CN111788140A - Elevator safety control device - Google Patents
Elevator safety control device Download PDFInfo
- Publication number
- CN111788140A CN111788140A CN201880089881.5A CN201880089881A CN111788140A CN 111788140 A CN111788140 A CN 111788140A CN 201880089881 A CN201880089881 A CN 201880089881A CN 111788140 A CN111788140 A CN 111788140A
- Authority
- CN
- China
- Prior art keywords
- safety
- safety control
- task
- control
- control function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B66—HOISTING; LIFTING; HAULING
- B66B—ELEVATORS; ESCALATORS OR MOVING WALKWAYS
- B66B5/00—Applications of checking, fault-correcting, or safety devices in elevators
- B66B5/02—Applications of checking, fault-correcting, or safety devices in elevators responsive to abnormal operating conditions
Landscapes
- Maintenance And Inspection Apparatuses For Elevators (AREA)
Abstract
The elevator safety control device of the invention comprises: a storage unit that stores a plurality of safety control functions and a plurality of non-safety control functions as programs that are independent of each other, and stores safety schedule information; and a CPU for executing each program corresponding to the plurality of safety control functions and the plurality of non-safety control functions in sequence according to the safety scheduling information to perform control calculation of the elevator, wherein the CPU executes the safety control functions in sequence continuously without idle time according to the safety scheduling information in each control cycle, and executes the plurality of non-safety control functions in idle time in the control cycle after all the safety control functions are executed.
Description
Technical Field
The present invention relates to an elevator safety control device for controlling the operation of an elevator having a plurality of safety control functions.
Background
In recent years, various safety control functions have been introduced in elevators. As a specific example of the safety control function, the following example can be cited.
Terminal floor forced deceleration function (SETS)
Open door drive protection function (UCMP)
Self-diagnostic function (DIAG)
inter-System communication function (ICOM)
On the other hand, as a specific example of the non-safety control function, the following example can be cited.
Data entry function (DLOG)
Interface function with elevator operation control device (CCIF)
The application range of the safety control function as described above is expected to further expand in the future. When these safety control functions are separately installed, a plurality of substrates or devices must be prepared for each safety function. Therefore, the cost of the apparatus and the time and effort required for installation and maintenance of the apparatus increase.
In order to solve this problem, a method of mounting a plurality of safety control functions on one substrate or one device has been proposed (for example, see patent document 1).
When a plurality of safety control functions are mounted on one substrate or one device, it is necessary to ensure independence of the control functions so that an application of the safety control function or an application of the non-safety control function does not affect other safety control functions.
Therefore, there are the following prior arts: an application associated with a safety control function is made independent of an application associated with a non-safety control function by task scheduling (task scheduling) using time division (time classification) (for example, see patent document 2). The size of each time division is fixed for each cycle, and tasks are scheduled from a task group determined by each time division.
In the example of fig. 1 of patent document 2, the tasks ST1 of the safety control function are scheduled in time division TP1, the tasks ST2 of the safety control function are scheduled in time division TP2, and the tasks NST1 and NST2 of the non-safety control function are scheduled in time division TP 3. The scheduling method within each TP is free. However, in order to ensure independence, the tasks of the applications associated with the safety control function and the tasks of the applications associated with the non-safety control function cannot be mixed together within the same TP.
Documents of the prior art
Patent document
Patent document 1: japanese patent No. 550718
Patent document 2: japanese laid-open patent publication No. 2010-271759
Patent document 3: international publication No. 2011/158301
Patent document 4: japanese patent laid-open publication No. 2003-104646
Disclosure of Invention
Problems to be solved by the invention
However, the following problems exist in the prior art.
The time division used in patent document 2 is a division in which each period is divided into predetermined sizes, and a task of a predetermined type of application is scheduled in the divided division. The time required until the application completes processing varies depending on the reasons such as conditional branching and bus contention. Therefore, the size of the partition needs to be set in consideration of the worst execution time of each application.
Here, the worst execution time is a worst-case time in which the time required until the process is completed is longest. Therefore, in patent document 2, each partition is set to be large in consideration of the worst execution time, and when a task ends early, an idle time occurs in the partition.
However, to ensure independence, the tasks of the applications associated with the safety control function and the tasks of the applications associated with the non-safety control function must be scheduled into different divisions.
Therefore, even if an idle is generated in the division assigned to the application associated with the safety control function, the task of the application associated with the non-safety control function cannot be assigned to the idle time. As a result, the time division used in patent document 2 has a problem that the utilization efficiency of the CPU cannot be improved.
The present invention has been made to solve the above-described problems, and an object of the present invention is to obtain an elevator safety control device that realizes efficient task scheduling while ensuring independence between a task of a safety control function and a task of a non-safety control function.
Means for solving the problems
The elevator safety control device of the invention comprises: a storage unit that stores a plurality of safety control functions and a plurality of non-safety control functions as programs independent of each other, and stores safety schedule information that specifies in advance a schedule and an execution order for each control cycle when the plurality of safety control functions are executed in each control cycle; and a CPU that performs a control calculation of an elevator by sequentially executing programs corresponding to the plurality of safety control functions and the plurality of non-safety control functions in accordance with the safety schedule information, wherein the CPU sequentially executes the safety control functions in each control cycle continuously without an idle time in accordance with the execution sequence defined as the safety schedule information, and executes the plurality of non-safety control functions in idle times in control cycles after all safety control functions assigned in the control cycle are executed.
Effects of the invention
According to the present invention, the present invention has the following structure: the task of the safety control function can be executed preferentially, idle time after the execution of the safety control function is completed is collected into each control period, and the non-safety control function is executed by using the idle time. As a result, it is possible to obtain an elevator safety control device that can realize efficient task scheduling while ensuring independence between the tasks of the safety control function and the tasks of the non-safety control function.
Drawings
Fig. 1 is a configuration diagram of an elevator safety control device according to embodiment 1 of the present invention.
Fig. 2A is a diagram for explaining the contents of task processing executed in the 1 st control cycle based on the safety schedule information and the non-safety schedule information in the logic unit and the independence assurance unit according to embodiment 1 of the present invention.
Fig. 2B is a diagram for explaining the contents of the task processing executed in the 2 nd control cycle based on the safety schedule information and the non-safety schedule information in the logic unit and the independence assurance unit according to embodiment 1 of the present invention.
Fig. 3 is a flowchart summarizing a series of task processes executed by the logic unit and the independence assurance unit according to embodiment 1 of the present invention.
Fig. 4 is a diagram showing a modification example of the secure scheduling information and the non-secure scheduling information according to embodiment 1 of the present invention.
Fig. 5 is a diagram for explaining error processing when interrupt processing occurs during execution of a task of a safety control function in embodiment 1 of the present invention.
Fig. 6A is a diagram for explaining the operation of modification 5 of embodiment 1 of the present invention.
Fig. 6B is a diagram for explaining the operation of modification 5 of embodiment 1 of the present invention.
Fig. 7A is a diagram for explaining the operation of modification 6 of embodiment 1 of the present invention.
Fig. 7B is a diagram for explaining the operation of modification 6 of embodiment 1 of the present invention.
Fig. 7C is a diagram for explaining the operation of modification 6 of embodiment 1 of the present invention.
Fig. 8 is an overall configuration diagram of an elevator system to which an elevator safety control device according to embodiment 2 of the present invention is applied.
Fig. 9 is a block diagram showing the internal configuration of an elevator safety monitoring device according to embodiment 2 of the present invention in detail.
Fig. 10 is a configuration diagram common to the 1 st safety monitoring system and the 2 nd safety monitoring system according to embodiment 2 of the present invention.
Fig. 11A is an execution sequence diagram corresponding to an execution plan according to the secure schedule information and the non-secure schedule information in embodiment 2 of the present invention.
Fig. 11B is an execution sequence chart when executing the task processing of embodiment 2 of the present invention.
Fig. 11C is an execution sequence diagram when executing the task processing of the related art.
Detailed Description
Hereinafter, preferred embodiments of an elevator safety control device according to the present invention will be described with reference to the drawings.
First, as a term used in the description of the present invention, table 1 shows a summary of the meaning of "task", "predetermined time", "control cycle", "safe scheduling information", "unsafe scheduling information", "task interruption" and "task end".
[ Table 1]
Description of the statements of Table 1
Fig. 1 is a configuration diagram of an elevator safety control device according to embodiment 1 of the present invention. The elevator safety control device of embodiment 1 is configured to include an input unit 10, a logic unit 20, and an independence assurance unit 30. The CPU21 in the logic unit 20 acquires signals relating to the state of the elevator as input values and reads the program 40, the safe scheduling information 50, and the unsafe scheduling information 60.
Here, the program 40, the safe scheduling information 50, and the unsafe scheduling information 60 correspond to data stored in the storage unit, and the CPU21 in the logic unit 20 refers to the data to execute processing necessary for elevator control.
The program 40 has a plurality of tasks 41 of the safety control function and a plurality of tasks 42 of the non-safety control function.
The safety schedule information 50 is schedule information that specifies in which control cycle and in which order the tasks 41 of the plurality of safety control functions should be executed. Specifically, the safety schedule information 50 is information defining the execution order of each task of the safety control function, the predetermined time of the task, and a final flag indicating the final safety task executed at the end of each control cycle.
In the specific example of the safety schedule information 50 shown in fig. 1, the following is defined: tasks ST1, ST2 for executing the safety control function in the first control cycle, tasks ST1, ST3 for executing the safety control function in the next control cycle, and tasks ST1, ST2, ST3 are monitored for predetermined times T1, T2, T3, respectively.
The non-safety schedule information 60 is schedule information that defines the execution order of the tasks 42 of the plurality of non-safety control functions. Specifically, the non-safety scheduling information 60 is information that defines only in what order each task of the non-safety control function should be executed, regardless of the control cycle.
In the specific example of the non-safety scheduling information 60 shown in fig. 1, it is defined that tasks NST1, NST2, NST3, and NST1 of the non-safety control function should be executed in this order.
The CPU21 in the logic unit 20 performs elevator control calculation by sequentially executing, as independent programs 40, a plurality of safety control functions whose scheduling is defined by the safety scheduling information 50 and a plurality of non-safety control functions whose scheduling is defined by the non-safety scheduling information 60, using the input values.
The CPU21 in the logic unit 20 holds information on the execution state of each program 40 executed independently of each other in the context block 70 as necessary, and can read out the execution state information as necessary. Here, the context block 70 corresponds to readable and writable data stored in the storage unit.
The independence assurance unit 30 assures independence between control functions such that a certain control function does not affect other control functions with respect to all control functions including the tasks 41 of the plurality of safety control functions and the tasks 42 of the plurality of non-safety control functions. The independence assurance unit 30 is configured to include a predetermined time timer 31 that monitors an elapsed state of a predetermined time, a control cycle timer 32 that monitors an elapsed state of a control period, and a memory protection function 33.
The technical feature of the present invention is that the logic unit 20 and the independence assurance unit 30 are linked to each other, and each task defined by the safety scheduling information 50 and the non-safety scheduling information 60 is sequentially executed as a program 40 independent of each other, and as a result, the idle time of the task 41 that does not execute the safety control function can be summarized after each control cycle.
Also, unlike the conventional method, the idle time is independent of the safety control function. Therefore, the tasks 42 of the non-safety control function whose execution order is defined by the non-safety schedule information 60 can be sequentially allocated to the idle time of each control cycle. As a result, the present invention can improve the utilization efficiency of the CPU21 as compared with the conventional method.
Next, specific operations of the task processing executed by the logic unit 20 and the independence assurance unit 30 of embodiment 1 will be described in detail with reference to fig. 2A, 2B, and 3. Fig. 2A is a diagram for explaining the contents of task processing executed in the 1 st control cycle based on the safe schedule information 50 and the unsafe schedule information 60 in the logic unit 20 and the independence assurance unit 30 according to embodiment 1 of the present invention. Fig. 2B is a diagram for explaining the contents of the task processing executed in the 2 nd control cycle based on the safe schedule information 50 and the unsafe schedule information 60 in the logic unit 20 and the independence assurance unit 30 according to embodiment 1 of the present invention.
In fig. 2A, the 1 st control cycle is shown as a period from time t0 to time t3, and in fig. 2B, the 2 nd control cycle is shown as a period from time t3 to time t 6. Fig. 2A and 2B are diagrams illustrating results of task processing performed by the logic unit 20 and the independence assurance unit 30 according to the secure schedule information 50 and the non-secure schedule information 60 shown in fig. 1.
First, in the 1 ST control cycle shown in fig. 2A, the tasks ST1, ST2 of the safety control function are executed in order continuously without idle time in accordance with the safety schedule information 50. In the idle time after the execution of the tasks ST1 and ST2 of the safety control function, the tasks NST1, NST2, and NST3 of the non-safety control function are continuously and sequentially executed in accordance with the non-safety schedule information 60.
More specifically, at time T1, the processing at task ST1 is completed before the predetermined time T1 set at task ST1 has elapsed. Therefore, the CPU21 starts the process of task ST2 at time t1 before the interrupt of the timer 31 for a predetermined time in the independence assurance unit 30 occurs.
The time T2 corresponds to a time after a predetermined time T2 has elapsed from the time T1. The CPU21 receives the interrupt of the timer 31 for a predetermined time and interrupts the process of the task ST2 while the task ST2 is not completed at time t 2.
The period from time t2 to time t3 corresponds to an idle time after tasks ST1 and ST2 are processed in the 1 ST control cycle. Therefore, the CPU21 sequentially executes tasks NST1, NST2, and NST3 of the non-safety control function in accordance with the non-safety schedule information 60. However, at the end time t3 of the 1 st control cycle, the interrupt of the control cycle timer 32 occurs in a state where the processing of the task NST3 is not completed. Therefore, the task NST3 restarts the process after being interrupted during an idle time of the 2 nd control cycle described later.
Next, in the 2 nd control cycle shown in fig. 2B, the tasks ST1, ST3 of the safety control function are executed in order continuously without idle time in accordance with the safety schedule information 50. Further, during the idle time after the execution of the tasks ST1 and ST3 of the safety control function, the tasks of the non-safety control function are successively executed in sequence in accordance with the non-safety scheduling information 60. As described above, in the 1 st control cycle, the task NST3 is interrupted. Therefore, in the idle time in the 2 nd control cycle, the processing of the task NST3 starts from the beginning again, and then the task NST1 is executed in accordance with the non-safety schedule information 60.
More specifically, the time T4 corresponds to the time when the predetermined time T1 has elapsed from the time T3. Therefore, the CPU21 receives the interrupt of the timer 31 for the predetermined time and interrupts the process of the task ST1 while the task ST1 is not completed at time t 4. Then, the CPU21 starts the process of task ST3 at time t 4.
At time T5, the process at task ST3 is completed before the predetermined time T3 set at task ST3 elapses. The period from time t5 to time t6 corresponds to an idle time after tasks ST1 and ST3 are processed in the 2 nd control cycle. Therefore, the CPU21 restarts the continuation processing of the task NST3 at time t5 before the interruption of the predetermined time timer 31 in the independence assurance unit 30 occurs.
However, at the end time t6 of the 2 nd control cycle, the interrupt of the control cycle timer 32 occurs in a state where the processing of the task NST1 is not completed. Therefore, the task NST1 restarts the process after the interruption in the idle time of the 3 rd control cycle.
Fig. 3 is a flowchart summarizing a series of task processes executed by the logic unit 20 and the independence assurance unit 30 according to embodiment 1 of the present invention. In the following description, the flowchart of fig. 3 will be described based on the specific task scheduling shown in fig. 1 and 2.
After the initial setting is performed in step S301, the logic unit 20 assigns the first task ST1 among the tasks of the safety control function in the 1 ST control cycle, based on the safety schedule information 50, in step S302.
Next, in step S303, the logic unit 20 determines whether or not the end processing of the task ST1 is executed before the predetermined time T1 allocated to the task ST1 has elapsed, that is, before the interruption occurs by the predetermined time timer 31 in the independence assurance unit 30. If the logic unit 20 determines yes at step S303, the process proceeds to step S305, and if the logic unit determines no, the process proceeds to step S304.
When the process proceeds to step S304, the logic unit 20 interrupts the task ST1 by the occurrence of the interrupt of the predetermined timer 31, and the process proceeds to step S305.
When the process proceeds to step S305, the logic unit 20 determines whether or not a task of the safety control function to be executed in the 1 st control cycle remains based on the final flag. If the logic unit 20 determines yes at step S303, the process proceeds to step S302, and if the logic unit determines no, the process proceeds to step S306.
In the example shown in fig. 1 and 2, in the 1 ST control cycle, it is necessary to process task ST2 after task ST1 of the safety control function. Therefore, the process of step S302 to step S305 is performed on task ST2, and the process proceeds to step S306.
In the processing from step S306 onward, the logic unit 20 and the independence assurance unit 30 execute the tasks of the non-safety control function in order in the idle time after the tasks ST1, ST2 of the safety control function are executed in the 1 ST control cycle.
In step S306, the logic unit 20 determines whether or not there is a task of the non-safety control function to be executed in the idle time in the 1 st control cycle, based on the non-safety schedule information 60. If the logic unit 20 determines yes at step S306, the process proceeds to step S307, and if the logic unit determines no, the process proceeds to step S310.
When the process proceeds to step S307, the logic unit 20 assigns the first task NST1 among the tasks of the non-safety control function based on the non-safety schedule information 60.
Next, in step S308, the logic unit 20 determines whether or not the end processing of the task NST1 is executed before the end of the control cycle, that is, before the interrupt occurs by the control cycle timer 31 in the independence assurance unit 30. If the logic unit 20 determines yes at step S308, the process proceeds to step S306, and if the logic unit determines no, the process proceeds to step S309.
In the example shown in fig. 1 and 2, as the non-safety schedule information 60, a task NST2, a task NST3, and a task NST1, ·. Therefore, the logic unit 20 repeats the processing of step S306 to step S308 until the control cycle timer 32 is interrupted, thereby continuously and sequentially executing the tasks of the non-safety control function set as the non-safety scheduling information 60.
When the process proceeds to step S309, the logic unit 20 interrupts the task of the currently executed non-safety control function by the occurrence of the interrupt of the control cycle timer 32, ends the series of processes of the 1 st control cycle, and returns to step S302. In the example shown in fig. 1 and 2, during the execution of the task NST3 of the non-safety control function, the task NST3 is interrupted by the occurrence of an interrupt of the control cycle timer 32, and the 1 st control cycle is completed.
When the process proceeds to step S310 from step S306, the logic unit 20 waits until an interrupt of the control cycle timer 32 occurs because there is no task of the non-safety control function to be executed. Then, in step S311, the series of processing of the 1 st control cycle is ended by the occurrence of the interrupt of the control cycle timer 32, and the process returns to step S302.
In the example shown in fig. 1 and 2, the tasks ST1 and ST3 that should execute the safety control function in the 2 nd control cycle are specified by the safety schedule information 50. Therefore, in the case of returning to step S302 after the series of processes in the 1 st control cycle is ended, the respective task processes in the 2 nd control cycle are successively executed in sequence.
Next, several modifications of the basic technical idea for arranging the idle time in the latter half of the control cycle as described above will be described below.
[ modification 1]
A modified example of the secure scheduling information 50 and the non-secure scheduling information 60 will be described. Fig. 4 is a diagram showing a modification example of the secure scheduling information and the non-secure scheduling information according to embodiment 1 of the present invention.
The safety schedule information 50 shown in fig. 1 above is composed entirely of tasks of the safety control function. In contrast, the safety schedule information 50a shown in fig. 4 is configured to include 1 or more tasks having a non-safety control function.
Specifically, the safety schedule information 50a shown in fig. 4 specifies a task NST1 that executes the non-safety control function following the task ST1 of the safety control function in the 1 ST control period, and specifies a task NST2 that executes the non-safety control function following the task ST1 of the safety control function in the 2 nd control period. On the other hand, the non-safety scheduling information 60a shown in fig. 4 is configured to define an execution order for the tasks NST3, NST4, and NST5 of the other non-safety control mechanisms that are not incorporated in the safety scheduling information 50 a.
By using the safety scheduling information 50a configured to include 1 or more tasks of the non-safety control function in this way, the real-time performance of the tasks NST1 and NST2 of the non-safety control function can be ensured.
[ modification 2]
In the examples of fig. 1 and 4, the execution order of the tasks of the non-safety control function is previously determined by the non-safety schedule information 60. However, the task of the non-safety control function does not necessarily need to be determined in advance, and may be dynamically scheduled in each control cycle.
[ modification 3]
Among the tasks STn of the safety control function, a task that cannot tolerate an interrupt may be subjected to an error process when an interrupt occurs. For example, in the examples shown in fig. 1 and 2, a case is considered where the task ST2 of the safety control function is a task that cannot be interrupted. Fig. 5 is a diagram for explaining error processing when interrupt processing occurs during execution of a task of a safety control function in embodiment 1 of the present invention.
As shown in fig. 5, an interrupt of the timer 31 for a prescribed time occurs at time t2, whereby the CPU21 can then execute error processing. In order to perform such error processing, it is necessary to specify a task that cannot be interrupted among tasks of the safety control function in advance. Therefore, in order to make such a determination, it is considered that information indicating whether or not interruption is possible is stored as the safety scheduling information 50 or in the context block 70 in association with the task of each safety control function.
[ modification 4]
The CPU21 can also acquire the control cycle timer value from the control cycle timer 32 in real time when each task is executed, and use it for arithmetic processing.
[ modification 5]
With the idea of modification 4, the CPU21 can measure the elapsed time of the task processing over a plurality of control cycles by further counting the number of elapsed control cycles. Fig. 6A and 6B are diagrams for explaining the operation of modification 5 in embodiment 1 of the present invention.
At the time shown in [1] of fig. 6A, the CPU21 acquires the control cycle timer value ta from the control cycle timer 32 in the control cycle in which the control cycle elapsed number counter is N1. Further, at the time shown in [2] of fig. 6B, the CPU21 obtains the control cycle timer value tb from the control cycle timer 32 in the control cycle in which the control cycle elapsed number counter is N2. As a result, the CPU21 can calculate the elapsed time from the time shown in [1] to the time shown in [2] by the following equation.
Elapsed time (N2-N1) × T + (tb-ta)
[ modification 6]
With the idea of modification 4 and modification 5, the CPU21 can also avoid an interrupt when there is a task that is not intended to be interrupted in a specific section. Fig. 7A to 7B are diagrams for explaining the operation of modification 6 in embodiment 1 of the present invention.
In fig. 7A to 7C, task ST2 corresponds to a task that is not intended to be interrupted in a specific section. At the time shown in [1] of FIG. 7A, the CPU21 reads the control cycle timer value ta from the control cycle timer 32 at the start of task ST 2. Then, after the execution of task ST1 is started, the CPU21 reads the control cycle timer value tb from the control cycle timer 32 at a time indicated by [2] corresponding to the start of the specific section for which no interrupt is to be accepted.
Here, the specific section not to be subjected to interrupt may be predetermined as a period tc during which the assumed execution time is longest, and may be set in the memory 22 corresponding to the internal memory.
When the predetermined period T2 of the task ST2 is td, the CPU21 determines whether or not the following condition of the expression (1) is satisfied at the time shown in [2] in fig. 7A.
td<tb-ta+tc(1)
When the condition of expression (1) is satisfied, if task ST2 is continuously executed after the time indicated in [2], it is assumed that an interrupt of the predetermined cycle timer occurs in a specific interval in which the interrupt is not to be accepted. When the CPU21 determines that the condition of expression (1) is satisfied, the execution of task ST2 is interrupted at the time shown in [2], and task NST1 for executing the non-safety control function is started as shown in fig. 7B.
Then, the CPU21 starts execution of the interrupted task ST2 again in the period shown in [3] after executing the task ST1 in the 2 nd control cycle shown in fig. 7C. As a result, it is possible to prevent the occurrence of an interrupt in a specific section of task ST2 shown as a mesh portion in fig. 7A and 7C.
When executing the processing of the specific section in task ST2, CPU21 can take a countermeasure when an interrupt occurs in the specific section by performing the following processing. The CPU21 can execute the following flag processing: the start flag is set when the specific section is started, and the end flag is set when the processing of the specific section is ended.
By executing such flag processing, the CPU21 can determine that an interrupt has occurred in the specific section when it is determined that an interrupt of the timer has occurred a predetermined time after the start of the specific section, that is, when the start flag is set and the end flag is not set. On the other hand, if the CPU21 determines that an interruption has occurred in the specific section, it is possible to take measures such as executing safety actions of the elevator.
As described above, according to the task scheduling method of embodiment 1, it is possible to integrate the idle time of the task that does not execute the safety control function after each control cycle. As a result, the utilization efficiency of the CPU is improved, and it is possible to realize efficient task scheduling while ensuring independence between the task of the safety control function and the task of the non-safety control function.
In embodiment 2, a case will be described in which the task scheduling method described in embodiment 1 above is applied to a specific configuration of an elevator system.
Conventionally, there has been proposed a door-open travel protection device that, when a car travels abnormally with a car door or a landing door open, stops the car urgently to ensure a safe state (see, for example, patent document 3).
Further, a terminal floor forced deceleration device has been proposed which, when a car is out of control near a terminal floor, detects that the car is overspeed and activates a braking device, and decelerates the car to a safe speed or less before the car collides with a buffer (see, for example, patent document 4).
These safety devices require high reliability and are mounted as, for example, electronic safety devices. Such a configuration tends to increase the hardware cost due to a double configuration of the device, and a mode of installing as many security functions as possible in the same hardware is desired. As a means for realizing such a method, patent document 2 discloses a mechanism in which a plurality of safety function programs can be executed reliably without interfering with each other.
On the other hand, these security systems also preferably have a maintenance function such as internal data entry and data output to improve maintainability. On the other hand, these maintenance functions are non-safety functions, and have lower execution priority than the safety functions. Therefore, in order to improve the throughput of the maintenance function without hindering the execution of the security function, a mechanism for improving time efficiency is required that executes the non-security function by efficiently utilizing the time during which the security function is not executed.
Therefore, a case where the method described in embodiment 1 above is applied to an elevator safety control device will be described in detail below.
Fig. 8 is an overall configuration diagram of an elevator system to which an elevator safety control device according to embodiment 2 of the present invention is applied. The elevator system 200 shown in fig. 8 includes an elevator mechanism 210, an elevator drive device 220, a brake device 230, an elevator safety circuit 240, an elevator operation control means 250, and an elevator safety monitoring means 260.
The elevator mechanism 210 includes a car 211, a counterweight 212, a sheave 213, a diverting sheave 214, a rope 215, and an in-hoistway device 216.
The car 211 and the counterweight 212 are connected by a rope 215, and the rope 215 is suspended on a sheave 213 and a deflector sheave 214.
The in-hoistway device 216 includes a landing door switch 216a, a car door switch 216b, a door zone plate 216c, a door zone sensor 216d, a destination switch cam 216e, an upper reference position switch 216f in the hoistway, a lower reference position switch 216g in the hoistway, a governor sheave 216h, a governor rope 216i, and a governor encoder 216 j.
The landing door switch 216a is provided in a landing and detects the open state of a landing door. The car door switch 216b is provided in the car and detects the open state of the car door.
The door zone plate 216c is disposed near a landing in the hoistway. The door zone sensor 216d provided in the car 211 detects that the car floor is located within a predetermined distance from the landing floor by detecting the door zone plate 216 c.
The upper reference position switch 216f is provided at an upper portion in the hoistway, and the lower reference position switch 216g is provided at a lower portion in the hoistway, and has rollers coupled and fixed to switch contacts, respectively. The upper reference position switch 216f and the lower reference position switch 216g are in a detection state by pressing a pressing roller by a terminal switch cam 216e fixed to the car. Therefore, the upper reference position switch 216f and the lower reference position switch 216g can detect that the car is located at a predetermined position in the hoistway.
The governor sheave 216h is rotated by a governor rope 216i fixed to the car 211 being connected thereto. The governor encoder 216j detects the rotation of the governor sheave 216h, thereby detecting the amount of movement of the car.
The elevator drive device 220 includes a commercial power supply 221, an inverter 222, a motor 223, and a main contact 224 of a main circuit contactor # MC that cuts off power supply from the commercial power supply 221 to the inverter 222. The inverter 222 rotates the motor 223 in accordance with a command from an elevator operation control device (CC)251 to be described later, and drives the sheave 213.
The brake device 230 includes 1 st and 2 nd brake shoes 231, 1 st and 2 nd brake coils 232, 1 st and 2 nd brake choppers (brake choppers) 233, and a main contact 234 of a brake circuit relay (# BK), wherein the 1 st and 2 nd brake shoes 231 apply a brake torque by friction by contacting with the sheave 213, the 1 st and 2 nd brake coils 232 attract the brake shoes to drop the brake shoes, the 1 st and 2 nd brake choppers 233 control a current of the brake coils in accordance with a command from the elevator operation control device (CC)251, and the main contact 234 of the brake circuit relay (# BK) cuts off power supply from a brake power supply to the brake coils 232.
The elevator safety circuit 240 is configured such that main contacts of the safety relays # SF1 and # SF2 and other safety switch contacts are connected in series to a control power source. Electric power for driving the contactor/relay is supplied to the primary side of the coils # MC and # BK in accordance with the final output when all the contacts in the elevator safety circuit 240 are in the on state.
The elevator operation control unit 250 includes an elevator operation control device (CC)251 and a switching semiconductor 252, wherein the switching semiconductor 252 inputs commands from the coils # MC, # BK and the elevator operation control device (CC)251 to turn on/off power supply to the coils.
An elevator operation control device (CC)251 outputs commands to the inverter 222 and the switching semiconductors 252 of the 1 st and 2 nd brake choppers 233, # MC, and # BK, and controls the operation of the car 211.
The elevator safety monitoring unit 260 includes an elevator safety monitoring device (SF)261 and a switching semiconductor 262, wherein the switching semiconductor 262 inputs commands from the 1 st and 2 nd safety relays and the elevator safety monitoring device (SF)261 to turn on/off power supply to the coils.
The elevator safety monitoring device (SF)261 inputs the states of the landing door switch 216a, the car door switch 216b, the door zone sensor 216d, the upper reference position switch 216f, the lower reference position switch 216g, and the governor encoder 216 j. Then, based on these inputs, the elevator safety monitoring device (SF)261 executes a safety stop sequence when detecting at least 1 or more non-safety states including terminal floor overspeed, door-open travel, and failure of the own-unit constituent equipment, outputs a stop command to the elevator operation control device (CC)251 to stop the car 211, and cuts off the # SF1 and # SF2 to hold the car 211 stationary.
Fig. 9 is a block diagram showing the internal configuration of an elevator safety monitoring device (SF)261 in embodiment 2 of the present invention in detail. The elevator safety monitoring device (SF)261 includes a 1 st safety monitoring system 140a and a 2 nd safety monitoring system 140b as a dual system configured by the same equipment and function. The 1 st safety monitoring system 140a and the 2 nd safety monitoring system 140b input the respective states of the landing door switch 216a, the car door switch 216b, the door zone sensor 216d, the respective reference position switches 216f and 216g, and the governor encoder 216j, respectively.
Based on these inputs, the 1 st safety monitoring system 140a outputs a drive command to the switching semiconductor 262 of # SF1 and outputs a stop command to the elevator operation control device (CC) 251. Similarly, the 2 nd safety monitoring system 140b outputs a drive command to the switching semiconductor 262 of # SF2 and outputs a stop command to the elevator operation control device (CC)251, based on these inputs.
The 1 st security monitoring system 140a and the 2 nd security monitoring system 140b have the following 4 security control functions, respectively.
Terminal floor forced deceleration function (SETS)
Open door drive protection function (UCMP)
Self-diagnostic function (DIAG)
inter-System communication function (ICOM)
The 1 st safety monitoring system 140a and the 2 nd safety monitoring system 140b have the following two non-safety control functions as maintenance functions, respectively.
Data entry function (DLOG)
Interface function with elevator operation control device (CCIF)
SETS is a function of: the respective states of the reference position switches 216f and 216g and the governor encoder 216j are input, and when the current speed of the car exceeds a car overspeed monitoring level corresponding to the current position of the car, a safety stop sequence is executed.
UCMP is a function as follows: the safety stop sequence is executed when the respective states of the landing door switch 216a, the car door switch 216b, the door zone sensor 216d, and the governor encoder 216j are input, and when the car moves a predetermined distance or more from the landing floor in a state where the landing door or the car door is open, or when the current speed of the car becomes a predetermined value or more.
DIAG is a function that: an operation check is performed on a unit configuration device including at least a power supply, a clock, a WDT, a CPU, a memory, a bus, a program, and a safety relay, and when a failure is detected, a safety stop sequence is executed.
ICOM is a function of: when data such as the input/output state and the operation state are mutually transmitted between the systems of the 1 st security monitoring system 140a and the 2 nd security monitoring system 140b and a mismatch is detected, it is determined that an operation failure exists in one of the systems, and a security halt sequence is executed in both systems.
The maintenance function is a non-safety control function, and includes a data entry function (DLOG) and a CC interface function (CCIF), and is executed at a timing when the safety control function is not executed. Specifically, the log of the input/output state, the operation state, and the event history is recorded by DLOG and data is stored, and the stored data is transmitted by CCIF in accordance with a request from the elevator operation control device (CC) 251.
Fig. 10 is a configuration diagram common to the 1 st security monitoring system 140a and the 2 nd security monitoring system 140b according to embodiment 2 of the present invention. Fig. 10 corresponds to the configuration diagram of fig. 1 of embodiment 1. That is, the configuration common to the 1 st safety monitoring system 140a and the 2 nd safety monitoring system 140b in fig. 10 is equivalent to the configuration of the elevator safety control apparatus of the present invention described in fig. 1. Therefore, in order to facilitate understanding of the description, reference numerals of fig. 1 are added by 100 to reference numerals of fig. 1 for each configuration in fig. 10 corresponding to fig. 1.
The 1 st safety monitoring system 140a (the 2 nd safety monitoring system 140b) of embodiment 2 is configured to include the external device I/F110, the logic unit 120, and the independence assurance unit 130. The CPU121 in the logic unit 120 acquires a signal relating to the state of the elevator as an input value input via the external device I/F110, and reads the task 141 of the safety control function, the task 142 of the non-safety control function, the safety schedule information 150, and the non-safety schedule information 160.
Here, the task 141 of the safety control function, the task 142 of the non-safety control function, the safety schedule information 150, and the non-safety schedule information 160 correspond to data stored in the storage unit, and the CPU121 in the logic unit 120 refers to the data to execute processing necessary for elevator control.
The task 141 of the security control function is composed of security programs of a SETS task, a UCMP task, a DIAG task, and an ICOM task. In the following, these tasks are also sometimes referred to as "security tasks".
The task 142 of the non-safety control function is constituted by non-safety programs of the DLOG task and the CCIF task. In the following, these tasks are also sometimes referred to as "non-secure tasks".
The safety schedule information 150 is information defining the execution order of each safety task, the execution scheduled time, a final flag indicating whether the safety task is the final safety task in each control cycle, and an interruption flag indicating whether each safety task can be interrupted.
The non-secure scheduling information 160 is information that defines only the execution order of each non-secure task.
The external device I/F110 is an interface when signals of the landing door switch 216a, the car door switch 216b, the door zone sensor 216d, the reference position switches 216F and 216g, and the governor encoder 216j are input, or when a drive command is output to the safety relays # SF1 and S # SF 2.
The logic unit 120 includes a CPU121 and a memory 122. In the memory 122, as areas used when executing various security tasks, a SETS area, a UCMP area, a DIAG area, and an ICOM area are allocated as independent areas.
The independence assurance unit 130 includes a predetermined time timer 131, a control cycle timer 132, and a memory protection function 133.
When the secure task and the non-secure task are executed, the memory protection function 133 accesses the memory area of another secure task, protects the data in the area, and transmits a detected abnormal access to the CPU121 to execute the security halt sequence. For example, the case where the SETS task accesses the UCMP area corresponds to an abnormal access.
After the 1 st security monitoring system 140a (2 nd security monitoring system 140b) is started, the CPU121 refers to the security schedule information 150 and calls the security tasks in accordance with a predetermined execution order. In response to this, the independence assurance unit 130 starts task execution time measurement by the predetermined time timer 131. When starting the execution of the first task of each control cycle, the independence assurance unit 130 resets the control cycle timer 132 and then starts the timer count.
The CPU121 terminates or interrupts the task being executed by setting the execution time of the secure task to the predetermined time set in the secure scheduling information or by stating the task termination by the task itself being executed, and refers to the final flag.
When the final flag is FALSE, the CPU121 calls the next security task, and in response thereto, the independence assurance unit 130 resets the predetermined time timer 131 and starts measuring the execution time of the next task.
On the other hand, when the final flag is TRUE, the CPU121 refers to the non-secure scheduling information and calls the non-secure task in accordance with a predetermined execution order.
When the control cycle timer 132 reaches a predetermined control cycle, the CPU121 interrupts the non-safety task being executed, and shifts to the processing of the next control cycle. Then, the CPU121 refers to the safety schedule information to call the first safety task in the next control cycle. In response to this, the independence assurance unit 130 resets each of the predetermined time timer 131 and the control cycle timer 132 and starts the timer count of each.
When the CPU121 finishes executing the final secure task in the execution order of the secure scheduling information, it returns to the beginning of the execution order of the secure scheduling information at the timing of executing the next secure task.
Next, the effect of the task processing in embodiment 2 will be described using an execution time chart of each task for each control cycle. Fig. 11A is an execution sequence diagram corresponding to an execution plan according to the secure schedule information 150 and the non-secure schedule information 160 in embodiment 2 of the present invention.
In contrast, fig. 11B is an execution timing chart when the task processing according to embodiment 2 of the present invention is executed. Fig. 11C is an execution sequence chart when executing the task processing of the related art.
In the specific example shown in fig. 11A to 11C, the control cycle T is 1[ ms ] as 1 execution step, and it is assumed that the safe task and the unsafe task of 1 cycle are executed in 3 steps.
As shown in fig. 11A, in the execution plan based on the safe schedule information 150 and the unsafe schedule information 160, the following task assignment is performed in step 1 (step counter N is 1), step 2 (step counter N is 2), and step 3 (step counter N is 3).
< step 1 (step counter N ═ 1) >
ICOM task at time t of 0-0.1 [ ms ]
0.1 ~ 0.4[ ms ] at time t, DIAG task (1/3)
SETS task at time t of 0.4-0.7 [ ms ]
At time t equal to 0.7-1.0 [ ms ], non-secure task
< step 2 (step counter N ═ 2) >
ICOM task at time t of 0-0.1 [ ms ]
0.1 ~ 0.6[ ms ] at time t, DIAG task (2/3)
UCMP task at time t of 0.6-0.8 [ ms ]
Time t is 0.8-1.0 [ ms ], non-secure task
< step 3 (step counter N ═ 3) >
ICOM task at time t of 0-0.1 [ ms ]
0.1 ~ 0.8[ ms ] at time t, DIAG task (3/3)
At time t of 0.8 to 1.0[ ms ], non-secure task
As defined by the interrupt flag in the secure scheduling information 150 in fig. 10, the ICOM task, the SETS task, and the UCMP task are set to be uninterruptible, and the DIAG task is set to be only 3/3 uninterruptible. If the task that cannot be interrupted does not end within the predetermined time, the CPU121 detects a program abnormality and executes a safety stop sequence.
The predetermined time allocated to the safety scheduling information for executing each task is determined based on the execution path having the largest processing amount in the conditional branch combination of the task processing. In the case of a security task, only the abnormality monitoring process is executed during normal operation, and therefore the actual execution time is shorter than the predetermined time.
The execution time of the non-secure task is not defined in the non-secure scheduling information, and monitoring by a predetermined time timer is not performed. In fig. 11B and 11C, the processing time of the DLOG task is set to 0.1[ ms ], and the processing time of the CCIF task is set to 1.0[ ms ].
Next, a case where the task processing of embodiment 2 is actually executed will be described with reference to fig. 11B. In step 1, the ICOM task is executed when t is 0 to 0.1[ ms ], and then the DIAG task is executed from t being 0.1ms (1/3). Here, since the execution time of the DIAG task (1/3) is 0.3[ ms ], the DIAG task can be executed until t becomes 0.4[ ms ], but the DIAG task is finished when t becomes 0.3[ ms ] without detecting an abnormality.
Therefore, the CPU121 starts executing the SETS task, which is the next security task, at a time when t is 0.3[ ms ]. Although the SETS task can be executed when t is 0.3 to 0.6[ ms ], the SETS task is also ended when t is 0.5[ ms ] without detecting an abnormality.
The final flag of the SETS task is TRUE according to the security scheduling information 150, and therefore, the CPU121 can determine that the execution of the security task in this step has ended. Therefore, from t ═ 0.5[ ms ], the CPU121 executes the DLOG task in accordance with the non-secure schedule information 160. The DLOG task is completed at 0.1[ ms ], and the CCIF task is executed from t ═ 0.6[ ms ].
Although the CCIF task takes 1.0[ ms ] until it is completed, at T equal to 1.0[ ms ], the control period timer 132 reaches the control T equal to 1[ ms ], and an interrupt occurs. Thus, the CCIF task is interrupted at 0.4[ ms ] of execution.
In the next step 2, the ICOM task is executed at t0 to 0.1[ ms ], and the DIAG task (2/3) can be executed at t 0.1 to 0.6[ ms ], but ends at t 0.45[ ms ]. As a result, the UCMP task can be executed when t is 0.45 to 0.65[ ms ], but actually, the UCMP task ends when t is 0.6[ ms ].
Since the final flag of the UMCP is TRUE, the non-secure task is executed next, and from t being 0.6[ ms ], the CCIF task interrupted in the previous step 1 is started again. At 0.4[ ms ] after the CCIF task is further executed, the control period timer reaches the control T ═ 1[ ms ], and the execution of the CCIF task is interrupted again.
In the next step 3, the ICOM task is executed at t0 to 0.1[ ms ], and the DIAG task (3/3) can be executed at t 0.1 to 0.8[ ms ], but the process ends at t 0.6[ ms ]. Since the final flag of the DIAG task (3/3) is TRUE, the unsecure task is executed next, and from t ═ 0.6[ ms ], the CCIF task interrupted in the previous step 2 is started again.
Since the CCIF task has been executed in steps 1 and 2 for a total of 0.8[ ms ], the remaining 0.2[ ms ] processing is executed in step 3 at t 0.6 to 0.8[ ms ].
After the execution of the CCIF task is completed, since there is no next non-secure task, there is an idle time during which no processing is executed until step 3 is completed after t is 0.8[ ms ].
In addition, in the SETS task and the UCMP task, the current speed of the car needs to be calculated. Therefore, the CPU121 can calculate the car speed according to the following equation by using the governor encoder value x _ gov 'and the control cycle timer value T _ gov' obtained in the previous execution of the task, and the current values x _ gov and T _ gov, the control cycle T, and the speed normalization coefficient K, respectively.
Car speed K × (x _ gov-x _ gov ')/(3 × N + t _ gov-t _ gov')
As shown in fig. 11B, in the task processing according to the present invention, the idle time when the secure task is completed before the prescribed time can be efficiently utilized, and thus more time can be allocated to the non-secure task. As a result, the utilization efficiency of the CPU121 is improved, and the time efficiency of task processing can be improved.
On the other hand, when the same secure task or non-secure task as this time is executed by fixing the task allocation time according to the conventional technique, the execution sequence chart shown in fig. 11C is used. That is, since the processing of the security task is not executed during the idle time, the step of completing the CCIF task having the processing time of 1.0[ ms ] becomes step 5. That is, in the related art, it is necessary to execute more steps in a divided manner, and a case where the processing time is increased as compared with a case where the task processing according to the present invention is executed can be conceived.
As described above, according to the task scheduling method of embodiment 2, it is possible to integrate the idle time of the task that does not execute the safety control function after each control cycle. As a result, the utilization efficiency of the CPU is improved, and it is possible to realize efficient task scheduling while ensuring independence between the task of the safety control function and the task of the non-safety control function.
Description of the reference symbols
21: a CPU; 30: an independence assurance unit; 31: a prescribed time timer; 32: controlling a periodic timer; 33: a memory protection function; 40: carrying out a procedure; 41: a task of a safety control function; 42: tasks of non-safety control functions; 50. 50 a: safety scheduling information; 60. 60 a: non-secure scheduling information; 70: a context block; 121: a CPU; 130: an independence assurance unit; 131: a prescribed time timer; 132: controlling a periodic timer; 133: a memory protection function; 140a, 140 b: a security monitoring system; 141: a task of a safety control function; 142: tasks of non-safety control functions; 150: safety scheduling information; 160: non-secure scheduling information; 170: a context block.
Claims (9)
1. An elevator safety control device, comprising:
a storage unit that stores a plurality of safety control functions and a plurality of non-safety control functions as programs independent of each other, and stores safety schedule information that specifies in advance a schedule and an execution order for each control cycle when the plurality of safety control functions are executed in each control cycle; and
a CPU for performing elevator control calculation by sequentially executing programs corresponding to the plurality of safety control functions and the plurality of non-safety control functions in accordance with the safety scheduling information,
the CPU executes the safety control functions in each control cycle in a sequential manner without idle time in accordance with the execution sequence defined as the safety schedule information, and executes the plurality of non-safety control functions in idle time in a control cycle after all safety control functions assigned in the control cycle are executed.
2. The elevator safety control device according to claim 1, wherein the elevator safety control device further comprises:
an input unit that acquires a signal relating to the state of the elevator as an input value; and
an independence assurance unit that assures independence between control functions for all control functions including the plurality of safety control functions and the plurality of non-safety control functions so that a certain control function does not affect other control functions,
in the safety scheduling information, the execution order of the plurality of safety control functions, a predetermined time in which the arithmetic processing of the safety control function can be executed by the CPU is defined in association with each of the plurality of safety control functions, and a final flag indicating whether or not the safety control function is executed last in each control cycle are associated with each other,
the storage unit further stores non-safety schedule information that defines an execution sequence of the non-safety control function,
the independence assurance unit includes a predetermined time timer that monitors whether or not the arithmetic processing time of each safety control function exceeds the predetermined time, and a control cycle timer that monitors each control cycle,
the CPU performs, in each control cycle,
the operation processing of the safety control function is started in accordance with the execution sequence defined by the safety schedule information, the operation processing of the safety control function until the final flag is enabled is executed,
when the arithmetic processing of the safety control function ends before a predetermined time corresponding to the safety control function in the arithmetic processing or when the predetermined time is reached and the interruption of the predetermined time timer occurs, the arithmetic processing of the safety control function in the next execution sequence is started, thereby the arithmetic processing of the safety control function to be executed in the control cycle is executed continuously and sequentially without idle time,
executing the arithmetic processing of the non-safety control function in accordance with the execution sequence defined by the non-safety scheduling information during an idle time from the completion of the arithmetic processing of the safety control function to be executed in the control cycle to the completion of the control cycle,
when the control cycle has elapsed and the control cycle timer is interrupted, the non-safety control function being executed is interrupted, and the arithmetic processing in one control cycle is ended.
3. The elevator safety control apparatus according to claim 2,
the elevator safety control device is also provided with a context block which holds the execution state information of each program independently executed,
the CPU
When the predetermined time timer or the control cycle timer is interrupted, the control function in the arithmetic processing is interrupted, and the execution state information of the program related to the interrupted control function is stored in the context block,
when the interrupted control function is executed next time, the arithmetic processing of the control function in the interrupted state can be restarted by using the execution state information of the program stored in the context block.
4. The elevator safety control apparatus according to claim 2 or 3, wherein,
the CPU has an internal memory to which an area for executing each of the plurality of safety control functions is independently allocated,
the independence assurance unit has a memory protection function as follows: in the process of executing the arithmetic processing of any control function of all the control functions including the plurality of safety control functions and the plurality of non-safety control functions, the presence or absence of access to an abnormal access state of the internal memory other than the area to which the control function in the arithmetic processing is permitted is monitored, and when the abnormal access state is detected, a command for executing the safety operation of the elevator is output to the CPU.
5. The elevator safety control apparatus according to any one of claims 2 to 4,
the safety scheduling information is also associated with an interruptible flag which indicates whether the safety control function can be interrupted in the operation processing,
the CPU executes the safety operation of the elevator when the predetermined time timer is interrupted during the operation of the safety control function in which the interruptible flag is invalid.
6. The elevator safety control apparatus according to any one of claims 2 to 5,
the value of the control cycle timer can be inherently set corresponding to the respective independent programs,
the CPU can use the value of the control cycle timer set for a program corresponding to a control function for executing arithmetic processing.
7. The elevator safety control apparatus according to claim 6,
the CPU has a counter that holds the number of lapsed of the control period timer,
the CPU can measure the elapsed time from the previous time to the current time using the value and the number of elapsed times of the control cycle timer when the control cycle timer was acquired last time and the value and the number of elapsed times of the control cycle timer when the control cycle timer was acquired this time.
8. The elevator safety control apparatus according to claim 6 or 7, wherein,
for the task of the safety control function that wants to prohibit the interruption of the prescribed time timer only in a specific interval,
the CPU acquires a value ta of a control cycle timer at the start of the task, acquires a value tb of the control cycle timer at the start of the specific section, determines whether or not a relation td < tb-ta + tc is established based on a time width tc of the specific section and a set value td of a predetermined time timer of the task at the start of the specific section, interrupts the arithmetic processing of the task at the start of the specific section when the relation is established, shifts the processing to a next execution order, and resumes the execution of the task from the initial state of the specific section when the next execution order of the task is established, thereby prohibiting the interruption of the predetermined time timer in the specific section.
9. The elevator safety control apparatus according to claim 8,
the CPU
Setting a start flag in a case where the specific section has started, setting an end flag in a case where the specific section has ended, in the next execution order,
and when the start flag is set and the end flag is not set when the interruption of the timer for a predetermined time occurs after the start of the specific section, the safety operation of the elevator is executed.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/JP2018/008305 WO2019171424A1 (en) | 2018-03-05 | 2018-03-05 | Elevator safety control device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111788140A true CN111788140A (en) | 2020-10-16 |
Family
ID=67846574
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201880089881.5A Pending CN111788140A (en) | 2018-03-05 | 2018-03-05 | Elevator safety control device |
Country Status (3)
| Country | Link |
|---|---|
| JP (1) | JP7003217B2 (en) |
| CN (1) | CN111788140A (en) |
| WO (1) | WO2019171424A1 (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPS55156174A (en) * | 1979-05-18 | 1980-12-04 | Hitachi Ltd | Maintenance device for elevator |
| JPS6387435A (en) * | 1986-09-30 | 1988-04-18 | Toshiba Corp | Information transmission control method for elevator system |
| CN102781804A (en) * | 2010-03-12 | 2012-11-14 | 三菱电机株式会社 | Elevator safety control device |
| CN103052923A (en) * | 2011-01-31 | 2013-04-17 | 丰田自动车株式会社 | Safety control device and safety control method |
| CN103080858A (en) * | 2011-01-31 | 2013-05-01 | 丰田自动车株式会社 | Safety control device and safety control method |
| CN103403633A (en) * | 2011-03-15 | 2013-11-20 | 欧姆龙株式会社 | Cpu of plc, system program for plc, and recording medium storing system program for plc |
| JP2017137183A (en) * | 2016-02-05 | 2017-08-10 | 株式会社日立製作所 | Control system |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH06305647A (en) * | 1993-04-23 | 1994-11-01 | Takenaka Komuten Co Ltd | Operation schedule determining device for lifting and transporting device |
| JP6366764B2 (en) | 2017-03-22 | 2018-08-01 | 三菱電機株式会社 | Elevator system |
-
2018
- 2018-03-05 WO PCT/JP2018/008305 patent/WO2019171424A1/en active Application Filing
- 2018-03-05 JP JP2020504489A patent/JP7003217B2/en active Active
- 2018-03-05 CN CN201880089881.5A patent/CN111788140A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPS55156174A (en) * | 1979-05-18 | 1980-12-04 | Hitachi Ltd | Maintenance device for elevator |
| JPS6387435A (en) * | 1986-09-30 | 1988-04-18 | Toshiba Corp | Information transmission control method for elevator system |
| CN102781804A (en) * | 2010-03-12 | 2012-11-14 | 三菱电机株式会社 | Elevator safety control device |
| CN103052923A (en) * | 2011-01-31 | 2013-04-17 | 丰田自动车株式会社 | Safety control device and safety control method |
| CN103080858A (en) * | 2011-01-31 | 2013-05-01 | 丰田自动车株式会社 | Safety control device and safety control method |
| CN103403633A (en) * | 2011-03-15 | 2013-11-20 | 欧姆龙株式会社 | Cpu of plc, system program for plc, and recording medium storing system program for plc |
| JP2017137183A (en) * | 2016-02-05 | 2017-08-10 | 株式会社日立製作所 | Control system |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2019171424A1 (en) | 2019-09-12 |
| JP7003217B2 (en) | 2022-01-20 |
| JPWO2019171424A1 (en) | 2020-07-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9108823B2 (en) | Elevator safety control device | |
| CN101312898B (en) | Emergency stop system for elevator | |
| US5107964A (en) | Separate elevator door chain | |
| WO2015079976A1 (en) | Elevator safety system | |
| KR20090055031A (en) | Elevator apparatus | |
| EP2246285B1 (en) | Elevator system | |
| CN101027238B (en) | Elevator apparatus | |
| JP2003095555A (en) | Control device of elevator | |
| JP2014172714A (en) | Elevator system | |
| CN111788140A (en) | Elevator safety control device | |
| US8423681B2 (en) | Control apparatus for process input-output device | |
| CN113939774A (en) | Task scheduling management device | |
| JP6230729B2 (en) | Elevator safety control device and elevator safety control method | |
| CN106414293B (en) | Target dispatch covering including carriage positioning monitoring system | |
| CN111788139B (en) | Elevator safety control device | |
| JP2008054028A (en) | Control information transmission system | |
| JP7409567B2 (en) | Automotive computer control method and vehicle electronic control device | |
| JP7279836B1 (en) | CONTROL DEVICE, CONTROL METHOD, AND PASSENGER TRANSPORT CONTROL DEVICE | |
| JPWO2018025408A1 (en) | Safety monitoring device | |
| CN111422710B (en) | Elevator operation control method and device and elevator | |
| JPS6351954B2 (en) | ||
| CN111788138A (en) | Elevator control device and elevator control method | |
| JP2009091101A (en) | Emulation device of elevator | |
| KR0167209B1 (en) | Helping out operation control method and equipment for elevator | |
| JPS6242833B2 (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |