2013 UKSim 15th International Conference on Computer Modelling and Simulation
FPGA Based Elevator Controller with Improved Reliability
Sithumini Ekanayake, Ruwan Ekanayake, Somasundaram Sanjayan, Sunil G. Abeyratne, S.D. Dewasurendra
Dept. of Electrical and Electronic Engineering
University of Peradeniya
Peradeniya, Sri Lanka
E-mail: [email protected], [email protected], [email protected], [email protected], [email protected]
Abstract— This paper introduces a novel method to improve
the reliability of a reconfigurable FPGA based elevator
controller, which can be used for an elevator with any number
of floors, with specified inputs and outputs. It was clear that by
simply changing a variable in the HDL code the controller can
be generated for an elevator with required number of floors.
Thus in this paper the primary implementation and
verification procedure is given in detail together with a method
to improve the reliability. The flexibility in expansion of
designs in an FPGA was considered thoroughly in the
proposed reliability improving method. The controller was
developed using Verilog HDL throughout the research and a
description on the code development is included in the paper.
The controller generated was successfully implemented on a
Xilinx Spartan 3AN FPGA and tested for a prototype elevator
with three floors.
Keywords- Elevator, FPGA, Verilog, reconfigurable
I. INTRODUCTION
In controller implementation for a system several factors
such as nature of the system, power consumption and
reliability play vital roles in design considerations. At
present, PLCs are commonly used in control and automation
industry where easy programming environment is highly
expected. But for a complex reactive system, Field
Programmable Gate Arrays (FPGAs) can be recommended
due to their inherently parallel processing capability.
An elevator (or lift) is a mechanism to transport human
beings or goods between floors of a building, vessel or other
structures. Since, mostly it is an arrangement that efficiently
moves people, safety and the convenience of the travelling
people should be certified. Therefore, implementation of
proper control systems for elevators is essential. An elevator
can be considered as a complex reactive system which
requires parallel event processing with large number of
inputs and outputs. Therefore FPGAs make a better solution
for implementing an elevator controller with added pros of
reconfigurability, less power consumption, low response
times and flexibility in expansion of designs.
In this research, our objectives were, developing an
elevator algorithm for an elevator with any number of floors
and improving its reliability. There Verilog HDL was used
due to its syntactical familiarity. Verilog is a hardware
description language (HDL) which is commonly used to
describe digital circuits in a textual manner in designing. For
coding, simulation and synthesis purposes Xilinx ISE
software was used. The final design was programmed to a
978-0-7695-4994-1/13 $26.00 © 2013 IEEE
DOI 10.1109/UKSim.2013.128
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on April 09,2023 at 08:27:06 UTC from IEEE Xplore. Restrictions apply.
Spartan 3AN FPGA which acts as the core of the controller
and tested on real hardware.
II. IMPLEMENTATION OF THE CONTROLLER
A. Preliminary Study
When developing a control algorithm it is always
advantageous to have a model based design approach since
initial specifications will be useful in later developments.
The study [2] shows a state chart model developed for a
prototype elevator with three floors which was developed
further to come up with a reconfigurable controller for any
number of floors. Also Zhao et al. [3] clearly illustrate the
basic functions and demands of an elevator system with
stages of development in detail. In this research the results
obtained in [2] were used in advancing the program
according to our requirements.
B. HDL Program Development
FPGA has inputs/outputs that can be used as a bit vector
in programming directly. In the program this property is used
in generating the data vectors. Also in the program, the data
vectors are defined with the no of bits in a vector as equal to
the number of floors. These vectors will be generated
automatically when the number of floors is given.
Eg. If number of floors is 3, the corresponding input
vector will be „xxx‟. If number of floors is 5 the input vector
will be „xxxxx‟
In the code, Proximity sensor inputs, Car call button
inputs and Hall call button inputs are the three input data
vectors. Then a common vector is generated as a variable for
any car button input or hall button input since any button
input can be considered as a request for elevator car to reach
a particular floor. The direction of the elevator car is decided
by comparing the integer values of the common vector and
the proximity sensor input vector. If the integer value of the
common vector is greater than the integer value of the
proximity sensor input vector the motion will be forward and
if the common vector integer value is less than the proximity
sensor input vector integer value the motion will be reverse.
At the moment the two integer values become the same the
elevator car will be stopped. The Verilog program for the
reconfigurable elevator controller was developed using this
logic.
260
 In Verilog, basic building blocks used are the modules.
Firstly we need to define input and output ports, then inputs
and outputs are separated and the data types are defined.
There are two families of fixed data types in Verilog, „nets‟
and „registers‟. Nets (i.e. wire, tri, wand & etc.) establish
structural connectivity whereas Registers (i.e. reg, integer,
real, time & etc.) store information.
C. Simulation
Xilinx ISE software provides full range of editing,
synthesis and simulation and implementation tools for
Verilog development environment. After HDL program was
written and synthesized in Xilinx ISE, simulation tools were
used to simulate the developed program before downloading
Figure 1. Test bench waveform
to the FPGA development board so that the code behavior
could be verified. Initially a test bench waveform had to be
created by adjusting clock frequencies and widths as
required. Then the assumed inputs were given to the test
bench as shown in Fig. 1.
Consider a situation where the elevator car is at floor 0.
So the proximity sensor input is made „high‟ as shown in the
Fig. 1. Then assume a request is made from a car button to
reach floor 2. So the inverter forward output and brake
output should be „high‟ in order to move the elevator car.
Also, the light used to indicate the request should become
„high‟. To represent the moment that the car passes
proximity sensor of floor 1, relevant input is made „high‟ and
then at floor 2, the proximity input of that floor is made
„high‟ again. Thus there should be no difference at the output Figure 2. Simulation output
until the car reaches floor 2. At floor 2, the light indicator of
the request should be „low‟. While the car is at floor 2,
assume another request is made from a car button to reach B. Hardware Interfacing
floor 0. So the light indicator output of the request made
The hardware design for this research contains mainly
should become „high‟. Then again the proximity sensor
four parts; input circuit, output circuit, core of the controller
values of floor 1 and floor 0 in the input are made „high‟
(FPGA board) and plant (elevator). The major problem that
respectively. Therefore the outputs of inverter reverse and
we faced from very beginning was interfacing the FPGA
brake should be „high‟ until it reaches floor 0. At floor 0, the
inputs and outputs to the existing prototype elevator system.
light indicator of the request becomes „low‟ as previously.
Since the existing system voltages and FPGA input and
In the simulation the output is observed to verify whether
output voltage levels are different we had to design
the expected output was obtained. Fig. 2 shows the
intermediate circuits for voltage conversions. In the system,
simulation results obtained for the given input.
working voltage of the plant is 24 V DC while working
III. HARDWARE FOR CONTROLLER IMPLEMENTATION voltage level of FPGA input and output is 3.3 V DC. Thus
necessary input and output circuits were made in accordance
A. Prototype Elevator with Fig. 3.
The 24 V plant input signals are stepped down to 3.3V
For the controller implementation a prototype elevator using 4n35 optocoupler in the input circuit as the transistor in
consists of three floors was used. the optocoupler is biased when a 24 V DC signal is given
To move the elevator car up and down, main induction from the plant, so the FPGA input pin receives 3.3 V from
motor is driven in forward and reverse directions, the board itself. The advantage of using optocouplers is that
respectively, by providing two control outputs to main it isolates the 24 V system and 3.3 V system so that the
inverter. Also at the same time it is required to release the protection of the FPGA board is guaranteed. The FPGA
electric brake which activates a solenoid to provide three board generates an output for the corresponding inputs
control inputs for another inverter. according to the code developed in Verilog. The output of
the FPGA board is connected to output circuit where a relay
circuitry is used to step up 3.3 V to 24 V.

261

Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on April 09,2023 at 08:27:06 UTC from IEEE Xplore. Restrictions apply.
 IV. PROPOSED RELIABILITY IMPROVING METHODOLOGY
A. Soft Errors
Soft errors are the transient faults that affect the devices
causing a bit flip of a value stored in a memory cell so that
the error can be recovered by re-writing the correct value.
These types of faults may affect both combinatorial and
sequential logic. When considering FPGA devices, the
occurrence of soft errors is a more problematic issue since
the user-programmed functionality of an FPGA depends on
the data stored in millions of configuration latches within the
device.
Input Circuit
FPGA Board 24 V3.3 V
Plant 24 V
3.3 V
Output Circuit
3.3 V24 V
Figure 3. Hardware design
There can be two soft errors in common; Single Event
Transient (SET) and Single Event Upset (SEU). SET is a
pulse on the signal that if latched in a register produces an
erroneous value whereas SEUs may alter the logic-state of
any static memory element (latch, flip flop, or RAM cell) or
cause transient pulses in combinatorial logic paths. These
faults may corrupt the content of an application register
causing an error in the data or in the control of the running
application, implying an error in the computation. In another
case, faults may affect a configuration register, causing either
the functionality performed by a Look-Up Table (LUT) or a
routing cell between Combinatorial Logic Blocks (CLBs) to
change, resulting in a functionality alteration. While the first
situation may be recovered by a re-computation or
application reset, the second one requires a reconfiguration
of the FPGA.
The possibility of re-program the device has received a
lot of attention and improvements have been introduced to
support such a feature at run-time also, i.e., dynamically.
Furthermore, advances in the FPGA technology have come
to support re-configuration, at run-time, of only a portion of
the device, thus reducing the time necessary to re-program
the device and to avoid the necessity to halt the entire system
[5], [6].
B. Triple Module Redundancy (TMR)
TMR is a common hardware redundancy technique for
achieving fault masking properties. As discussed in [7], it
uses three replicas of the whole system as shown in the Fig.4
and adds a voter that identifies the correct result among the
three on the basis of a majority vote. TMR is used to mitigate
the effects of soft errors occurring in the memory elements
storing temporary data used during computation, as well as
in those storing the configuration bit stream. The technique
may be applied at different levels of abstraction, from the
whole system to the single component.
262
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on April 09,2023 at 08:27:06 UTC from IEEE Xplore. Restrictions apply.
C. System Requirements
The research presented in the current paper proposes a
methodology to improve the reliability of the Xilinx Spartan
FPGA based elevator controller through the knowledge of
Redundant logic 0
Redundant logic 1 Majority Voter
Redundant logic 2
Figure 4. TMR in a block diagram
TMR. Initially we identified the basic requirements of a
control system for reliable operation.
 The system should have the ability to detect the
faults in the running system
 If there is any fault in the running system the control
system should able to shift the operation to a
redundant circuit
Thus the reliability improving methodology was
developed under the constraint of earning maximum benefit
of available resources.
D. Proposed Methodology
In the proposed methodology there are three instances of
our basic code as instance A, instance B and instance C so
that three parallel processes are running simultaneously.
Fig. 5 shows the block diagram of the proposed
implementation. Since there are three instances, if an error
occurred in one instance it will only affect the specific
instance. The other two instances function properly. The
outputs of three instances are multiplexed by the mux and an
accurate instance output is connected to the actual plant
output. The process of which instance output to be connected
depends on the mux controller decision. There controller acts
as a majority voter.
Assume there is a bit error in instance A so that the
output differs from the actual one. Since the other two
instances, B and C, work properly, when the controller
compares the three outputs the majority result can be
considered as the error free actual output. Thus one of the B
and C instance outputs will be connected as the plant output.
V. RESULTS
A. Logic triplication
In implementation according to the described reliability
improving method first step undertook was triplicating the
basic code developed at initial stages. In Verilog HDL this
can be implemented by using a separate top module file. In
the top module file three instances of the code were defined
according to the following syntax.
rel #(.N(N)) rel1_A (
.reset_ins(reset),
.clk(clk),
.PROX_ins(PROX),
 .HBTNS_ins(HBTNS),
.CBTNS_ins(CBTNS),
.INV1F_ins(INV1F_A),
.INV1R_ins(INV1R_A),
.BRAKE_ins(BRAKE_A)
);

Instance A

I/P Instance B MUX O/P

Instance C
MUX Controller

Figure 5. Proposed reliability improving method

Here „rel‟ is the file name used for the basic code
whereas „rel1_A‟ is one of the instance names. „N‟ is the
Figure 6. Resource usage before triplication
parameter from the basic code which is used to change the
number of floors of the elevator as desired.
After triplication of the code, the design was observed
using one of the Xilinx ISE tools to estimate resource usage
on FPGA tiles. It can be clearly seen that logic triplication
has increased the level of resource usage but still at a
manageable level due to design simplicity.
The results obtained before triplication and after
triplication are shown in Fig. 6 and Fig. 7 respectively.
B. Verification Methodology
To validate the proposed reliability improving method
three vectors were defined as output register values of three
instances. Since the basic code generated three outputs at
each module three number of 4 bit registers were defined as
the output of each instance. The Verilog syntax is given
below.

reg[3:0] machine_A;
reg[3:0] machine_B;
Figure 7. Resource usage for logic triplication
reg[3:0] machine_C;

Then at each of the registers, bit0 is assigned as the

inverter forward signal, bit1 as the inverter reverse signal, bit
2 as the Brake signal and 3rd bit was taken as a manual input
to generate erroneous output value as shown in Fig. 8. Next,
according to the Verilog syntax shown three output vectors
from the instances A, B, and C were generated.
Then the process was carried out to check the output
register values of each module simultaneously and display if
there is an error in those outputs while the system is working
with another module. For that, firstly current working
module instance is kept at a register value.

always@* if(!fault_detect)
begin case(shift_reg)
machine_A[0] <= INV1F_A; 3'b001 : master_out <= machine_A;
machine_A[1] <= INV1R_A; 3'b010 : master_out <= machine_B;
machine_A[2] <= BRAKE_A; 3'b100 : master_out <= machine_C;
machine_A[3] <= 1; default: master_out <= machine_A;
end
Then the output is checked at real time and if there is an
error, the reg value is shifted to another module with an error
warning signal.
always@*

263

Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on April 09,2023 at 08:27:06 UTC from IEEE Xplore. Restrictions apply.
 case(shift_reg)
3'b001:fault_detect=(machine_A!=machine_B)
&&(machine_A != machine_C);
3'b010:fault_detect=(machine_B!=machine_A)
&&(machine_B != machine_C);
3'b100:fault_detect=(machine_C!=machine_A)
&&(machine_C != machine_B);
default: fault_detect = 1'b0;
endcase
always@(posedge clk)
begin
if (fault_detect)
fault <= 1; // generate the warning signal
shift_reg <= {shift_reg[1:0],shift_reg[2]};
// shift the reg. value at an error
end
Error
generating Brake Reverse Forward
bit
Figure 8. Instance output register
Finally the developed code was downloaded to Spartan 3AN
FPGA for testing and verification. An input switch in the
development board was assigned to create an error manually
in the output bit vector. Also a LED light in the
development board was used as the fault indicator. When
the plant is connected and run it can be clearly seen that the
moment an error is injected to the working instance, it
switches to one of the error free instances, showing
successfully that the design is more reliable than before.
VI. CONCLUSION
We focused on implementation and verification of a
controller for the elevator with basic functions in a
reconfigurable structure and proposing a methodology to
improve the reliability of the controller. Since the
simulations could be done not only for the prototype elevator
with three floors, but for an elevator with „N‟ number of
floors by simply changing a variable in the code, it was
easier to develop the controller in a general concept.
The verification process which was carried out on a
Spartan 3AN FPGA to a prototype elevator with three floors
revealed modifications and developments to be done in later
work. Special attention needs to be paid to improvements in
hardware circuits. In addition, further research can be done
on developing the elevator algorithm for more functions with
increased efficiency and desirable aspects.
When considering reliability improving methodology the
controller multiplexes majority output of the instances as the
actual output. If an error occurred in two instances at the
264
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on April 09,2023 at 08:27:06 UTC from IEEE Xplore. Restrictions apply.
same time the output would be an erroneous one. Also if the
plant failed to give an accurate input (e.g. sensor failure) the
reliability of the elevator controller is disturbed. Thus this
research creates many fresh ideas in a broad area to develop
and modify a reliable FPGA based reconfigurable elevator
controller.
ACKNOWLEDGMENT
We are very appreciative of the encouragement and
support given us by many people throughout the research.
Especially we would like to thank Eng. Ajith
Vidanapathirana from Kandos Chocolates Pvt Limited and
Eng. Asanga Senerath from Airport and Aviation Services
Lanka Limited for helping us and sharing their knowledge
with us. We would like to extend our thanks to Eng.Asanga
Jayawardhana from Ceylon Biscuits Limited and
Ms.Kanchana Amarasekara, instructor of the Department of
Electrical and Electronic Engineering for supporting us from
the very beginning. We also acknowledge valuable support
received from Electrical & Electronic Engineering
Department staff.
REFERENCES
[1] Michael D.Ciletti, “Advanced digital design with the VERILOG
HDL”, Prentice-hall of India ltd, India
[2] H.P.A.P. Jayawardana, H.W.K.M. Amarasekara, P.T.S.
Peelikumbura, W.A.K.C. Jayathilaka, S.G. Abeyaratne, S.D.
Dewasurendra, “ Design and implementation of a statechart based
reconfigurable elevator controller”, International Conference on
Industrial and Information Systems - ICIIS , 2011 IEEE
[3] ZHAO Yuhang, MA Muyan, “Implementation of six-layer automatic
elevator controller based on FPGA”, Wireless Communications
Networking and Mobile Computing (WiCOM), 2010 IEEE
[4] Karl Schabas, Stephen D. Brown, “Using Logic Duplication to
Improve Performance in FPGAs”, University of Toronto, Toronto,
Canada
[5] Brian Pratt, Michael Caffrey, Paul Graham, Keith Morgan, Michael
Wirthlin, “Improving FPGA Design Robustness with Partial TMR”,
Reliability Physics Symposium Proceedings, 2006 IEEE
[6] Cristiana Bolchini, Antonio Miele, Marco D. Santambrogio, “TMR
and Partial Dynamic Reconfiguration to mitigate SEU faults in
FPGAs”, International Symposium on Defect and Fault-Tolerance in
VLSI Systems-DFT '07, 2007 IEEE
[7] “XILINX Triple Module Redundancy Design Techniques for Virtex
FPGAs”, Application Note (Virtex Series)
APPENDIX
The Verilog code developed for the principle operation
of an elevator with any number of floors is given below.
Module chk2(reset,clk,PROX,HBTNS_U,HBTNS_D,
CBTNS,INV1F,INV1R,BRAKE,HLBTNS_D,HLBTNS_U,
CLBTNS);
parameter N=3;
input clk;
input reset;
input[N-1:0] PROX;
input[N-2:0] HBTNS_U;
 input[N-2:0] HBTNS_D; if (!reset) begin
input[N-1:0]CBTNS; PROX_in<= PROX ;
output INV1F; if (PROX_in>0) begin
output INV1R; if (PROX_in==BTNS_in) begin
output BRAKE;
status<= 1;
output [N-2:0]HLBTNS_U;
end
output [N-2:0]HLBTNS_D;
else if (BTNS_in>PROX_in ) begin
output [N-1:0]CLBTNS;
reg [N-1:0] status; status<= 2;
integer i; end
reg[N-1:0]BTNS; else if (BTNS_in<PROX_in&&BTNS_in!=0)
reg[N-1:0]HBTNS_in; begin
reg[N-2:0]HBTNS_U_in; status<= 3;
reg[N-2:0]HBTNS_D_in; end
reg[N-1:0]CBTNS_in; else begin
reg[N-1:0]BTNS_in; status<=0;
reg[N-1:0]PROX_in; end
reg INV1F,INV1R,BRAKE; end
reg [N-2:0]HLBTNS_U; end
reg [N-2:0]HLBTNS_D; always @(posedge clk)
reg [N-1:0]CLBTNS;
if (!reset) begin
always @(posedge clk)
case(status)
if (!reset) begin
HBTNS_U_in=HBTNS_U;
1: begin
HBTNS_D_in=HBTNS_D; INV1F_ins <=0;
HBTNS_in = HBTNS_D_in*2 + HBTNS_U_in ; INV1R_ins <=0;
CBTNS_in = CBTNS ; BRAKE_ins<=0;
if(status==1) begin end
BTNS_in <=0; 2: begin
CLBTNS <=0; INV1F_ins <=1;
HLBTNS_D <=0; BRAKE_ins<=1;
HLBTNS_U <=0;
end
end
3: begin
else begin
INV1R_ins <=1;
BTNS_in<= BTNS;
end BRAKE_ins<=1;
if(HBTNS_in> 0 || CBTNS_in> 0 ) begin end
for (i = 0 ; i < N; i=i+1) begin default: begin
BTNS[i] <= HBTNS_in[i] | CBTNS_in[i] ; INV1F_ins <=0;
HLBTNS_U <= HBTNS_U_in; INV1R_ins <=0;
HLBTNS_D <= HBTNS_D_in ; BRAKE_ins<=0;
CLBTNS <= CBTNS_in; end
end end case
end end
end
end module
always @(posedge clk)

265

Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on April 09,2023 at 08:27:06 UTC from IEEE Xplore. Restrictions apply.