands the alarm bell to stop ringing

9. If the emergency button was pushed while the car was
moving, and the elevator car is not close to the destination
floor, the EC commands motor to start in direction of the
floor the car was going to. If the car is close to the destina-
tion floor, EC commands motor to run at slow speed.

13
 11. EC informs UW’s monitoring system that emergency
button is no longer being used

Variation 1:
3. Elevator car is parked at a floor. Door is kept at given
state (open or close).
5. EC informs UW’s monitoring system that an emergency
button is being used. The elevator car where the button
is located as well as the floor where the car has stopped is
provided to the monitoring system.

14
Name: Ringing Alarm Bell
Use Case Id: UC5
Event/Precondition: Alarm bell button in elevator car informs EC it is be-
ing pushed
System: EC
Actors: Bell button (initiator), alarm bell
Overview: Alarm bell rings while alarm bell button is being
pushed
Global Context: A passenger wishes to ring the alarm bell. Elevator
system rings the bell while the passenger is pushing
the bell button
References: None
Related Use Cases: None
Typical Process Description:
Actor Action: System Response:
1. Bell button informs EC
that it is being pushed

2. EC commands alarm bell to ring

3. Bell button informs EC is
has been released

4. EC commands alarm bell not to ring

15
Name: Setting Operation Mode
Use Case Id: UC6
Event/Precondition: Operation switch in one of the elevator cars informs
EC of new switch position
System: EC
Actors: Operation mode switch (initiator)
Overview: EC modifies behaviour of elevator system depending
on new operation mode. In hold mode elevator car
accepts inputs from control panel inside elevator car
only. In auto mode, input is accepted from hall but-
tons and elevator car control panel.
Global Context: A passenger wants to change the operation mode of the
elevator car and has the keys for the operation mode
switch. Passenger turns the switch in the direction of
the desired operation mode. Elevator system changes
the operation mode of the car as requested
References: None
Related Use Cases: None
Typical Process Description:
Actor Action: System Response:
1. Operation mode switch in-
forms EC that it has been
turned from auto to hold
2. EC reassigns any pending requests for elevator car taken
to hold mode to the other elevator car if the other car is
operating in auto mode; otherwise requests are discarded
(see section Discard Requests)
3. EC no longer considers cars taken to hold operating mode
when servicing call requests
4. When car is parked at a floor car door is kept open (see
UC3 - Travelling to Floor, Section 1: Opening Car Door)

Section: Discard Requests

2.a Light of hall buttons currently on are turned off
2.b Light of floor buttons currently on in the car are turned
off

Variation 1:
1. Operation mode switch in-
forms EC that it has been
turned from auto to hold
2. EC considers elevator car for servicing call requests
3. EC waits for push from any button (floor or hall), and
closes the door after a while if no event received

16
Name: Recalling Cars Due to Fire Alarm
Use Case Id: UC7
Event/Precondition: Fire alarm goes off
System: EC
Actors: Fire alarm system (initiator), floor sensors, motors,
car doors
Overview: Elevator cars are recalled to a predetermined floor
when the fire alarm in the MC building is activated
Global Context: Not applicable
References: UC3 - Travelling to Floor
Related Use Cases: UC8 - Returning to Operation after Fire Alarm
Typical Process Description:
Actor Action: System Response:
1. Fire alarm system informs
EC about the fire alarm
2. No elevator call requests are processed for neither car
3. EC discards all current hall button requests
4. EC commands all hall buttons with lights on to turn
button lights off
5. EC finishes all pending requests for both cars due to floor
button pushes
6. Elevator cars are sent to predetermined recalling floor
(UC3 - Travelling to Floor)
7. Both car doors are kept open
8. No pushes of hall buttons, floor buttons, emergency and
bell buttons are processed

17
Name: Returning to operation after fire alarm
Use Case Id: UC8
Event/Precondition: Fire alarm is turned off
System: EC
Actors: Fire alarm system (initiator), floor sensors, motors
Overview: Elevator operation is reestablished after a fire alarm
Global Context: Not applicable
References: None
Related Use Cases: UC7 - Recalling Cars Due to Fire Alarm: UC7 always
happens before UC8
Typical Process Description:
Actor Action: System Response:
1. Fire alarm system informs
EC there is no longer a fire
alarm
2. EC responds to hall buttons, floor buttons, emergency
buttons, and bell buttons
3. EC waits for push from any button (floor or hall), and
closes the door after a while if no event received

18