JPWO2019163133A1 - Elevator safety control device - Google Patents

Abstract

The elevator safety control device can perform multiple functions by multitasking, and when an abnormality is detected by the safety control function or the self-diagnosis function, the execution of the task of the self-diagnosis function is suspended and The safety transition process corresponding to the abnormality detected in the task execution time frame is executed. Further, when an abnormality is newly detected during the execution of the safety transition processing and the priority of the safety transition processing corresponding to the newly detected abnormality is higher than the priority of the safety transition processing, the safety The execution of the transition process is interrupted, and the safety transition process corresponding to the newly detected abnormality is executed.

Description

The present invention relates to an elevator safety control device, and more particularly to an elevator safety control device that provides a plurality of safety control functions.

In the conventional elevator safety control device, when providing a plurality of safety control functions, it is necessary to prepare devices or boards for the number of safety control functions. For example, in Patent Document 1, each device is provided with a logic unit including a CPU (Central Processing Unit) and a memory.

The technique according to Patent Document 1 is provided with a monitoring board as a monitoring section for monitoring the position and speed of the elevator car, and a brake control board as a brake control section for controlling the brake device when performing the second braking operation. ing. That is, the technique according to Patent Document 1 has two safety control functions, and the devices or boards on which the above logic units are formed are provided by the number of safety control functions.

International Publication No. 2007/057973

The technique according to Patent Document 1 requires as many devices or boards as the number of safety control functions, resulting in high cost. However, simply mounting multiple safety control functions on one device or board interrupts the execution of other safety control functions when an abnormality is detected by a certain safety control function and safety transition processing is executed. As a result, the safety control of the entire elevator may be inconvenient. In other words, the independence of multiple safety control functions cannot be guaranteed.

The present invention is to solve the above problems, and an object of the present invention is to provide an elevator safety control device capable of ensuring independence of a plurality of safety control functions.

In order to achieve the above object, the elevator safety control device according to the present invention is an elevator safety control device capable of executing a plurality of functions by multitasking, and an arithmetic processing unit that executes repetitive processing at a constant cycle, A plurality of functions executed by the arithmetic processing unit are provided in a first group including a safety control function and a second group including a self-diagnosis function. The scheduler is classified into a third group including a group and a non-safety control function, and the scheduler allocates execution time to each task of at least one function from each of the first and second groups in each cycle, and assigns the execution time to the third group. The remaining execution time is assigned to the tasks of the included functions, and the arithmetic processing unit suspends the execution of the tasks of the functions included in the second group when an abnormality is detected by the safety control function or the self-diagnosis function. , The safety transition process corresponding to the abnormality detected in the execution time frame of the interrupted task is executed.

In the elevator safety control device according to the present invention, a plurality of functions can be executed by multitasking, and the plurality of functions include a first group including a safety control function, a second group including a self-diagnosis function, and a non-safety control. When the abnormality is detected by the safety control function or the self-diagnosis function, which is classified into the third group including the function, the execution of the task of the function included in the second group is interrupted and the interrupted task By executing the safety transition process corresponding to the detected abnormality in the execution time frame, it is possible to guarantee the independence of the plurality of safety control functions.

It is a figure which shows the structure of the elevator which concerns on Embodiment 1 of this invention. It is a figure which shows the hardware constitutions of the elevator safety control apparatus which concerns on Embodiment 1 of this invention. It is a figure which shows the function structure of the elevator safety control apparatus which concerns on Embodiment 1 of this invention. 5 is a flowchart illustrating a safety transition process according to the first embodiment of the present invention. It is a figure which shows the 1st example of the scheduling which concerns on Embodiment 1 of this invention. It is a figure which shows the 2nd example of the scheduling which concerns on Embodiment 1 of this invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the embodiments shown below are examples, and the present invention is not limited to these embodiments.

Embodiment 1.
FIG. 1 is a diagram showing a configuration of an elevator apparatus 100 according to Embodiment 1 of the present invention. In FIG. 1, a car 1 and a counterweight 2 are suspended in a hoistway by suspension means 3. The suspension means 3 includes a plurality of ropes or belts.

A hoisting machine 4 for raising and lowering the car 1 and the counterweight 2 is installed in the lower part of the hoistway. The hoisting machine 4 includes a drive sheave 5 around which the suspension means 3 is wound, a hoisting machine motor (not shown) that generates a drive torque to rotate the drive sheave 5, and a braking torque to generate a drive sheave. The hoisting machine brake 6 serves as a braking unit that brakes the rotation of the hoisting machine 5, and a hoisting machine encoder 7 that generates a signal according to the rotation of the drive sheave 5.

As the hoisting machine brake 6, for example, an electromagnetic brake device is used. At the time of braking by the electromagnetic brake device, the brake shoe is pressed against the braking surface by the spring force of the braking spring, the rotation of the drive sheave 5 is braked, and the car 1 is braked. Further, when braking is released by the electromagnetic brake device, the brake shoe is separated from the braking surface by exciting the electromagnetic magnet, and the braking force is released. The braking force applied by the hoisting machine brake 6 changes according to the value of the current applied to the brake coil of the electromagnetic magnet.

The car 1 is provided with a pair of car suspension cars 8a and 8b. The counterweight 2 is provided with a counterweight suspension wheel 9. Car return wheels 10a and 10b and a counterweight return wheel 11 are provided above the hoistway. One end of the suspension means 3 is connected to a first rope stopper 12a provided on the upper part of the hoistway. The other end of the suspension means 3 is connected to a second rope stopper 12b provided at the top of the hoistway.

The suspension means 3 is wound around the car suspension cars 8a, 8b, the car return cars 10a, 10b, the drive sheave 5, the counterweight return car 11, and the counterweight suspension car 9 in this order from one end side. That is, the car 1 and the counterweight 2 are suspended in the hoistway by the "2:1 roping method".

A speed governor 14 is installed above the hoistway. The speed governor 14 includes a speed governor sheave 15 and a speed governor encoder 16 that generates a signal according to the rotation of the speed governor sheave 15. A speed governor rope 17 is wound around the speed governor sheave 15. Both ends of the governor rope 17 are connected to an operating lever (not shown) of an emergency stop device mounted on the car 1. The lower end of the governor rope 17 is wound around a tension wheel 18 arranged at the bottom of the hoistway. When the car 1 is moved up and down, the governor rope 17 is circulated, and the governor sheave 15 is rotated at a rotation speed corresponding to the traveling speed of the car 1.

An upper reference position switch 19a for detecting the position of the car 1 is provided in the upper part of the hoistway. A lower reference position switch 19b for detecting the position of the car 1 is provided in the lower portion of the hoistway. The car 1 is provided with a switch operating member for operating the reference position switches 19a and 19b, for example, a cam.

On the car 1, a car door switch 20 for detecting opening/closing of the car door is provided. A hall door switch (not shown) that detects opening and closing of the hall door is provided at the hall on each floor. Further, the hoistway is provided with a plurality of floor alignment plates 21a to 21c for detecting a position where passengers can safely enter and leave the car 1, that is, a position where the car 1 is located in the door zone. The car 1 is provided with a floor alignment sensor 22 that detects the floor alignment plates 21a to 21c.

The hoisting machine encoder 7, the governor encoder 16, the reference position switches 19a and 19b, the car door switch 20, the landing door switch (not shown), and the floor alignment sensor 22 each generate a signal corresponding to the state of the car 1. It is a sensor that does.

A control panel 23 is installed in the hoistway. In the control panel 23, a drive control unit 24 that is an operation control unit and an elevator safety control device 25 are provided. The elevator safety control device 25 can control the stop of the car 1.

In an elevator apparatus, the system is monitored and controlled from a plurality of viewpoints in order to ensure safety. Therefore, a plurality of safety control functions are installed in the elevator safety control device 25 in order to carry out each monitoring/control. That is, the elevator safety control device 25 executes the calculations related to the plurality of safety control functions by the respective independent programs, so that the safety control from a plurality of viewpoints of the elevator device is realized. Specific examples of the safety control function include a door-open running protection function, an overspeed monitoring function, a maintenance switching function, and a safety communication function.

The drive control unit 24 controls the operation of the hoisting machine 4, that is, the operation of the car 1. In addition, the drive control unit 24 controls the traveling speed of the car 1 based on the signal from the hoisting machine encoder 7.

The door-open running protection function determines whether or not the car 1 is in the landing position based on the signal from the floor alignment sensor 22. Further, the door-open running protection function determines the open/closed state of the car door and the hall door based on signals from the car door switch 20 and the hall door switch (not shown). In addition, the door-open running protection function determines whether or not the car 1 is running, based on a signal from the hoisting machine encoder 7.

Further, the door-open traveling protection function is provided when the car 1 is not at the landing position but at least one of the car door and the landing door is open, and the car 1 is running. Despite this, it detects a state where at least one of the car door and the hall door is open, and outputs a brake operation command. That is, when the door-open running state is detected, the door-open running protection function brakes the drive sheave 5 by the hoisting machine brake 6 and stops the hoisting machine motor to forcibly stop the car 1.

Signals from the governor encoder 16 and the reference position switches 19a and 19b are input to an overspeed monitoring function which is one of safety control functions. The overspeed monitoring function obtains the position and speed of the car 1 independently of the drive control unit 24 based on signals from the governor encoder 16 and the reference position switches 19a and 19b, and the speed of the car 1 is predetermined. To see if the overspeed level has been reached.

The overspeed level is set as an overspeed monitoring pattern that changes according to the position of the car 1. When the speed of the car 1 reaches the overspeed level, the overspeed monitoring function brakes the drive sheave 5 by the hoisting machine brake 6 and stops the hoisting machine motor to forcibly stop the car 1.

The maintenance switching function disables automatic operation when maintenance personnel detect that the maintenance personnel have entered the hoistway for inspection by detecting the opening of the inspection door or the operation of the switch that detects the assembly of the car handrail. Turn into. Further, when the overshoot is detected by the position switch provided at the restricted position in the hoistway, the car 1 is stopped to limit the hoisting stroke during the inspection operation. The return to the automatic operation is performed by the reset switch provided outside the hoistway.

The drive controller 24 and the elevator safety controller 25 each have an independent microcomputer. The functions of the drive control unit 24 and the elevator safety control device 25 are realized by these microcomputers. Note that various safety control functions implemented in the elevator safety control device 25, that is, calculations such as a door-open running protection function and an overspeed monitoring function are executed by independent programs. In addition, maintenance functions such as log collection and non-safety functions such as operation control such as assignment response to calls are also executed.

In the present application, a different name from “elevator safety control device” or “safety control board” is used for the elevator safety control device 25, but both names are the same.

In the above configuration, one elevator safety control device 25 is equipped with a plurality of safety control functions. However, as described above, when a plurality of safety control functions are simply mounted in one elevator safety control device 25, when an abnormality is detected by a certain safety control function and the safety transition process is executed, another safety control function is executed. Execution of the safety control function is interrupted, which may cause inconvenience in safety control of the entire elevator. In other words, the independence of each safety control function cannot be guaranteed. Therefore, it is necessary to guarantee the independence of a plurality of safety control functions so that each safety control function does not affect other safety control functions.

In the present invention, the task scheduling function using time partitioning assigns execution times to the tasks of a plurality of safety control functions, and executes a plurality of safety control functions in a multitasking manner, thereby enabling independent safety control functions. Guarantee the sex.

FIG. 2 shows the hardware configuration of the elevator safety control device 25. The elevator safety control device 25 includes an I/O, that is, an input/output unit 30, a CPU 31, a ROM 32 of a non-volatile memory, a RAM 33 of a volatile memory, a first timer 34 and a second timer 35, and a memory protection. And a unit 36. In other words, the input/output unit 30, the CPU 31, the ROM 32, the RAM 33, the first timer 34 and the second timer 35, and the memory protection unit 36 are mounted on one safety control board 25. ing.

The ROM 32 stores a plurality of programs for executing the safety control function and the non-safety control function, respectively. The CPU 31 reads the program from the ROM 32, expands it on the RAM 33, and executes the program while storing temporary data in the RAM 33.

In FIG. 2, the input/output unit 30 is connected to external components (not shown) of the safety control board 25.

A signal regarding the state of the elevator is input to the input/output unit 30. As described above, there are various switches 19a and 19b for monitoring and detecting the state of the elevator. There are also various sensors including the governor encoder 16 in order to monitor/detect the state of the elevator. Signals from these switches and sensors, that is, signals relating to the state of the car 1 are input to the input/output unit 30.

Further, the input/output unit 30 counts and digitizes the pulse signals including the encoder signal. The input/output unit 30 also compares the duplicated input signals and compares the input signal with a signal from a reference sensor (not shown). When a mismatch is detected as a result of the comparison in the input/output unit 30, the fact is notified to the CPU 31 forming the logic unit.

The CPU 31 reads the signals from the sensors and the switches as input values via the input/output unit 30 and performs calculations necessary for a plurality of safety controls regarding the elevator. That is, the CPU 31 executes computations regarding a plurality of safety control functions by independent programs based on the input values from the sensor and the switch. Thereby, safety control of the elevator is realized.

Note that these configurations can be multiplexed, and a failure can be detected by comparing each system.

It is also possible to obtain the input signal via the network. In this case, in order to detect the abnormality of the network, the program checks the transmission/reception address, the sequence number, the error detection code, and the reception monitoring timer (not shown). In the present invention, these processes are classified as a safety communication function.

In the elevator safety control device 25, the CPU 31 repeatedly executes the process at regular intervals. The task execution time is assigned to the CPU 31 in each cycle by the scheduler 37 (see FIG. 3). The scheduler 37 according to this embodiment is implemented by software.

The scheduler 37 divides the functions executed by the CPU 31 into three groups and manages them. The first group includes various safety control functions including the safety communication function described above. The second group includes the self-diagnosis function and the safety transition process. The third group includes other non-safety control functions. In FIG. 3, the safety control function, the self-diagnosis function, the safety transition process, and the non-safety control function are shown as a safety control program 41, a self-diagnosis program 42, a safety transition program 43, and a non-safety control program 44, respectively.

In each cycle, the scheduler 37 gives priority to the execution time of the CPU 31 to the tasks of the functions included in the first and second groups, and allocates the remaining execution time to the tasks of the functions included in the third group. .. Therefore, depending on the situation, it may not be possible to allocate execution time to the tasks of the functions included in the third group.

The safety scheduling information 51 stores the execution order and specified time of various safety control functions included in the first group. The scheduler 37 allocates execution times to the tasks of various safety control functions based on the safety scheduling information 51.

The safety shift scheduling information 52 stores various self-diagnosis functions included in the second group, an execution sequence of safety shift processing, and a prescribed time. The scheduler 37 allocates execution times to various self-diagnosis functions and tasks of safety transition processing based on the safety transition scheduling information 52.

The non-safety scheduling information 53 stores the execution order and specified time of various non-safety control functions included in the third group. The scheduler 37 allocates execution times to the tasks of various non-safety control functions based on the non-safety scheduling information 53.

When the execution of a task of a certain safety control function is started in a certain cycle according to the allocation of the scheduler 37, the task execution time is monitored by the first timer 34 set to the specified time of the safety control function. The monitoring time of the first timer 34 is variable and is set for each function. As the first timer 34, for example, a watchdog timer with a variable time window can be used.

When the execution of the task of the safety control function is completed normally, the task switching process is performed within the specified time of the first timer 34, that is, the execution state of the functional task is saved and the execution state of the next functional task is changed. The process of returning is performed, and according to the scheduling by the scheduler 37, the execution of the task of the next safety control function is started.

When execution of the task of the safety control function included in the first group assigned to a certain cycle ends, execution of the task of the self-diagnosis function included in the second group starts. At this time, also in the case of the self-diagnosis function, as in the case of the safety control function, the task execution time is monitored by the first timer 34 set to the specified time.

When the first timer 34 detects that the specified time is exceeded, the execution of the task of the safety control function or the self-diagnosis function is interrupted. If the execution is interrupted a predetermined number of times, the corresponding safety transition process is executed.

When the execution of the task of the self-diagnosis function included in the second group is completed, the task of the non-safety control function included in the third group is executed according to the scheduling determined by the scheduler 37 based on the non-safety scheduling information 53. Is started. However, at this time, the execution time is not monitored by the first timer 34.

Further, the CPU 31 monitors the execution time of the entire cycle by the second timer 35. The monitoring time of the second timer 35 is fixed and is set according to the cycle time. As the second timer, for example, a watchdog timer with a fixed time window can be used.

When the second timer 35 detects that the task of the safety control function has exceeded the cycle time, the corresponding safety transition process is executed. Further, when the second timer 35 detects that the task of the non-safety control function has exceeded the cycle time, the execution of the task is interrupted and the next cycle starts.

In addition, the CPU 31 immediately stops the hoisting machine 4 and operates the brake when the cycle time excess due to the safety shift process is detected.

Further, during execution of a task of a certain function, the memory protection unit 36 restricts access to a memory area used by a task of another function, that is, reading from the memory and writing to the memory. A memory range that can be accessed is set in advance for each function, and if an attempt is made to perform an access exceeding the range, the memory protection unit 36 detects a memory access violation.

Direct access is prohibited for input/output, and the same protection is implemented via the input/output memory. When a memory access violation is detected, for example, a safety transition process of "stop nearest floor" is executed.

(Safety transition process)
Next, details of the safety shift process in the elevator safety control device 25 according to the first embodiment of the present invention will be described. In the ROM 32 of the elevator safety control device 25, a plurality of safety transition processing execution programs, that is, the safety transition programs 43 according to the types of elevator abnormalities, and a safety transition priority 54 that defines the priority of each safety transition processing And are stored.

For example, when the position information of the overspeed monitoring function is lost due to a sensor failure or the like, the CPU 31 implements a “speed limit” that limits the maximum speed over the entire process as a safety transition process.

Further, when a minor arithmetic abnormality such as the above-mentioned memory access violation is detected, the CPU 31 instructs the drive device to stop to the nearest floor and completely stops the car 1 after a certain time as a safety transition process. Carry out "stop on the nearest floor".

Further, the CPU 31 immediately stops the hoisting machine 4 and operates the brakes as a safety transition process when a serious abnormality such as the stipulated time excess, the cycle time excess, or the door open traveling is detected. "Stop".

In this case, the priority of the safety transition process is in the order of "emergency stop", "stop nearest floor", and "speed limit". In addition to this, when a safety transition process is necessary, the priority can be set by adding as appropriate.

FIG. 4 shows a flowchart of the safety shift process in the elevator safety control device 25.

During the execution of the periodic processing in the elevator safety control device 25, does the task of the safety control function or the task of the self-diagnosis function have an abnormality in the elevator or the safety control function itself or the safety control device 25 itself. Check (step S1). If no abnormality is detected (step S1=No), the process is executed according to the schedule.

If an abnormality is detected in step S1 (step S1=Yes), the execution of the task of the self-diagnosis function scheduled in advance is interrupted, that is, excluded from the schedule (step S2), and the abnormality detected this time in the time frame is detected. A corresponding safety shift process is executed (step S3). If the time required for the safety transition processing is short and the execution times of both the safety transition processing and the self-diagnosis function can be secured, the task of the self-diagnosis function may be continued.

During execution of the safety shift process, it is checked whether or not the return condition is satisfied (step S4). For example, it is checked whether or not the sensor input abnormality has been eliminated, whether or not the overspeed state has been eliminated by restoration by the maintenance personnel.

When the return condition is satisfied in step S4 (step S4=Yes), the safety shift process is ended (step S5), and the execution of the task of the self-diagnosis function is restarted in that time frame (step S6).

If the task of the safety control function detects a new abnormality during execution of the safety transition processing (step S7=Yes), the priority of the safety transition processing corresponding to the newly detected abnormality is checked. (Step S8), if the priority of the safety transition process being executed is higher (step S8=No), the current safety transition process is continued as it is (return to step S4).

On the other hand, when the priority of the new safety transition process is higher (step S8=Yes), the current safety transition process is interrupted, that is, excluded from the schedule (step S9), and newly detected in the time frame. A safety shift process corresponding to the abnormal condition is executed (step S10). After that, if the return condition is satisfied, the process returns (steps S4 to S6).

(First example of scheduling)
FIG. 5 shows a first example of scheduling in the elevator safety control device 25 according to the first embodiment of the present invention.

In a certain cycle, the CPU 31 of the elevator safety control device 25 executes the task of the safety communication function and the task of the overspeed detection function from the first group as shown in the pattern (a1). Next, the task of the self-diagnosis function is executed from the second group. In the last free time, the maintenance function task is executed and finished from the third group.

In the next cycle, the CPU 31 executes the task of the safety communication function, the task of the door-open running protection function, and the task of the maintenance switching function from the first group as shown in the pattern (a2). Next, the task of the self-diagnosis function is executed from the second group. In the last free time, the task of the operation function is executed from the third group and ends.

Here, for example, when the overspeed detection function detects a sensor abnormality and requests execution of "speed limitation" as the safety transition processing, the CPU 31 first sets the first speed as shown in the pattern (b1). The task of safety communication function and the task of overspeed detection function are executed from the group. Next, during the execution time of the second group, the "speed limit" process is executed instead of the task of the self-diagnosis function. Then, in the last free time, the maintenance function task is executed from the third group, and the processing ends.

However, if the door-open running protection function further detects an abnormality in the elevator and requests execution of an "emergency stop" as a safety transition process, the CPU 31 first determines, as shown in pattern (b2). The task of the safety communication function, the task of the door-open running protection function, and the task of the maintenance switching function are executed from the first group. Next, the safety transition process is executed during the execution time of the second group. However, since the priority of "emergency stop" is higher than the priority of "speed limit" currently being executed, "speed limit" is executed. The process of "emergency stop" is executed instead of the process of "." Then, in the last free time, the task of the operation function is executed from the third group and ends.

After that, the normal pattern shown in the pattern (a1) is restored by the restoration by the maintenance personnel.

As described above, the elevator safety control device 25 according to the first embodiment of the present invention can execute a plurality of safety control functions by multitasking by the task scheduling function using time partitioning.

The plurality of functions executed by the CPU 31 are classified into a first group including a safety control function, a second group including a self-diagnosis function, and a third group including a non-safety control function.

In each cycle, the scheduler 37 allocates the execution time to the task of at least one function from the first and second groups, and allocates the remaining execution time to the task of the function included in the third group.

When an abnormality is detected by the safety control function or the self-diagnosis function, the CPU 31 suspends the execution of the task of the function included in the second group, and detects it in the execution time frame of the suspended task. Execute the safety transition process corresponding to the abnormality.

Thereby, independence of a plurality of safety control functions can be guaranteed.

Further, the CPU 31 detects a new abnormality during the execution of the safety transition process, and the priority of the safety transition process corresponding to the newly detected abnormality is higher than the priority of the safety transition process. For this purpose, the execution of the safety transition process is suspended, and the safety transition process corresponding to the newly detected abnormality is executed.

As a result, it is possible to appropriately deal with the case where a plurality of abnormalities are simultaneously detected while guaranteeing the independence of the plurality of safety control functions.

(Second example of scheduling)
FIG. 6 shows a second example of scheduling in the elevator safety control device 25 according to the first embodiment of the present invention. The scheduling (a1′, a2′) during the normal operation of the elevator is the same as that in the first example described above.

In a certain cycle, when an abnormality of the safety control function itself is detected and it is difficult to continue execution of the task of the safety control function, for example, when a fatal calculation error or execution time excess is detected, the CPU 31 , The pattern (b1′) or the pattern (b2′), the time assignment of the task of the safety control function is released, and the execution time frame indicates the pattern (b1′) or the pattern (b2′). Perform a safety transition process like this. That is, the safety transition process at this time is executed not in the execution time frame of the second group but in the execution time frame of the safety control function included in the first group.

When it is difficult to continue execution of the tasks of the plurality of safety control functions, the CPU 31 releases the time allocation of the tasks of the plurality of safety control functions, and selects the most of the safety transition processing corresponding to the abnormality. Run the one with the highest priority in an open time frame. At this time, a plurality of execution time frames may be assigned to the safety transition process in the same cycle.

Alternatively, the CPU 31 extends the execution time frame of the second group by canceling the time allocation of the task of the safety control function and advancing the execution start time of the task of the subsequent safety control function, In the execution time frame of the second group, the safety transition process and the task of the self-diagnosis function may be executed.

Claims (8)

An elevator safety control device capable of performing multiple functions by multitasking,
An arithmetic processing unit that executes repetitive processing at a constant cycle,
A scheduler for allocating task execution time to the arithmetic processing unit in each cycle,
The plurality of functions executed by the arithmetic processing unit are classified into a first group including a safety control function, a second group including a self-diagnosis function, and a third group including a non-safety control function,
In each cycle, the scheduler allocates execution time to each task of at least one function from the first and second groups, and allocates remaining execution time to each task of functions included in the third group,
When an abnormality is detected by the safety control function or the self-diagnosis function, the arithmetic processing unit interrupts the execution of the task of the function included in the second group, and the execution time of the interrupted task. An elevator safety control device that executes a safety transition process corresponding to the detected abnormality in a frame. When a new abnormality is detected during the execution of the safety transition processing, and the priority of the safety transition processing corresponding to the newly detected abnormality is higher than the priority of the safety transition processing, the safety transition is performed. The elevator safety control device according to claim 1, wherein the execution of the process is interrupted, and the safety transition process corresponding to the newly detected abnormality is executed. When the abnormality of the safety control function itself is detected, the arithmetic processing unit releases the execution time allocation of the task of the safety control function, and in the released execution time frame, the safety control function The elevator safety control device according to claim 1 or 2, which executes a safety shift process corresponding to an abnormality of itself. Further comprising a memory protection unit for detecting a memory access violation of the plurality of functions,
The elevator safety control device according to any one of claims 1 to 3, wherein, when the memory access violation is detected, the arithmetic processing unit executes a safety transition process corresponding to the memory access violation. Further comprising a first timer for detecting a stipulated time overrun of tasks of the functions included in the first and second groups,
The elevator safety control device according to any one of claims 1 to 4, wherein the arithmetic processing unit executes a corresponding safety transition process when the prescribed time excess is detected a predetermined number of times. A second timer for detecting the total cycle time excess,
The arithmetic processing unit executes a corresponding safety transition process when the cycle time excess due to a task of a function included in the first or second group is detected. The elevator safety control device according to claim 1. The elevator safety control device according to claim 6, wherein, when the cycle time excess by the task of the function included in the third group is detected, the execution of the task is interrupted. The elevator safety control device according to any one of claims 1 to 7, wherein the safety transition process includes an emergency stop, a nearest floor stop operation, and a speed limit in order of increasing priority.

Images