Infrastructure Deep Dive — Elevator Integration

Universal Elevator
Integration

The #1 infrastructure challenge for multi-floor robotics. Every robot vendor solves this alone, poorly, for one elevator brand at a time. We solve it once, for all of them.

8+
Elevator OEMs
4
Integration Layers
1
Unified API
N+M
vs N×M

The N×M Problem

Every robot vendor builds their own proprietary elevator integration. None of them talk to each other.

Today: N × M Custom Solutions

Keenon builds E-Box — only works with Keenon robots
Aethon builds ReadyElevator — only works with TUG
Diligent builds a mechanical arm — only works with Moxi
Relay Robotics builds dry-contact I/O — only works with Relay
6 robots × 8 elevators = 48
unique integrations to build and maintain

Accelerate: N + M

Each robot vendor connects once to Accelerate API
Each elevator brand connects once via OEM adapter
Any robot can use any elevator — instantly
New vendor? One integration, access to every elevator
6 + 8 = 14
integrations total — 70% less work
Case Study — Elevator Side

Inside an Elevator Controller

The ThyssenKrupp TAC32T is a real-world traction elevator system deployed in hospitals across the US. Here's what the platform must understand.

CPUA Card

The brain. Houses the User Interface Tool (UIT) — a 2-line text display + 4 buttons for all configuration and inspector commands.

UIT Display PIN Access

IOE Card

I/O Extension. Handles door disconnect switch, safety gear switch bypass, final limit jumpers, and all hoistway device signals.

I/O Signals SAFMR LED

FWIA Card

Fire/Safety wiring interface. Controls governor overspeed bypass, hoistway safety device bypass, and machine room relay connections.

Governor MR1/MR2 Jumpers

Car Call Commands

These are the UIT commands that actually move the car. A robot platform must translate high-level requests into these controller-specific calls.

SCCB Bottom terminal landing car call
SCCT Top terminal landing car call
SCC2 Floor 2 car call
SCC(n) Floor (TOP-1) car call (3+ floor buildings)
TFR Reset faults after test completion

Safety String

If any of these signals activate, the Safety String opens and the car stops immediately. The platform must monitor and respect every one.

SAFC

Safety circuit

CST

Car safety tripped

SAFGR

Governor switch

FTSD

Final terminal slowdown

SAFCAR

Car safety gear

SAFMR

Machine room relay

SAFSP

Speed protection

NOPROG

No program

Key insight: Every elevator brand has a completely different safety architecture. The platform must abstract all of these behind a unified status API.

This is one controller, from one manufacturer. Otis, KONE, Schindler, and Hyundai each have entirely different card architectures, command sets, and safety protocols. Accelerate absorbs all of this complexity so no robot vendor ever has to.

Case Study — Robot Side

How Robots Ride Elevators Today

Keenon's E-Box is a real-world robot-elevator bridge deployed in hotels and hospitals. It's smart, proven — and locked to one vendor.

Path 1: Direct LoRa

Low latency, local control

1
Robot
Sends elevator request via LoRa radio
2
E-Box Slave
Receives command, translates to elevator signals
3
Cabin Panel
Floor button pressed via IO cable (dry contact relay)
LoRa IO Cable Direct

Path 2: Internet + LoRa

Remote management, monitoring, fleet visibility

1
Robot → WiFi
2
Keenon Cloud → Internet
3
E-Box Master → LoRa
4
E-Box Slave → IO Cable
5
Cabin Panel
WiFi Cloud LoRa IO Cable
Live System Diagram
10-Story Elevator Shaft Cross-Section
THesis HOTEL ELEVATOR SHAFT THesis Hotel Miami — Cross Section ROOF / MACHINE RM FLOOR 10 FLOOR 9 FLOOR 8 FLOOR 7 FLOOR 6 FLOOR 5 FLOOR 4 FLOOR 3 FLOOR 2 LOBBY E-BOX MASTER INTERNET Cloud 1 Master at top of shaft 220V power + internet cable LoRa Radio Signal RFID RFID RFID RFID RFID RFID RFID RFID RFID RFID 10 RFID Tags one per floor 3 ELEVATOR CAR E-BOX SLAVE READER IO Cable (red) 2 Slave on cabin top 220V power 4 RFID Reader on cabin Reads tags as cabin moves W3 ButlerBot Linen Delivery WiFi CURRENT FLOOR L IDLE
E-Box Master
E-Box Slave
RFID Tags
RFID Reader
IO Wiring

Floor Detection: RFID

RFID Tags

The robot confirms which floor the elevator cabin is on using RFID readers mounted at each landing. This is independent of the elevator controller's own position tracking — a critical redundancy for autonomous operation.

RFID Tag
Passive tag at each floor landing
RFID Reader
Mounted on E-box slave in cabin
Floor ID
Confirmed position for robot navigation

The Keenon E-Box is a well-engineered solution. But it only works with Keenon robots. If a hospital also deploys Aethon TUGs and Bear Robotics Servi bots, those vendors must each build their own elevator bridge. Accelerate replaces every vendor-specific bridge with one universal platform.

The Accelerate Abstraction Layer

One API. Every elevator. Every robot.

LAYER 1

Unified Elevator API

The single interface every robot vendor calls. requestElevator(), getStatus(), holdDoors(), releaseElevator()

LAYER 2

OEM Cloud Adapters

Translates the unified API into each manufacturer's protocol: KONE WebSocket, Otis OID Azure, ThyssenKrupp touchless API, Schindler PORT

LAYER 3

Universal Hardware Adapter

For elevators without cloud APIs. LoRa, dry-contact relay, CANopen, RFID floor detection — like the Keenon E-Box, but vendor-agnostic

LAYER 4

Mechanical Fallback

Physical button-pressing actuator for legacy elevators with no electronic integration path. Last resort, always available.

Unified Elevator API

requestElevator
(fromFloor, toFloor, robotId, priority)
Requests an elevator car. Platform selects optimal car from available bank, dispatches it, returns session ID.
getElevatorStatus
(sessionId)
Returns: car position, door state, direction, estimated arrival, safety status, occupancy.
holdDoors
(sessionId, durationMs)
Holds doors open for robot entry/exit. Auto-releases after timeout as safety measure.
releaseElevator
(sessionId)
Ends the session. Car returns to normal passenger service. Logs ride for analytics.

A Robot Rides an Elevator

End-to-end sequence: Keenon delivery robot, ThyssenKrupp TAC32T elevator, Floor 1 to Floor 3.

Robot requests elevator
requestElevator(floor: 1, destination: 3, robotId: "keenon-K7", priority: NORMAL)
Robot is at Floor 1 lobby with a pharmacy delivery. Needs to reach Floor 3 nursing station.
Platform selects optimal car
Checks elevator bank status. Car B is idle at Floor 2 — closest. Dispatches Car B to Floor 1.
Platform sends car call to ThyssenKrupp adapter
TKE Adapter → TAC32T UIT → SCCB (bottom terminal call)
The OEM adapter translates the unified API call into the TAC32T-specific SCCB command.
Elevator arrives, platform holds doors
holdDoors(sessionId: "sess-4f2a", duration: 15000)
Car B arrives at Floor 1. Platform holds doors open for 15 seconds. Robot receives "DOORS_OPEN" event.
Robot enters, RFID confirms position
Robot rolls into the car. RFID reader confirms robot is inside cabin. Floor 1 RFID tag confirms current position.
RFID: Floor 1 confirmed Robot: IN_ELEVATOR
Platform sends Floor 3 call
TKE Adapter → TAC32T UIT → SCC(3) (Floor 3 car call)
Doors close. Car travels to Floor 3. Platform monitors safety string status throughout.
Arrival — robot exits
Car arrives at Floor 3. Doors open. RFID confirms Floor 3. Robot exits and resumes autonomous navigation to nursing station.
RFID: Floor 3 confirmed
Session complete
releaseElevator(sessionId: "sess-4f2a")
Elevator returns to normal passenger service. Ride logged: 47 seconds, 2 floors, no safety events.
Software Architecture

Middleware State Machine

Every elevator ride follows a deterministic state machine. The middleware orchestrates hardware, sensors, and robot commands through 11 states — from idle to complete.

Ride Lifecycle States

IDLE
CALL_REQUESTED
WAITING_FOR_ELEVATOR
DOOR_OPEN
ENTERING
INSIDE
SELECTING_FLOOR
MOVING
ARRIVED
EXITING
COMPLETE

State Transitions

IDLE → Robot sends POST /elevator/call
CALL_REQUESTED → Relay/API triggers elevator call
WAITING → Sensor detects elevator arrival
DOOR_OPEN → LIDAR confirms safe entry path
ENTERING → Robot crosses threshold via SLAM
INSIDE → Relay selects destination floor
SELECTING_FLOOR → Floor relay activated
MOVING → RFID detects destination floor
ARRIVED → Doors open, LIDAR confirms exit clear
EXITING → Robot clears elevator threshold
COMPLETE → Session logged, return to IDLE

Sensor Inputs by State

Door Open/Close Detection
Magnetic reed switch or camera confirms door state. Triggers DOOR_OPEN and blocks ENTERING if doors closing.
Elevator Arrival Confirmation
RFID floor tag + door sensor confirms correct car at requested floor before robot approaches.
Obstacle Detection (LIDAR/Camera)
Robot’s onboard LIDAR and cameras verify safe entry/exit path. Holds if humans in doorway.
Load / Weight Sensors (Optional)
Detect if elevator is at capacity. Robot waits for next car.

Relay-Based Hardware Interface

Each elevator button is a low-voltage circuit. A relay closes the circuit to simulate a button press — wired in parallel with the physical button so both human and robot control work simultaneously.

// Relay Mapping (per elevator)
Relay 1 → Call Up
Relay 2 → Call Down
Relay 3 → Floor 1 (Lobby)
Relay 4 → Floor 2
Relay 5 → Floor 3
... up to 28 floors
Relay N → Door Open
Normally Open (NO) relay logic — power loss = relays open = elevator operates normally without robot interference.

Edge Controller

An edge device (Raspberry Pi, industrial PLC, or E-Box) receives commands from the robot middleware, controls relays, and processes sensor inputs.

API REST / MQTT from robot fleet
I/O GPIO relay control (32 channels)
RFID Floor position from shaft tags
LoRa 4G / LoRa / Ethernet / RS-485
Control Logic: Use sensors over timers for reliability. Implement retry logic for missed calls. Handle multi-elevator banks with selection logic. Always confirm door state before entry.

Fleet-Scale Coordination

30 robots. 6 elevator banks. One platform managing it all.

Priority Queuing

Code Blue / Emergency Recall
Patient Transport
Medication Delivery
Supply Delivery
Cleaning / Routine
🔄

Batching & Deadlock Prevention

Multiple robots going to the same floor? Send them in the same car. Two robots requesting opposing directions? Queue by priority, prevent elevator lock-up.

📊

Real-Time Analytics

Average wait time, rides per hour, peak demand patterns, elevator utilization, robot throughput. Data that no single-vendor solution can provide across a mixed fleet.

Why This Is a Moat

Multi-OEM

One integration per elevator brand. Every robot benefits.

Hospital Logic

Priority queuing, fire recall, infection isolation. Generic platforms can't do this.

Fleet Optimization

Cross-vendor batching, deadlock prevention, capacity management.

Full Fallback

Cloud API → hardware relay → mechanical arm. Always a path forward.

Compliance & Resilience

Safety & Failure Handling

The system must fail safely, comply with elevator codes, and handle every edge case — because a stuck robot in an elevator shaft is everyone’s problem.

COMPLIANCE

Safety Standards

ASME A17.1 Compliance
Robot integration must comply with ASME A17.1 elevator safety standards. The system cannot modify or bypass any elevator safety circuit.
Fail-Safe Design
System fails safely without interfering with elevator operation. Normally Open (NO) relay logic means power loss = no robot control = elevator works normally for humans.
Human Priority
Human users always have priority over robot commands. Physical button presses override relay commands. Robots yield to occupied elevators.
Emergency Override
Fire service, maintenance mode, and emergency recalls always override robot control. System detects these modes and enters safe shutdown automatically.
RESILIENCE

Failure Modes & Recovery

Elevator does not arrive
Retry call after timeout. 3 failed retries → escalate to fleet manager, try alternate elevator in bank.
Doors close during entry
LIDAR detects closing doors. Robot aborts entry and reverses immediately. Re-triggers door open relay.
Elevator full
Load sensor or camera detects occupancy. Robot waits for the next available car. Queue position maintained.
Wrong elevator arrives
RFID + direction verification before entering. Mismatch → robot holds position and waits for correct car.
Network failure
Cloud path down → fall back to direct LoRa. LoRa down → robot enters safe shutdown, alerts fleet manager. Elevator continues normal operation.

Elevator Call API

Request
POST /elevator/call
{
"floor": 3,
"direction": "up",
"robotId": "keenon-w3-042",
"priority": "supply"
}
State Machine Lifecycle
1. Robot sends call → CALL_REQUESTED
2. Middleware triggers relay → WAITING_FOR_ELEVATOR
3. Door sensor confirms open → DOOR_OPEN
4. LIDAR clears path → ENTERING
5. Robot inside, door closes → INSIDE
6. Floor relay fires → SELECTING_FLOORMOVING
7. RFID confirms floor → ARRIVED
8. Robot exits → EXITINGCOMPLETE
Real-World Deployment

E-Box Installation Guide

Step-by-step hardware installation from the Keenon manufacturer's deployment manual. This is what it actually takes to bridge a robot fleet to an elevator.

1

Tools & Hardware Preparation

Hardware Kit

  • E-box Master unit
  • E-box Slave unit
  • T-BOX (configuration terminal)
  • RFID tags (one per floor)
  • RFID Reader (cabin-mounted)
  • Elevator Control Kit + 3x 12V 2A Power Adaptors
  • IO wiring cables (8 cable harnesses, 4 channels each)

Additional Tools

  • Windows 10 computer
  • USB flash drive
  • RJ45 Internet Cable (1m)
  • RJ11 Analog Telephone Cable (1m)
  • Power cable
  • Micro USB cable
  • Frosted film (if needed)
2

Physical Installation

A

E-box Master → Top of Elevator Shaft

Mount the E-box Master unit at the top of the elevator shaft, secured to the shaft structure. This is the cloud gateway.

Requires: 220V power Requires: Internet cable (RJ45)
Connection: Internet cable runs from E-box Master to building network for cloud connectivity. LoRa antenna communicates down the shaft to the Slave unit on the cabin.
B

E-box Slave → Top of Elevator Cabin

Mount the E-box Slave unit on top of the elevator cabin. This unit receives LoRa commands and controls the cabin panel via IO cables.

Requires: 220V power IO cables to cabin panel
Key detail: The Slave sits on the moving cabin — it rides up and down with the elevator. LoRa signal must penetrate through the shaft to reach the Master at the top.
C

RFID Tags → Shaft Wall (Every Floor)

Fix one RFID tag on the shaft wall at each floor level. Mount the RFID Reader on top of the cabin.

How it works: As the cabin passes each floor, the RFID Reader on top of the cabin passes in front of the RFID tag on the shaft wall. The reader detects which floor the cabin is at and reports position to the E-box Slave.
D

LoRa Antennas → Master & Slave (Parallel Orientation)

Both E-box units have LoRa antennas (black stub on top). These must be oriented parallel to each other for reliable signal through the elevator shaft.

Critical: The elevator shaft is a metal enclosure. LoRa signal propagation depends on antenna alignment. Parallel placement ensures maximum signal strength between Master (shaft top) and Slave (cabin top).
3

IO Cable Wiring — E-box Slave to Cabin Panel

Box logic: NO (Normally Open) — the E-box activates relay contacts to simulate button presses on the cabin panel.

The E-box Slave has 32 IO channels across 8 cable harnesses (4 channels per cable), supporting up to 28 floors + door open.

IO Port Function IO Port Function
1 Door Open 2 Reserved (0)
3 Normally Open 4 Normally Closed
5 Floor 1 6 Floor 2
7 Floor 3 8 Floor 4
9 Floor 5 10 Floor 6
11 Floor 7 12 Floor 8
13–16 Floors 9–12 17–20 Floors 13–16
21–24 Floors 17–20 25–28 Floors 21–24
29–32 Floors 25–28 Max: 28 floors + door
E-BOX physical ports: RJ45 (network), RS-485 (serial), FLOOR (indicator), USB (config), DC power input. IO cables connect via labeled cable harness groups (1–8).
4

Two Wiring Solutions

Solution 1 Simpler

IO Cable → Cabin Panel Buttons

Connect IO cables directly to the back of cabin panel buttons. The E-box relay contacts parallel the physical button press — electrically identical to a passenger pressing the button.

+ Non-invasive — doesn't touch elevator controller
+ Easy to install and verify
Requires access to back of panel
E-box Slave → IO Cable → Button Terminals → Cabin Panel
Solution 2 More integrated

IO Cable → Lift Control Board

Connect IO cables directly to the lift control board's terminal strip. Bypasses the cabin panel entirely and interfaces with the elevator controller PCB.

+ More reliable — direct controller access
+ Works even if panel buttons are modified
Requires elevator technician to wire
E-box Slave → IO Cable → Terminal Strip G → Lift Control Board
Both solutions require: 100–240V power adapter to E-box Slave, LoRa antenna for Master/Slave communication, RFID sensor for floor detection, floor label on shaft wall. Data cables (groups 1–8) carry floor call signals from E-box to the elevator system.
5

Complete System Topology

// Keenon E-Box Elevator Integration — Physical Layout
TOP OF SHAFT
  ┌─────────────────┐    ┌───────────┐
  │  E-BOX MASTER  │───>│  Internet  │───> Cloud
  │  220V + RJ45    │    │  Cable     │
  └────────┬────────┘    └───────────┘
           │ LoRa (parallel antennas)
  ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─ ─ ─ SHAFT WALL ─ ─ ─
           │
  [RFID]   │    Floor N
  [RFID]   │    Floor N-1
  [RFID]   │    Floor N-2
           │
TOP OF CABIN
  ┌─────────┴────────┐    ┌─────────────┐
  │  E-BOX SLAVE   │<──>│ RFID READER
  │  220V power     │    │ (reads tags) │
  └────────┬────────┘    └─────────────┘
           │ IO Cables (8 harnesses, 32 channels)
           │
  ┌────────┴────────┐
  │  CABIN PANEL   │    // Solution 1: wire to buttons
  │  (or Control    │    // Solution 2: wire to controller PCB
  │   Board)        │
  └─────────────────┘
  ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ LOBBY FLOOR ─ ─ ─ ─
  ┌─────────────────┐    LoRa (direct) or
  │     ROBOT      │<──> WiFi → Cloud → Master (cloud path)
  │  4G/WiFi       │
  └─────────────────┘
Direct Path (LoRa)
Robot → Slave → Panel
~200ms latency
Cloud Path (WiFi+LoRa)
Robot → Cloud → Master → Slave → Panel
~800ms latency
Floor Detection
RFID tag on wall ↔ Reader on cabin
Precise floor position
Implementation Blueprint

The Software Stack

Building a universal elevator integration platform requires software at every layer — from firmware running inside an elevator shaft to a cloud dashboard showing live ride status. Here’s the full technology map.

System Architecture — Bottom to Top

LAYER 1 Edge Firmware & Hardware

The code that runs on the physical devices inside the elevator shaft. Controls relays, reads sensors, communicates via radio.

ESP32 / STM32 FreeRTOS LoRa SX1262 RFID ISO 14443 GPIO Relays OTA Updates C / Rust
LAYER 2 Edge Gateway

A small computer in the building that bridges hardware to the cloud. Runs the state machine locally so rides continue even if the internet drops.

Raspberry Pi / PLC Python + asyncio Mosquitto MQTT Docker WireGuard VPN ChirpStack LoRa
LAYER 3 Middleware & State Machine

The brain of every elevator ride. Tracks the 11-state lifecycle, enforces safety rules, handles retries and timeouts, and coordinates with sensors at each step.

TypeScript + XState v5 Redis Streams Temporal.io PostgreSQL NATS JetStream
LAYER 4 API Gateway & Cloud Services

The single API that every robot vendor calls. Handles authentication, rate limiting, fleet coordination, and routes commands to the correct elevator adapter.

FastAPI / Hono REST + WebSocket + gRPC JWT Auth EMQX MQTT Redis Priority Queue
LAYER 5 Elevator OEM Adapters

A plugin for each elevator manufacturer that translates our universal API into the brand’s specific protocol. This is the key to N+M — add one adapter per brand, and every robot gets access.

KONE WebSocket Otis Azure IoT ThyssenKrupp REST Schindler PORT mTLS Generic Relay Fallback
LAYER 6 Dashboard & Monitoring

Real-time visibility into every elevator, every robot, and every ride. Building managers see queue status. Engineers see LoRa signal strength and relay timing.

Next.js 15 Tailwind + shadcn/ui D3.js Live Viz Grafana + Prometheus Sentry

Edge Firmware

The code inside the shaft

The E-Box Master and Slave each run real-time firmware on microcontrollers. Think of it like the software on a smart thermostat — small, fast, and it must never crash.

ESP32-S3 or STM32H7
Microcontroller with WiFi, BLE, and enough power to run LoRa radio + relay control simultaneously. Industrial temperature range for elevator shafts.
FreeRTOS / Zephyr
Real-time operating system. Guarantees relay activation within 10ms of receiving a command — critical when holding elevator doors open for a robot.
LoRa Radio (Semtech SX1262)
Long-range, low-power radio that penetrates concrete and steel elevator shafts. Master and Slave communicate wirelessly through the shaft.
Over-the-Air Updates
MCUboot bootloader enables remote firmware updates without climbing to the top of the shaft. Signed updates prevent tampered code from running.

State Machine Engine

The brain of every ride

Every elevator ride follows 11 deterministic states. The state machine ensures the robot never enters a moving elevator, never gets stuck between floors, and always has a recovery path.

XState v5 (TypeScript)
Formal statechart library. Every state, transition, and guard condition is defined in code — making it testable, debuggable, and provably safe.
Temporal.io (Durable Workflows)
Handles the “what if the server restarts mid-ride?” problem. Workflows survive crashes and resume exactly where they left off.
Redis Streams (Event Bus)
Sensor events (door opened, RFID read, floor reached) flow through Redis Streams to trigger state transitions in real time.
PostgreSQL (Audit Trail)
Every state transition is logged with timestamp, trigger, and sensor data. Required for ASME A17.1 compliance and debugging.

API & Fleet Coordination

One API for every robot

Robot vendors integrate once with our API. The fleet engine decides which elevator to send, handles priority queuing, and prevents 30 robots from calling the same car.

FastAPI / Hono (API Gateway)
REST endpoints for elevator calls, WebSocket for real-time ride status, gRPC for internal service-to-service communication.
Priority Queue (Redis Sorted Sets)
Emergency patient transport outranks linen delivery. Code Blue recalls override everything. Queue maintains fairness within each priority tier.
EMQX MQTT Broker
The messaging backbone. Robots publish requests, elevators publish status, and the fleet engine subscribes to both. Handles 10,000+ concurrent connections.
Robot Vendor SDK
Published packages for npm, PyPI, and ROS 2. A Keenon robot and an Aethon TUG call the same requestRide() function.

Elevator OEM Adapters

Speak every elevator’s language

Each elevator brand has its own proprietary protocol. Our adapter layer translates our universal commands into the specific format each manufacturer expects.

KONE WebSocket API — real-time bidirectional communication
Otis Azure IoT Hub — Microsoft cloud integration (OID platform)
ThyssenKrupp REST API — touchless dispatch with TAC32T controller commands
Schindler PORT Technology — mTLS certificate-based destination dispatch
Mitsubishi MELIPnet serial — RS-485 proprietary protocol (NDA required)
Legacy Direct relay hardware — no cloud API needed, just wires
The adapter pattern: Every adapter implements the same interface — callElevator(), getStatus(), holdDoors(), release(). Add a new elevator brand by writing one adapter. Every robot vendor benefits instantly.

Dashboard & Monitoring

See everything in real time

Building managers see a simple map of which robots are riding which elevators. Engineers see LoRa signal strength, relay latency, and RFID read rates. Both get alerts when something goes wrong.

Next.js 15 + Tailwind
Fast, modern web dashboard with the same design language as this website. Server-rendered for instant loads, WebSocket-connected for live updates.
Live Building Visualization
Interactive SVG building cross-section (like the animated diagram above) showing real elevator positions, robot locations, and active rides.
Grafana + Prometheus
Time-series metrics: rides per hour, average wait times, peak demand patterns, elevator utilization heatmaps. Alerts if hardware goes offline.
OpenTelemetry Tracing
Follow a single ride from API call → state machine → relay activation → sensor confirmation. Essential for debugging “why did this ride take 90 seconds?”

Security & Infrastructure

Hospital-grade reliability

Elevator control in a hospital is safety-critical infrastructure. The stack is designed for zero-trust security, encrypted communications, and survivability when things fail.

TLS 1.3 + mTLS Everywhere
All connections encrypted. Device-to-cloud uses mutual TLS — each E-Box has a unique X.509 certificate. No spoofing, no eavesdropping.
Ed25519 Firmware Signing
Over-the-air updates are cryptographically signed. The bootloader rejects any firmware not signed by our key — preventing malicious code injection.
Network Isolation
Elevator control traffic runs on an isolated VLAN with WireGuard tunnels. Completely separated from hospital guest WiFi and patient data networks.
Immutable Audit Log
Append-only PostgreSQL log of every command, state change, and safety event. Required for ASME A17.1 compliance. Cannot be modified or deleted.

Communication Protocols

The system uses multiple communication channels with automatic failover. If the primary path goes down, the next one picks up — all the way to a hardwired fallback.

1
OEM Cloud API
WebSocket / REST / Azure IoT
Preferred — Modern Elevators
2
MQTT over WiFi/4G
EMQX broker, pub/sub messaging
Robot ↔ Platform Communication
3
LoRa Direct Radio
Sub-GHz, penetrates shafts
No Internet Required
4
RS-485 Serial
Hardwired, zero latency
Last-Resort Fallback

Data Architecture

Different types of data need different storage engines. Hot state lives in memory for speed. Ride history goes to a relational database for querying. Time-series telemetry goes to a specialized store for trend analysis.

RELATIONAL
PostgreSQL 16
The source of truth for ride logs, robot registry, elevator configuration, building layouts, and the immutable audit trail.
robots • elevators • buildings • rides • state_transitions • safety_events
CACHE
Redis 7
In-memory store for real-time state. Current ride positions, priority queues, session tokens, and pub/sub event streaming.
Sorted Sets • Streams • Pub/Sub • Key-Value
TIME-SERIES
TimescaleDB
Optimized for sensor telemetry over time. LoRa signal strength trends, ride duration patterns, peak demand analysis, utilization heatmaps.
ride_duration • lora_rssi • rfid_reads • relay_latency

Build Roadmap

We don’t need all of this on day one. The stack is designed to start simple and scale. Each phase adds capabilities while the previous phase continues operating.

1
Proof of Concept
The Thesis Hotel, Miami
  • ESP32 firmware with LoRa + relay control
  • Python state machine on Raspberry Pi
  • REST API (FastAPI) on Railway
  • PostgreSQL + Redis
  • Basic Next.js dashboard
2
Production Single-Building
Hardened for 24/7 operation
  • OTA firmware updates + watchdog
  • TypeScript state machine with XState
  • EMQX MQTT broker
  • Prometheus + Grafana monitoring
  • Robot vendor SDK (npm + PyPI)
3
Multi-Building Scale
Multiple hospitals, multiple OEMs
  • Kubernetes deployment
  • OEM cloud adapters (KONE, Otis)
  • Fleet coordination engine
  • Multi-tenant dashboard
  • TLA+ formal safety verification
4
Platform
The universal elevator OS
  • Marketplace for OEM adapter plugins
  • Self-service building onboarding
  • Analytics-as-a-service for hospital ops
  • ROS 2 native SDK
  • Humanoid robot support

Ready to Go Deeper?

Explore the full V1 architecture or get in touch to discuss elevator integration partnerships.

Full Architecture Plan → Get in Touch