CN111788139A - Elevator safety control device - Google Patents
Elevator safety control device Download PDFInfo
- Publication number
- CN111788139A CN111788139A CN201880088986.9A CN201880088986A CN111788139A CN 111788139 A CN111788139 A CN 111788139A CN 201880088986 A CN201880088986 A CN 201880088986A CN 111788139 A CN111788139 A CN 111788139A
- Authority
- CN
- China
- Prior art keywords
- safety control
- function
- task
- group
- execution
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B66—HOISTING; LIFTING; HAULING
- B66B—ELEVATORS; ESCALATORS OR MOVING WALKWAYS
- B66B5/00—Applications of checking, fault-correcting, or safety devices in elevators
- B66B5/02—Applications of checking, fault-correcting, or safety devices in elevators responsive to abnormal operating conditions
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/05—Programmable logic controllers, e.g. simulating logic interconnections of signals according to ladder diagrams or function charts
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/48—Program initiating; Program switching, e.g. by interrupt
Abstract
The elevator safety control device can execute a plurality of functions in a multitasking mode, and when an abnormality is detected by the safety control function or the self-diagnosis function, the execution of the task of the self-diagnosis function is interrupted, and safety transfer processing corresponding to the abnormality detected within the execution time span of the interrupted task is executed. Further, when an abnormality is newly detected during execution of the secure migration processing and priority of the secure migration processing corresponding to the newly detected abnormality is higher than priority of the secure migration processing, execution of the secure migration processing is interrupted and the secure migration processing corresponding to the newly detected abnormality is executed.
Description
Technical Field
The present invention relates to an elevator safety control device, and more particularly to an elevator safety control device providing a plurality of safety control functions.
Background
In a conventional elevator safety control device, when a plurality of safety control functions are provided, it is necessary to prepare devices or boards in accordance with the number of safety control functions. For example, in patent document 1, each device is provided with a logic Unit including a CPU (central processing Unit) and a memory.
The technique of patent document 1 includes a monitoring board as a monitoring unit that monitors a position and a speed of an elevator car, and a brake control board as a brake control unit that controls a brake device when performing the 2 nd braking operation. That is, the technique of patent document 1 has two safety control functions, and devices or boards on which the logic portions are formed are provided for each number of safety control functions.
Documents of the prior art
Patent document
Patent document 1: international publication No. 2007/057973
Disclosure of Invention
Problems to be solved by the invention
In the technique of patent document 1, since devices or boards corresponding to the number of safety control functions are required, the cost is high. However, if a plurality of safety control functions are mounted on only one device or board, when an abnormality is detected by one safety control function and the safety transfer process is executed, the execution of the other safety control function is interrupted, and there is a possibility that a problem occurs in the safety control of the entire elevator. In other words, the independence of the plurality of safety control functions cannot be ensured.
The present invention has been made to solve the above-described problems, and an object thereof is to provide an elevator safety control device capable of ensuring independence of a plurality of safety control functions.
Means for solving the problems
In order to achieve the above object, an elevator safety control device according to the present invention is an elevator safety control device capable of executing a plurality of functions in a multitasking manner, the elevator safety control device including: an arithmetic processing unit that repeatedly executes processing at a predetermined cycle; and a scheduler that allocates task execution times to the arithmetic processing unit in each cycle, wherein the plurality of functions executed by the arithmetic processing unit are classified into a1 st group including the safety control function, a2 nd group including the self-diagnosis function, and a 3 rd group including the non-safety control function, the scheduler allocates execution times to tasks of at least one function from the 1 st group and the 2 nd group in each cycle, and allocates remaining execution times to tasks of functions included in the 3 rd group, and when an abnormality is detected by the safety control function or the self-diagnosis function, the arithmetic processing unit interrupts execution of tasks of the functions included in the 2 nd group, and executes a safety transition process corresponding to the detected abnormality within an execution time span of the interrupted task.
Effects of the invention
In an elevator safety control device according to the present invention, a plurality of functions can be executed in a multitasking manner, and the plurality of functions are classified into a1 st group including a safety control function, a2 nd group including a self-diagnosis function, and a 3 rd group including a non-safety control function, and when an abnormality is detected by the safety control function or the self-diagnosis function, execution of a task of the function included in the 2 nd group is interrupted, and a safety transfer process corresponding to the detected abnormality is executed within an execution time span of the interrupted task, whereby independence of the plurality of safety control functions can be ensured.
Drawings
Fig. 1 is a diagram showing the structure of an elevator according to embodiment 1 of the present invention.
Fig. 2 is a diagram showing a hardware configuration of an elevator safety control device according to embodiment 1 of the present invention.
Fig. 3 is a diagram showing a functional configuration of an elevator safety control device according to embodiment 1 of the present invention.
Fig. 4 is a flowchart illustrating the security transition process according to embodiment 1 of the present invention.
Fig. 5 is a diagram showing example 1 of scheduling according to embodiment 1 of the present invention.
Fig. 6 is a diagram showing a2 nd example of scheduling in embodiment 1 of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the drawings. However, the embodiments described below are merely examples, and the present invention is not limited to these embodiments.
Fig. 1 is a diagram showing a structure of an elevator apparatus 100 according to embodiment 1 of the present invention. In fig. 1, a car 1 and a counterweight 2 are suspended in a hoistway by suspension means 3. The suspension unit 3 comprises a plurality of ropes or belts.
A hoisting machine 4 for raising and lowering the car 1 and the counterweight 2 is provided at a lower portion in the hoistway. The hoisting machine 4 includes: a drive sheave 5 around which the suspension unit 3 is suspended; a hoisting machine motor (not shown) that generates a drive torque to rotate the drive sheave 5; a hoisting machine brake 6 as braking means for generating a braking torque to brake the rotation of the drive sheave 5; and a hoisting machine encoder 7 that generates a signal corresponding to the rotation of the drive sheave 5.
As the hoisting machine brake 6, for example, an electromagnetic brake device is used. When braking is performed by the electromagnetic brake device, the brake shoe is pressed against the braking surface by the elastic force of the brake spring to brake the rotation of the drive sheave 5, thereby braking the car 1. When the electromagnetic brake device is released from braking, the electromagnet is excited to separate the brake shoe from the braking surface, thereby releasing the braking force. In addition, the braking force applied by the hoisting machine brake 6 varies according to the value of the current flowing through the brake coil of the electromagnet.
The car 1 is provided with a pair of car suspension sheaves 8a and 8 b. The counterweight 2 is provided with a counterweight hanging wheel 9. Car return sheaves 10a and 10b and a counterweight return sheave 11 are provided in the upper part of the hoistway. One end of the suspension unit 3 is connected to a1 st rope hitch 12a provided in an upper part of the hoistway. The other end of the suspension unit 3 is connected to a2 nd head unit 12b provided in the upper part of the hoistway.
The suspension unit 3 is suspended around the car suspension wheels 8a and 8b, the car return sheaves 10a and 10b, the drive sheave 5, the counterweight return sheave 11, and the counterweight suspension wheel 9 in this order from one end side. That is, the car 1 and the counterweight 2 are moved by the "2: 1 roping ratio "is suspended in the hoistway.
A speed limiter 14 is provided in an upper portion of the hoistway. The speed governor 14 includes a speed governor sheave 15 and a speed governor encoder 16, and the speed governor encoder 16 generates a signal corresponding to the rotation of the speed governor sheave 15. A governor rope 17 is wound around the governor sheave 15. Both ends of the governor rope 17 are connected to an operation lever (not shown) of an emergency stop device mounted on the car 1. The lower end of the governor rope 17 is wound around a tension sheave 18 disposed in the lower portion of the hoistway. When the car 1 is raised and lowered, the governor rope 17 circulates and rotates the governor sheave 15 at a rotation speed corresponding to the running speed of the car 1.
An upper reference position switch 19a for detecting the position of the car 1 is provided at an upper portion in the hoistway. A lower reference position switch 19b for detecting the position of the car 1 is provided at a lower portion in the hoistway. The car 1 is provided with a switch operating member, such as a cam, for operating the reference position switches 19a and 19 b.
A car door switch 20 for detecting the opening and closing of a car door is provided above the car 1. Landing doors switches (not shown) for detecting the opening and closing of the landing doors are provided at the landings of each floor. In addition, a plurality of floor plates 21a to 21c are provided in the hoistway, and the floor plates 21a to 21c are used to detect that the car 1 is located at a position where passengers can safely get in and out of the car 1, that is, that the car 1 is located in the door area. The car 1 is provided with a leveling sensor 22 for detecting the leveling plates 21a to 21 c.
The hoisting machine encoder 7, the governor encoder 16, the reference position switches 19a and 19b, the car door switch 20, the landing door switch (not shown), and the leveling sensor 22 are sensors that generate signals corresponding to the state of the car 1.
A control panel 23 is provided in the hoistway. The control panel 23 is provided with a drive control unit 24 as an operation control unit and an elevator safety control device 25. The elevator safety control device 25 can control the stop of the car 1.
In an elevator apparatus, monitoring and control are performed on a system based on a plurality of viewpoints to ensure safety. Therefore, a plurality of safety control functions are installed in the elevator safety control device 25 to perform each monitoring and control. That is, the elevator safety control device 25 implements safety control of the elevator device from a plurality of viewpoints by executing calculations relating to a plurality of safety control functions in separate programs. Further, as specific examples of the safety control function, there are a door open travel protection function, an overspeed monitoring function, a maintenance switching function, a safety communication function, and the like.
The drive control unit 24 controls the operation of the hoisting machine 4, that is, the operation of the car 1. The drive control unit 24 controls the traveling speed of the car 1 based on a signal from the hoisting machine encoder 7.
The door-open drive protection function determines whether the car 1 is in the landing position based on the signal from the leveling sensor 22. The door open travel protection function determines the open/closed state of the car door and the landing door based on signals from the car door switch 20 and the landing door switch (not shown). The door open travel protection function determines whether or not the car 1 is traveling based on a signal from the hoisting machine encoder 7.
The open-door travel protection function detects a state in which at least one of the car door and the landing door is open although the car 1 does not reach the landing position, and a state in which at least one of the car door and the landing door is open although the car 1 is traveling, and outputs a braking operation command. That is, when the door-open travel protection function detects the door-open travel state, the traction machine brake 6 brakes the drive sheave 5 and stops the traction machine motor, thereby forcibly stopping the car 1.
Signals from the governor encoder 16 and the reference position switches 19a and 19b are input to an overspeed monitoring function as one of the safety control functions. The overspeed monitoring function determines the position and speed of the car 1 independently of the drive control section 24 based on signals from the governor encoder 16 and the reference position switches 19a and 19b to monitor whether the speed of the car 1 reaches a predetermined overspeed level.
In addition, the overspeed level is set to an overspeed monitoring mode that varies depending on the position of the car 1. When the speed of the car 1 reaches an overspeed level, the overspeed monitoring function brakes the drive sheave 5 by the hoisting machine brake 6 and stops the hoisting machine motor, thereby forcibly stopping the car 1.
The maintenance switching function disables the automatic operation when it is detected that a maintenance worker enters the hoistway for spot inspection by detecting an operation of a switch for detecting opening of a door for spot inspection or assembling of an armrest on the car. When the overtravel is detected by a position switch provided at a limit position in the hoistway, the elevator car 1 is stopped, and the lift stroke is limited during the spot inspection operation. The return to the automatic operation is performed by a return switch provided outside the hoistway.
The drive control unit 24 and the elevator safety control device 25 have independent microcomputers. The functions of the drive control unit 24 and the elevator safety control device 25 are realized by these microcomputers. The calculations of various safety control functions, i.e., the door-open travel protection function, the overspeed monitoring function, and the like, installed in the elevator safety control device 25 are executed by separate programs. Further, a maintenance function such as log collection, and an unsafe function such as operation control such as response to call assignment are also executed.
In the present application, the elevator safety control device 25 is referred to by the same name, although it is referred to by different names such as "elevator safety control device" and "safety control board".
In the above configuration, a plurality of safety control functions are installed in one elevator safety control device 25. However, as described above, if a plurality of safety control functions are installed in only one elevator safety control device 25, when an abnormality is detected by one safety control function and a safety transfer process is executed, the execution of the other safety control functions may be interrupted, which may cause a problem in the safety control of the entire elevator. In other words, the independence of the respective safety control functions cannot be ensured. Therefore, it is necessary to ensure the independence of the plurality of safety control functions so that each safety control function does not affect the other safety control functions.
In the present invention, the independence of the plurality of safety control functions is ensured by assigning execution times to the tasks of the plurality of safety control functions, respectively, and executing the plurality of safety control functions in a multitask manner by using a task scheduling (scheduling) function for time division (time division).
Fig. 2 shows a hardware configuration of the elevator safety control device 25. The elevator safety control device 25 includes an I/O, i.e., input/output unit 30, a CPU31, a ROM32 as a nonvolatile memory, a RAM33 as a volatile memory, a1 st timer 34 and a2 nd timer 35, and a memory protection means 36. In other words, the input/output unit 30, the CPU31, the ROM32, the RAM33, the 1 st and 2 nd timers 34 and 35, and the memory protection unit 36 are mounted on one safety control board 25.
A plurality of programs for executing the safety control function and the non-safety control function are stored in the ROM 32. The CPU31 reads out programs from the ROM32, expands them on the RAM33, and executes them while storing temporary data in the RAM 33.
In fig. 2, the input/output unit 30 is connected to an external component (not shown) of the safety control board 25.
The input/output unit 30 receives a signal related to the elevator state. As described above, various switches 19a, 19b are present in order to monitor and detect the state of the elevator. Similarly, various sensors including the governor encoder 16 are provided to monitor and detect the state of the elevator. The input/output unit 30 receives signals from the switches and the sensors, that is, signals relating to the state of the car 1.
The input/output unit 30 counts and digitizes pulse signals including encoder signals. The input/output unit 30 also compares the input signals that have been duplexed with each other, and compares the input signals with a signal from a reference sensor (not shown). When the result of the comparison in the input/output unit 30 is that a mismatch is detected, the CPU31 constituting the logic unit is notified of the mismatch.
The CPU31 reads signals from the sensors and the switches as input values via the input/output unit 30, and performs a plurality of calculations necessary for safety control relating to the elevator. That is, the CPU31 executes calculations relating to a plurality of safety control functions by independent programs based on input values from the sensors and the switches. Thereby achieving safety control of the elevator.
Further, these configurations can be multiplexed, and a failure can be detected by comparing the respective systems.
Further, the input signal may be acquired via a network. In this case, in order to detect an abnormality of the network, a check based on the transmission/reception address, the serial number, the error detection code, the reception monitoring timer (not shown), and the like is performed in the program. In the invention of the present application, these processes are classified into a secure communication function.
In the elevator safety control device 25, the CPU31 repeatedly executes processing at predetermined cycles. The task execution time to the CPU31 in each cycle is allocated by the scheduler 37 (see fig. 3). The scheduler 37 of the present embodiment is installed by software.
The scheduler 37 manages the functions performed by the CPU31 by dividing them into 3 groups. Group 1 includes various security control functions including the above-described security communication function. Group 2 contains self-diagnostic functions and secure transfer processes. Group 3 contains other non-safety control functions. In fig. 3, the safety control function, the self-diagnosis function, the safety transfer process, and the non-safety control function are represented as a safety control program 41, a self-diagnosis program 42, a safety transfer program 43, and a non-safety control program 44, respectively.
In each cycle, the scheduler 37 preferentially allocates the execution time of the CPU31 to the tasks of the functions included in the 1 st and 2 nd groups, and allocates the remaining execution time to the tasks of the functions included in the 3 rd group. Therefore, depending on the situation, the execution time may not be allocated to the task of the function included in group 3.
The safety schedule information 51 stores the execution sequence and predetermined time of each safety control function included in the 1 st group. The scheduler 37 allocates execution times to tasks of various safety control functions based on the safety scheduling information 51.
The safety shift schedule information 52 stores various self-diagnostic functions included in the group 2, and the execution sequence and predetermined time of the safety shift process. The scheduler 37 allocates execution times to the tasks of the various self-diagnostic functions and the secure migration processing based on the secure migration scheduling information 52.
The non-safety schedule information 53 stores the execution sequence and predetermined time of the various non-safety control functions included in group 3. The scheduler 37 allocates execution time to tasks of various non-safety control functions based on the non-safety scheduling information 53.
When a task of a certain safety control function starts to be executed in a certain cycle in accordance with the allocation of the scheduler 37, the execution time of the task is monitored by the 1 st timer 34 set to a predetermined time of the safety control function. The monitoring time of the 1 st timer 34 is variable and is set for each function. As the 1 st Timer 34, for example, a watchdog Timer (Watch Dog Timer) with a variable time window may be used.
When the execution of the task of the safety control function has ended normally, the task switching process, that is, the process of returning the execution state of the functional task to the execution state of the next functional task by avoiding the execution state of the functional task is performed within a predetermined time of the 1 st timer 34, and the execution of the task of the next safety control function is started in accordance with the scheduling of the scheduler 37.
When the execution of the task of the safety control function included in group 1 assigned to a certain cycle is finished, the execution of the task of the self-diagnosis function included in group 2 is started. At this time, also in the case of the self-diagnosis function, the execution time of the task is monitored by the 1 st timer 34 set to a predetermined time, as in the case of the safety control function.
When the 1 st timer 34 detects that the predetermined time has elapsed, the execution of the tasks of the safety control function and the self-diagnosis function is interrupted. When the interruption of execution occurs a predetermined number of times, the corresponding secure transfer process is executed.
When the execution of the task of the self-diagnosis function included in the group 2 is completed, the execution of the task of the non-safety control function included in the group 3 is started according to the schedule determined by the scheduler 37 based on the non-safety schedule information 53. However, in this case, the 1 st timer 34 does not monitor the execution time.
Further, the CPU31 monitors the execution time of the entire cycle by the 2 nd timer 35. The monitoring time of the 2 nd timer 35 is fixed and is set according to the cycle time. As the 2 nd timer, for example, a watchdog timer with a fixed time window may be used.
When the 2 nd timer 35 detects that the cycle time due to the task of the safety control function exceeds, the corresponding safety transfer process is executed. When the 2 nd timer 35 detects that the cycle time due to the task of the non-safety control function exceeds, the execution of the task is interrupted and the cycle shifts to the next cycle.
When detecting that the cycle time due to the safety shift processing has exceeded, the CPU31 immediately stops the hoisting machine 4 and performs a braking operation.
In addition, during execution of a task of a certain function, the memory protection unit 36 restricts access to a memory area used by a task of another function, that is, restricts reading from and writing to the memory. For each function, an accessible memory range is set in advance, and when an access exceeding the memory range is to be performed, a memory access violation is detected by the memory protection unit 36.
Direct access is prohibited for input and output, and similar protection is performed via the input and output memory. In addition, when a memory access violation is detected, for example, a secure transfer process of "nearest floor stop" is executed.
(safety transfer processing)
Next, the details of the safety transfer process in the elevator safety control device 25 according to embodiment 1 of the present invention will be described. The ROM32 of the elevator safety control device 25 stores a plurality of safety transfer process execution programs corresponding to the types of elevator abnormalities, that is, the safety transfer program 43 and the safety transfer priority 54 for which the priority of each safety transfer process is determined.
For example, when the position information of the overspeed monitoring function is lost due to a sensor failure or the like, the CPU31 performs "speed limitation" for limiting the maximum speed during the full trip as the safety shift processing.
When a slight arithmetic abnormality such as the above-described memory access violation is detected, the CPU31 performs a "nearest floor stop" that instructs the drive device to stop at the nearest floor and completely stop the car 1 after a certain time as a safety transfer process.
When a serious abnormality such as the above-described exceeding of the predetermined time, the exceeding of the cycle time, or the door open running is detected, the CPU31 performs "emergency stop" in which the hoisting machine 4 is immediately stopped and the braking operation is immediately performed as the safety shift processing.
In this case, the priority of the safety transfer process is in the order of "emergency stop", "nearest floor stop", and "speed limit". In other cases where secure transfer processing is required, the priority may be appropriately determined additionally.
Fig. 4 shows a flowchart of the safety transfer process in the elevator safety control device 25.
During the execution of the periodic processing in the elevator safety control device 25, the task of the safety control function or the task of the self-diagnosis function checks whether an abnormality of the elevator or an abnormality of the safety control function itself or the safety control device 25 itself has occurred (step S1). If no abnormality is detected (no in step S1), the process is executed according to the schedule.
When an abnormality is detected in step S1 (yes in step S1), execution of the task of the self-diagnosis function scheduled in advance is interrupted, that is, excluded from scheduling (step S2), and the security transition process corresponding to the abnormality detected this time is executed within the time span (step S3). In addition, when the time required for the security migration process is short and the execution time of both the security migration process and the self-diagnosis function can be ensured, the task of the self-diagnosis function can be continuously executed.
During execution of the secure migration processing, it is checked whether or not a recovery condition is satisfied (step S4). For example, it is checked whether the sensor input abnormality has been eliminated, and whether the overspeed state is eliminated by recovery of a maintenance person, or the like.
When the recovery condition is satisfied in step S4 (yes in step S4), the security transition process is ended (step S5), and the execution of the task of the self-diagnosis function is performed again within the time span (step S6).
When a new abnormality is detected by the task of the safety control function during execution of the safety shift process (yes at step S7), the priority of the safety shift process corresponding to the newly detected abnormality is checked (step S8), and when the priority of the safety shift process being executed is high (no at step S8), the current safety shift process is continued as it is (return to step S4).
On the other hand, if the priority of the new security transition process is high (yes in step S8), the current security transition process is interrupted, that is, excluded from the scheduling (step S9), and the security transition process corresponding to the abnormality newly detected in the time span is executed (step S10). Then, if the recovery condition is established, recovery is performed (steps S4 to S6).
(example 1 of scheduling)
Fig. 5 shows a1 st example of scheduling in the elevator safety control device 25 according to embodiment 1 of the present invention.
In a certain cycle, as shown in the mode (a1), the CPU31 of the elevator safety control device 25 executes the task of the safety communication function and the task of the overspeed detection function from the group 1. Next, the task of the self-diagnosis function is performed from group 2. At the last idle time, the task from group 3 to perform the maintenance function ends.
In the next cycle, as shown in the pattern (a2), the CPU31 executes the task of the secure communication function, the task of the door open travel protection function, and the task of the maintenance switching function from the 1 st group. Next, the task of the self-diagnosis function is performed from group 2. At the last idle time, the task from group 3 executed the run function ends.
Here, for example, when the overspeed detection function detects a sensor abnormality and requests the execution of "speed limitation" as the safety shift processing, the CPU31 first executes the task of the safety communication function and the task of the overspeed detection function from group 1 as shown in the pattern (b 1). Next, in the execution time of group 2, the processing of "speed limitation" is executed instead of the task of the self-diagnosis function. Then, at the last idle time, the task of performing the maintenance function from group 3 ends.
Here, when the door-open travel protection function further detects an abnormality of the elevator and requests the execution of "emergency stop" as the safety transfer process, the CPU31 first executes the task of the safety communication function, the task of the door-open travel protection function, and the task of the maintenance switching function from the 1 st group as shown in the mode (b 2). Next, the safety shift process is to be executed in the execution time of the group 2, but since the priority of the "emergency stop" is higher than the priority of the "speed limit" currently being executed, the process of the "emergency stop" is executed instead of the process of the "speed limit". Then, in the last idle time, the task of executing the function from group 3 ends.
Then, the maintenance personnel returns to the normal mode as shown in the mode (a1) again by recovery.
As described above, the elevator safety control device 25 according to embodiment 1 of the present invention can execute a plurality of safety control functions in a multitasking manner by using the task scheduling function using time division.
The functions performed by the CPU31 are classified into group 1 containing a safety control function, group 2 containing a self-diagnosis function, and group 3 containing a non-safety control function.
In each cycle, the scheduler 37 allocates execution time to each of the tasks of at least one function from the 1 st and 2 nd groups, and allocates the remaining execution time to the tasks of the functions included in the 3 rd group.
When an abnormality is detected by the safety control function or the self-diagnosis function, the CPU31 interrupts the execution of the task of the function included in the group 2, and executes the safety transition processing corresponding to the detected abnormality within the execution time span of the interrupted task.
This ensures the independence of the plurality of safety control functions.
Further, when an abnormality is newly detected during execution of the security migration processing and the priority of the security migration processing corresponding to the newly detected abnormality is higher than the priority of the security migration processing, the CPU31 interrupts execution of the security migration processing and executes the security migration processing corresponding to the newly detected abnormality.
This ensures independence of the plurality of safety control functions, and can appropriately cope with a case where a plurality of abnormalities are simultaneously detected.
(example 2 of scheduling)
Fig. 6 shows an example 2 of scheduling in the elevator safety control device 25 according to embodiment 1 of the present invention. The schedules (a1', a2') during normal operation of the elevator are the same as in example 1 described above.
In a case where it is difficult to continue execution of the task of the safety control function due to detection of an abnormality of the safety control function itself in a certain cycle, for example, when a fatal arithmetic error, an excess of execution time, or the like is detected, the CPU31 cancels the time allocation of the task of the safety control function as shown in the mode (b1') or the mode (b2'), and executes the safety transition processing as shown in the mode (b1') or the mode (b2') within the execution time span. That is, the security migration process in this case is executed not within the execution time span of the group 2 but within the execution time span of the security control function included in the group 1.
In addition, when it is difficult to continue the tasks of the plurality of safety control functions, the CPU31 cancels the time allocation of the tasks of the plurality of safety control functions, and executes the safety transfer process having the highest priority among the safety transfer processes corresponding to the abnormality in an idle time span. In this case, in the same cycle, there is a possibility that a plurality of execution time spans are allocated to the secure migration process.
Alternatively, the CPU31 may increase the execution time span of the group 2 by canceling the time allocation of the task of the safety control function and advancing the execution start time of the subsequent task of the safety control function, so as to execute the tasks of the safety transfer process and the self-diagnosis function within the execution time span of the group 2.
Claims (8)
1. An elevator safety control device capable of performing a plurality of functions in a multitasking manner, the elevator safety control device comprising:
an arithmetic processing unit that repeatedly executes processing at a predetermined cycle; and
a scheduler that allocates a task execution time to the arithmetic processing unit in each cycle,
the plurality of functions executed by the arithmetic processing unit are classified into a1 st group including a safety control function, a2 nd group including a self-diagnosis function, and a 3 rd group including a non-safety control function,
the scheduler allocates execution time to each of the tasks of at least one function from the 1 st group and the 2 nd group in each cycle, and allocates the remaining execution time to the tasks of the functions included in the 3 rd group,
when an abnormality is detected by the safety control function or the self-diagnosis function, the arithmetic processing unit interrupts execution of a task of a function included in the group 2, and executes a safety transition process corresponding to the detected abnormality within an execution time span of the interrupted task.
2. The elevator safety control apparatus according to claim 1,
when an abnormality is newly detected during execution of the secure migration processing and the priority of the secure migration processing corresponding to the newly detected abnormality is higher than the priority of the secure migration processing, the execution of the secure migration processing is interrupted and the secure migration processing corresponding to the newly detected abnormality is executed.
3. The elevator safety control apparatus according to claim 1 or 2, wherein,
when an abnormality of the safety control function itself is detected, the arithmetic processing unit cancels the execution time allocation of the task of the safety control function, and executes the safety transfer processing corresponding to the abnormality of the safety control function itself within the cancelled execution time span.
4. The elevator safety control apparatus according to any one of claims 1 to 3,
the elevator safety control device is also provided with a memory protection unit which detects memory access violation of the plurality of functions,
when the memory access violation is detected, the arithmetic processing unit executes a security transfer process corresponding to the memory access violation.
5. The elevator safety control apparatus according to any one of claims 1 to 4,
the elevator safety control device further comprises a1 st timer, wherein the 1 st timer detects that the predetermined time of the task of the function included in the 1 st group and the 2 nd group exceeds,
when the predetermined time exceeds the predetermined number of times, the arithmetic processing unit executes the corresponding security transition processing.
6. The elevator safety control apparatus according to any one of claims 1 to 5,
the elevator safety control device is also provided with a2 nd timer, the 2 nd timer detects the exceeding of the whole period time,
when it is detected that the cycle time exceeds the cycle time due to the task of the function included in the 1 st group or the 2 nd group, the arithmetic processing unit executes the corresponding security transition processing.
7. The elevator safety control apparatus according to claim 6,
when it is detected that the cycle time due to a task of a function included in the group 3 exceeds, execution of the task is interrupted.
8. The elevator safety control apparatus according to any one of claims 1 to 7,
the safety transfer process includes an emergency stop, a nearest floor stop operation, and a speed limit in order of the priority from high to low.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/JP2018/007000 WO2019163133A1 (en) | 2018-02-26 | 2018-02-26 | Elevator safety control device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111788139A true CN111788139A (en) | 2020-10-16 |
| CN111788139B CN111788139B (en) | 2021-09-14 |
Family
ID=67687012
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201880088986.9A Active CN111788139B (en) | 2018-02-26 | 2018-02-26 | Elevator safety control device |
Country Status (3)
| Country | Link |
|---|---|
| JP (1) | JP6824465B2 (en) |
| CN (1) | CN111788139B (en) |
| WO (1) | WO2019163133A1 (en) |
Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH03109643A (en) * | 1989-09-22 | 1991-05-09 | Nec Corp | Execution system for data exception procedure |
| JP2001125797A (en) * | 1999-10-25 | 2001-05-11 | Seiko Epson Corp | Multitask system, recording medium with recorded program therefor and working device |
| CN1595368A (en) * | 2003-09-13 | 2005-03-16 | 华为技术有限公司 | Abnormal monitoring equipment and method for multi-task system |
| CN1953925A (en) * | 2005-03-31 | 2007-04-25 | 三菱电机株式会社 | Elevator device |
| CN1953926A (en) * | 2005-03-31 | 2007-04-25 | 三菱电机株式会社 | Elevator device |
| EP2256077A1 (en) * | 2008-03-27 | 2010-12-01 | Mitsubishi Electric Corporation | Elevator control system |
| JP2011121726A (en) * | 2009-12-11 | 2011-06-23 | Hitachi Ltd | Electronic safety elevator |
| CN102514988A (en) * | 2011-11-16 | 2012-06-27 | 上海领科实业发展有限公司 | Ultrahigh frequency elevator remote control system |
| US20120292136A1 (en) * | 2010-03-12 | 2012-11-22 | Mitsubishi Electric Corporation | Elevator safety control device |
| US20150338835A1 (en) * | 2012-06-26 | 2015-11-26 | Inter Control Hermann Kohler Elektrik Gmbh & Co., Kg | Apparatus and method for a security-critical application |
| CN105793182A (en) * | 2013-11-28 | 2016-07-20 | 株式会社日立制作所 | Elevator safety system |
| EP2672344B1 (en) * | 2011-01-31 | 2017-06-28 | Toyota Jidosha Kabushiki Kaisha | Safety control device and safety control method |
| CN206529179U (en) * | 2017-01-13 | 2017-09-29 | 内蒙古滋润广告传媒有限责任公司 | Elevator emergency equipment |
-
2018
- 2018-02-26 CN CN201880088986.9A patent/CN111788139B/en active Active
- 2018-02-26 WO PCT/JP2018/007000 patent/WO2019163133A1/en active Application Filing
- 2018-02-26 JP JP2020501987A patent/JP6824465B2/en active Active
Patent Citations (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH03109643A (en) * | 1989-09-22 | 1991-05-09 | Nec Corp | Execution system for data exception procedure |
| JP2001125797A (en) * | 1999-10-25 | 2001-05-11 | Seiko Epson Corp | Multitask system, recording medium with recorded program therefor and working device |
| CN1595368A (en) * | 2003-09-13 | 2005-03-16 | 华为技术有限公司 | Abnormal monitoring equipment and method for multi-task system |
| CN1953925A (en) * | 2005-03-31 | 2007-04-25 | 三菱电机株式会社 | Elevator device |
| CN1953926A (en) * | 2005-03-31 | 2007-04-25 | 三菱电机株式会社 | Elevator device |
| EP2256077A1 (en) * | 2008-03-27 | 2010-12-01 | Mitsubishi Electric Corporation | Elevator control system |
| JP2011121726A (en) * | 2009-12-11 | 2011-06-23 | Hitachi Ltd | Electronic safety elevator |
| US20120292136A1 (en) * | 2010-03-12 | 2012-11-22 | Mitsubishi Electric Corporation | Elevator safety control device |
| DE112010005384T5 (en) * | 2010-03-12 | 2012-12-27 | Mitsubishi Electric Corp. | Elevator safety control |
| EP2672344B1 (en) * | 2011-01-31 | 2017-06-28 | Toyota Jidosha Kabushiki Kaisha | Safety control device and safety control method |
| CN102514988A (en) * | 2011-11-16 | 2012-06-27 | 上海领科实业发展有限公司 | Ultrahigh frequency elevator remote control system |
| US20150338835A1 (en) * | 2012-06-26 | 2015-11-26 | Inter Control Hermann Kohler Elektrik Gmbh & Co., Kg | Apparatus and method for a security-critical application |
| CN105793182A (en) * | 2013-11-28 | 2016-07-20 | 株式会社日立制作所 | Elevator safety system |
| CN206529179U (en) * | 2017-01-13 | 2017-09-29 | 内蒙古滋润广告传媒有限责任公司 | Elevator emergency equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111788139B (en) | 2021-09-14 |
| JPWO2019163133A1 (en) | 2020-07-30 |
| WO2019163133A1 (en) | 2019-08-29 |
| JP6824465B2 (en) | 2021-02-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR101366955B1 (en) | Elevator safety control device | |
| KR101014917B1 (en) | Elevator apparatus | |
| CN104080722B (en) | For reducing the system and method for the speed of elevator car | |
| EP3533748B1 (en) | Resetting governor sub-systems | |
| JP5350590B2 (en) | Elevator equipment | |
| CN111788139B (en) | Elevator safety control device | |
| WO2020255209A1 (en) | Task schedule management device | |
| JPH0840658A (en) | Control method and device for emergency brake of elevator | |
| JP7328866B2 (en) | multi car elevator | |
| JP3408953B2 (en) | Elevator diagnostic drive | |
| EP3650384B1 (en) | System for monitoring lobby activity to determine whether to cancel elevator service | |
| EP3495302B1 (en) | Elevator apparatus and method | |
| JP7396515B2 (en) | Elevator safety control device and elevator safety control system | |
| JP7003217B2 (en) | Elevator safety control device | |
| EP3878787B1 (en) | Managing elevator call assignments in response to elevator door reversals | |
| JP7124982B1 (en) | elevator equipment | |
| JP7188590B2 (en) | elevator equipment | |
| KR100891234B1 (en) | Elevator apparatus | |
| WO2021070325A1 (en) | Elevator system | |
| JPS6242833B2 (en) | ||
| KR20080110689A (en) | Elevator apparatus |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |