EP1792864A1

EP1792864A1 - Elevator apparatus

Info

Publication number: EP1792864A1
Application number: EP04788085A
Authority: EP
Inventors: Tatsu Mitsubishi Denki Kabushiki Kaisha MATSUOKA
Original assignee: Mitsubishi Electric Corp
Current assignee: Mitsubishi Electric Corp
Priority date: 2004-09-24
Filing date: 2004-09-24
Publication date: 2007-06-06
Anticipated expiration: 2024-09-24
Also published as: JP5350590B2; EP1792864A4; EP1792864B1; WO2006033153A1; CN101027238B; CN101027238A; JPWO2006033153A1

Abstract

In an elevator apparatus, an electronic safety apparatus detects abnormality of an elevator based on a detection signal from a sensor and outputs an instruction signal for shifting the elevator to a safe state. The electronic safety apparatus can detect abnormality of the electronic safety apparatus itself. When abnormality of the electronic safety apparatus itself is detected, the electronic safety apparatus also outputs the instruction signal for shifting the elevator to the safe state.

Description

Technical Field

The present invention relates to an elevator apparatus which employs an electronic safety controller for detecting abnormality of an elevator based on a detection signal from a sensor.

Background Art

In a conventional elevator safety system, sensors or the like are connected to bus nodes provided to a hoistway, a machine room, and a car, which allows information from the sensors or the like to be sent through the bus nodes and a communication network bus to a safety controller (see, for example, Patent Document 1).
Patent Document 1: JP 2002-538061 A

Disclosure of the Invention

Problem to be solved by the Invention

In the conventional elevator apparatus, information is inputted from the sensors to the safety controller through the communication network. Thus, to secure high reliability for a safety system, a considerably highly reliable communication network is required. This makes hardware and software that implement the communication network more complicated and more expensive.
The present invention has been devised to solve the problem as described above. It is an object of the invention to provide an elevator apparatus capable of improving the reliability of a safety system with a relatively simple structure.

Means for solving the Problem

An elevator apparatus according to the invention includes: a sensor that generates detection signal for detecting a state of an elevator; and an electronic safety controller that detects abnormality of the elevator based on the detection signal from the sensor to output an instruction signal for shifting the elevator to a safe state, in which the electronic safety controller can detect abnormality of the electronic safety controller itself and, when abnormality of the electronic safety controller itself is detected, the electronic safety controller also outputs the instruction signal for shifting the elevator to the safe state.

Brief Description of the Drawings

[Fig. 1] A diagram of an elevator apparatus according to a first embodiment of the invention.
[Fig. 2] A graph of a pattern of overspeed set in speed governor and an ETS circuit unit of Fig. 1.
[Fig. 3] A block diagram of a relation of connection among an electronic safety controller, an elevator control panel, and various sensors of Fig. 1.
[Fig. 4] A block diagram of the structure of a main part of the electronic safety controller of Fig. 1.
[Fig. 5] A explanatory diagram of a method of executing arithmetic processing by a microprocessor of Fig. 4.
[Fig. 6] A block diagram of the main part of the electronic safety controller of Fig. 1.
[Fig. 7] A diagram of a specific configuration of a clock abnormality detection circuit of Fig. 6.
[Fig. 8] An explanatory diagram of separated areas in a RAM of the electronic safety controller of Fig. 1.
[Fig. 9] A flowchart of an initial operation of the electronic safety controller of Fig. 1.
[Fig. 10] A flowchart of a first example of an interrupt computation of the electronic safety controller of Fig. 1.
[Fig. 11] A block diagram of the main part of the electronic safety controller of Fig. 1.
[Fig. 12] A block diagram of the main part of the electronic safety controller of Fig. 1.
[Fig. 13] A circuit diagram of an example of a specific configuration of a check function circuit of Fig. 12.
[Fig. 14] An explanatory diagram of meanings of data regarding the respective bits of data buses when the check function circuit of Fig. 12 is read by first and second CPUs.
[Fig. 15] A flowchart of a method of checking soundness of monitoring of a power source voltage at the first CPU of Fig. 12.
[Fig. 16] A flowchart of an operation when the CPUs are reset in the elevator control apparatus of Fig. 12.
[Fig. 17] A an explanatory diagram of a relation between a stage of an initialization operation of the ETS circuit unit of Fig. 1 and operations of the operation control unit and the safety circuit unit.
[Fig. 18] An explanatory diagram of movement of the car in an initialization operation mode of the elevator apparatus of Fig. 1.
[Fig. 19] A circuit diagram of an abnormal contact point detection unit of the electronic safety controller of Fig. 1.
[Fig. 20] A flowchart for explaining a method of operating the safety relay main contact point of Fig. 19.
[Fig. 21] A block diagram of the electronic safety controller of Fig. 1 connected to a history information recording unit and a soundness diagnosis unit.
[Fig. 22] An explanatory diagram of an example of information stored in a history information recording unit of Fig. 21.
[Fig. 23] A flowchart for explaining an operation of the electronic safety controller of Fig. 21.
[Fig. 24] A block diagram of the main part of the electronic safety controller of Fig. 1.
[Fig. 25] A circuit diagram specifically, showing a data comparison circuit for data abnormality check of Fig. 24.
[Fig. 26] A circuit diagram for specifically showing a designated address detection circuit for address bus abnormality check of Fig. 24.
[Fig. 27] A flowchart of a processing operation by designated address output software and a designated address detection circuit in a CPU of Fig. 24.
[Fig. 28] A flowchart of a processing operation by data bus abnormality check software in the CPU of Fig. 24.

Best Mode for carrying out the Invention

Preferred embodiments of the invention will be hereinafter described with reference to the drawings.

First embodiment

Fig. 1 is a diagram of an elevator apparatus according to a first embodiment of the invention. In the drawing, a hoistway 1 includes a pair of car guide rails 2 and a counterweight guide rail (not shown). A car 3 is raised and lowered in the hoistway 1 while being guided by the car guide rails 2. A counterweight 4 is raised and lowered in the hoistway 1 while being guided by the counterweight guide rail.
In a lower part of the car 3, a safety device 5 that engages with the car guide rails 2 to stop the car 3 in an emergency is provided. The safety device 5 has a pair of braking pieces (wedge members) 6 that are operated by mechanical operation and pushed toward the car guide rails 2.
In the upper part of the hoistway 1, a driving apparatus (traction machine) 7 that raises and lowers the car 3 and the counterweight 4 via a main rope is provided. The driving apparatus 7 has: a drive sheave 8; a motor unit (not shown) that rotates the drive sheave 8; a brake unit 9 that brakes the rotation of the drive sheave 8; and a motor encoder 10 that generates a detection signal according to the rotation of the drive sheave 8.
The brake unit 9 is, for example, an electromagnetic brake apparatus. In the electromagnetic brake apparatus, a spring force of a braking spring is used to push a brake shoe toward a braking surface to brake the rotation of the drive sheave 8 and an electromagnetic magnet is excited to separate the brake shoe from the braking surface to cancel the braking.
An elevator control panel 11 is provided, for example, in a lower part of the hoistway 1. The elevator control panel 11 includes: an operation control unit 12 that controls the operation of the driving apparatus 7; and a safety circuit unit (relay circuit unit) 13 that suddenly stops the car 3 when the elevator has abnormality. The operation control unit 12 is inputted with a detection signal from the motor encoder 10. Based on the detection signal from the motor encoder 10, the operation control unit 12 calculates the position and speed of the car 3 to control the driving apparatus 7.
When the relay circuit of the safety circuit unit 13 is opened, an electric current to the motor unit of the driving apparatus 7 is blocked and an electric current to the electromagnetic magnet of the brake unit 9 is also blocked, whereby the drive sheave 8 is braked.
In the upper part of the hoistway 1, a speed governor (mechanical speed governor) 14 is provided. The speed governor 14 includes: a speed governor sheave 15, an overspeed detection switch 16, a rope catch 17, and a speed governor encoder 18 serving as a sensor. The speed governor sheave 15 is wound at a speed governor rope 19. Both ends of the speed governor rope 19 are connected to the operation mechanism of the safety device 5. The lower end of the speed governor rope 19 is wound around a tightening pulley 20 provided in the lower part of the hoistway 1.
When the car 3 is raised or lowered, the speed governor rope 19 is rotated and the speed governor sheave 15 is rotated at a rotation speed corresponding to a traveling speed of the car 3. The speed governor 14 mechanically detects that the traveling speed of the car 3 reaches an overspeed. Overspeeds to be detected are set as a first overspeed (OS speed) that is higher than a rated speed and a second overspeed (Trip speed) that is higher than the first overspeed.
When the traveling speed of the car 3 reaches the first overspeed, the overspeed detection switch 16 is operated. When the overspeed detection switch 16 is operated, the relay circuit of the safety circuit unit 13 is opened. When the traveling speed of the car 3 reaches the second overspeed, the rope catch 17 grips the speed governor rope 19 to stop the rotation of the speed governor rope 19. When the rotation of the speed governor rope 19 is stopped, the safety device 5 provides a braking operation.
The speed governor encoder 18 generates a detection signal according to the rotation of the speed governor sheave 15. The speed governor encoder 18 is a dual sense type encoder that simultaneously outputs two types of detection signals, i.e., first and second detection signals.
The first and second detection signals from the speed governor encoder 18 are inputted to an ETS circuit unit 22 of an Emergency Terminal Slowdown apparatus (ETS apparatus) provided at an electronic safety controller 21. The ETS circuit unit 22 detects, based on a detection signal from the speed governor encoder 18, abnormality of an elevator to output an instruction signal for shifting the elevator to a safe state. Inotherwords, the ETS circuit unit 22 calculates, based on the signal from the speed governor encoder 18, the traveling speed and a position of the car 3 independent of the operation control unit 12 and monitors whether the traveling speed of the car 3 in the vicinity of a terminal landing reaches an ETS monitoring overspeed.
The ETS circuit unit 22 also converts the signal from the speed governor encoder 18 to a digital signal to perform a digital arithmetic processing and determine whether the traveling speed of the car 3 reaches an ETS monitoring overspeed. When the ETS circuit unit 22 determines that the traveling speed of the car 3 reaches the ETS monitoring overspeed, the relay circuit of safety circuit unit 13 is opened.
The ETS circuit unit 22 can also detect abnormality of the ETS circuit unit 22 itself and abnormality of the speed governor encoder 18. When the ETS circuit unit 22 detects abnormality of the ETS circuit unit 22 itself or abnormality of the speed governor encoder 18, the ETS circuit unit 22 outputs a nearest floor stop instruction signal as an instruction signal for shifting the elevator to a safe state to the operation control unit 12. The ETS circuit unit 22 can also have an interactive communication with the operation control unit 12.
In predetermined positions in the hoistway 1, there are provided first to fourth reference sensors 23 to 26 for detecting that the car 3 is located at a reference position in the hoistway. The reference sensors 23 to 26 can be top and bottom terminal landing switches. Detection signals from the reference sensors 23 to 26 are inputted to the ETS circuit unit 22. Based on the detection signals from the reference sensors 23 to 26, the ETS circuit unit 22 corrects the information for the position of the car 3 calculated in the ETS circuit unit 22.
Between a bottom face of the hoistway 1 and lower faces of the car 3 and the counterweight 4, a car buffer 27 and a counterweight buffer 28 are respectively provided. Here, the car buffer 27 and the counterweight buffer 28 are provided in the lower part in the hoistway 1. The car buffer 27 is provided just below the car 3 and reduces an impact caused when the car 3 collides with a bottom part of the hoistway 1. The counterweight buffer 28 is provided just below the counterweight 4 and reduces an impact caused when the counterweight 4 collides with a bottom part of the hoistway 1 . These buffers 27 and 28 may be, for example, an oil-filled-type or spring-type buffer.
Fig. 2 is a graph of overspeed patterns set in the speed governor 14 and the ETS circuit unit 22 of Fig. 1. In the drawing, when the car 3 travels at a normal speed (rated speed) from a bottom terminal landing to a top terminal landing, the car 3 draws a normal speed pattern V0. The speed governor 14 is associated with first and second overspeed patterns V1 and V2 by a mechanical position adjustment. The ETS circuit unit 22 is associated with an ETS monitoring overspeed pattern VE.
The ETS monitoring overspeed pattern VE is set to be higher than the normal speed pattern V0. The ETS monitoring overspeed pattern VE is also set to have an equal interval from the normal speed pattern V0 in the entire ascending/descending process. In other words, the ETS monitoring overspeed pattern VE changes according to a car position. More specifically, the ETS monitoring overspeed pattern VE is set to be fixed in the vicinity of an intermediate floor and is set to continuously and smoothly decline, in the vicinity of a terminal landing, while being closer to an end of the hoistway 1 (upper end and lower end). In this manner, the ETS circuit unit 22 monitors the traveling speed of the car 3 not only in a position in the vicinity of a terminal landing but also in a position in the vicinity of an intermediate floor (a fixed speed traveling zone in the normal speed pattern V0). However, the ETS circuit unit 22 does not always have to monitor the traveling speed of the car 3 in a position in the vicinity of the intermediate floor.
The first overspeed pattern V1 is set to be higher than the ETS monitoring overspeed pattern VE. The second overspeed pattern V2 is set to be higher than the first overspeed pattern V1. The first and second overspeed patterns V1 and V2 are fixed at all heights in the hoistway 1.
The counterweight buffer 28 has a buffer stroke that is set, according to a collision speed of the counterweight 4 to the counterweight buffer 28 limited by the ETS circuit unit 22, to be shorter than a stroke specified according to a collision speed limited by the speed governor 14. The car buffer 27 has a buffer stroke specified according to the collision speed limited by the speed governor 14.
The buffers 27 and 28 have a buffer stroke that is determined according to an initial speed at the time when the car 3 or the counterweight 4 first come into contact with the buffer 27 or 28 and an allowable deceleration until the car 3 or the counterweight 4 stops. Thus, the buffer stroke of the car buffer 27 is set to be shorter than the buffer stroke of the counterweight buffer 28. In other words, the buffer stroke of the counterweight buffer 28 is set to be shorter than the buffer stroke of the car buffer 27.
The counterweight buffer 28 has a sufficient capacity so as to not to be broken even when the counterweight buffer 28 collides with the counterweight 4 at speed higher than speed specified in the ETS monitoring overspeed pattern VE (e.g., when the main rope is broken). The sufficient capacity of the counterweight buffer 28 may be secured, for example, by using a buffer having a capacity higher than a general capacity or by using plural buffers having a general capacity.
A size of a clearance between the upper end part of the car 3 and the ceiling part of the hoistway 1 at the time when the car 3 reaches a top floor is set according to a collision speed of the counterweight 4 with the counterweight buffer 28 that is limited by the ETS circuit unit 22. In other words, the size of a clearance at the top part of the hoistway 1 is set so as to prevent, even when the counterweight 4 collides with the counterweight buffer 28, the car 3 from colliding with the ceiling part of the hoistway 1.
Fig. 3 is a block diagram of a relation of connection among the electronic safety controller 21, the elevator control panel 11, and various sensors of Fig. 1. In the figure, the electronic safety controller 21 is inputted with two types of detection signals from the speed governor encoder 18, that is, detection signals from the first to fourth reference sensors 23 to 26 and signals from other sensors (first to Nth sensor). The electronic safety controller 21 also has plural signal input ports corresponding to the respective sensors. In other words, the electronic safety controller 21 receives separate signals from the respective sensors as inputs. Thus, the electronic safety controller 21 can detect abnormality of the respective sensors.
When the electronic safety controller 21 detects some abnormality (e.g., overspeed, sensor failure, or abnormality of the electronic safety controller 21 itself) , a failure/abnormality content signal including content of the failure or abnormality is inputted to a control unit (not shown) of the elevator control panel 11 and a stop signal according to the content of the failure or abnormality is inputted to a driving/braking unit (not shown) of the elevator control panel 11.
Fig. 4 is a block diagram of the apparatus configuration of the main part of the electronic safety controller 21 of Fig. 1. The electronic safety controller 21 includes: a first microprocessor 31 that performs arithmetic processing for detecting abnormality of the elevator based on a first safety program; and a second microprocessor 32 that performs arithmetic processing for detecting abnormality of the elevator based on a second safety program.
The first safety program is a program that has the same content as that of the second safety program. The first and second microprocessors 31 and 32 can have mutual communication via an interprocessor bus and a dual port RAM 33. The first and second microprocessors 31 and 32 can also check the soundness of the first and second microprocessors 31 and 32 themselves by mutually comparing the results of the arithmetic processing. In other words, the soundness of the first and second microprocessors 31 and 32 is checked by causing the first and second microprocessors 31 and 32 to perform an identical processing and the processing results are communicated and compared via the dual port RAM 33 or the like.
In addition to the abnormality of the microprocessors 31 and 32 themselves, the microprocessors 31 and 32 can also detect abnormality of the electronic safety controller 21 by arithmetic processing.
Fig. 5 is an explanatory diagram of a method of performing arithmetic processing by the microprocessors 31 and 32 of Fig. 4. The microprocessors 31 and 32 repeatedly perform arithmetic processing with a predetermined computation cycle (e.g., 50 msec) based on a signal from a fixed-cycle timer and according to a program stored in a ROM. A program executed in one cycle includes a safety program for detecting abnormality of an elevator and a failure/abnormality check program for detecting the failure/abnormality of the electronic safety controller 21 itself and various sensors. The failure/abnormality check program may be executed only when predetermined states are satisfied.
In the elevator apparatus, the electronic safety controller 21 can detect abnormality of the electronic safety controller 21 itself and outputs, even when abnormality of the electronic safety controller 21 itself is detected, an instruction signal for shifting the elevator to a safe state. Thus, a relatively-simple structure can be used to improve the reliability of a safety system while improving speed to detect abnormality of an elevator and speed of the processing for the abnormality.
The electronic safety controller 21 can also detect abnormality of various sensors and can output, even when abnormality of the sensor is detected, an instruction signal for shifting the elevator to a safe state. Thus, the safety system can have a further improved reliability.
Furthermore, the electronic safety controller 21 includes first and second microprocessors 31 and 32. The first and second microprocessors 31 and 32 can check the soundness of the first and second microprocessors 31 and 32 themselves by mutually comparing results of the arithmetic processing. Thus, the safety system can have a further improved reliability.
Specific examples of a constitution and an operation of the electronic safety controller 21 will be hereinafter explained.

«Detection of clock abnormality»

Fig. 6 is a block diagram of the main part of the electronic safety controller 21 of Fig. 1. To secure a sufficient reliability, the electronic safety controller 21 adopts a double circuit configuration.
The electronic safety controller 21 uses first and second CPUs (processing units) 41 and 42 as the first and second microprocessors. The first CPU 41 outputs control signals to the operation control unit 12 and a first output interface (output unit) 43. The second CPU 42 outputs control signals to the operation control unit 12 and a second output interface (output unit) 44.
When receiving the control signals from the first and second CPUs 41 and 42, the operation control unit 12 is controlled by the control signals. Based on the control signals from the first and second CPUs 41 and 42, the first and second output interfaces 43 and 44 output signals for opening the safety circuit unit 13.
The first and second CPUs 41 and 42 are connected to a dual port RAM 45 to perform data transfer between the CPUs. The first CPU 41 is connected to a first watchdog timer 46. The second CPU 42 is connected to a second watchdog timer 47.
The first CPU 41 has two types of signals from the speed governor encoder 18 (Fig. 1) as inputs. The second CPU 42 has also two types of signals from the speed governor encoder 18 as inputs. The signals from the speed governor encoder 18 are subjected to the arithmetic processing by the CPUs 41 and 42, whereby speed and a position of the car 3 are calculated (Fig. 1) . In other words, the speed governor encoder 18 functions both as speed sensor and a position sensor. The CPUs 41 and 42 have also signals from various sensors as inputs as shown in Fig. 3.
The first CPU 41 has a first clock signal from the first clock 48 as an input. The second CPU 42 has a second clock signal from the second clock 49 as an input. The first and second clock signals are set to have an identical frequency.
The first and second clock signals are also inputted to a clock abnormality detection circuit 50. The clock abnormality detection circuit 50 counts the number of pulses of the first and second clock signals to detect, based on the difference of the number of pulses, abnormalities of the first and second clock signals.
The first and second CPUs 41 and 42 transmit, to the clock abnormality detection circuit 50, test mode signals 51 and 52 to check the soundness of the clock abnormality detection circuit 50. The first and second CPUs 41 and 42 also transmits, to the clock abnormality detection circuit 50, detection start instruction signals 53 and 54 to start the detection of clock abnormality.
When clock abnormality is detected, the clock abnormality detection circuit 50 inputs error signals 55 and 56 to the first and second CPUs 41 and 42.
Fig. 7 is a diagram of a specific structure of the clock abnormality detection circuit 50 of Fig. 6. The clock abnormality detection circuit 50 includes: a first monitoring counter 57 and a first monitored counter 58 for counting pulse edges of the first clock signal; and a secondmonitoring counter 59 and a second monitored counter 60 for counting pulse edges of the second clock signal.
The first clock signal is inputted to the first monitored counter 58 via a first selector 61. The first selector 61 can provide switching between a normal circuit and a test circuit. In the normal circuit, the first clock signal is directly inputted to the first monitored counter 58. In the test circuit, the first clock signal is multiplied in the first multiplication circuit 62 to be inputted to the first monitored counter 58. The switching to the test circuit is performed when the test mode signal 51 from the first CPU 41 is inputted to the first selector 61.
Similarly, the second clock signal is inputted to the second monitored counter 60 via the second selector 63. The second selector 63 can provide switching between the normal circuit and the test circuit. In the normal circuit, the second clock signal is directly inputted to the second monitored counter 60. In the test circuit, the second clock signal is multiplied by the second multiplication circuit 64 and then inputted to the second monitored counter 60. The switching to the test circuit is performed when the test mode signal 52 from the second CPU 42 is inputted to the second selector 63.
Ripple carry output signals (i.e., error signals 55 and 56) from the first and second monitored counters 58 and 60 are latched by first and second latch units 65 and 66. The first and second latch units 65 and 66 cancel the latch status when the latch units receive latch cancellation signals 67 and 68 from the first and second CPUs 41 and 42.
When error signals from the clock abnormality detection circuit 50 are inputted to the CPUs 41 and 42, the CPUs 41 and 42 output abnormality detection signals to the output interfaces 43 and 44. Then, the output interfaces 43 and 44 output operation signals to the safety circuit unit 13. The safety circuit unit 13 shifts the elevator to a safe state.
The electronic safety controller 21 includes a computer (microcomputer) including the CPUs 41 and 42 and a ROM shown in Fig. 6.
Next, the operation will be explained. Two types of pulse signals outputted from the speed governor encoder 18 are inputted to the CPUs 41 and 42. Then, the pulse signals are subjected to the arithmetic processing by the respective CPUs 41 and 42, whereby a position and speed of the car 3 are calculated. The calculated position and speed are compared with each other via the dual port RAM 45 to be subsequently compared with a set value (reference value) to determine abnormality (e.g., ETS monitoring overspeed).
When abnormality such as overspeed or an abnormal position is detected, a signal is outputted, according to the contents of the abnormality, to the operation control unit 12 or the safety circuit unit 13 to shift the elevator to a safe state. The expression "shift the elevator to a safe state" means, for example, suddenly stopping the car 3 or stopping the car 3 at the nearest floor. After shifting the elevator to a safe state, the operation control unit 12 is further controlled as required.
Shift of the elevator to a safe state is also performed when the CPUs 41 and 42 have different computation results and it is judged that any system of the CPUs 41 and 42 has abnormality.
When the calculated position and speed have no abnormality, a control signal for permitting the traveling of the car 3 is generated and is outputted to the operation control unit 12.
The CPUs 41 and 42 perform the computation to calculate a car speed by counting pulse signals inputted within a fixed time. A timer that measures the "fixed time" is generated by clock signals from the clocks 48 and 49. Thus, the frequency of a clock signal is very important.
When overspeed of the car 3 is monitored, attention must be paid to, in particular, abnormality causing a higher frequency. The reason is that, when a clock signal cycle is halved due to some failure when pulse signals are intended to be counted every 10ms, pulse signals are actually counted every 5ms despite the intention. In this case, the car speeds calculated by the CPUs 41 and 42 are mistakenly recognized as the halves of an actual car speed, thus causing a situation where the overspeed cannot be detected.
On the other hand, in this example, the clock signals from the first and second clocks 48 and 49 are inputted to the clock abnormality detection circuit 50 and it is monitored whether the clock signals have abnormality.
Next, an operation for monitoring a clock abnormality will be explained in detail. First, when a power source is reset, the counters 57 to 60 immediately start counting clock pulses as soon as the respective devices are stabilized. As a result, the error signals 55 and 56 are latched. However, at first, the CPUs 41 and 42 ignore these error signals 55 and 56.
Thereafter, the detection start instruction signals 53 and 54 are given with High signals. Then, the latch cancellation signals 67 and 68 are sent from the CPUs 41 and 42 to the clock abnormality detection circuit 50.
With the first ripple carry output signals from the monitoring counters 57 and 59 after the detection start instruction signals 53 and 54 are High, preset data values of the respective counters 57 to 60 are loaded to the respective counters 57 to 60 to start a countup. The preset data values are count values at which the count by the counters 57 to 60 is started.
Preset data values of the monitored counters 58 and 60 are set to be, for example, 0 in advance. As preset data values of the monitoring counters 57 and 59, threshold values for judging a clock abnormality are set in advance. The preset data values of the monitoring counters 57 and 59 are set to be higher than the preset data values of the monitored counters 58 and 60 (set to 4 in this example).
The monitoring counters 57 and 59 repeatedly count the number of pulses in a range smaller than those covered by the monitored counters 58 and 60 and reset the monitored counters 57 and 59 whenever the carryover thereof is caused. The monitored counters 58 and 60 also try to repeatedly count the number of pulses. However, when no abnormality is caused, the carryover of the monitoring counters 57 and 59 is caused prior to the carryover of the monitored counters 58 and 60 to reset the monitored counters 58 and 60.
The preset data values can be arbitrarily set by configuring the clock abnormality detection circuit 50 by, for example, an FPGA (field programmable gate array).
When the two clocks 48 and 49 have no abnormality, the monitored counters 58 and 60 are reset by the ripple carry output signals of the monitoring counters 57 and 59 at a counter value that is smaller by four than a counter value at which the carryover of the monitored counters 58 and 60 is caused and a ripple carry output signal (i.e., error signals 55 and 56) is outputted. Thus, the error signals 55 and 56 are not outputted.
On the other hand, when abnormality in which a frequency of, for example, the first clock 48 is increased is caused, prior to the reset of the first monitored counter 58 by the ripple carry output signal of the second monitoring counter 59, the ripple carry output signal of the first monitored counter 58 (i.e. , error signal 55) is outputted and the error signal 55 is latched by the latch unit 65.
When abnormality is caused in which a frequency of the second clock 49 is increased, the error signal 56 is similarly outputted from the second monitored counter 60 and the error signal 56 is latched by the latch unit 66.
Furthermore, when the clocks 48 and 49 are stopped, the stop can also be detected by the clock abnormality detection circuit 50. However, the watchdog timers 46 and 47 work to provide a forced reset to prevent a dangerous state.
This mechanism eliminates the need to use an exclusive clock for detecting a clock abnormality and can directly use the clocks 48 and 49 used for the double CPUs 41 and 42 for detecting a clock abnormality. This makes it possible to efficiently use of hardware resource. Therefore, a simple circuit configuration can be used to improve the reliability.
Since it is also possible to arbitrarily set preset data values of the counters 57 to 60, a critical frequency drift can also be detected. As a result, time during which the operation is delayed until the safety circuit unit 13 is driven and controlled can be reduced and a safer design can be realized.
Furthermore, since the four counters 57 to 60 and the watchdog timers 46 and 47 are used in combination, it is possible to easily specify in which of the clocks 48 and 49 abnormality of an increasing frequency has occurred.
Next, a function to check the soundness of the clock abnormality detection circuit 50 will be explained. For example, when the test mode signal 51 is sent from the first CPU 41 to the clock abnormality detection circuit 50, the selector 61 provides switching to the test circuit and the first clock signal is multiplied by the first multiplication circuit 62. In other words, the first clock signal inputted to the first monitored counter 58 is put in an abnormal state purposely. As a result, when the clock abnormality detection circuit 50 has no abnormality, the first monitored counter 58 will output the error signal 55.
Therefore, in the CPU 41, the error signal 55 is received in response to the transmission of the test mode signal 51. As a result, the soundness of the clock abnormality detection circuit 50 can be checked. Similarly, the soundness of the second clock 49 can also be checked.
By adding the function to check the soundness of the clock abnormality detection circuit 50, such a failure that a final output pin of the clock abnormality detection circuit 50 is fixed to the normal side can be detected and the reliability can be further improved.
Although the double circuit configuration using two CPUs is described in this embodiment, a multiple circuit configuration using three or more CPUs may be used.
In this manner, the electronic safety controller 21 of this example includes: the first and second processing units to doubly perform a computation for the control of the elevator; the first clock that sends the first clock signal to the first processing unit; the second clock that sends the second clock signal to the second processing unit; and the clock abnormality detection circuit that is inputted with the first and second clock signals to detect abnormality of the first and second clock signals. The clock abnormality detection circuit counts the number of pulses of the first and second clock signals to detect, based on the difference in the number of pulses, the abnormality of the first and second clock signals.
The clock abnormality detection circuit has amonitored counter that counts the number of pulses of any one of the first and second clock signals and a monitoring counter that counts the number of pulses of the other of the first and second clock signals. A preset data value as a count value at which the counting by the monitored counter is started is set to be higher than a preset data value as a count value at which the counting by the monitoring counter is started. When the carryover of the monitoring counter is caused, the number counted by the monitored counter is reset and the carryover of the monitored counter is caused. Abnormality of the first and second clock signals is detected.
Furthermore, the monitoring counter includes the first monitoring counter that counts the number of pulses of the first clock signal and the second monitoring counter that counts the number of pulses of the second clock signal. The monitored counter includes a first monitored counter that counts the number of pulses of the first clock signal and a second monitored counter that counts the number of pulses of the second clock signal.
Furthermore, the preset data value of the monitoring counter can be arbitrarily set. By putting a clock signal inputted to the monitored counter in the test mode in an abnormal state purposely, the soundness of the clock abnormality detection circuit can be checked. Furthermore, the clock abnormality detection circuit includes the multiplication circuit that multiplies the clock signal inputted to the monitored counter in the test mode.

<<Detection of abnormality of stack area>>

Next, detection of abnormality of a stack area in a RAM used in the electronic safety controller 21 will be explained. Fig. 8 is an explanatory diagram of separated areas of the electronic safety controller 21 of Fig. 1. The RAM includes a stack area that stores information required for computation by the CPU. The stack area stores therein, for example, a return address of a subroutine call, a return address of a timer interrupt, and an argument of a subroutine call.
The ROM stores therein a program for monitoring a predetermined monitored area in the stack area of the RAM. In other words, the stack area monitoring unit has a CPU and a ROM.
In this example, areas of C000H to FFFFH are set as stack areas. Areas of D000H to D010H are set as monitored areas.
A method of using a stack area is determined according to a microcomputer and is generally provided such that data is accumulated from an end address to preceding addresses in this order by a stack pointer owned by the microcomputer. In the case of Fig. 8, an initial value of the stack pointer is FFFFH and data is accumulated to addresses in an order of FFFFH, FFFEH, FFFDH, ..., C001H, and C000H. Thus, monitored areas D000H to D010H are areas that are used when 75% of the stack areas is used.
A monitored area in a position where 50% or more stack areas are used is preferable. A monitored area in a position where 60% or more stack areas are used is particularly preferable. A monitored area in a position where 90% or less stack areas are used is also preferable. A monitored area in a position where 80% or less stack areas are used is particularly preferable.
Stack areas are set to be 0 in advance. The stack area monitoring unit monitors whether the entirety of a monitored area is 0. When the monitored area includes data other than 0, the stack area monitoring unit judges that a stack over is caused.
Fig. 9 is a flowchart of an initial operation of the electronic safety controller 21 of Fig. 1. When the elevator is started, the electronic safety controller 21 is initialized. When the initialization is started, all interrupt computations are prohibited (step S1) . Thereafter, the microcomputer is initialized (step S2) and the RAM area is set to be 0 (step S3) . After that, an interrupt computation becomes possible (step S4) and an interrupt is waited (step S5) . An interrupt computation is repeatedly performed at every computation cycle time.
Fig. 10 is a flowchart of a first example of an interrupt computation by the electronic safety controller 21 of Fig. 1 . When the interrupt computation is started, first, the state of monitored areas is checked (step S31). In other words, it is checked whether a state of the monitored areas D000H to D010H is 0000H.
When the monitored areas are not 0000H, it is judged that the RAM has a stack over or is highly likely to be in a stack over. In other words, values of the monitored areas other than 0 lead to a judgment that a time to process an interrupt computation has small margin to prevent the interrupt computation from being completed within a computation cycle time, causing a stack over. When the stack over is detected, a computation for suddenly stopping the car 3 is performed (step S32) and an emergency stop instruction is outputted to the safety circuit unit 13. When the stack over is detected, abnormality detection signal is sent to an elevator monitoring room.
When the monitored areas have no abnormality, an input computation for inputting a signal required for a computation is performed (step S33). A car position computation for calculating a current position of the car 3 and a distance from the current position to a terminal landing (step S34), a car speed computation for calculating the speed of the car 3 based on a travel distance of the car 3 (step S35), and a judgment criterion computation for calculating a judgment criterion value for an abnormal speed according to the distance to the terminal landing (e.g., Fig. 2) (step S36) are performed.
Thereafter, a safety monitoring computation is performed to detect, based on the car speed and the judgment criterion value, an abnormal car speed (step S37). When the safety monitoring computation or a sudden stop computation is performed, a monitor computation for displaying a state of the elevator on a monitor is performed (step S38). Finally, an output computation for outputting an instruction signal required for permitting the traveling of the car 3 or suddenly stopping the car 3 is performed (step S39).
In such an electronic safety controller 21, the stack area monitoring unit monitors the state of monitored areas. When it is judged that the monitored areas have abnormality, the car 3 is suddenly stopped. Thus, an abnormal program execution due to the stack over of the RAM is prevented. This prevents damage to machines. In other words, a computation by a computer regarding an operation control can be performed more securely and the reliability can be improved.
Here, an investigation of a cause of a stack over (stack accumulation) is difficult, requiring a long time to recover a failure. The stack over may be caused by abnormality of a microcomputer or a program. However, if the microcomputer or the program has no abnormality, the most probable cause of the abnormality is considered to be that an interrupt computation is not completed within a computation cycle time (computation time out).
The computation time out is generally not caused but is caused when a computation time is increased temporarily (e.g., when a great number of call buttons are operated to require a long period of time to perform a call scan computation) . The computation time out may be caused when repeated modifications or improvements of software gradually increases the computation time.
When the computation time over is caused, the stack over is caused and a stack area is used improperly and a return address from a timer interrupt may be broken. When the return address is broken, an abnormal program execution may be caused or RAM data may be broken to make it impossible to control the elevator.
In view of the above, the electronic safety controller 21 of this example can detect the stack over at an earlier stage to prevent the generation of a second failure to improve the reliability.
The stack area monitoring unit also checks the pattern of processing information for each predetermined computation cycle. Thus, presence or absence of stack over can be always monitored to further improve the reliability.
Furthermore, when it is judged that there is abnormality in the monitoring area, the car can be suddenly stopped to prevent the abnormality from causing more severe failure.
In the example, the car 3 is suddenly stopped when the abnormality in the monitoring area is detected. However, a nearest floor stop instruction may be outputted to the operation control unit 12 to stop the car 3 at the nearest floor. As a result, passengers in the car 3 can get out of the car 3 to a landing smoothly.
Alternatively, when abnormality of a monitored area is detected, a signal for shifting the elevator to a safe state may be outputted and the state of the electronic safety controller 21 at the time may be recorded as a history (history computation). The history is recorded in, for example, an area other than a RAM stack area. This can prevent the generation of stack over and can use the history to investigate the reason of stack over. This can also reduce the time required to recover a failure.
In this manner, the electronic safety controller 21 in this example includes the RAM having stack areas for storing therein information required for the computation for monitoring the safety of the elevator and the stack area monitoring unit for monitoring a predetermined monitored area in the stack areas. According to the state of the monitored area detected by the stack area monitoring unit, the electronic safety controller 21 controls the operation of the elevator.
The stack area monitoring unit also checks the state of the monitored area for each predetermined computation cycle. Furthermore, the check of the state of the monitored area is performed as a part of an interrupt arithmetic processing for monitoring the safety of the elevator.

«Detection of abnormality in order of execution of arithmetic processing»

Next, a method of detecting abnormality in an order of the execution of arithmetic processing by the electronic safety controller 21 will be explained. Fig. 11 is a flowchart of a second example of the flow of an interrupt computation by the electronic safety controller 21 of Fig. 1.
When the interrupt computation is started, first, a pattern of processing information written in the RAM is checked (step S41). Here, the processing information is a value predetermined for each arithmetic processing task (functional unit) (identification value). The processing information is written in a table set in a predetermined area in the RAM. In this example, identification values of 1 to 7 are allocated to seven arithmetic processing and are written in corresponding TBL[0] to [6]. Values of TBL[7] to [9] are still set to be 0 because there is no corresponding arithmetic processing.
When the processing information pattern has no abnormality, TBL [0] to [6] and a storage pointer of the table are initialized to be 0 (step S42). Thereafter, an input computation to input a signal required for the computation (step S43), the car position computation to obtain a current position of the car and a distance from the current position to a terminal landing (step S44), the car speed computation to calculate the car speed based on the travel distance of the car (step S45), and the judgment criterion computation for obtaining a judgment criterion value for an abnormal speed according to the distance to the terminal landing (e.g., Fig. 2) (step S46) are performed.
Thereafter, the safety monitoring computation is performed to detect, based on the car speed and the judgment criterion value, an abnormal car speed (step S97). When the safety monitoring computation or the sudden stop computation is performed, the monitor computation to display a state of the elevator on a monitor is performed (step S48). Finally, the output computation for outputting, according to the result of the safety monitoring computation, an instruction signal required to permit the traveling of the car 3 or to suddenly stop the car 3 is performed (step S49) .
Immediately after the execution of each of the computations, an identification value is written in the corresponding table (steps S50 to S56). In other words, arithmetic processing and the writing of an identification value are performed alternately.
In other words, immediately after the execution of an initial input computation, 1 is written in TBL[P] and 1 is added to the storage pointer P (step S15). Next, immediately after the execution of the car position computation, 2 is written in TBL[P] and 1 is added to the storage pointer P (step S16). Immediately after the sequential execution of the processing and the execution of the final output computation, 7 is written in TBL[6].
The pattern of the identification values thus written is checked when the next interrupt computation is started (step S41) . In other words, by checking the pattern of the identification values, it is judged whether an order of the execution of the arithmetic processing is correct.
When abnormality is detected in the order of the execution of the arithmetic processing, the sudden stop computation to suddenly stop the car is performed (step S57). At the same time, when abnormality is detected in the order of the execution of the arithmetic processing, abnormality detection signal is also transmitted to an elevator monitoring room. When the sudden stop computation is performed, the monitor computation is performed (step S58), the output computation for outputting an instruction signal required to suddenly stop the car is performed (step S59), and the interrupt arithmetic processing ends.
The electronic safety controller 21 can quickly detect abnormality in an order of the execution of arithmetic processing. This allows a computation for the control of an operation by a computer to be performed more securely, thus improving the reliability. The electronic safety controller 21 can also detect abnormality of a program such as a self loop. In other words, the present invention can be applied to both of an operation control apparatus and a safety apparatus.
Here, an investigation of a cause of abnormality in an order of the execution of arithmetic processing is difficult, requiring a long time to recover a failure. Abnormality in an order of the execution of arithmetic processing may be caused by abnormality of a microcomputer or a program. However, if a microcomputer or a program has no abnormality, the most probable cause of the abnormality in an order of the execution of arithmetic processing is considered to be that an interrupt computation is not completed within a computation cycle time (computation time out).
The computation time out is generally not caused but is caused when a computation time is increased temporarily (e. g. , when a great number of call buttons are operated to require a long period of time to perform a call scan computation) . The computation time out may be caused when repeated modifications or improvements of software gradually increases the computation time.
In view of the above, the electronic safety controller 21 can detect abnormality in an order of the execution of arithmetic processing at an earlier stage to prevent the generation of a second failure to improve the reliability.
The electronic safety controller 21 also checks the pattern of processing information for each predetermined computation cycle. Thus, presence or absence of abnormality can be always monitored to further improve the reliability.
Furthermore, when it is judged that there is abnormality in an order of the execution of arithmetic processing, the car can be suddenly stopped to prevent the abnormality from causing more severe failure.
In the example, the car 3 is suddenly stopped when it is judged that there is abnormality in an order of the execution of arithmetic processing. However, a nearest floor stop instruction may be outputted to the operation control unit 12 to stop the car 3 at the nearest floor. As a result, passengers in the car 3 can get out of the car 3 to a landing smoothly.
Alternatively, when abnormality is found in an order of the execution of arithmetic processing, a signal for shifting the elevator to a safe state may be outputted and the state of the electronic safety controller 21 may be recorded as a history (history computation).
Furthermore, in the example, pieces of processing information are allocated to all arithmetic processing. However, pieces of processing information are not always required to be allocated to all arithmetic processing. In other words, pieces of processing information may be allocated only to arithmetic processing for which an order of the execution is desired to be monitored.
In this manner, the electronic safety controller 21 in this example includes a controller body that has a program storage unit for storing a RAM and a program regarding a safety monitoring and a processing unit for executing plural arithmetic processing based on the program. The controller body writes, to the RAM, processing information corresponding to the respective arithmetic processing when arithmetic processing is executed, and monitors, based on the pattern of the processing information written in the RAM, whether an order of the execution of arithmetic processing is normal.
Processing information is a numeric value set for each arithmetic processing. The control apparatus body also checks the pattern of processing information for each predetermined computation cycle. Furthermore, the writing of processing information and the check of the pattern of processing information are executed as a part of an interrupt arithmetic processing to monitor the safety of the elevator.

«Detection of abnormality of power source voltage»

Next, a method of detecting abnormality of a power source voltage in the electronic safety controller 21 will be explained. Fig. 12 is a block diagram of the main part of the electronic safety controller 21 of Fig. 1. In this example, two types of instruction signals are outputted to the elevator control panel 11 to improve the reliability. Thus, a double circuit configuration is used and the first and second CPUs (processing units) 41 and 42 are used.
The first CPU 41 outputs an instruction signal via the first output interface 43 to the elevator control panel 11. The second CPU 42 outputs an instruction signal via the second output interface 44 to the elevator control panel 11. When receiving the instruction signals from the first and second output interfaces 43 and 44, the elevator control panel 11 shifts the elevator to a safe state.
The first and second CPUs 41 and 42 are connected to the dual port RAM 45 to perform data transfer between the CPUs. The first CPU 41 is inputted with a signal from the first sensor. The second CPU 42 is inputted with a signal from the second sensor.
The signals from the first and second sensors are subjected to arithmetic processing by the CPUs 41 and 42 to calculate speed and a position of the car 3. The first and second sensors may be, for example, the speed governor encoder 18.
Data obtained by arithmetic processing by the CPUs 41 and 42 are exchanged between the CPUs 41 and 42 via the dual port RAM 45. Then, the CPUs 41 and 42 compare the respective pieces of data. When the results of the computations show a significant difference or overspeed, an instruction signal is outputted via the output interfaces 43 and 44 to the elevator control panel 11 to shift the elevator to a safe state.
This elevator control apparatus also includes a +5-V power source voltage monitoring circuit 71 and a +3. 3-V power source voltage monitoring circuit 72 for monitoring the power source voltages of the CPUs 41 and 42. The power source voltage monitoring circuits 71 and 72 are constituted, for example, by an IC (integrated circuit) .
The power source voltage monitoring circuits 71 and 72 monitor whether a stable power source voltage is supplied to the CPUs 41 and 42. When an abnormal power source voltage enough to deviate from a rated voltage of the CPUs 41 and 42 is caused, the CPUs 41 and 42 are forcedly reset based on the information from the power source voltage monitoring circuits 71 and 72 and the car 3 is suddenly stopped by the safety circuit unit 13 designed to have a fail-safe configuration.
The +5-V power source voltage monitoring circuit 71 is inputted with a monitoring voltage from the first monitoring voltage input circuit 73. The +3.3-V power source voltage monitoring circuit 72 is inputted with a monitoring voltage from the second monitoring voltage input circuit 74.
The power source voltage monitoring circuits 71 and 72 and the CPUs 41 and 42 are connected to a voltage monitoring soundness check function circuit 75 (hereinafter simply referred to as check function circuit 75) that monitors the soundness of the power source voltage monitoring circuits 71 and 72. The check function circuit 75 is constituted by a programmable gate IC such as an FPGA (field programmable gate array). The check function circuit 75 can also be realized by, for example, ASIC, CPLD, PLD, or a gate array.
When an abnormal power source voltage is detected, the power source voltage monitoring circuits 71 and 72 output voltage abnormality detection signals 81 and 82 to the check function circuit 75. The check function circuit 75 outputs reset signals 83 and 84 to the CPUs 41 and 42.
The check function circuit 75 is inputted with the control signals 85 and 86 from the CPUs 41 and 42 . The check function circuit 75 outputs monitoring-purpose input voltage forced change signals 87 and 88 to forcedly change voltage input pins of the power source voltage monitoring circuits 71 and 72 to have a low voltage.
When the monitoring-purpose input voltage forced change signals 87 and 88 are outputted, themonitoring-purpose input voltage forced change circuits 76 and 77 forcedly cause the voltage input pins of the power source voltage monitoring circuits 71 and 72 to have a low voltage.
The check function circuit 75 is also connected to the first data bus 78 for the first CPU 41 and the second data bus 79 for the second CPU 42.
A program to calculate the position and speed of the car 3, a program for judging abnormality of the elevator, a program for checking the soundness of the power source voltage monitoring circuits 71 and 72, and the like are stored in a ROM as a storage unit connected to the CPUs 41 and 42.
Fig. 13 is a circuit diagramof an example of a specific structure of the check function circuit 75 of Fig. 12. The control signals 85 and 86 include selection signals 89 and 90, output permission signals 91 and 92, and chip select signals 93 and 94.
The selection signals 89 and 90 are two bit signals for selecting the power source voltage monitoring circuit 71 or 72 for which the soundness should be checked. The output permission signals 91 and 92 are signals for permitting the output of the monitoring-purpose input voltage forced change signals 87 and 88 from the check function circuit 75 and latching the contents selected by the selection signals 89 and 90. In other words, the output permission signals 91 and 92 also work as a latch trigger signal.
When abnormality of a power source voltage is detected, a voltage abnormality signal latch circuit 101 in the check function circuit 75 latches the voltage abnormality detection signals 81 and 82. The latch status by the voltage abnormality signal latch circuit 101 is cancelled when latch cancellation signals 95 and 96 as a part of the control signals 85 and 86 are inputted.
The selection signals 89 and 90 are inputted to the first and second selectors 102 and 103. The first and second selectors 102 and 103 switch, based on the selection signals 89 and 90, the power source voltage monitoring circuits 71 and 72 for which the soundness should be checked. The contents selected by the selectors 102 and 103 are latched by the first and second selection contents latch circuits 104 and 105.
The former stage of the output of the monitoring-purpose input voltage forced change signals 87 and 88 includes a change signal output buffer 106.
. The check function circuit 75 includes plural data bus output buffers 107 of the first CPU 41 and plural data bus output buffers 108 of the second CPU 42.
Here, Fig. 14 is an explanatory diagram of the meanings of data regarding the respective bits of the data buses 78 and 79 when the check function circuit 75 of Fig. 12 is read by the first and second CPUs 41 and 42.
Next, Fig. 15 is a flowchart of a method of checking the soundness of the monitoring of a power source voltage at the first CPU 41 of Fig. 12. The electronic safety controller 21 executes, for each computation cycle (e.g., 5 msec), an interrupt computation including arithmetic processing to monitor abnormality of the car 3, e.g., overspeed. Then, when executing a main routine of the interrupt computation, the electronic safety controller 21 judges whether the soundness check of the power source voltage monitoring circuits 71 and 72 is performed (step S11).
The soundness check is performed at a predetermined timing. In other words, the soundness check is performed when the car 3 is stopped for a period of time longer than a predetermined time. In other words, the soundness check is performed, for example, in an off time during which the elevator is used by few users or which the elevator is out of service at night.
When the soundness check is not performed, the processing returns to the main routine. When the soundness check is performed, first, the latch status of the voltage abnormality detection signals 81 and 82 as an error signal in the check function circuit 75 is cancelled. In other words, the electronic safety controller 21 outputs the latch cancellation signal 95 to the check function circuit 75 (step S12) . The latch cancellation signal 95 is inputted to the voltage abnormality signal latch circuit 101 and the latch status of the voltage abnormality detection signals 81 and 82 is cancelled.
Next, the electronic safety controller 21 checks whether the output permission signal 91 of the first CPU 41 is High (step S13) . Then, the electronic safety controller 21 requests the second CPU 42 via the dual port RAM 45 to change the output permission signal 92 to High (step S14).
Thereafter, the electronic safety controller 21 outputs the select signal 89 for selecting which of the power source voltage monitoring circuits 71 and 72 for the soundness check to the check function circuit 75 and latches the circuit (step S15).
Next, the electronic safety controller 21 requests the second CPU 42 via the dual port RAM 45 to change the output permission signal 92 to Low (step S6). When it is checked that the output permission signal 92 is Low, the electronic safety controller 21 changes the output permission signal 91 to Low (step S7). As a result, in the check function circuit 75, the select signal 89 is latched by the selection contents latch circuit 104 in synchronization with the fall of the output permission signal 91. Then, the check function circuit 75 outputs the monitoring-purpose input voltage forced change signal 87 to the power source voltage monitoring circuit 71.
As a result, the power source voltage monitoring circuit 71 detects an abnormal voltage and the voltage abnormality detection signal 81 is inputted to the check function circuit 75. Then, in the check function circuit 75, the voltage abnormality signal latch circuit 101 latches the voltage abnormality detection signal 81. At the same time, the CPUs 41 and 42 are inputted with the reset signals 83 and 84 from the check function circuit 75 (step S8). Consequently, the CPUs 41 and 42 are reset.
In this process, only one power source voltage monitoring circuit is always checked through one soundness check operation. Thus, when one soundness check operation is continuously followed by another soundness check of a power source voltage monitoring circuit, one soundness check operation of a power source voltage monitoring circuit is completed before the soundness check of another power source voltage monitoring circuit is performed. Even when one CPU is supplied with plural power sources having plural different voltages and thus plural power source voltage monitoring circuits are provided, the respective power source voltage monitoring circuits are subjected to a soundness check one by one in a sequential manner. The sequential execution of the soundness check of plural power source voltage monitoring circuits can be set in a program (software) in advance.
Fig. 16 is a flowchart of an operation when the CPUs 41 and 42 are reset in the elevator control apparatus of Fig. 12. It goes without saying that the CPUs 41 and 42 may be reset not only due to the soundness check but also due to an actual abnormal power source voltage or other causes.
When the CPUs 41 and 42 are reset, first, the CPUs 41 and 42 start software initialization processing (step S19). Next, in the initialization processing, the CPUs 41 and 42 read data of the check function circuit 75 (step S20) . Then, the CPUs 41 and 42 check the status before the reset based on the latched contents to judge whether an abnormal power source voltage or a failure of the power source voltage monitoring circuits 71 and 72 is present (step S21). In other words, it is judged whether the reset is caused by the soundness check or by an actual abnormal power source voltage.
When an abnormal voltage is shown in spite of the fact that the outputs of the output permission signals 91 and 92 are not set to be Low, it is judged that an actual abnormal power source voltage is caused. Furthermore, when the data of check function circuit 75 does not show an abnormal voltage in spite of the fact that the outputs of the output permission signals 91 and 92 are set to be Low, it is judged that the power source voltage monitoring circuits 71 and 72 or the check function circuit 75 itself has a failure. When the monitoring-purpose input voltage forced change signals 87 and 88 are outputted in this state, it is judged that the power source voltage monitoring circuits 71 and 72 have a failure. When the monitoring-purpose input voltage forced change signals 87 and 88 are not outputted, it is judged that the check function circuit 75 itself has a failure.
As a result of reading the data of the check function circuit 75, abnormality or a failure is not detected, the CPUs 41 and 42 permit the transition to the main routine (step S22). However, although this section describes only the reset for the power source voltage, the reset may be triggered by the detection of another failure and the soundness check of another circuit. In this case, all abnormalities and failures are checked and then the transition to the main routine is permitted.
As a result of reading the data of the check function circuit 75, some abnormality or failure is detected, the CPUs 41 and 42 output an instruction signal to the elevator control panel 11 (step S23) to shift the elevator to a safe state.
The electronic safety controller 21 can monitor the soundness by monitoring not only an abnormal power source voltage but also a failure of the power source voltage monitoring circuits 71 and 72. Thus, the reliability of the monitoring of a power source voltage can be further improved.
Although a conventional design has used a double circuit configuration also for each power source voltage monitoring circuit to provide a fail-safe function or to secure the safety, the electronic safety controller 21 does not require the double circuit configuration. Thus, the electronic safety controller 21 can use a simple structure and can suppress an increase in cost. The electronic safety controller 21 can also provide reliability equal to that provided when each power source voltage monitoring circuit has a double circuit configuration.
Furthermore, the double circuit configuration using the two CPUs 41 and 42 is used and the soundness check operations by the respective CPUs 41 and 42 can be checked via the dual port RAM 45. Thus, failures of the check function circuit 75 and software can also be detected.
In this manner, the electronic safety controller 21 in this example includes a processing unit for performing a processing regarding a monitoring of the safety of an elevator and a power source voltage monitoring circuit for monitoring a power source voltage supplied to the processing unit. The electronic safety controller 21 further includes a voltage monitoring soundness check function circuit that outputs, according to a control signal from the processing unit, a monitoring-purpose input voltage forced change signal for forcedly changing the power source voltage inputted to the power source voltage monitoring circuit and that is inputted with a voltage abnormality detection signal from the power source voltage monitoring circuit. The voltage monitoring soundness check function circuit retains at least a part of the contents exchanged between the processing unit and the power source voltage monitoring circuit. The processing unit reads the data retained by the voltage monitoring soundness check function circuit to check the soundness of the power source voltage monitoring circuit.
The processing unit also includes the first and second CPUs. The first and second CPUs can mutually check the soundness check operations via the dual port RAM.
Furthermore, the electronic safety controller 21 further includes a monitoring-purpose input voltage forced change circuit that forcedly lowers, by inputting a monitoring-purpose input voltage forced change signal, a power source voltage inputted to the power source voltage monitoring circuit.
Furthermore, the power source voltage monitoring circuit includes plural power source voltage monitoring circuits for monitoring different voltages of plural power sources. A control signal from the processing unit to the voltage monitoring soundness check function circuit includes a selection signal for selecting one of plural power source voltage monitoring circuits which is to be subjected to the soundness check.
The processing unit can subject the respective power source voltage monitoring circuits to the soundness check one by one sequentially.
Furthermore, the voltage monitoring soundness check function circuit can be constituted by a programmable gate IC.

«ETS initialization»

Next, an initialization operation of the ETS circuit unit 22 will be explained. As described above, the ETS circuit unit 22 detects the position of the car 3 independent of the operation control unit 12. Thus, for example, when the elevator is started, the initialization operation of the ETS circuit unit 22 (initialization operation step) is performed. Furthermore, when some difference is caused between the position information of the car 3 in the operation control unit 12 and the position information of the car 3 in the ETS circuit unit 22 due to some reason, the initialization operation of the ETS circuit unit 22 is performed. When the initialization operation is performed, the operation mode of the operation control unit 12 is switched to the initialization operation mode.
Fig. 17 is an explanatory diagram of a relation between a stage of the initialization operation of the ETS circuit unit 22 of Fig. 1 and the operations of the operation control unit 12 and the safety circuit unit 13. First, through the initialization operation, an initialization of speed detection is performed and then an initialization of position detection is performed.
When an initialization operation is started, the safety circuit unit 13 puts the driving apparatus 7 in an emergency stop state. In other words, a power source of a motor of the driving apparatus 7 is blocked to bring the brake unit 9 of the driving apparatus 7 into a braking state. The ETS circuit unit 22 outputs an operation-prohibition instruction to the operation control unit 12.
Until the initialization of speed detection is completed, the safety circuit unit 13 is put in an emergency stop state and the operation control unit 12 is also in an operation-prohibited state. Thus, the monitoring by the ETS circuit unit 22 is impossible.
When the initialization of speed detection is completed, the electronic safety controller 21 outputs, to the operation control unit 12, a permission signal to permit a low-speed operation. The emergency stop state of the safety circuit unit 13 can also be cancelled. In this state, the ETS circuit unit 22 performs an operation for initializing position detection.
In the operation to initialize position detection, the car 3 is caused to travel from the lower part to the upper part of the hoistway 1 at speed equal to or lower than the allowable collision speeds of the buffers 27 and 28. Then, the ETS circuit unit 22 sets the relation between a signal from the speed governor encoder 18 and the position of the car 3 in the hoistway 1.
When the initialization operation is completed, the electronic safety controller 21 outputs, to the operation control unit 12, a permission signal for permitting a high-speed operation (rated speed operation). The ETS circuit unit 22 makes it possible to perform a high-speed monitoring.
Next, Fig. 18 is an explanatory diagram of the movement of the car 3 in the initialization operation mode of the elevator apparatus of Fig. 1. In the initialization operation mode, the completion of the initialization of speed detection is followed by the movement of the car 3 to a floor writing start position in the lower part of the hoistway 1. The floor writing start position is a position where the car 3 is lower than a bottom floor position P_BOT and is higher than the car buffer 27. When the car 3 is located at the floor writing start position, the car 3 (specifically, operation plates of reference sensors 23 to 26 provided at the car 3) is in a position lower than that of the fourth reference sensor 26.
The hoistway 1 includes plural end point switches (not shown) for detecting the position of the bottom floor or the top floor using the operation control unit 12. The movement of the car 3 to the floor writing start position is controlled by the operation control unit 12.
Thereafter, while causing the car 3 to ascend from the floor writing start position, a temporary current position P_current temp of the car 3 corresponding to the signal from the speed governor encoder 18 is obtained. In other words, the floor writing start position is assumed as 0. $P_{current temp} \leftarrow 0$

Thereafter, the temporary current position is updated with every computation cycle (e.g., every 100 msec).
Here, the ETS circuit unit 22 includes an updown counter for counting encoder pulses of the speed governor encoder 18. Assuming that a travel distance in one computation cycle of the updown counter is GCl, the temporary current position P_current temp at the Nth computation cycle is calculated by the following formula. $P_{current temp N} \leftarrow P_{current temp N - 1} + GC 1$

In other words, the temporary current position and the travel distance in one computation cycle are calculated as the number of encoder pulses.
In this manner, the temporary current position is updated according to the ascent of the car 3. Positions at which the operation plates enter the reference sensors 23 to 26 and positions at which the operation plates exit from the reference sensors 23 to 26 are written in a table of a storage unit (memory) provided in the ETS circuit unit 22.
When an enter of an operation plate to the fourth reference sensor 26 is detected with, for example, the Nth computation cycle, the entering position P_{tmp ETSD} is calculated by the following formula. $P_{tmp ETSD} \leftarrow P_{current temp N - 1} + GC 1 - GC 2$

The term "GC2" represents a travel distance of an updown counter after the enter to the fourth reference sensor 26.
The entering positions to other reference sensors 23, 24, and 25 are similarly written in the table.
When the exit from the reference sensor 26 is detected at the Nth computation cycle, the exit position P_{tmp ETSU} is calculated by the following formula. $P_{tmp ETSU} \leftarrow P_{current temp N - 1} + GC 1 - GC 3$

The term "GC3" represents the travel distance of the updown counter after the exit from the fourth reference sensor 26.
The exit positions from other reference sensors 23, 24, and 25 are similarly written in the table.
When the writing of all entering positions and exit positions is finished, the car 3 is stopped at a top floor position P_TOP.
Here, the operation control unit 12 is associated with the data of the bottom floor position P_BOT and the top floor position P_TOP based on an ideal zero point. Then, when the car 3 is stopped at the top floor position P_TOP, the data of the bottom floor position P_BOT and the top floor position P_TOP based on the ideal zero point is transmitted from the operation control unit 12 to the electronic safety controller 21. The electronic safety controller 21 converts, based on the information transmitted from the operation control unit 12, the position data calculated as the temporary current position and written in the table to data based on the ideal zero point. As a result, detection of the current position P_current based on the ideal zero point is possible.
A correction amount δ to the current position is calculated by the following formula. $δ = P_{TOP} - P_{current temp N}$

Thus, adding the correction amount δ to the position data written in the table provides position data based on the ideal zero point. The corrected position data is written in E²PROM of the electronic safety controller 21 and is subsequently used.
When the car 3 is stopped at the top floor, the following processing is performed to change a position control from the position based on the temporary current position to the one based on the current position. $P_{current 0} \leftarrow P_{TOP}$
$P_{current N} \leftarrow P_{current N - 1} + GC 1$
When this correction is completed and the position control is switched to the position control based on the current position, the electronic safety controller 21 outputs, to the operation control unit 12, an instruction for permitting a high-speed operation to permit the execution of a high-speed automatic operation (i.e., normal operation mode). The ETS circuit unit 22 performs a normal monitoring operation. The normal monitoring operation uses the following formulae for calculating, with each computation cycle, a distance L1 between the upper face of the car buffer 27 and the car and a distance L2 between the upper face of the counterweight buffer 28 and the counterweight 4. $L 1 = P_{current N} - (P_{BOT} - L_{KRB})$
$L 2 = (P_{BOT} - L_{KRB}) - P_{current N}$
In the formulae, L_KRB represents the distance between the upper face of the buffer 27 and the bottom floor positions P_BOT, and L_CRB represents the distance between the top floor position P_TOP and the position of the car 3 at which the counterweight 4 collides with the counterweight buffer 28 (CWT collision position of Fig.18).
In this elevator apparatus, the car 3 is caused to travel at a speed equal to or lower than the allowable collision speed of the car buffer 27 until the initialization operation is completed. This can more securely prevent the car 3 from colliding with the car buffer 27 at a speed exceeding the allowable collision speed, thus improving the reliability.
Although, in the example, the initialization operation is performed in two steps of the initialization of speed detection and the initialization of position detection, the initialization operation may be performed in three or more steps and an allowable car traveling speed may be determined for each step.
Further, the initialization operation is not limited to the initialization of speed detection and the initialization of position detection.
In this manner, the elevator apparatus in this example includes the elevator control apparatus that includes an operation control unit for controlling the operation of the car and a monitoring unit (electronic safety controller 21) for detecting an abnormal traveling of the car. When the monitoring unit is initialized, the operation control unit causes, according to a stage of the initialization, the car to travel at a speed lower than that in a normal operation.
The monitoring unit outputs a permission signal regarding a car speed to the operation control unit according to a stage of the initialization.
Furthermore, the operation control unit controls the operation of the car by selectively switching plural operation modes including a normal operation mode and an initialization operation mode for initializing the monitoring unit while causing the car to travel. In the initialization operation mode, the operation control unit causes, according to a stage of the initialization, the car to travel at a speed lower than that in a normal operation mode.
The method of controlling the elevator apparatus in this example includes an initialization operation step to initialize the monitoring unit for detecting an abnormal traveling of the car while causing the car to travel. The initialization operation step causes, according to a stage of the initialization, the car to travel at a speed lower than that in a normal operation.

«Detection of abnormal relay contact point»

Next, Fig. 19 is a circuit diagram of an abnormal contact point detection unit of the electronic safety controller 21 of Fig. 1. The safety circuit unit 13 includes: a brake power source contactor coil 111 for supplying power to the brake unit 9; a motor power source contactor coil 112 for supplying power to the motor unit of the driving apparatus 7; a safety relay main contact point 113 for turning ON and OFF the application of a voltage to the contactor coils 111 and 112; and a bypass relay main contact point 114 connected in parallel to the safety relay main contact point 113.
The brake power source contactor coil 111, the motor power source contactor coil 112, and the safety relay main contact point 113 are connected to the power source so as to be arranged in series. The safety relaymain contact point 113 is closed in a normal operation. When the elevator has abnormality (e.g., when the traveling speed of the car 3 exceeds a predetermined speed), the safety relay main contact point 113 is opened. The bypass relay main contact point 114 is opened during a normal operation.
The electronic safety controller 21 includes: a controller body 115; a safety relay coil 116 for operating the safety relay main contact point 113; a bypass relay coil 117 for operating the bypass relay main contact point 114; a safety relay monitor contact point 118 opened or closed while being mechanically connected to the safety relay main contact point 113; and a bypass relay monitor contact point 119 opened or closed while being mechanically connected to the bypass relay main contact point 114.
The safety relay coil 116, the bypass relay coil 117, the safety relay monitor contact point 118, and the bypass relay monitor contact point 119 are connected to the controller body 115 so as to be arranged in parallel.
The safety relay main contact point 113 is mechanically coupled to the safety relay monitor contact point 118 by a link mechanism (not shown) . Thus, when any one of the contact points 113 and 118 cannot operate due to adhesion or the like, the other of them cannot operate either.
The bypass relay main contact point 114 is mechanically connected to the bypass relay monitor contact point 119 by a link mechanism (not shown). Thus, when any one of the contact points 114 and 119 cannot operate due to adhesion or the like, the other of them cannot operate either.
The controller body 115 includes: a processing unit 120; a storage unit 121; an input/output unit 122; a safety relay monitor contact point receiver circuit 123; a bypass relay monitor contact point receiver circuit 124; a safety relay driver circuit 125; and a bypass relay driver circuit 126.
The processing unit 120 is, for example, a CPU. The storage unit 121 is, for example, a RAM, a ROM, and a hard disk apparatus. The storage unit 121 stores, for example, data for judging abnormality of the elevator or a program for performing an operation test of the safety relay main contact point 113.
The processing unit 120 performs transmission and reception of signals with the operation control unit 12 and various sensors via the input/output unit 122.
The safety relay monitor contact point receiver circuit 123 is serially connected to the safety relay monitor contact point 118 and detects the open/close state of the safety relay monitor contact point 118. The bypass relay monitor contact point receiver circuit 124 is serially connected to the bypass relay monitor contact point 119 and detects the open/close state of the bypass relay monitor contact point 119.
The safety relay driver circuit 125 is serially connected to the safety relay coil 116 and switches between the excitation and non-excitation of the safety relay coil 116. The bypass relay driver circuit 126 is serially connected to the bypass relay coil 117 and switches between the excitation and non-excitation of the bypass relay coil 117.
The switching of the excitation or non-excitation of the safety relay coil 116 is performed by outputting a safety relay instruction signal from the processing unit 120 to the safety relay driver circuit 125. The switching between the excitation or non-excitation of the bypass relay coil 117 is performed by outputting a bypass instruction signal from the processing unit 120 to the bypass relay driver circuit 126.
The receiver circuits 123 and 124 and the driver circuits 125 and 126 are connected to the processing unit 120 so as to be arranged in parallel to each other.
Next, the operation will be explained. During the operation of the elevator, the controller body 115 monitors the presence or absence of abnormality of the elevator based on the information from various sensors. When the processing unit 120 detects abnormality of the elevator, the safety relay driver circuit 125 stops the drive of the safety relay coil 116.
As a result, the safety relay main contact point 113 is opened and the conduction to the contactor coils 111 and 112 is blocked. As a result, the rotation of the drive sheave 8 is braked by the brake unit 9 and the conduction to the motor unit is blocked to thereby suddenly stop the car 3.
Next, a method of testing an operation of the safety relay main contact point 113 will be explained. Fig. 20 is a flowchart for explaining the method of testing an operation of the safety relay main contact point 113 of Fig. 19. In this embodiment, the operation test is performed whenever the car 3 is stopped at a stop floor in a normal operation. Thus, at the time of normal operation, the processing unit 120 monitors whether the traveling speed of the car 3 becomes 0 according to the information from various sensors (stop detection step S61).
When the speed of the car 3 is 0 and a safe state is provided, the bypass relay driver circuit 126 excites the bypass relay coil 117. Thereafter, the processing unit 120 is on standby for a predetermined time (100 ms in this example) (step S62). Then, it is checked by the bypass relay monitor contact point receiver circuit 124 whether the bypass relay monitor contact point 119 is closed (step S63).
When the bypass relay monitor contact point 119 is not closed, this means that the bypass relay main contact point 114 is also not closed. Thus, the processing unit 120 determines a failure of the bypass relay and the controller body 115 outputs abnormality detection signal to the operation control unit 12 (step S64).
When it is confirmed that the bypass relay monitor contact point 119 is correctly closed, the safety relay driver circuit 125 excites the safety relay coil 116. Thereafter, by the bypass relay monitor contact point receiver circuit 124 is on standby for a predetermined time (100 ms in this example) (test instruction step S65). Then, whether the safety relay monitor contact point 118 is opened is checked by the safety relay monitor contact point receiver circuit 123 (abnormality detection step S66).
When the safety relay monitor contact point 118 is not opened, this means that the safety relay main contact point 113 is also not opened due to adhesion or the like. Thus, the processing unit 120 determines a failure of the safety relay and the controller body 115 outputs abnormality detection signal to the operation control unit 12 (step S64).
When it is judged that the safety relay monitor contact point 118 is correctly opened, the safety relay coil 116 is now brought into a non-excitation state. Thereafter, by the bypass relaymonitor contact point receiver circuit 124 is on standby for a predetermined time (100 ms in this example) (step S67). Then, it is checked by the safety relay monitor contact point receiver circuit 123 whether the safety relay monitor contact point 118 is closed (step S68).
When the safety relay monitor contact point 118 is not closed, the processing unit 120 judged that a failure of the safety relay has occurred, and the controller body 115 outputs an abnormality detection signal to the operation control unit 12 (step S64).
When it is checked that the safety relay monitor contact point 118 is correctly closed, the bypass relay coil 117 is brought into a non-excitation state. Thereafter, the processing unit 120 is on standby for a predetermined time (100 ms in this example) (step S69) . Then, it is checked by the bypass relay monitor contact point receiver circuit 124 whether the bypass relay monitor contact point 119 is opened (step S70).
When the bypass relay monitor contact point 119 is not opened, the processing unit 120 determines a failure of the bypass relay and the controller body 115 outputs abnormality detection signal to the operation control unit 12 (step S64).
When the test of open and close operations of the safety relay main contact point 113 and the bypass relay main contact point 114 are completed, the processing unit 120 is on standby until the traveling speed of the car 3 increases to be equal to or higher than a predetermined set value (step S71). Next, the ETS circuit unit 22 monitors the traveling speed until the car 3 stops. Then, whenever the car 3 stops, the operation test is carried out to check the soundness of the safety circuit unit 13.
In the elevator safety apparatus, timing at which the car stops in a normal operation is used to perform an operation test of the safety relaymain contact point 113 . Thus, abnormality of the safety relaymain contact point 113 can be detected without causing hindrance in the normal operation and the reliability can be improved.
The operation test is carried out whenever the car stops, thereby making it possible to check the operation of the relay main contact point 113 with a sufficient frequency and further improve the reliability.
Furthermore, the bypass relay main contact point 114 is closed when the operation test of the safety relay main contact point 113 is performed, it is possible to prevent the conduction to the safety circuit unit 13 from being blocked during the operation test. Thus, it is possible to carry out the operation test while maintaining the safety circuit unit 13.
Furthermore, it is also checked whether the safety relay main contact point 113 and the bypass relay main contact point 114 are correctly returned. Thus, the reliability can be further improved.
In the above example, the brake unit 9 provides a braking operation when the safety relay main contact point 113 is opened. However, the brake unit may provide a braking operation when the safety relay main contact point is closed. In this case, the operation test of a safety relay main contact point can also be carried out.
In the above example, the safety relay main contact point for operating the brake unit 9 provided at the driving apparatus 7 is described. However, the safety relay main contact point can also be applied to operate, for example, a rope brake to brake the car by gripping the main rope and a safety relay main contact point to operate a safety device provided at a counterweight.
Furthermore, in the example, the operation test is performed every time the car 3 stops. However, timing at which the operation test is performed is not limited to this. For example, a counter for counting the number of stops of the car may be provided in the detection circuit body such that the operation test is performed at every number of stops set in advance. Alternatively, the detection circuit body may include a timer such that the operation test is performed at the first stop of the car after the elapse of a predetermined time. Further, the operation test may be performed only when the normal operation of the elevator is started (at the starting). Furthermore, the operation test may be performed only when the car stops at a predetermined floor.
In this manner, the electronic safety controller 21 in this example generates, when the car stops during the normal operation, a safety relay instruction signal to operate the safety relay main contact point in a direction along which the brake unit provides a braking operation. The electronic safety controller 21 also detects whether the safety relay main contact point has operated according to the safety relay instruction signal.
The electronic safety controller 21 also includes the safety relay monitor contact point that is opened and closed while being mechanically linked with the safety relay main contact point. Based on the state of the safety relay monitor contact point, the electronic safety controller 21 detects the state of the safety relay main contact point.
Furthermore, the safety relay main contact point is closed during the normal operation, and is opened when the elevator has abnormality. The bypass relay main contact point connected in parallel with the safety relay main contact point and opened during the normal operation is provided in the safety circuit. The electronic safety controller 21 generates, prior to the generation of a safety relay instruction signal, a bypass instruction signal to close the bypass relay main contact point.
Furthermore, the electronic safety controller 21 includes the bypass relay monitor contact point that is opened and closed while being mechanically linked with the bypass relay main contact point. Based on the state of the bypass relay monitor contact point, the electronic safety controller 21 detects the state of the bypass relay main contact point. The electronic safety controller 21 also detects whether the bypass relay main contact point has operated according to the bypass instruction signal.
Furthermore, when abnormality of the safety relay main contact point is detected, the electronic safety controller 21 outputs abnormality detection signal to the operation control unit.

«Record of operation history»

Fig. 21 is a block diagram of the electronic safety controller 21 of Fig. 1 connected to a history information recording unit and a soundness diagnosis unit. The electronic safety controller 21 is connected to a history information recording unit 131 for recording the history of information regarding a judgment processing in the electronic safety controller 21 (processing process). The history information recording unit 131 is a nonvolatile memory that continues to retain the information even when the power source of the elevator control apparatus is cut off. The memory includes, for example, a flush memory or a hard disk device.
Furthermore, the electronic safety controller 21 and the history information recording unit 131 are connected to a soundness diagnosis unit 132 for automatically diagnosing the soundness of the electronic safety controller 21. The soundness diagnosis unit 132 can also diagnose the soundness of the entirety of a system such as various sensors or the safety circuit unit 13. The result of the diagnosis by the soundness diagnosis unit 132 is recorded in the history information recording unit 131.
Fig. 22 is an explanatory diagram of an example of information stored in the history information recording unit 131 of Fig. 21. History information includes time, a car position, a car speed, a set value (threshold value) calculated according to a car position, a judgment result, and analysis data such as an internal variable.
The history information recording unit 131 accumulates combinations of data such as data of car positions, data of car speeds, data of set values, data of judgment results, and analysis data that are divided for each corresponding time. A data table as shown in Fig. 22 is prepared.
Fig. 23 is a flowchart for explaining an operation of the electronic safety controller 21 of Fig. 21. First, data of the current time is outputted to the history information recording unit 131 (step S81). Next, the position of the car is detected (step S82). The detected car position data is outputted to the history information recording unit 131 (step S83). Thereafter, the speed of the car 3 is detected (step S84). The detected car position data is outputted to the history information recording unit 131 (step S85) .
Next, a set value corresponding to the car position is calculated (step S86). The data of the set value is outputted to the history information recording unit 131 (step S87) . Thereafter, a detected speed "v" is compared with a set value "f (x)" (stepS88). When the detected speed "v" is lower than the set value "f(x)", the judgment result is "no abnormality" (Good) and is outputted to the history information recording unit 131 (step S89). When the car speed has no abnormality, this operation is repeated with every computation cycle.
When the result of the comparison judgment shows the detected speed "v" equal to or higher than the set value "f(x)", a stop instruction signal is outputted to the safety circuit unit 13 (step S90) . In this case, the judgment result is "abnormality found (Bad) and is outputted to the history information recording unit 131 (step S91).
The history information recording unit 131 sequentially stores the data sent from the electronic safety controller 21.
According to this elevator apparatus, when the car 3 is suddenly stopped according to an instruction from the electronic safety controller 21, it is possible to check the soundness of the electronic safety controller 21 by checking the history recorded in the history information recording unit 13. When the car 3 is suddenly stopped in spite of a judgment result of "no abnormality", it can be judged that the elevator control panel 11 has a failure.
Therefore, a cause of the sudden stop of the car 3 can be judged efficiently. This can provide an efficient recovery operation.
Furthermore, instead of a procedure in a periodic inspection operation for actually inputting inspection signals for any possible states to judge whether the computation results of set values and judgment results are correct, the history information can be checked to obtain a part of an inspection result, thereby making it possible to simplify the inspection operation. Simply by checking the calculation result of set values and the comparison and judgment results stored in the history information recording unit 131, it is possible to complete a part of the periodic inspection, thereby reducing the number of inspection items.
Furthermore, the set value set by the electronic safety controller 21 is set with a margin taking into account vibration of the car due to mischief. The range of the margin can also be adjusted for each elevator. By analyzing the data of the judgment result recorded in the history information recording unit 131, a level of the margin required for an actual operation circumstance can be checked and the margin can be minimized. This makes it possible to provide a higher car speed and improve the service efficiency. This can also simplify an operation for adjusting the margin. In other words, history information during a normal operation can be analyzed to reduce items in an adjustment operation.
Next, specific examples of contents to be diagnosed by the soundness diagnosis unit 132 are described below.

1. Diagnosis of failure of sensor
- · Check of the behavior of a position to time (continuousness, amount of change, presence or absence of noise or the like)
- · Check of the behavior of a speed to time (continuousness, amount of change, presence or absence of noise or the like)
- · Check of failure of a sensor
2. Diagnosis of operation of speed monitoring unit
- · Timing of the operation (operation interval) (from times t1 and t2)
- · Check of the result of the computation of a set value to a car position
- · Check of the result of the judgment according to a comparison between a detection speed and a set value
- · Diagnosis of a failure of an electronic element (e.g., CPU, ROM, RAM)
3. Diagnosis of output value of speed monitoring unit
- · Check of the behavior of an output value (presence or absence of noise or the like)
- · Check of the output to a safety circuit corresponding to a judgment result
4. Check of operation of self-diagnosis function of safety device · Check of the self-diagnosis operation (timing, diagnosis item) · Check of the history of detected abnormalities
5. Diagnosis of presence or absence of operation for suddenly stopping car and state during operation
- · Check of the detection of a failure of a safety device by a self-diagnosis (position of failure detection, check of cause of failure)
- · Check of an incorrect output (check of consistency between an output and a logic computation)
- · Check of a position and speed immediately before the operation (check of the behavior leading to an abnormal speed, presence or absence of mischief or the like)

By adding the processing to compile information for the history of the diagnosis results to thereby record the result of the compiling processing in the history information recording unit 131, it is also possible to alleviate an operation to check the history information. Specific examples of the result of the compiling processing to be recorded are described below.

· Right and wrong of the timing of an operation
· Right and wrong of the soundness of an input function based on the history of sensor inputs
· Right and wrong of the soundness of a logic computation
· Right and wrong of an output function
· Right and wrong of a self-diagnosis operation and its result
· Presence or absence of abnormality of the apparatus

In this elevator apparatus, the result of the diagnosis of the soundness of a system can be checked by the history information recording unit 131. Thus, when the car 3 is suddenly stopped because of a failure of an electronic element, the electronic element that has caused the failure can be identified efficiently.
Furthermore, the diagnosis results recorded in the history information recording unit 131 and the compiled results thereof can be checked to thereby reduce the number of inspection items of a periodic inspection. Items to be checked in a periodic inspection are as follows.

· Check of areas for which the soundness of the operation is already checked based on a car position and a car speed (areas for which an inspection regarding "x" and "v" is already performed)
· Check of inspection items that are already checked by self-diagnosis
· Check of a margin between a detection speed and a set value

In this manner, when, for example, an electronic element (e.g., CPU, ROM, RAM) is diagnosed with regards to the soundness, the diagnosis result recorded in the history information recording unit 131 can be checked. Thus, an inspection of the electronic element in a periodic inspection can be omitted.
In addition to the recording of history information and the recording of the result of the diagnosis of soundness, items that are checked in a periodic inspection may be recorded in the history information recording unit 131. In this case, the inspection history can be retained in the history information recording unit 131 such that the contents carried out in the periodic inspection can be checked easily. Inspection histories to be recorded include, for example, time at which the inspection is carried out and inspection items.
In this example, the history information recording unit 131 and the soundness diagnosis unit 132 are provided outside the electronic safety controller 21. However, at least one of the history information recording unit 131 and the soundness diagnosis unit 132 may be provided in the electronic safety controller 21.
Furthermore, in this example, information of the history of the monitoring of an abnormal speed is recorded. However, information on the history of rope-cut monitoring for monitoring damages to or cut of a main rope may be recorded. Alternatively, information of the history of the temperature of a motor of a traction machine, the temperature of an inverter, or the temperature of a control panel may be recorded.
In this manner, the elevator apparatus in this example includes: the abnormality monitoring unit (electronic safety controller 21) that judges, based on information from a sensor, presence or absence of abnormality of the elevator to output a signal for stopping the car when abnormality is detected; and the history information recording unit that records the history of information regarding the judgment processing in the abnormality monitoring unit.

«Detection of abnormality of data bus»

Next, Fig. 24 is a block diagram of the main part of the electronic safety controller 21 of Fig. 1. The electronic safety controller 21 has: a memory data abnormality check circuit 141 for checking abnormality of memory data; a CPU 142; and a designated address detection circuit 143 for checking abnormality of an address bus.
The memory data abnormality check circuit 141 has: a main memory 141a and a sub memory 141b (RAM) having a parallel configuration in which the main memory 141a and the sub memory 141b are allocated to the same address space in a superimposed manner; a data buffer 141c for preventing the collision with output data of the sub memory 141b; and a data comparison circuit 141d for comparing the respective pieces of data of the main memory 141a and the sub memory 141b to thereby check abnormality of the data.
Although not shown, the memory data abnormality check circuit 141 also has an error-correcting code check circuit as in the case of a conventional system.
The CPU 142 has: designated address output software 142a for outputting a designated address during a data abnormality check; data bus abnormality check software 142b executed during a data bus abnormality check; and a ROM for storing a program (not shown).
In the memory data abnormality check circuit 141, the main memory 141a and the sub memory 141b are connected to the CPU 142 via an address bus BA and a data bus BD, respectively. Data of the electronic safety controller 21 is written in the main memory 141a and the sub memory 141b from the CPU 142, and the data are read from the main memory 141a and the sub memory 141b by the CPU 142.
In the memory data abnormality check circuit 141, the data bus BD branches into a main memory data bus BD1 and a sub memory data bus BD2. The main memory 141a and the sub memory 141b are connected to the data comparison circuit 141d via the main memory data bus BD1 and the sub memory data bus BD2, respectively. The data buffer 141c is interposed at the sub memory data bus BD2.
When abnormality of memory data is checked, the data comparison circuit 141d compares the respective pieces of memory data inputted via the main memory data bus BD1 and the sub memory data bus BD2, respectively. When it is judged that the memory data has abnormality, the data comparison circuit 141d outputs a data abnormality signal ED.
The designated address detection circuit 143 is connected to the CPU 142 via the address bus BA. When abnormality of the address bus BA is checked, the designated address detection circuit 143 detects a designated address and, when it is judged that the address bus BA has abnormality, outputs an address bus abnormality signal EBA.
The designated address output software 142a in the CPU 142 operates when abnormality of the address bus BA is checked, and outputs, as described later, a designated address to the designated address detection circuit 143 in a cyclic manner. The data bus abnormality check software 142b in the CPU 142 operates when abnormality in the data bus BD is checked and, when it is judged that the data bus BD has abnormality, outputs a data bus abnormality signal EBD.
Fig. 25 specifically shows the data comparison circuit 141d for the data abnormality check of Fig. 24. Fig. 25 shows a case in which the data comparison circuit 141d includes plural exclusive OR gates 151, an AND gate 152, and a D-type latch circuit 153 that uses a memory read signal RD.
In Fig. 25, the data comparison circuit 141dhas: the exclusive OR gates 151 provided in parallel; the AND gate 152 to calculate a logical product of the respective output signals of the exclusive OR gates 51; and the D-type latch circuit 153 to use the output signal of the AND gate 152 as a D terminal input to output a H (logic "1") level signal as the data abnormality signal ED.
Each of the exclusive OR gates 151 receives data from the main memory data bus BD1 as an input signal from one side, and also receives the data from the sub memory data bus BD2 as an input signal from the other side. When those input signals are identical, the respective exclusive OR gates 151 output L (logic "0") level signals and, when those input signals are not identical, output H (logic "1") level signals.
The AND gate 152 accepts inversion signals of output signals from the respective exclusive OR gates 151 to output, when the respective input signals are all at H level (i.e., output signals of the exclusive OR gates 151 are all at L level), the H (logic "1") level signal.
The D-type latch circuit 153 operates in response to the memory read signal RD and changes the level of the output signal (data abnormality signal ED) in response to the D terminal input (output signal of AND gate 152) and is reset to the initial state in response to a reset signal RST.
Fig. 26 is a specific illustration of the designated address detection circuit 143 for the address bus abnormality check of Fig. 24.
In Fig. 26, the designated address detection circuit 143 has: plural exclusive OR gates 161 that receive the H level signal as one input signal; plural exclusive OR gates 162 that receive the L level signal as the other input signal; a NAND gate 163 that calculates a logical product of the respective output signals of the exclusive OR gates 161 and an address strobe signal STR; a NAND gate 164 that calculates a logical product of the respective output signals of the exclusive OR gate 162 and an address strobe signal STR; a D-type latch circuit 165 for providing the output signal of the NAND gate 163 as an input signal of a set terminal; a D-type latch circuit 166 for providing the output signal of the NAND gate 164 as an input signal of a set terminal; anANDgate 167 that calculates a logical product of the respective output signals of the D-type latch circuits 165 and 166; a D-type latch circuit 168 that operates in response to a reset signal RST1 of the designated address detection circuit 143; a D-type latch circuit 169 that operates in response to a mask signal MSK of the designated address detection circuit 143; and an OR gate 170 that calculates a logic product of the output signal of the AND gate 167 and the output signal of the D-type latch circuit 169.
The other input terminals of the exclusive OR gates 161 and 162 provided in parallel are inputted with designated addresses via the address bus BA, respectively.
When a designated address of the H level signal is inputted from the address bus BA, each of the exclusive OR gates 161 outputs the L level signal. When a designated address of the L level signal is inputted, each of the exclusive OR gates 161 outputs the H level signal.
In contrast, when a designated address of the H level signal is inputted from the address bus BA, each of the exclusive OR gates 162 outputs the H level signal. When a designated address of the H level signal is inputted, each of the exclusive OR gates 162 outputs the L level signal.
An output signal from each of the exclusive OR gates 161 is level-inverted together with the address strobe signal STR and is inputted to the NAND gate 163. Similarly, an output signal from each of the exclusive OR gates 162 is level-inverted together with the address strobe signal STR and is inputted to the NAND gate 164.
Thus, when the address bus BA is sound, by designated addresses ("FFFF", "0000") periodically inputted via the address bus BA, the NAND gates 163 and 164 output H level signals with a fixed cycle and in a complementary manner such that the NAND gates 163 and 164 are in synchronization with the address strobe signal STR.
In the D-type latch circuit 168, the D input terminal is applied with the L level signal, and the D-type latch circuit 168 is operated by the first reset signal RST1. An output signal of the D-type latch circuit 168 is applied to the respective reset terminals of the D- type latch circuits 165 and 166. In the D-type latch circuit 169, the D input terminal is applied with a 0 bit signal BTO of the data bus BD ("0" at mask ON and "1" at mask OFF) and the D-type latch circuit 169 is operated by the mask signal MSK. The respective D- type latch circuits 168 and 169 are reset by the second reset signal RST2, respectively.
When the output signal of the AND gate 167 or the output signal of the D-type latch circuit 169 show the H level, the OR gate 170 outputs an address bus abnormality signal EBA.
In the electronic safety controller 21 having this configuration, not only the data abnormality check by the memory data abnormality check circuit 141 but also the abnormality check of the address bus BA by the designated address output software 142a and the designated address detection circuit 143 and the abnormality check of the data bus BD by the data bus abnormality check software 142b are performed.
Next, the three types of abnormality check operations will be explained in further detail with reference to Fig. 24 to Fig. 28.
Fig. 27 is a flowchart of the processing operation by the designated address output software 142a and the designated address detection circuit 143 in the CPU 142 of Fig. 24. Fig. 27 shows an operation procedure when a designated address is outputted to the designated address detection circuit 143 to check abnormality of the address bus BA.
Fig. 28 is a flowchart of the processing operation by the data bus abnormality check software 142b in the CPU 142 of Fig. 24.
First, an operation for checking abnormal data by the memory data abnormality check circuit 141 will be explained with reference to Fig. 24 and Fig. 25.
In the memory data abnormality check circuit 141, the main memory 141a and the sub memory 141b are allocated with the same address space in a superimposed manner. When the CPU 142 writes data to the main memory 141a and the sub memory 141b, the same data is written in the same address of the main memory 141a and the sub memory 141b, respectively.
On the other hand, when the CPU 142 reads data from the main memory 141a and the sub memory 141b, the data of the main memory 141a is read onto the main memory data bus BD1 and is sent to the CPU 142 via the data bus BD. However, the data of the sub memory 141b is read onto the sub memory data bus BD2 but is blocked by the data buffer 141c and thus is not sent to the data bus BD.
Thus, only the data of the main memory 141a is sent to the CPU 142 without causing the collision of two memory outputs from the main memory 141a and the sub memory 141b, and writing and reading are performed correctly.
Simultaneously with this operation, the main memory data read onto the main memory data bus BD1 and the sub memory data read onto the sub memory data bus BD2 are inputted to the data comparison circuit 141d and the comparison between the former and the latter is performed.
The data comparison circuit 141d checks abnormality of the data and, when abnormality (data inconsistency) is detected, outputs the data abnormality signal ED.
Next, an operation for checking abnormality of the address bus BA by the designated address output software 142a and the designated address detection circuit 143 in the CPU 142 will be explained with reference to Fig. 24, Fig. 26, and Fig. 27.
With regards to all of the respective bit signals used for a memory system in the address bus BA, the CPU 142 executes the designated address output software 142a using designated addresses for check with which both cases of "0" and "1" can be checked (e.g., "FF" and "00" in the case of 8 bits) to repeatedly perform the processing of Fig. 27 (steps S101 to S104) in a cyclic manner. At the same time, the designated address detection circuit 143 provided on the address bus BA is caused to detect the designated address. When the designated address detection circuit 143 cannot detect all of the designated addresses, the designated address detection circuit 143 judges that the address bus BA has abnormality to output the address bus abnormality signal EBA.
In Fig. 27, first, the CPU 142 turns ON the mask of the designated address detection circuit 143 (step S101) to operate the D-type latch circuit 169 in the designated address detection circuit 143 and applies the 0 bit signal BTO (=0) to the D input terminal. Next, the first reset signal RST1 is used to reset the designated address detection circuit 143 (stepS102) to operate the D-type latch circuit 168.
Next, the maximum address "FFFF" at which all addresses are "1" (or the minimum address at which all addresses are "0") is read (step S103) . Finally, the mask of the designated address detection circuit 143 is turned OFF (step S104). A 0 bit signal BTO(=1) is applied to the D input terminal of the D-type latch circuit 169 to invert the operation state of the D-type latch circuit 169 to thereby complete the processing routine of Fig. 27.
Next, an operation for checking abnormality of the data bus BD by the data bus abnormality check software 142b in the CPU 42 will be explained with reference to Fig. 24 and Fig. 28.
With regards to all of the respective bit signals used for a memory system in the data bus BD, the CPU 142 repeatedly executes, in a cyclic manner, a read/write check operation by the processing (S105 to S111) of Fig. 28 using designated addresses for check with which both cases of "0" and "1" can be checked (e.g., "AA" and "55" or pairs of values of "01", "02", "04", "08", "10", "20", "40", and "80" in the case of 8 bits).
When all pieces of specified data are inconsistent in the judgment processing by the data bus abnormality check software 142b, the CPU 142 judges that the data bus BD has abnormality to output the data bus abnormality signal EBD.
In Fig. 28, first, the CPU 142 initializes a variable N to identify specified data to be "1" (step S105) and writes Nth (N=1) specified data (=01) to a test address of the RAM (main memory 141a and sub memory 141b) (step S106). Next, the CPU 142 reads the specified data written in step S12 from the test address (step S107) to judge whether the data is consistent with specified data before being written (step S108).
When, it is judged in step S108 that the specified data after being read is inconsistent with the specified data before being written (i.e., NO), the CPU 142 assumes that the data bus BD has abnormality to output the data bus abnormality signal EBD (step S109) to cause an abnormal end.
When step S108 judges that the specified after being read is consistent with the specified data before being written (i. e. , YES), then the variable N is incremented (step S110) and it is judged whether the variable N is "8" or less (step S111).
When step S111 determines N≤8 (i.e., YES), the processing returns to the processing to write specified data (step S106) to repeatedly perform steps S107 to S110. In other words, the second specified data (="02"), the third specified data (="02"), ··· and the eighth specified data (="80") are sequentially written in the test address in the RAM (step S106). After the respective pieces of data are read (step S107), consistency or inconsistency is judged (step S108).
On the other hand, when step S111 determines N>9 (i.e., NO), all pieces of specified data (N=1 to 8) are checked with regards to abnormality of the data bus and it is assumed that all pieces of specified data are consistent before and after being written. In this case, the CPU 142 successfully completes the processing routine of Fig. 28.
In this manner, by performing not only the processing by the memory data abnormality check circuit 141 as in a conventional system but also the cyclic abnormality check processing of the address bus BA and the data bus BD used when the memory is written and read, thereby making it possible to provide an improved reliability in the abnormality check.
The abnormality check is particularly effective to check the soundness of a memory system in the elevator electronic safety apparatus.
In this manner, the electronic safety controller 21 in this example includes: the CPU having the designated address output software and the data bus abnormality check software; the main memory and the sub memory connected to the CPU via the address bus and the data bus; the memory data abnormality check circuit that compares the data of the main memory with that of the sub memory; and the designated address detection circuit connected to the CPU via the addressbus. The CPU executes the designated address output software and uses the designated address detection circuit to check abnormality of the address bus in a cyclic manner. The CPU executes the data bus abnormality check software and uses the main memory and the sub memory to check abnormality of the data bus in a cyclic manner.
Furthermore, the CPU executes the designated address output software to output, with regards to all of the respective bit signals used for the main memory and the sub memory in an address bus designated addresses for check with which both cases of "0" and "1" can be checked to the designated address detection circuit. Then, the designated address detection circuit detects plural designated addresses outputted from the CPU in a cyclic manner and, when the CPU cannot detect all of the designated addresses, the CPU judges that abnormality of the address bus has occurred and outputs an address bus abnormality signal.
Furthermore, the CPU executes the data bus abnormality check software to input and output, with regards to all of the bit signals used for the main memory and the sub memory in the data bus, designated addresses for check with which both cases of "0" and "1" can be checked to once write plural pieces of specified data cyclically outputted from the CPU in the main memory and the sub memory and subsequently read and compare the pieces of specified data. When all of the specified data before being written and the specified data after being written are inconsistent, the CPU determines that abnormality of the data bus has occurred and outputs a data bus abnormality signal.

Claims

An elevator apparatus, comprising:
a sensor that generates detection signal for detecting a state of an elevator; and

an electronic safety controller that detects abnormality of the elevator based on the detection signal from the sensor to output an instruction signal for shifting the elevator to a safe state,

wherein the electronic safety controller can detect abnormality of the electronic safety controller itself and, when abnormality of the electronic safety controller itself is detected, the electronic safety controller also outputs the instruction signal for shifting the elevator to the safe state.
The elevator apparatus according to claim 1, wherein the electronic safety controller can detect abnormality of the sensor and, when abnormality of the sensor is detected, the electronic safety controller also outputs the instruction signal for shifting the elevator to the safe state.
The elevator apparatus according to claim 1, wherein:
the electronic safety controller includes a microprocessor that executes arithmetic processing for detecting abnormality of the elevator; and

the microprocessor periodically executes arithmetic processing for detecting abnormality of the electronic safety controller itself.
The elevator apparatus according to claim 1, wherein:
the electronic safety controller includes a microprocessor that executes arithmetic processing for detecting abnormality of the elevator; and

the microprocessor executes, when a predetermined state is satisfied, arithmetic processing for detecting abnormality of the electronic safety controller itself.
The elevator apparatus according to claim 1, wherein:
the electronic safety controller includes a first microprocessor that executes arithmetic processing for detecting abnormality of the elevator based on a first safety program and a second microprocessor that executes arithmetic processing for detecting abnormality of the elevator based on a second safety program; and

the first and secondmicroprocessors can communicate with each other via an interprocessor bus and can compare arithmetic processing results with each other to check the soundness of the first and second microprocessors.