WO2020056701A1 - First safety control unit, a method to operate the first safety control unit, a second safety control unit, a method to operate the second control unit, and an elevator system - Google Patents

Info

Publication number
WO2020056701A1
Authority
WO
WIPO (PCT)
Prior art keywords
safety
control unit
safety control
input states
state
Prior art date
Application number
PCT/CN2018/106833
Inventor
Alexander Klein
Yijian Zhang
Jinpeng ZHU
Original Assignee
G-Technologies Co., Ltd.
Application filed by G-Technologies Co., Ltd.
Priority to CN201880003517.2A (patent CN109890738B)
Priority to EP18867311.5A (patent EP3672897A4)
Priority to PCT/CN2018/106833 (patent WO2020056701A1)
Publication of WO2020056701A1

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B66: HOISTING; LIFTING; HAULING
    • B66B: ELEVATORS; ESCALATORS OR MOVING WALKWAYS
    • B66B13/00: Doors, gates, or other apparatus controlling access to, or exit from, cages or lift well landings
    • B66B13/22: Operation of door or gate contacts
    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B66: HOISTING; LIFTING; HAULING
    • B66B: ELEVATORS; ESCALATORS OR MOVING WALKWAYS
    • B66B5/00: Applications of checking, fault-correcting, or safety devices in elevators
    • B66B5/0006: Monitoring devices or performance analysers
    • B66B5/0018: Devices monitoring the operating condition of the elevator system
    • B66B5/0031: Devices monitoring the operating condition of the elevator system for safety reasons

Definitions

  • the invention relates to a first safety control unit, a method to operate the first safety control unit, a second safety control unit, a method to operate the second control unit, and an elevator system.
  • a first safety control unit of a safety network of an elevator system comprises at least one processor, at least one memory including computer program code, at least one digital communication module, a plurality of safety inputs, and at least one safety output.
  • the at least one memory and computer program code are configured to, with the at least one processor, the at least one digital communication module, the plurality of safety inputs, and the at least one safety output, cause the first safety control unit at least to determine a first plurality of safety input states of the plurality of the safety inputs.
  • the first safety control unit is further configured to receive a second plurality of safety input states via the digital communication module from a second safety control unit of the safety network, and to determine the safety output state of the at least one safety output in dependence on the plurality of first safety input states and in dependence on the plurality of second safety input states.
  • the parallel supply of the safety input states of the physical safety contacts makes it possible to replace the hardwired safety circuit of the state of the art, which consumes a huge number of single strands.
  • the complex safety circuit wiring, which is traditionally a mixed network of serial and parallel connections, is simplified due to parallel wiring.
  • the parallel supply has the advantage of reducing the former wiring overhead. Costs are therefore reduced due to shorter strands and less wiring, and a simplification of the whole elevator safety circuit is achieved.
  • the shorter strands result from the provision of the safety control units and the necessary safety inputs at the local spot where the physical safety contacts / safety sensors are located.
  • the shorter strands allow the supply voltage level for the safety inputs to be reduced. Long safety circuit lengths are not a problem anymore because the cable lengths are heavily reduced. Consequently, the provided first safety control unit enables freeing space and simplification of the car top installation, the pit installation, the elevator controller system and the controller cabinet. Moreover, a voltage reduction for the supply of the safety contacts is feasible.
  • the number of inputs and connection points towards an elevator controller system can be heavily reduced, which saves hardware and system wiring time and makes it easier to conduct maintenance of the system, so costs can be significantly reduced.
  • the determination of the output safety state via a corresponding binary control function is adapted accordingly. For example, due to the possibility to include the safety input state of a physical bypass contact at a plurality of locations in the binary control function, the physical bypass contact / switch may have significantly fewer safety contacts, for example only one safety contact, which saves space and costs. The same applies to a physical recall switch or a physical inspection switch.
  • Another advantage is that complex and expensive safety modules for bypassing safety contacts can be omitted and represented by a corresponding part of the binary control function of the first safety control unit. Safety modules for underrated buffers, advanced door opening and releveling are also not necessary anymore. In particular, a safety module at the power module of the elevator motor for safety torque off-inverters is not necessary anymore.
  • the reception of the second plurality of states provides that the states of safety inputs of the second safety control unit are mirrored in the safety circuit network.
  • the provision of first and second plurality of safety states allows monitoring of all the safety states available at the site of the first safety control unit. In other words, simple and full monitoring of every connected physical safety contact at any given time (all switches are not serial but parallel) is available.
  • the safety control unit permits a reduced number of single strands between the safety control entities of the safety network. Especially in the case of the elevator car, a lower mass of a moving cable to the elevator car is advantageous.
  • the safety input states can be monitored. So, full safety circuit monitoring through bus or monitoring of several main standard safety circuit points through outputs are feasible. These outputs can be easily used for third party controller systems. Especially, the monitoring enables an easy testing of shorted/bypassed door safety contacts. Moreover, existing elevator facilities can be upgraded with the safety control unit to attain a higher operational safety level than before.
  • the first safety control unit comprises a supervision output, wherein the first safety control unit is configured to determine a supervision output state of the supervision output in dependence on at least a part of the plurality of first states and in dependence on at least a part of the plurality of second states.
  • the safety control unit provides the supervision output which can be freely configured to provide the desired information of the condition of the connected and received safety input states.
  • already existing elevator control systems can be operated via the determination of the state of the elevator supervision output, therefore enabling a re-factoring of existing elevator systems.
  • an indicator lamp is operated via the supervision output in order to assist the maintenance staff to quickly check the state of the elevator system or a part thereof.
  • the first safety control unit is further configured to determine the at least one safety output state in dependence of a signal edge of a set-type safety input state, wherein the set-type safety input state opens or closes a simulated latching switch, and determine the at least one safety output state in dependence on a signal edge of a reset-type safety input state, wherein the reset-type safety input state closes or opens the simulated latching switch.
  • the simulated latching switch and the safety inputs for setting and re-setting the simulated latching switch provide a simplification, for example by avoiding the use of additional reset-boxes.
  • self-latching contacts/switches for safety devices are not necessary anymore (e.g. safety gear or over speed governor). Also magnets for resetting latching safety circuit contacts are obsolete.
  • a state of the simulated latching switch is of a type remanent
  • the first safety control unit comprises a non-volatile memory
  • the first safety control unit is further configured to write the state of the simulated latching switch of type remanent to the non-volatile memory, and retrieve the state of the simulated latching switch of type remanent from the non-volatile memory after booting-up the first safety control unit.
  • the remanent states can be retrieved from the non-volatile memory after a power blackout. Therefore, the distribution of the remanent states remains at the source of determination, namely at the corresponding safety control unit.
  • an uninterrupted power supply is not necessary anymore for self-latching remanent contacts/switches, e.g. for pit inspection supervision, as these switches are replaced by the respective safety control unit.
  • the first safety control unit comprises a further digital communication module, and wherein the first safety control unit is further configured to provide the first and second plurality of input states read-only via the further digital communication module.
  • this further digital communication module provides a diagnosis interface.
  • the further digital communication module is a WLAN or Ethernet module
  • a laptop or handheld device may serve for online monitoring functionality of the safety circuit.
  • third-party services such as IoT (Internet of Things) services can monitor the functionality of the safety circuit.
  • the first safety control unit comprises a first and a second safety relay, wherein the at least one safety output is an output of a series connection of normally-open contacts of the safety relays.
  • the series connection of the normally open contacts provides a safety mechanism. If one of the two safety relays is not energized, the safety output state will be Zero and therefore the lifting machinery is stopped.
  • a first processing unit determines a first drive signal to open the normally-open contact of the first safety relay if the first processing unit detects a failure of at least one of the first and second safety relays via a feedback state
  • a second processing unit determines a second drive signal to open the normally-open contact of the second safety relay if the second processing unit detects a failure of at least one of the first and second safety relays via the feedback state.
  • the safety relays are monitored for proper operation.
  • the feedback state is an output of a series connection of a normally-closed contact of the first safety relay and a normally-closed contact of the second safety relay. Via this series connection of the normally-closed contacts of the safety relays a failure of one of the safety relays and the safety output state are determined in a safe manner.
  • a method to operate a first safety control unit of a safety network comprises: determining a first plurality of safety input states of a plurality of safety inputs, receiving a second plurality of safety input states via a digital communication module from a second safety control unit of the safety network, and determining a safety output state of at least one safety output in dependence on the plurality of first safety input states and in dependence on the plurality of second safety input states.
  • a second safety control unit of a safety circuit network of an elevator system comprises at least one processor, at least one memory including computer program code, at least one digital communication module, and a plurality of safety inputs.
  • the at least one memory and computer program code are configured to, with the at least one processor, the at least one digital communication module, and the plurality of safety inputs, cause the second safety control unit at least to: determine a plurality of safety input states of the plurality of the safety inputs, and transmit the plurality of safety input states via the digital communication module to a first safety control unit of the safety network.
  • the second safety control unit comprises a further digital communication module, and wherein the second safety control unit is further configured to provide the first and second plurality of input states read-only via the further digital communication module.
  • a method to operate a second safety control unit of a safety network comprises: determining a plurality of safety input states of the plurality of the safety inputs, and transmitting the plurality of safety input states via the digital communication module to a first safety control unit of the safety network.
  • an elevator system comprising: The first safety control unit according to one of the corresponding aspects above, a first plurality of safety contacts, each one being connected to one of the safety inputs of the first safety control unit, the second control unit according to one of the corresponding aspects above, wherein the first and second control unit take part in the safety network, a second plurality of safety contacts, each being connected to one of the safety inputs of the second safety control unit, and a lifting machinery, wherein the elevator system is configured to determine the safety output state, and stop the lifting machinery, if the safety output state indicates an open safety circuit.
  • Figure 1 depicts schematically an elevator system
  • Figure 2 depicts schematically a safety network
  • Figures 3 to 5 depict schematically a first safety unit
  • Figure 6 depicts schematically content of a display
  • Figures 7 and 8 depict a schematic flow diagram.
  • Figure 1 depicts schematically an elevator system 2.
  • a car 4 is arranged in an elevator shaft 6.
  • the car 4 is operated by a lifting machinery 8 to be moved upwards or downwards.
  • the lifting machinery 8 is arranged in the machine room 9 and comprises a machinery brake 10 and an electric motor 12.
  • the elevator system 2 is only shown by way of example and can be implemented another way.
  • the lifting machinery 8 comprises a hydraulic motor in another example.
  • a first safety control unit 20a is arranged in the machine room 9.
  • the first safety control unit 20a is adapted to control the lifting machinery 8 in order to stop the car 4 in case of an open safety circuit.
  • a second control unit 20b is arranged at the car top of the car 4.
  • a further second control unit 20c is arranged at a pit 14.
  • Most installations of an elevator system 2 will comprise these three safety control units 20a, 20b, and 20c.
  • the safety control units 20a, 20b and 20c are interconnected via a digital safety bus 22 like SafetyBUS p or a CAN-Bus (Controller Area Network) or another bus to interchange data in a safe manner and provide a safety network 24.
  • the digital safety bus 22 is hardwired or wireless and conforms to Safety Integrity Level 3 (SIL3) or to a higher Safety Integrity Level.
  • the elevator system 2 comprises operational controls 26a, 26b and 26c for moving the car 4 upward or downward, a so-called recall/inspection function, in dependence on the state of a control element 28a, 28b or 28c, which comprises for example two push buttons and which is connected to an elevator controller not shown in figure 1.
  • a switch 30a, 30b, 30c of the operational controls 26a, 26b, 26c is connected to the corresponding safety control unit 20a, 20b, 20c and activates the corresponding control element 28a, 28b or 28c. If two or more of the switches 30a, 30b and 30c indicate an activation of the corresponding control element 28a, 28b or 28c the first safety control unit 20a triggers the lifting machinery 8 to stop the car 4.
  • a safety output state of the first safety control unit 20a indicates an approval of operation (1) or a denial of operation (0), wherein 0 indicates an open safety circuit and 1 indicates a closed safety circuit.
  • the safety output state depends on a plurality of safety input states and table 1 is only exemplary.
  • One of the controls 28a-c being active (1) means that only one of the up/down push buttons is pressed.
  • state-of-the-art multi-contact rotary switches and the corresponding complex wiring are replaced by determining and/or receiving the safety input state of the switches 30a-30c and controls 28a-28c and determining the safety output state in dependence on the former safety input states.
  • Table 1 Exemplary binary control function
  • By means of the binary control function, the safety circuit can be adjusted for any controller system at any time if necessary; if new norms apply in the future, the system can also be easily and quickly adapted.
  • binary control function is only directed to the result of the function, namely the safety output state.
  • the binary control function as such may comprise more functions than provided by a binary conjunction as explained with respect to figure 6.
  • the car 4 comprises a position sensor 19 connected to the second safety control unit 20b.
  • the safety control unit 20a will not inhibit the lifting machinery 8 from moving the car 4.
  • the elevator control conducts a leveling of the car 4 at the door zone
  • the position sensor 19 will indicate that the car 4 is at the door zone and another safety contact indicates an open door.
  • the safety control unit 20a will not inhibit the lifting machinery 8 from moving the car 4. But if the position sensor 19 does not indicate that the car 4 is in the door zone and the corresponding safety contact indicates an open door, then the safety control unit 20a will inhibit the lifting machinery 8 from moving the car.
  • a final limit switch 29 indicates when the car 4 is in contact with the corresponding buffer.
  • the first safety control unit 20a will trigger the lifting machinery 8 to stop movement of the car 4.
  • the state of the final limit switch 29 can be overridden by the activation of a corresponding override switch 30a, 30b, 30c.
  • the final limit switch 29 therefore transmits its switch state to a safety input.
  • the safety state of the final limit switch 29 determined by the safety unit 20c is of a type override. Consequently, if the state of one of the switches 30a, 30b, or 30c is active (1), this state overrides the safety state of the final limit switch 29 when determining the safety output state. This enables the car 4 to be moved during maintenance.
  • the configuration of the elevator system 2 is only one exemplary configuration and the description is not limited to this example.
  • the safety control unit 20a and the lifting machinery 8 are arranged in the pit 14.
  • FIG. 2 depicts schematically the safety network 24 comprising the first safety control unit 20a and the second safety control units 20b, 20c.
  • the safety control unit 20a is described, wherein the description is also valid for the second safety control units 20b, 20c, and wherein the suffix a is interchanged with the suffix b or c.
  • the safety control unit 20a comprises a plurality of safety inputs 202a to 204a, a contact 206a, a processor 208a, a memory 210a, a safety output 212a, a contact 214a assigned to the safety output 212a, a supervision output 216a, a contact 218a assigned to the supervision output 216a, a digital communication module 220a, a further digital communication module 222a, and an even further digital communication module 224a.
  • the safety output 212a conforms at least to SIL3.
  • the supervision output 216a may conform to SIL0-SIL4, that means the supervision output 216a can be provided even unsafe.
  • Each one of the physical safety contacts s2a to s4a being installed in a same area is connected to the corresponding one of the plurality of safety inputs 202a to 204a.
  • this same area is the machine room 9.
  • the contact 206a allows a vendor-specific adaption of the voltage level applied to the safety inputs 202a to 204a, typically 0 V. Especially, an existing low-voltage safety circuit with old contacts can also be used and the system can be upgraded with the provided safety circuit. Moreover, the problem with safety circuits that have different voltages is eliminated. The same applies analogously to the contacts 218a, 214a. According to an example, a plurality of safety outputs is present. According to a further example, a plurality of supervision outputs is present.
  • the processor 208a comprises a plurality of processor cores Ca, Da in order to provide a redundant processing capacity to determine the at least one safety output 212a.
  • the memory 210a comprises a computer program code Ea configured to perform the methods of this description by being executed on the processor 208a.
  • the memory 210a comprises an electrically erasable and reprogrammable nonvolatile memory Na, which maintains its information state even after being powered off.
  • the memory 210a comprises a first binary control function Xa which is configured to determine the state of the safety output 212a together with the processor 208a and the computer program code Ea.
  • the memory 210a further comprises a second binary control function Za which is configured to determine the supervision output state of the supervision output 216a together with the processor 208a and the computer program code Ea.
  • the safety output 212a is determined in dependence on the first binary control function Xa.
  • the safety output 212a is connected to the lifting machinery 8. In the case that the state of the safety output 212a indicates a closed safety circuit the lifting machinery 8 is enabled to be controlled by the elevator controller 40. In the case that the state of the safety output 212a indicates an open safety circuit the lifting machinery 8 is operated to stop the movement of the car and the control of the lifting machinery 8 by the elevator controller 40 is disabled.
  • the supervision output 216a is determined in dependence on the second binary control function Za.
  • the supervision output 216a is connected to the elevator controller 40.
  • the supervision output 216a enables an easy way to retrofit legacy elevator systems without replacing the legacy elevator controller 40.
  • the elevator controller 40 is connected to a diagnosis bus 23.
  • the information the elevator controller 40 receives from the safety control unit 40 comprises for example: all doors closed, one door open, etc.
  • Each safety input state of the safety inputs 202a to 204a is a) fed to the first binary control function Xa and b) transmitted via the digital communication module 220a to the safety network 24.
  • Each one of the safety control units 20a to 20c takes the state of the connected physical safety contacts s2b, s4b, s2c, s4c and mirrors these states in the safety network 24, in particular the first safety control unit 20a receives these states of the other safety control units 20b, 20c via the digital communication module 220a.
  • the first safety control unit 20a determines the safety output state of the safety output 212a in dependence on safety input states of the safety inputs 202a, 204a of the first safety control unit 20a, in dependence on safety input states of the inputs 202b, 204b of the second safety control unit 20b, and in dependence on safety input states of the inputs 202c, 204c of the further second safety control unit 20c.
  • a plurality of safety control units are cascaded in order to guarantee an abundant number of inputs in the same area.
  • the safety control unit 20a does not apply the safety input states of the safety inputs 202a to 204a to the safety network 24 but only applies the safety input states to the first binary control function Xa.
  • the further digital communication module 222a is connected to the diagnosis bus 23.
  • a diagnosis device 25 like a personal computer/laptop is connected to the diagnosis bus 23.
  • the diagnosis device 25 provides diagnosis functions by receiving the safety input states mirrored on the diagnosis bus 23.
  • the diagnosis bus 23 can be provided unsafe, that means with SIL0.
  • the diagnosis bus 23 is made up of the diagnosis device 25 and the first safety control unit 20a.
  • the safety states of the control units 20a, 20b, and 20c are read-only via the diagnosis bus 23.
  • each of the binary control functions Xa, Za is transferable from an administration device 27 to the memory 210a.
  • the supervision output 216b of the second safety control unit 20b is connected to an indicator lamp 42 arranged at the car 4.
  • the memory 210b further comprises the binary control function Zb which is configured to determine the state of the supervision output 216b together with the processor 208b and the computer program code Eb.
  • the supervision output 216b therefore allows additional functions.
  • the configuration of the safety network 24 is only one exemplary configuration.
  • the safety control unit 20a comprises sub-units, a first sub-unit with the safety inputs 202a to 204a and the digital communication module 220a to transmit the safety input states of the safety inputs 202 to 204a to the digital safety bus 22.
  • a second sub-unit comprises a digital communication module to receive safety input states including the safety input states originating from the first sub-unit in order to determine the safety output state of the safety output 212a in dependence on the received safety input states.
  • FIG. 3 depicts schematically a part of the first safety control unit 20a according to an example.
  • the first safety control unit 20a comprises a first and a second positively-guided safety relay 300, 320 with a coil 302, 322 operating both a normally-closed contact 304, 324 and a normally-open contact 306, 326.
  • the contacts 306 and 326 are connected in series and are connected via the safety output 212a to the lifting machinery 8 in order to allow or to stop the operation of the lifting machinery 8.
  • the positively-guided relay 300, 320 operates both switches 304 and 306 / 324 and 326 via a mechanical operating structure being moved by the coil 302, 322.
  • the safety control unit 20a further comprises two processing units 310 and 330, wherein each of the processing units 310 and 330 operates according to the binary control function Xa as described with respect to figures 1 and 2.
  • the processing units 310 and 330 correspond to the processor cores Ca, Da of figure 2.
  • the first processing unit 310 determines a first drive signal 312 in dependence on a plurality of safety input states S202a to S204a received via the safety inputs 202a to 204a, in dependence on a plurality of safety input states S220a to S221a received via the digital communication module 220a, and in dependence on a feedback state S300 of the safety relays 300 and 320.
  • the second processing unit 330 determines a second drive signal 332 in dependence on the plurality of safety input states S202a to S204a received via the safety inputs 202a to 204a, in dependence on the plurality of safety input states S220a to S221a received via the digital communication module 220a, and in dependence on the feedback state S300 of the safety relays 300 and 320.
  • the first drive signal 312 drives the coil 302 of the first safety relay 300.
  • the second drive signal 332 drives the coil 322 of the second safety relay 320.
  • the processing units 310, 330 are able to detect a failure of at least one of the safety relays 300 and 320.
  • the processing unit 310, 330 determines the drive signal 312, 332 to open the contact 306, 326 if the processing unit 310, 330 detects a failure via the feedback state S300.
  • FIG. 4 depicts schematically a part of the first safety control unit 20a according to an example.
  • the first safety control unit 20 comprises an internal switch 400, for example an electronically operable switch.
  • the contacts 212a and 214a are connected to a coil 404 of an external safety relay 402.
  • the safety relay 402 comprises a plurality of simultaneously movable switches, at least one of these switches being connected to the lifting machinery 8. Another one of the switches is connected to further monitoring contacts 406a and 408a.
  • the safety control unit 20a verifies the state of the safety relay 402 by monitoring the state of the monitoring contacts 406a and 408a and is able to detect an operational fault of the safety relay 402 resulting in a determination of the open safety circuit.
  • Figure 5 depicts schematically a part of the first safety control unit 20a according to an example.
  • Coils 404 and 502 of safety relays 402 and 502 are operated by the safety control unit 20a via the contacts 212a and 214a.
  • the connection between the lifting machinery 8 and the safety relay is considered safe in the sense that this connection fulfils SIL3.
  • Figure 6 depicts schematically a content of a display 606 of the diagnosis device 25 of figure 2.
  • Figure 8 depicts schematically a flow diagram to operate one of the second control units.
  • In a step 802, a plurality of the safety input states of the plurality of the safety inputs is determined.
  • the plurality of safety input states is transmitted via the digital communication module to the first safety control unit of the safety network.

Abstract

A first safety control unit (20a) of a safety network of an elevator system, the first safety control unit (20a) is configured to determine a first plurality of safety input states of a plurality of the safety inputs (202a, 204a), receive a second plurality of safety input states via a digital communication module from a second safety control unit (20b; 20c) of the safety network, and determine a safety output state of at least one safety output (212a) in dependence on the first plurality of safety input states and in dependence on the second plurality of safety input states. The number of inputs and connection points towards an elevator controller system can be heavily reduced, which saves system wiring time and makes it easier to conduct maintenance of the system, so costs can be significantly reduced.

Description

FIRST SAFETY CONTROL UNIT, A METHOD TO OPERATE THE FIRST SAFETY CONTROL UNIT, A SECOND SAFETY CONTROL UNIT, A METHOD TO OPERATE THE SECOND CONTROL UNIT, AND AN ELEVATOR SYSTEM
Specification
Field of the invention
The invention relates to a first safety control unit, a method to operate the first safety control unit, a second safety control unit, a method to operate the second control unit, and an elevator system.
Background
State-of-the-art elevator systems are provided with a hard-wired safety circuit. These safety circuits tend to be complex due to the plurality of safety contacts and their distribution over the elevator system.
Summary
According to an aspect of this description a first safety control unit of a safety network of an elevator system is provided. The first safety control unit comprises at least one processor, at least one memory including computer program code, at least one digital communication module, a plurality of safety inputs, and at least one safety output. The at least one memory and computer program code are configured to, with the at least one processor, the at least one digital communication module, the plurality of safety inputs, and the at least one safety output, cause the first safety control unit at least to determine a first plurality of safety input states of the plurality of the safety inputs. The first safety control unit is further configured to receive a second plurality of safety input states via the digital communication module from a second safety control unit of the safety network, and to determine the safety output state of the at least one safety output in dependence on the plurality of first safety input states and in dependence on the plurality of second safety input states.
Advantageously, the parallel supply of the safety input states of the physical safety contacts makes it possible to replace the hardwired safety circuit of the state of the art, which consumes a huge number of single strands. The complex safety circuit wiring, which is traditionally a mixed network of serial and parallel connections, is simplified due to parallel wiring. The parallel supply has the advantage of reducing the former wiring overhead. Therefore, costs are reduced due to shorter strands and less wiring, and a simplification of the whole elevator safety circuit is achieved. The shorter strands result from the provision of the safety control units and the necessary safety inputs at the local spot where the physical safety contacts/safety sensors are located. The shorter strands allow the supply voltage level for the safety inputs to be reduced. Long safety circuit lengths are not a problem anymore because the cable lengths are heavily reduced. Consequently, the provided first safety control unit enables freeing space and simplification of the car top installation, the pit installation, the elevator controller system and the controller cabinet. Moreover, a voltage reduction for the supply of the safety contacts is feasible.
The number of inputs and connection points towards an elevator controller system can be heavily reduced, which saves hardware and system wiring time and makes it easier to conduct maintenance of the system, so costs can be significantly reduced. The determination of the output safety state via a corresponding binary control function is adapted accordingly. For example, due to the possibility to include the safety input state of a physical bypass contact at a plurality of locations in the binary control function, the physical bypass contact / switch may have significantly fewer safety contacts, for example only one safety contact, which saves space and costs. The same applies to a physical recall switch or a physical inspection switch.
Another advantage is that complex and expensive safety modules for bypassing safety contacts can be omitted and represented by a corresponding part of the binary control function of the first safety control unit. Safety modules for underrated buffers, advanced door opening and releveling are also no longer necessary. In particular, a safety module at the power module of the elevator motor for safety torque off-inverters is no longer necessary.
The reception of the second plurality of states provides that the states of safety inputs of the second safety control unit are mirrored in the safety circuit network. The provision of first and second plurality of safety states allows monitoring of all the safety states available at the site of the first safety control unit. In other words, simple and full monitoring of every connected physical safety contact at any given time (all switches are not serial but parallel) is available. Advantageously, the safety control unit permits a reduced number of single strands between the safety control entities of the safety network. Especially in the case of the elevator car, a lower mass of a moving cable to the elevator car is advantageous.
The safety input states can be monitored. So, full safety circuit monitoring through bus or monitoring of several main standard safety circuit points through outputs are feasible. These outputs can be easily used for third party controller systems. Especially, the monitoring enables an easy testing of shorted/bypassed door safety contacts. Moreover, existing elevator facilities can be upgraded with the safety control unit to attain a higher operational safety level than before.
In summary, the costs of construction, re-factoring and maintenance of an elevator system are reduced while maintaining a necessary safety level of the elevator system.
According to an advantageous example, the first safety control unit comprises a supervision output, wherein the first safety control unit is configured to determine a supervision output state of the supervision output in dependence on at least a part of the plurality of first states and in dependence on at least a part of the plurality of second states. Advantageously, the safety control unit provides the supervision output which can be freely configured to provide the desired information of the condition of the connected and received safety input states. For example, already existing elevator control systems can be operated via the determination of the state of the elevator supervision output, therefore enabling a re-factoring of existing elevator systems. In another example, an indicator lamp is operated via the supervision output in order to assist the maintenance staff to quickly check the state of the elevator system or a part thereof.
According to an advantageous example the first safety control unit is further configured to determine the at least one safety output state in dependence of a signal edge of a set-type safety input state, wherein the set-type safety input state opens or closes a simulated latching switch, and determine the at least one safety output state in dependence on a signal edge of a reset-type safety input state, wherein the reset-type safety input state closes or opens the simulated latching switch. Advantageously, the simulated latching switch and the safety inputs for setting and re-setting the simulated latching switch provide a simplification, for example by avoiding the use of additional reset-boxes. Especially, self-latching contacts/switches for safety devices are not necessary anymore (e.g. safety gear or over speed governor). Also magnets for resetting latching safety circuit contacts are obsolete.
According to an advantageous example, a state of the simulated latching switch is of a type remanent, and wherein the first safety control unit comprises a non-volatile memory, wherein the first safety control unit is further configured to write the state of the simulated latching switch of type remanent to the non-volatile memory, and retrieve the state of the simulated latching switch of type remanent from the non-volatile memory after booting-up the first safety control unit. Advantageously, the remanent states can be retrieved from the non-volatile memory after a power blackout. Therefore, the distribution of the remanent states remains at the source of determination, namely at the corresponding safety control unit. Moreover, an uninterrupted power supply is not necessary anymore for self-latching remanent contacts/switches, e.g. for pit inspection supervision, as these switches are replaced by the respective safety control unit.
According to an advantageous example, the first safety control unit comprises a further digital communication module, and wherein the first safety control unit is further configured to provide the first and second plurality of input states read-only via the further digital communication module. Advantageously, this further digital communication module provides a diagnosis interface. For example, if the further digital communication module is a WLAN or Ethernet module, a laptop or handheld device may serve for online monitoring functionality of the safety circuit. Moreover, third-party services like IoT services can monitor the functionality of the safety circuit (IoT: Internet of Things).
According to an advantageous example the first safety control unit comprises a first and a second safety relay, wherein the at least one safety output is an output of a series connection of normally-open contacts of the safety relays. The series connection of the normally open contacts provides a safety mechanism. If one of the two safety relays is not energized, the safety output state will be Zero and therefore the lifting machinery is stopped.
According to an advantageous example a first processing unit determines a first drive signal to open the normally-open contact of the first safety relay if the first processing unit detects a failure of at least one of the first and second safety relays via a feedback state, and wherein a second processing unit determines a second drive signal to open the normally-open contact of the second safety relay if the second processing unit detects a failure of at least one of the first and second safety relays via the feedback state. Advantageously the safety relays are monitored for proper operation.
According to an advantageous example the feedback state is an output of a series connection of a normally-closed contact of the first safety relay and a normally-closed contact of the second safety relay. Via this series connection of the normally-closed contacts of the safety relays a failure of one of the safety relays and the safety output state are determined in a safe manner.
According to a further aspect of the description a method to operate a first safety control unit of a safety network is provided. The method comprises: determining a first plurality of safety input states of a plurality of safety inputs, receiving a second plurality of safety input states via a digital communication module from a second safety control unit of the safety network, and determining a safety output state of at least one safety output in dependence on the plurality of first safety input states and in dependence on the plurality of second safety input states.
According to a further aspect of this description a second safety control unit of a safety circuit network of an elevator system is provided. The second safety control unit comprises at least one processor, at least one memory including computer program code, at least one digital communication module, and a plurality of safety inputs. The at least one memory and computer program code are configured to, with the at least one processor, the at least one digital communication module, and the plurality of safety inputs, cause the second safety control unit at least to: determine a plurality of safety input states of the plurality of the safety inputs, and transmit the plurality of safety input states via the digital communication module to a first safety control unit of the safety network.
According to an advantageous example the second safety control unit comprises a further digital communication module, and wherein the second safety control unit is further configured to provide the first and second plurality of input states read-only via the further digital communication module.
According to an advantageous example a method to operate a second safety control unit of a safety network is provided. The method comprises: determining a plurality of safety input states of the plurality of the safety inputs, and transmitting the plurality of safety input states via the digital communication module to a first safety control unit of the safety network.
According to another aspect of this description an elevator system is provided, the elevator system comprising: the first safety control unit according to one of the corresponding aspects above, a first plurality of safety contacts, each one being connected to one of the safety inputs of the first safety control unit, the second control unit according to one of the corresponding aspects above, wherein the first and second control unit take part in the safety network, a second plurality of safety contacts, each being connected to one of the safety inputs of the second safety control unit, and a lifting machinery, wherein the elevator system is configured to determine the safety output state, and stop the lifting machinery if the safety output state indicates an open safety circuit.
Brief description of the figures
Figure 1 depicts schematically an elevator system;
Figure 2 depicts schematically a safety network;
each of Figures 3 to 5 depicts schematically a first safety unit;
Figure 6 depicts schematically content of a display; and
each of Figures 7 and 8 depicts a schematic flow diagram.
Description of the embodiments
Figure 1 depicts schematically an elevator system 2. A car 4 is arranged in an elevator shaft 6. The car 4 is operated by a lifting machinery 8 to be moved upwards or downwards. The lifting machinery 8 is arranged in the machine room 9 and comprises a machinery brake 10 and an electric motor 12. Of course, the elevator system 2 is only shown by way of example and can be implemented another way. The lifting machinery 8 comprises a hydraulic motor in another example.
A first safety control unit 20a is arranged in the machine room 9. The first safety control unit 20a is adapted to control the lifting machinery 8 in order to stop the car 4 in case of an open safety circuit. A second control unit 20b is arranged at the car top of the car 4. A further second control unit 20c is arranged at a pit 14. Most installations of an elevator system 2 will comprise these three safety control units 20a, 20b, and 20c. The safety control units 20a, 20b and 20c are interconnected via a digital safety bus 22 like SafetyBUS p or a CAN-Bus (Controller Area Network) or another bus to interchange data in a safe manner and provide a safety network 24. The digital safety bus 22 is hardwired or wireless and conforms to Safety Integrity Level 3 (SIL3) or to a higher Safety Integrity Level.
For maintenance purposes the elevator system 2 comprises operational controls 26a, 26b and 26c for moving the car 4 upward or downward, a so-called recall/inspection function, in dependence on the state of a control element 28a, 28b or 28c which comprises for example two push buttons and which is connected to an elevator controller not shown in figure 1. A switch 30a, 30b, 30c of the operational controls 26a, 26b, 26c is connected to the corresponding safety control unit 20a, 20b, 20c and activates the corresponding control element 28a, 28b or 28c. If two or more of the switches 30a, 30b and 30c indicate an activation of the corresponding control element 28a, 28b or 28c the first safety control unit 20a triggers the lifting machinery 8 to stop the car 4. This example is depicted in a partly shown binary control function of figure 1, where a safety output state of the first safety control unit 20a indicates an approval of operation (1) or a denial of operation (0), wherein 0 indicates an open safety circuit and 1 indicates a closed safety circuit. Of course, the safety output state depends on a plurality of safety input states and table 1 is only exemplary. One of the controls 28a-c being active (1) means that only one of the up-down push buttons is pressed. Advantageously, state-of-the-art multi-contact rotary switches and the corresponding complex wiring are replaced by determining and/or receiving the safety input state of the switches 30a-30c and controls 28a-28c and determining the safety output state in dependence on the former safety input states.

| 28a active | 28b active | 28c active | 30a | 30b | 30c | Safety output state |
|---|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 | 0 | 1 |
| 0 | 0 | 0 | 0 | 0 | 1 | 0 |
| 0 | 0 | 1 | 0 | 0 | 1 | 1 |
| 0 | 0 | 0 | 0 | 1 | 0 | 0 |
| 0 | 1 | 0 | 0 | 1 | 0 | 1 |
| 0 | 0 | 0 | 1 | 0 | 0 | 0 |
| 1 | 0 | 0 | 1 | 0 | 0 | 1 |
| - | - | - | 0 | 1 | 1 | 0 |
| - | - | - | 1 | 1 | 0 | 0 |
| - | - | - | 1 | 0 | 1 | 0 |
| - | - | - | 1 | 1 | 1 | 0 |

Table 1: Exemplary binary control function

By means of the binary control function the safety circuit can be adjusted for any controller system at any time if necessary; if new norms apply in the future, the system can also be adapted easily and quickly. The term "binary" in binary control function is only directed to the result of the function, namely the safety output state. The binary control function as such may comprise more functions than provided by a binary conjunction as explained with respect to figure 6.
Along the elevator shaft 6 a plurality of position markers like the position marker 18 are arranged. For example to indicate a position of the car 4 inside a door zone, the car 4 comprises a position sensor 19 connected to the second safety control unit 20b. For example, if the position sensor 19 indicates that the car 4 is at the door zone and another switch/sensor indicates that the doors of the car 4 are in an advanced door opening position then the safety control unit 20a will not inhibit the lifting machinery 8 from moving the car 4. In another example, the elevator control conducts a leveling of the car 4 at the door zone, the position sensor 19 will indicate that the car 4 is at the door zone and another safety contact indicates an open door. Also, in this case, the safety control unit 20a will not inhibit the lifting machinery 8 from moving the car 4. But if the position sensor 19 does not indicate that the car 4 is in the door zone and the corresponding safety contact indicates an open door, then the safety control unit 20a will inhibit the lifting machinery 8 from moving the car.
A final limit switch 29 indicates when the car 4 is in contact with the corresponding buffer. In this case, the first safety control unit 20a will trigger the lifting machinery 8 to stop movement of the car 4. For maintenance purposes the state of the final limit switch 29 can be overridden by the activation of a corresponding override switch 30a, 30b, 30c. The final limit switch 29 therefore transmits its switch state to a safety input. The safety state of the final limit switch 29 determined by the safety unit 20c is of a type override. Consequently, if the state of one of the switches 30a, 30b, or 30c is active (1), this state overrides the safety state of the final limit switch 29 when determining the safety output state. This makes it possible to move the car 4 during maintenance.
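The recall/inspection rule of Table 1 and the override of the final limit switch 29 can be written as one binary control function over the local and the mirrored input states. The following C sketch is an added example and not code from the patent; the struct layout, the function names, the way the two rules are combined with a logical AND, and the handling of input combinations that Table 1 does not list are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* One entry per safety control unit: 20a (machine room), 20b (car top), 20c (pit). */
enum { UNIT_A, UNIT_B, UNIT_C, UNIT_COUNT };

/* Safety input states used by the recall/inspection function (constructed layout). */
typedef struct {
    bool sw30;   /* switch 30x: operational control 26x is selected */
    bool ctl28;  /* control 28x active: exactly one up/down push button pressed */
} unit_state_t;

/* Table 1: true approves operation (closed circuit), false denies it (open circuit).
 * Combinations not listed in Table 1 are decided by the same rule (assumption). */
bool recall_permits(const unit_state_t u[UNIT_COUNT])
{
    int selected = 0, which = -1;
    for (int i = 0; i < UNIT_COUNT; i++) {
        if (u[i].sw30) { selected++; which = i; }
    }
    if (selected == 0) return true;   /* no maintenance control selected */
    if (selected >= 2) return false;  /* two or more switches active: stop the car */
    return u[which].ctl28;            /* only the selected station may move the car */
}

/* Final limit switch 29 is of type override: an active switch 30x overrides it. */
bool limit_permits(const unit_state_t u[UNIT_COUNT], bool limit29_hit)
{
    bool any_sw30 = u[UNIT_A].sw30 || u[UNIT_B].sw30 || u[UNIT_C].sw30;
    return !limit29_hit || any_sw30;
}

/* Unit 20a: local states plus the states mirrored by 20b and 20c over the safety bus. */
bool safety_output_state(unit_state_t local_a, unit_state_t rx_b,
                         unit_state_t rx_c, bool rx_limit29_hit)
{
    unit_state_t u[UNIT_COUNT];
    u[UNIT_A] = local_a;
    u[UNIT_B] = rx_b;
    u[UNIT_C] = rx_c;
    return recall_permits(u) && limit_permits(u, rx_limit29_hit);
}

/* Helper that takes the columns of Table 1 in order, plus the limit switch state. */
bool eval_inputs(int a28, int b28, int c28, int a30, int b30, int c30, int limit29)
{
    unit_state_t a = { a30 != 0, a28 != 0 };
    unit_state_t b = { b30 != 0, b28 != 0 };
    unit_state_t c = { c30 != 0, c28 != 0 };
    return safety_output_state(a, b, c, limit29 != 0);
}

int main(void)
{
    /* Constructed sample inputs: three rows of Table 1 and two limit switch cases. */
    printf("normal operation:            %d\n", eval_inputs(0, 0, 0, 0, 0, 0, 0));
    printf("30c selected, 28c active:    %d\n", eval_inputs(0, 0, 1, 0, 0, 1, 0));
    printf("30b and 30c selected:        %d\n", eval_inputs(0, 1, 1, 0, 1, 1, 0));
    printf("limit 29 hit, no override:   %d\n", eval_inputs(0, 0, 0, 0, 0, 0, 1));
    printf("limit 29 hit, 30c and 28c:   %d\n", eval_inputs(0, 0, 1, 0, 0, 1, 1));
    return 0;
}
```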
The configuration of the elevator system 2 is only one exemplary configuration and the description is not limited to this example. For example, in the case of a hydraulic elevator system the safety control unit 20a and the lifting machinery 8 are arranged in the pit 14.
Figure 2 depicts schematically the safety network 24 comprising the first safety control unit 20a and the second safety control units 20b, 20c. In the following, the safety control unit 20a is described, wherein the description is also valid for the second safety control units 20b, 20c, and wherein the suffix a is interchanged with the suffix b or c.
The safety control unit 20a comprises a plurality of safety inputs 202a to 204a, a contact 206a, a processor 208a, a memory 210a, a safety output 212a, a contact 214a assigned to the safety output 212a, a supervision output 216a, a contact 218a assigned to the supervision output 216a, a digital communication module 220a, a further digital communication module 222a, and an even further digital communication module 224a. The safety output 212a conforms at least to SIL3. The supervision output 216a may conform to SIL0-SIL4, which means that the supervision output 216a can even be provided as a non-safe output.
Each one of the physical safety contacts s2a to s4a being installed in a same area is connected to the corresponding one of the plurality of safety inputs 202a to 204a. In the case of the first safety control unit 20a this same area is the machine room 9. Of course, there can be a physical connection of more than one safety contact being applied to one of the safety inputs 202a to 204a.
The contact 206a allows a vendor-specific adaption of the voltage level applied to the safety inputs 202a to 204a, typically 0 V. Especially, an existing low-voltage safety circuit with old contacts can also be used and the system can be upgraded with the provided safety circuit. Moreover, the problem with safety circuits that have different voltages is eliminated. The same applies analogously to the contacts 218a, 214a. According to an example, a plurality of safety outputs is present. According to a further example, a plurality of supervision outputs is present.
The processor 208a comprises a plurality of processor cores Ca, Da in order to provide a redundant processing capacity to determine the at least one safety output 212a. The memory 210a comprises a computer program code Ea configured to perform the methods of this description by being executed on the processor 208a. The memory 210a comprises an electrically erasable and reprogrammable nonvolatile memory Na, which maintains its information state even after being powered off. The memory 210a comprises a first binary control function Xa which is configured to determine the state of the safety output 212a together with the processor 208a and the computer program code Ea. The memory 210a further comprises a second binary control function Za which is configured to determine the supervision output state of the supervision output 216a together with the processor 208a and the computer program code Ea.
The safety output 212a is determined in dependence on the first binary control function Xa. The safety output 212a is connected to the lifting machinery 8. In the case that the state of the safety output 212a indicates a closed safety circuit the lifting machinery 8 is enabled to be controlled by the elevator controller 40. In the case that the state of the safety output 212a indicates an open safety circuit the lifting machinery 8 is operated to stop the movement of the car and the control of the lifting machinery 8 by the elevator controller 40 is disabled.
The supervision output 216a is determined in dependence on the second binary control function Za. The supervision output 216a is connected to the elevator controller 40. The supervision output 216a enables an easy way to retrofit legacy elevator systems without replacing the legacy elevator controller 40. Alternatively, or additionally, the elevator controller 40 is connected to a diagnosis bus 23. The information the elevator controller 40 receives from the safety control unit 40 comprises for example: all doors closed, one door open, etc.
Each safety input state of the safety inputs 202a to 204a is a) fed to the first binary control function Xa and b) transmitted via the digital communication module 220a to the safety network 24. Each one of the safety control units 20a to 20c takes the state of the connected physical safety contacts s2b, s4b, s2c, s4c and mirrors these states in the safety network 24, in particular the first safety control unit 20a receives these states of the other safety control units 20b, 20c via the digital communication module 220a. Consequently, the first safety control unit 20a determines the safety output state of the safety output 212a in dependence on safety input states of the safety inputs 202a, 204a of the first safety control unit 20a, in dependence on safety input states of the inputs 202b, 204b of the second safety control unit 20b, and in dependence on safety input states of the inputs 202c, 204c of the further second safety control unit 20c. According to an example, a plurality of safety control units are cascaded in order to guarantee an abundant number of inputs in the same area.
In one example the safety control unit 20a does not apply the safety input states of the safety inputs 202a to 204a to the safety network 24 but only applies the safety input states to the first binary control function Xa.
The further digital communication module 222a is connected to the diagnosis bus 23. A diagnosis device 25 like a personal computer/laptop is connected to the diagnosis bus 23. The diagnosis device 25 provides diagnosis functions by receiving the safety input states mirrored on the diagnosis bus 23. The diagnosis bus 23 can be provided as a non-safe bus, that is, with SIL0. According to an example, the diagnosis bus 23 is made up of the diagnosis device 25 and the first safety control unit 20a. The safety states of the control units 20a, 20b, and 20c are read-only via the diagnosis bus 23.
By means of the digital safety bus 22 each of the binary control functions Xa, Za is transferable from an administration device 27 to the memory 210a.
The supervision output 216b of the second safety control unit 20b is connected to an indicator lamp 42 arranged at the car 4. The memory 210b further comprises the binary control function Zb which is configured to determine the state of the supervision output 216b together with the processor 208b and the computer program code Eb. The supervision output 216b therefore allows additional functions.
The configuration of the safety network 24 is only one exemplary configuration. In a further example the safety control unit 20a comprises sub-units, a first sub-unit with the safety inputs 202a to 204a and the digital communication module 220a to transmit the safety input states of the safety inputs 202 to 204a to the digital safety bus 22. A second sub-unit comprises a digital communication module to receive safety input states including the safety input states originating from the first sub-unit in order to determine the safety output state of the safety output 212a in dependence on the received safety input states.
Figure 3 depicts schematically a part of the first safety control unit 20a according to an example. The first safety control unit 20a comprises a first and a second positively-guided safety relay 300, 320 with a coil 302, 322 operating both a normally-closed contact 304, 324 and a normally-open contact 306, 326. The contacts 306 and 326 are connected in series and are connected via the safety output 212a to the lifting machinery 8 in order to allow or to stop the operation of the lifting machinery 8. The positively-guided relay 300, 320 operates both switches 304 and 306 / 324 and 326 via a mechanical operating structure being moved by the coil 302, 322.
The safety control unit 20a further comprises two processing units 310 and 330, wherein each of the processing units 310 and 330 operates according to the binary control function Xa as described with respect to figures 1 and 2. In one example, the processing units 310 and 330 correspond to the processor cores Ca, Da of figure 2.
The first processing unit 310 determines a first drive signal 312 in dependence on a plurality of safety input states S202a to S204a received via the safety inputs 202a to 204a, in dependence on a plurality of safety input states S220a to S221a received via the digital communication module 220a, and in dependence on a feedback state S300 of the safety relays 300 and 320. The second processing unit 330 determines a second drive signal 332 in dependence on the plurality of safety input states S202a to S204a received via the safety inputs 202a to 204a, in dependence on the plurality of safety input states S220a to S221a received via the digital communication module 220a, and in dependence on the feedback state S300 of the safety relays 300 and 320. The first drive signal 312 drives the coil 302 of the first safety relay 300. The second drive signal 332 drives the coil 322 of the second safety relay 320.
By monitoring the feedback state S300, the processing units 310, 330 are able to detect a failure of at least one of the safety relays 300 and 320. The processing unit 310, 330 determines the drive signal 312, 332 to open the contact 306, 326 if the processing unit 310, 330 detects a failure via the feedback state S300.
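The two-channel output stage of figure 3 can be simulated to show what the feedback state S300 adds to the series connection of the contacts 306 and 326. The following C sketch is an added example and not code from the patent; the welded-contact fault model, the synchronous scan of both processing units, the latched fault flag and all identifiers are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Positively-guided relay: the NO and NC contacts can never be closed together. */
typedef struct {
    bool coil;       /* energized by the drive signal 312 or 332 */
    bool no_welded;  /* injected fault: the normally-open contact is stuck closed */
} relay_t;

static bool no_closed(const relay_t *r) { return r->coil || r->no_welded; }
static bool nc_closed(const relay_t *r) { return !no_closed(r); }

typedef struct { bool drive; bool fault; } unit_t;  /* processing unit 310 or 330 */

typedef struct {
    relay_t k300, k320;
    unit_t p310, p330;
    bool monitor;    /* false disables the feedback check, for comparison only */
} output_stage_t;

/* Feedback state S300: series connection of the NC contacts 304 and 324. */
bool feedback_s300(const output_stage_t *s)
{
    return nc_closed(&s->k300) && nc_closed(&s->k320);
}

/* Safety output 212a: series connection of the NO contacts 306 and 326. */
bool output_212a(const output_stage_t *s)
{
    return no_closed(&s->k300) && no_closed(&s->k320);
}

static void unit_scan(unit_t *p, bool xa_closed, bool s300, bool monitor)
{
    if (monitor) {
        /* Both drives are off, so the feedback loop must be closed. An open
         * loop means that a relay has not released, e.g. a welded NO contact. */
        if (!p->drive && !s300) p->fault = true;
        /* Both drives are on, so the loop must be open. A closed loop means
         * that neither relay picked up (not reachable with the weld fault). */
        if (p->drive && s300) p->fault = true;
    }
    p->drive = xa_closed && !p->fault;  /* a detected fault keeps the contact open */
}

/* One synchronous scan: sample S300, evaluate both units, then update the coils. */
void stage_cycle(output_stage_t *s, bool xa_closed)
{
    bool s300 = feedback_s300(s);
    unit_scan(&s->p310, xa_closed, s300, s->monitor);
    unit_scan(&s->p330, xa_closed, s300, s->monitor);
    s->k300.coil = s->p310.drive;
    s->k320.coil = s->p330.drive;
}

/* Contact 306 welds while running. Bit 0: output after the stop request,
 * bit 1: output after the binary control function Xa approves operation again. */
int scenario_weld(bool monitor)
{
    output_stage_t s;
    memset(&s, 0, sizeof s);
    s.monitor = monitor;
    stage_cycle(&s, true);            /* both relays energized, car may run */
    s.k300.no_welded = true;          /* constructed fault */
    stage_cycle(&s, false);           /* Xa demands a stop */
    int after_stop = output_212a(&s) ? 1 : 0;
    stage_cycle(&s, true);            /* Xa approves operation again */
    int after_restart = output_212a(&s) ? 1 : 0;
    return after_stop | (after_restart << 1);
}

/* Healthy relays: run, stop, run again. Returns the output after the restart. */
bool scenario_healthy_restart(void)
{
    output_stage_t s;
    memset(&s, 0, sizeof s);
    s.monitor = true;
    stage_cycle(&s, true);
    stage_cycle(&s, false);
    stage_cycle(&s, true);
    return output_212a(&s);
}

int main(void)
{
    printf("weld, with feedback check:    %d\n", scenario_weld(true));
    printf("weld, without feedback check: %d\n", scenario_weld(false));
    printf("healthy restart:              %d\n", scenario_healthy_restart());
    return 0;
}
```

In both weld runs the series connection still opens the output on the stop request; only the feedback check keeps the stage from restarting on the single remaining healthy relay.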
Figure 4 depicts schematically a part of the first safety control unit 20a according to an example. The first safety control unit 20 comprises an internal switch 400, for example an electronically operable switch. The contacts 212a and 214a are connected to a coil 404 of an external safety relay 402. The safety relay 402 comprises a plurality of simultaneously movable switches, at least one of these switches being connected to the lifting machinery 8. Another one of the switches is connected to further monitoring contacts 406a and 408a. The safety control unit 20a verifies the state of the safety relay 402 by monitoring the state of the monitoring contacts 406a and 408a and is able to detect an operational fault of the safety relay 402 resulting in a determination of the open safety circuit.
Figure 5 depicts schematically a part of the first safety control unit 20a according to an example. Coils 404 and 502 of safety relays 402 and 502 are operated by the safety control unit 20a via the contacts 212a and 214a. In this case the connection between the lifting machinery 8 and the safety relay is considered safe in the sense that this connection fulfils SIL3.
Figure 6 depicts schematically a content of a display 606 of the diagnosis device 25 of figure 2. The display 606 displays a simulated connection diagram 608, which represents at least a part of the binary control function Xa. The simulated connection diagram 608 comprises a plurality of safety input states S1 to S8 of the plurality of the physical safety inputs, each being connected to a safety contact, which is arranged in the elevator system. Each one of the safety input states S1 to S8 is connected to at least one corresponding block, each block representing a switch B1 to B8 in the shown simulated connection diagram.
For example, the representation of the latching normally-open switch B1 is of type remanent, which implies that the state of the simulated latching switch is written to the non-volatile memory Na and is retrieved from the non-volatile memory Na after a boot procedure of the safety control unit. Therefore, each one of the switches B1, B2 represents a simulated latching switch. The latching normally-open switch is set to closed when detecting a rising edge in the safety input state S1. The latching normally-open switch is set to open when detecting a rising edge in the safety input state S2.
The latching normally-closed switch B2 is of type non-remanent, wherein the state of the switch B2 is reset to closed after a boot procedure of the safety control unit. The safety input state S2 resets switch B2. For the latching switches the reset input is dominant, wherein the reset input is preferred over the set input if both are present at the same time.
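The latching behaviour described for B1 and B2 (rising-edge set and reset, dominant reset, remanent versus non-remanent state across a boot), as an added C example that is not taken from the patent. The names `latch_t`, `latch_boot` and `latch_step`, the single `bool` standing in for a cell of memory Na, the seeding of the edge detectors at boot, and the rule that a set edge drives a normally-closed latch open are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    bool rest_closed;          /* true: normally-closed, false: normally-open */
    bool remanent;             /* true: state survives a reboot via *nv */
    bool *nv;                  /* stand-in for one cell of non-volatile memory Na */
    bool closed;               /* current simulated contact state */
    bool prev_set, prev_reset; /* previous samples, used for edge detection */
} latch_t;

/* Boot: a remanent latch restores its state from nv, any other latch falls
 * back to its rest state. Seeding the edge detectors with the current input
 * levels is an assumption of this example, so that a level that is already
 * high at boot is not mistaken for a rising edge. */
void latch_boot(latch_t *l, bool set_in, bool reset_in)
{
    l->closed = l->remanent ? *l->nv : l->rest_closed;
    l->prev_set = set_in;
    l->prev_reset = reset_in;
}

/* One scan cycle; returns the contact state (true = closed). */
bool latch_step(latch_t *l, bool set_in, bool reset_in)
{
    bool set_edge = set_in && !l->prev_set;
    bool reset_edge = reset_in && !l->prev_reset;
    l->prev_set = set_in;
    l->prev_reset = reset_in;

    if (reset_edge)                    /* reset is dominant: evaluated first */
        l->closed = l->rest_closed;
    else if (set_edge)
        l->closed = !l->rest_closed;

    if (l->remanent)
        *l->nv = l->closed;            /* persist the remanent state */
    return l->closed;
}

int main(void)
{
    bool na = false;                   /* constructed NV cell, initially "open" */
    latch_t b1 = { .rest_closed = false, .remanent = true, .nv = &na };

    latch_boot(&b1, false, false);
    printf("S1 rising edge       -> closed=%d\n", latch_step(&b1, true, false));
    printf("S1 held high         -> closed=%d\n", latch_step(&b1, true, false));
    latch_step(&b1, false, false);
    printf("S1 and S2 rise together -> closed=%d\n", latch_step(&b1, true, true));
    return 0;
}
```
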
The normally-open switch B3 comprises a negating input, wherein the switch B3 is closed when the safety input state S4 is logically FALSE. The safety input state S4 is also used to drive switch B8, therefore reusing the safety input state S4 at another position in the binary control function Xa.
A plurality of safety outputs 212a, 212xa are provided, wherein the safety outputs 212a, 212xa are determined in dependence on the safety input states S1 to S8 and the binary control function Xa.
Figure 7 depicts schematically a flow diagram to operate the first safety control unit. According to a step 702 a first plurality of the safety input states of the plurality of the safety inputs is determined. According to a step 704 a second plurality of the safety input states is received via the digital communication module from the second safety control unit of the safety network. According to a step 706 the safety output state of the at least one safety output is determined depending on the plurality of the first safety input states and in dependence on the plurality of the second safety input states.
Figure 8 depicts schematically a flow diagram to operate one of the second control units. According to a step 802 a plurality of the safety input states of the plurality of the safety inputs is determined. According to a step 804 the plurality of safety input states is transmitted via the digital communication module to the first safety control unit of the safety network.

Claims (15)

  1. A first safety control unit (20a) of a safety network of an elevator system, the first safety control unit (20a) comprising at least one processor, at least one memory including computer program code, a plurality of safety inputs (202a, 204a), at least one safety output (212a), and at least one digital communication module, the at least one memory and computer program code configured to with the at least one processor, the plurality of safety inputs (202a, 204a), the at least one safety output (212a), and the at least one digital communication module cause the first safety control unit (20a) at least to
    determine a first plurality of safety input states of the plurality of the safety inputs (202a, 204a),
    receive a second plurality of safety input states via the digital communication module from a second safety control unit (20b; 20c) of the safety network, and
    determine a safety output state of the at least one safety output (212a) in dependence on the plurality of first safety input states and in dependence on the plurality of second safety input states.
  2. The first safety control unit (20a) according to claim 1, wherein the first safety control unit (20a) comprises a supervision output, and wherein the first safety control unit (20a) is configured to
    determine a supervision output state of the supervision output in dependence on at least a part of the plurality of first safety input states and/or in dependence on at least a part of the plurality of second safety input states.
  3. The first safety control unit (20a) according to one of the preceding claims, wherein the first safety control unit (20a) is further configured to
    determine the at least one safety output state (212a) in dependence of a signal edge represented by a set-type safety input state (S1), wherein the set-type safety input state opens or closes a simulated latching switch, and
    determine the at least one safety output state (212a) in dependence on a signal edge represented by a reset-type safety input state (S2), wherein the reset-type safety input state closes or opens the simulated latching switch.
  4. The first safety control unit (20a) according to claim 3, wherein a safety input state of the simulated latching switch is of a type remanent, and wherein the first safety control unit (20a) comprises a non-volatile memory, wherein the first safety control unit (20a) is further configured to
    write the safety input state of the simulated latching switch of type remanent to the non-volatile memory, and
    retrieve the safety input state of the simulated latching switch of type remanent from the non-volatile memory after booting-up the first safety control unit (20a).
  5. The first safety control unit (20a) according to one of the preceding claims, wherein the first safety control unit (20a) comprises a further digital communication module, and wherein the first safety control unit (20a) is further configured to
    provide the first and second plurality of input states read-only via the further digital communication module.
  6. The first safety control unit (20a) according to one of the preceding claims, wherein the first safety control unit (20a) comprises a first and a second safety relay (300, 320), and wherein the at least one safety output (212a) is an output of a series connection of normally-open contacts (306, 326) of the safety relays (300, 302).
  7. The first safety control unit (20a) according to claim 6, wherein a first processing unit (310) determines a first drive signal (312) to open the normally-open contact (306) of the first safety relay (300) if the first processing unit (310) detects a failure of at least one of the first and second safety relays (300, 320) via a feedback state (S300), and wherein a second processing unit (320) determines a second drive signal (322) to open the normally-open contact (326) of the second safety relay (300) if the second processing unit (310) detects a failure of at least one of the first and second safety relays (300, 320) via the feedback state (S300).
  8. The first safety control unit (20a) according to claim 7, wherein the feedback state (S300) is an output of a series connection of a normally-closed contact (304) of the first safety relay (300) and a normally-closed contact (324) of the second safety relay (320).
  9. A method to operate a first safety control unit (20a) of a safety network, wherein the method comprises
    determining a first plurality of safety input states of a plurality of safety inputs (202a, 204a),
    receiving a second plurality of safety input states via a digital communication module from a second safety control unit (20b; 20c) of the safety network, and
    determining a safety output state of at least one safety output (212a) in dependence on the plurality of first safety input states and in dependence on the plurality of second safety input states.
  10. A second safety control unit (20b; 20c) of a safety circuit network of an elevator system, the second safety control unit (20b; 20c) comprising at least one processor, at least one memory including computer program code, at least one digital communication module, and a plurality of safety inputs (202b, 204b; 202c, 204c), the at least one memory and computer program code configured to with the at least one processor, the at least one digital communication module, and the plurality of safety inputs cause the second safety control unit (20b; 20c) at least to
    determine a plurality of safety input states of the plurality of the safety inputs (202b, 204b; 202c, 204c), and
    transmit the plurality of safety input states via the digital communication module to a first safety control unit (20a) of the safety network.
  11. The second safety control unit (20b) according to claim 10, wherein the second safety control unit (20b) is further configured to
    determine one of the plurality of safety input states in dependence of a signal edge represented by a set-type safety input state (S1), wherein the set-type safety input state (S1) opens or closes a simulated latching switch, and
    determine the one of the plurality of safety input states in dependence on a signal edge represented by a reset-type safety input state (S2), wherein the reset-type safety input state closes or opens the simulated latching switch, and
    transmit the one of the plurality of safety input states via the digital communication module to the first control unit (20a) of the safety network.
  12. The second safety control unit (20b) according to claim 11, wherein the one of the plurality of safety input states of the simulated latching switch is of a type remanent, and wherein the second safety control unit (20a) comprises a non-volatile memory, wherein the second safety control unit (20b) is further configured to
    write the one of the plurality of safety input states of type remanent to the non-volatile memory, and
    retrieve the one of the plurality of safety input states of the simulated latching switch of type remanent from the non-volatile memory after booting-up the second safety control unit (20b).
  13. The second safety control unit (20b; 20c) according to one of the claims 10 to 12, wherein the second safety control unit (20b; 20c) comprises a further digital communication module, and wherein the second safety control unit (20b; 20c) is further configured to
    provide the first and second plurality of input states read-only via the further digital communication module.
  14. A method to operate a second safety control unit (20b; 20c) of a safety network, the method comprising:
    determining a plurality of safety input states of a plurality of safety inputs (202b, 204b; 202c, 204c), and
    transmitting the plurality of safety input states via a digital communication module to a first safety control unit (20a) of the safety network.
  15. An elevator system comprising:
    the first safety control unit (20a) according to one of the claims 1 to 8,
    a first plurality of safety contacts, each one being connected to one of the safety inputs (202a, 204a) of the first safety control unit (20a),
    the second control unit according to one of the claims 10 to 13, wherein the first and second control unit (20a, 20b, 20c) take part in the safety network,
    a second plurality of safety contacts, each one being connected to one of the safety inputs (202b, 204b; 202c, 204c) of the second safety control unit (20b; 20c), and
    a lifting machinery (8), wherein the elevator system is configured to
    determine the safety output state, and
    stop the lifting machinery, if the safety output state indicates an open safety circuit.
PCT/CN2018/106833 2018-09-21 2018-09-21 First safety control unit, a method to operate the first safety control unit, a second safety control unit, a method to operate the second control unit, and an elevator system WO2020056701A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201880003517.2A CN109890738B (en) 2018-09-21 2018-09-21 First safety control unit of safety network of elevator system and elevator system
EP18867311.5A EP3672897A4 (en) 2018-09-21 2018-09-21 First safety control unit, a method to operate the first safety control unit, a second safety control unit, a method to operate the second control unit, and an elevator system
PCT/CN2018/106833 WO2020056701A1 (en) 2018-09-21 2018-09-21 First safety control unit, a method to operate the first safety control unit, a second safety control unit, a method to operate the second control unit, and an elevator system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/106833 WO2020056701A1 (en) 2018-09-21 2018-09-21 First safety control unit, a method to operate the first safety control unit, a second safety control unit, a method to operate the second control unit, and an elevator system

Publications (1)

Publication Number Publication Date
WO2020056701A1 true WO2020056701A1 (en) 2020-03-26

Family

ID=66926781

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/106833 WO2020056701A1 (en) 2018-09-21 2018-09-21 First safety control unit, a method to operate the first safety control unit, a second safety control unit, a method to operate the second control unit, and an elevator system

Country Status (3)

Country Link
EP (1) EP3672897A4 (en)
CN (1) CN109890738B (en)
WO (1) WO2020056701A1 (en)

Also Published As

Publication number Publication date
EP3672897A1 (en) 2020-07-01
CN109890738A (en) 2019-06-14
EP3672897A4 (en) 2021-03-24
CN109890738B (en) 2021-07-02

Legal Events

Date Code Title Description
ENP Entry into the national phase

Ref document number: 2018867311

Country of ref document: EP

Effective date: 20190422

NENP Non-entry into the national phase

Ref country code: DE