The present invention relates to an elevator safety control device for controlling operation of an elevator from the safety viewpoint on the basis of a sensor signal from a sensor.
In a conventional elevator safety control device, in the case of providing a plurality of safety control functions, substrates or devices of the same number as that of the safety control functions have to be prepared (refer to, for example, Patent Literature 1). In one substrate or one device, a logic unit including a processor (CPU) and a memory is formed.
In a technique according to Patent Literature 1, a monitor substrate (monitor) for monitoring the position and speed of a car and a brake control substrate (brake controller) for controlling a brake device when second control operation is performed are provided. That is, in the technique according to Patent Literature 1, two safety control functions are provided, and substrates (devices) in which the logic units are formed, of the same number as that of the safety control functions are disposed.
Patent Literature 1: WO 2007-057973
As described above, in the elevator safety control device according to Patent Literature 1, a plurality of substrates or devices of the same number as that of safety control functions have to be prepared. Therefore, when a plurality of safety control functions are realized in the elevator safety control device according to Patent Literature 1, the cost of the elevator safety control device becomes high, and the labor hours required for installation and maintenance of the elevator safety control device increase.
As a method of solving the problem, there is a method of providing one substrate or device with a plurality of safety control functions. However, when one substrate or device is simply provided with a plurality of safety control functions, in the case where one of the safety control functions fails, it exerts an influence on the other safety control functions, and there is the possibility that safety of the normal safety control functions is impaired.
An object of the present invention, therefore, is to provide an elevator safety control device in which increases in cost and in labor hours for installation and maintenance can be suppressed and safety of the normal safety control functions is not impaired even when a plurality of safety control functions are provided.
To achieve the object, an elevator safety control device according to claim 1 of the present invention is an elevator safety control device controlling stop of a car, including: an input unit receiving a signal on a state of an elevator as an input value; a logic unit including a CPU (Central Processing Unit) performing computation on safety control of the elevator by executing computation on a plurality of safety control functions by independent programs by using the input value, and a memory; and an independence assurance unit assuring independence of the safety control functions so that the safety control functions do not exert influence on one another. The independence assurance unit assures independence of each of the safety control functions by monitoring whether or not the safety control functions access the memory other than a permitted region, and when the independence assurance unit detects an access to the memory other than the permitted region by a predetermined one of the safety control functions, the elevator safety control device stops the car.
An elevator safety control device according to claim 3 is an elevator safety control device controlling stop of a car and includes: an input unit receiving a signal on a state of an elevator as an input value; a logic unit including a CPU (Central Processing Unit) performing computation on safety control of the elevator by executing computation on a plurality of safety control functions by independent programs by using the input value; and an independence assurance unit assuring independence of the safety control functions so that the safety control functions do not exert influence on one another. The independence assurance unit assures independence of the safety control function by monitoring whether or not computation process time of the safety control function exceeds preset specified time. When the independence assurance unit detects that the computation process time exceeds the specified time, the elevator safety control device stops the car.
In the elevator safety control device according to claim 1 of the present invention, the independence assurance unit assures independence of each of safety control functions by monitoring whether or not the safety control function accesses a memory other than a permitted region. When the independence assurance unit detects an access to the memory other than the permitted region, of a predetermined one of the safety control functions, the elevator safety control device stops a car.
In the elevator safety control device according to claim 3, the independence assurance unit assures independence of each of safety control functions by monitoring whether or not computation process time of the safety control function exceeds preset specified time. When the independence assurance unit detects that the computation process time exceeds the specified time, the elevator safety control device stops the car.
Therefore, a single elevator safety control device (safety control substrate) can be provided with a plurality of safety control functions without any one of the safety control functions exerting an influence on the others. Thus, the cost of safety control of an elevator can be reduced, and installation and maintenance are performed easily.
Hereinafter, embodiments of the present invention will be concretely described with reference to the drawings.
In a lower part of the hoistway, a hoisting machine 4 for lifting the car 1 and the balance weight 2 is provided. The hoisting machine 4 has a drive sheave 5 on which the suspending means 3 is wound, a hoisting machine motor for generating drive torque to rotate the drive sheave 5, a hoisting machine brake 6 as braking means which generates braking torque to brake the rotation of the drive sheave 5, and a hoisting machine encoder 7 generating a signal according to the rotation of the drive sheave 5.
As the hoisting machine brake 6, for example, an electromagnetic brake device is used. In the electromagnetic brake device, a brake shoe is pressed against a braking surface by spring force of a braking spring to brake the rotation of the drive sheave 5, and the car 1 is braked. By exciting an electromagnet, the brake shoe is detached from the braking surface, and the braking force is cancelled. Further, a braking force applied by the hoisting machine brake 6 is changed according to the value of current flowing in a brake coil of the electromagnet.
The car 1 is provided with a pair of car pulleys 8a and 8b. The balance weight 2 is provided with a counterweight pulley 9. In an upper part of the hoistway, car return pulleys 10a and 10b and a counterweight return pulley 11 are provided. One end of the suspending means 3 is connected to a first rope stop 12a provided in an upper part of the hoistway. The other end of the suspending means 3 is connected to a second rope stop 12b provided in an upper part of the hoistway.
The suspending means 3 is wound on, sequentially from one end side, the car pulleys 8a and 8b, the car return pulleys 10a and 10b, the drive sheave 5, the counterweight return pulley 11, and the counterweight pulley 9. That is, the car 1 and the counterweight 2 are suspended in the hoistway by the “2:1 roping method”.
In the upper part of the hoistway, a governor 14 is installed. The governor 14 includes a governor sheave 15 and a governor encoder 16 for generating a signal according to the rotation of the governor sheave 15. A governor rope 17 is looped around the governor sheave 15. Both ends of the governor rope 17 are connected to an operation lever of an emergency stop device mounted on the car 1. The lower end of the governor rope 17 is looped around a tension pulley 18 disposed in a lower part of the hoistway. When the car 1 is moved up or down, the governor rope 17 is circulated and the governor sheave 15 is rotated at rotation speed according to travel speed of the car 1.
In an upper part of the hoistway, an upper reference-position switch 19a for detecting the position of the car 1 is provided. In a lower part of the hoistway, a lower reference-position switch 19b for detecting the position of the car 1 is provided. The car 1 is provided with a switch operating member (cam) for operating the reference-position switches 19a and 19b.
A car-door switch 20 for detecting opening/closing of a car door is provided on the car 1. A landing-door switch for detecting opening/closing of a landing door is provided for the landing at each floor. Further, in the hoistway, a plurality of floor-alignment plates 21a to 21c for detecting that the car 1 is located at a position (in a door zone) in which a passenger can safely board and deboard the car 1 are provided. The car 1 is provided with a floor-alignment sensor 22 for detecting the floor-alignment plates 21a to 21c.
Each of the hoisting machine encoder 7, the governor encoder 16, the reference-position switches 19a and 19b, the car-door switch 20, the landing-door switches, and the floor-alignment sensor 22 is a sensor which generates a signal according to the state of the car 1.
In the hoistway, a control board 23 is installed. In the control board 23, a driving controller (driving control substrate) 24 as an operation controller and an elevator safety control device (safety control substrate) 25 are provided. The elevator safety control device (safety control substrate) 25 can control stop of the car 1.
In the elevator device, to secure safety, monitoring/controls are executed on the system from a plurality of viewpoints. To execute the monitoring/controls, the safety control substrate 25 is provided with a plurality of safety control functions. That is, the safety control substrate 25 executes computations on the safety control functions by independent programs (software), respectively, thereby realizing the safety controls from the plurality of viewpoints of the elevator device. The safety control functions include, for example, a brake control function and an overspeed monitoring function.
The drive controller 24 controls the operation of the hoisting machine 4, that is, the operation of the car 1. The drive controller 24 also controls travel speed of the car 1 on the basis of a signal from the hoisting machine encoder 7. Further, the drive controller 24 outputs a brake operation instruction for keeping the car 1 stopped at the landing and a brake release instruction for allowing the travel of the car 1 to the brake control function.
The brake control function as one of the safety control functions obtains the brake operation instruction from the drive controller 24 and, in accordance with the operation instruction, outputs a brake operation signal to the hoisting machine brake 6. The brake control function can control the braking force (braking torque) generated by the hoisting machine brake 6 by controlling the current passed to the brake coil of the hoisting machine brake 6. The braking force generated by the hoisting machine brake 6 is reduced by increasing the value of the current to the brake coil. When the current value exceeds a predetermined value, the braking force becomes zero. On the other hand, when the value of the current to the brake coil is reduced, the braking force is increased. When the current value becomes zero, the braking force becomes maximum.
The brake control function uses a signal from the floor-alignment sensor 22 to determine whether or not the car 1 is in the landing position. Further, the brake control function uses signals from the car-door switch 20 and the landing-door switch to determine an open/close state of each of the car door and the landing door. Further, the brake control function uses a signal from the hoisting machine encoder 7 to determine whether or not the car 1 travels.
The brake control function detects a state where at least any one of the car door and the landing door is open although the car 1 has not arrived at the landing position and a state where at least any one of the car door and the landing door is open although the car 1 is traveling, and outputs a brake operation instruction. Specifically, when the door-open travel state is detected, the brake control function brakes the drive sheave 5 by the hoisting machine brake 6 and also stops the hoisting-machine motor to forcibly stop the car 1.
Signals from the governor encoder 16 and the reference-position switches 19a and 19b are input to an overspeed monitoring function as one of the safety control functions. The overspeed monitoring function uses the signals from the governor encoder 16 and the reference-position switches 19a and 19b to obtain the position and speed of the car 1 independently of the drive controller 24 and monitors whether or not the speed of the car 1 reaches a predetermined overspeed level. The overspeed level is set as an overspeed monitoring pattern which changes according to the position of the car 1.
When the speed of the car 1 reaches the overspeed level, the overspeed monitoring function transmits a forcible stop signal to the brake control function. When the forcible stop signal is received, the brake control function brakes the drive sheave 5 by the hoisting machine brake 6 and also stops the hoisting machine motor to forcibly stop the car 1.
Each of the drive controller 24 and the elevator safety control device 25 has an independent microcomputer. The function of the drive controller 24 and the function of the elevator safety control device 25 are realized by the microcomputers. Operations of the safety control functions (such as the brake control function and the overspeed monitoring function) provided for the safety control device 25 are executed by independent programs (software).
Although the different names of “elevator safety control device” and “safety control substrate” are used for the elevator safety control device 25 in the application, they refer to the same elevator safety control device 25.
In the present invention, the single elevator safety control device (safety control substrate) 25 is provided with a plurality of various safety control functions. However, in the case of simply providing the single substrate (device) 25 with a plurality of safety control functions, when one of the safety control functions fails, there is the possibility that the other safety control functions are lost and trouble occurs in the elevator safety control (that is, independence of each of the safety control functions cannot be assured). It is consequently necessary to assure the independence of each of the safety control functions so that each of the safety control functions does not exert an influence on the other safety control functions.
In the embodiment, therefore, the elevator safety control device (safety control substrate) 25 having the configuration shown in
As shown in
In
To the input unit 32, a signal on the state of the entire elevator system including the car 1 (hereinbelow, called the state of the elevator) is input as an input value. As described above, to monitor/detect the state of the elevator, the various switches 19a and 19b and the various sensors 16 and the like exist. In
In the input unit 32, pulse signals such as encoder signals are counted to obtain numerical values. The input unit 32 also performs comparison between duplicated input values, comparison between the input value and a signal from a reference sensor (not shown), and the like. In the case where mismatch is detected as a result of the comparison in the input unit 32, the mismatch is transmitted to the CPU 34 as a component of the logic unit. The input values supplied to the input unit 32 are stored in the input buffer 33.
The CPU 34 reads the input values of the sensors 31 and the switches 30 from the input buffer 33. The CPU 34 performs arithmetic operation necessary for a plurality of safety controls on the elevator. That is, the CPU 34 executes the arithmetic operation on the plurality of safety control functions using the input values by independent programs (software). In such a manner, the safety control on the elevator is realized.
The independence assurance unit 36 provides assuring functions of assuring independence of a plurality of safety control functions. One of the assuring functions is a memory interference monitoring function. Each of the safety control functions can access only a determined region in the memory 37 as a component of the logic unit. The memory interference monitoring function is a function of monitoring whether or not each of the safety control functions accesses the memory 37 other than the accessible region. The memory interference monitoring function will be described concretely later with reference to
As shown in
For example, the CPU 34 notifies the independence assurance unit 36 of a process ID of the safety control function currently executing operation in the CPU 34 via the communication line 39a. The process ID is information for identifying the safety control function. On the other hand, the independence assurance unit 36 notifies the CPU 34 via the communication line 39a of determination results of the independence assurance unit 36 (as an example, a memory interference monitoring result, an execution time monitoring result, and the like), various instructions (such as a reset process instruction, for one example), and the like.
The CPU 34 accesses a predetermined address in the memory 37 at the time of computing process of the safety control function. The independence assurance unit 36 obtains information on the region in the memory 37 (that is, address information), to be accessed by the safety control function via the bus 39.
The memory interference monitoring function in the independence assurance unit 36 checks whether the obtained address information is in a preliminarily assigned range in the memory 37 or not.
Concretely, in the independence assurance unit 36, an assignment table as shown in
The independence assurance unit 36 having the memory interference monitoring function monitors whether the memory 37 other than the region which is allowed to the safety control function is accessed or not by using the information (process ID and address information) obtained from the CPU 34 and the assignment table. That is, the independence assurance unit 36 assures independence of the safety control function by the monitoring.
As described above, by comparing the information obtained from the CPU 34 and the assignment table, the independence assurance unit 36 monitors whether each of the safety control functions accesses the memory 37 other than the allowed region or not.
It is now assumed that the independence assurance unit 36 detects that, in a safety control function currently executing operation, the CPU 34 accesses the memory 37 other than an address to which the safety control function is allowed to access (that is, presence of memory interference is detected, in other words, independence of the safety control function cannot be assured). In this case, the independence assurance unit 36 notifies the CPU 34 of the detection of the memory interference via the communication line 39a. The elevator safety control device 25 puts itself in the reset state (that is, the power supply of the elevator safety control device 25 is reset).
When the power supply of the elevator safety control device 25 is reset, an output from the elevator safety control device 25 becomes “low (or zero)”, and power supply to the hoisting machine 4 and the brake 6 is interrupted. Accordingly, the car 1 enters a stop state.
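The memory interference check described above, written out as an added example in C (not code from the patent). The process IDs, the address ranges in the assignment table and all function names are assumptions made for illustration; the figure showing the real table is not reproduced on this page. An access counts as interference if any part of it falls outside the region assigned to the running function, and an unknown process ID is treated the same way.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One row of the assignment table: the memory region a safety control
 * function (identified by its process ID) is permitted to access.
 * IDs and address ranges are constructed sample values. */
struct region {
    uint8_t  process_id;
    uint32_t start;   /* first permitted address */
    uint32_t end;     /* last permitted address, inclusive */
};

static const struct region assignment_table[] = {
    { 1, 0x20000000u, 0x20000FFFu },  /* e.g. brake control function */
    { 2, 0x20001000u, 0x20001FFFu },  /* e.g. overspeed monitoring function */
};

static bool stop_latched = false;     /* once set, only a reset clears it */

/* True when the whole access [addr, addr + len) lies inside the region
 * assigned to process_id. Everything else is memory interference. */
bool access_permitted(uint8_t process_id, uint32_t addr, uint32_t len)
{
    if (len == 0)
        return false;                 /* malformed access report */
    uint32_t last = addr + (len - 1u);
    if (last < addr)
        return false;                 /* range wraps past 0xFFFFFFFF */

    size_t rows = sizeof assignment_table / sizeof assignment_table[0];
    for (size_t i = 0; i < rows; i++) {
        const struct region *r = &assignment_table[i];
        if (r->process_id == process_id)
            return addr >= r->start && last <= r->end;
    }
    return false;                     /* no row for this ID: deny */
}

/* Called for each access observed on the bus together with the process
 * ID reported by the CPU. Returns false once a stop has been latched. */
bool monitor_access(uint8_t process_id, uint32_t addr, uint32_t len)
{
    if (!access_permitted(process_id, addr, len))
        stop_latched = true;          /* device resets, car is stopped */
    return !stop_latched;
}

bool car_stop_requested(void)
{
    return stop_latched;
}

int main(void)
{
    /* Function 1 stays in its own region, then writes across the
     * boundary into the region of function 2. */
    printf("in-region access ok: %d\n", monitor_access(1, 0x20000010u, 4));
    printf("straddling access ok: %d\n", monitor_access(1, 0x20000FFEu, 4));
    printf("stop requested: %d\n", car_stop_requested());
    return 0;
}
```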
The independence assurance unit 36 according to the embodiment has not only the memory interference monitoring function but also an execution time monitoring function. The execution time monitoring function is a function of monitoring each computation process time in which individual safety control function is executed and/or total computation process time in which all of the safety control functions are executed.
The independence assurance unit 36 may have only one of the memory interference monitoring function and the execution time monitoring function. In the following description, the independence assurance unit 36 has both the memory interference monitoring function and the execution time monitoring function. In the execution time monitoring function to be described hereinafter, both the individual computation process time and the total computation process time are monitored.
By monitoring whether the computation process time by a safety control function exceeds preset specified time or not, the independence assurance unit 36 assures independence of the safety control function. When the independence assurance unit 36 detects that the computation process time of the safety control function exceeds the specified time (when the independence of the safety control function cannot be assured), the elevator safety control device 25 stops the car 1.
The details of the execution time monitoring function will be described with reference to
The independence assurance unit 36 has a plurality of watchdog timers WDT1, WDT2, . . . , WDTn, and WDTtotal. For each of the watchdog timers WDT1, WDT2, . . . , WDTn, and WDTtotal, specified time (time limit) is preset independently.
The watchdog timers WDT1, WDT2, . . . , WDTn are prepared for respective safety control functions (in the description, “n” pieces of safety control functions exist and, therefore, “n” pieces of watchdog timers exist). Therefore, each specified time is determined in correspondence with each safety control function.
Simultaneously with start of computation of a safety control function, the independence assurance unit 36 starts any of the watchdog timers WDT1, WDT2, . . . , and WDTn corresponding to the safety control function. Further, the independence assurance unit 36 starts the watchdog timer WDTtotal on start of computation in a safety control function which starts the computation process first in a plurality of safety control functions.
At the end of the computation of the safety control function, the independence assurance unit 36 stops the watchdog timer corresponding to the safety control function in the watchdog timers WDT1, WDT2, . . . , and WDTn. After completion of all of the safety control functions (in the description, after the “n” pieces of safety control functions are completed), that is, after completion of computation of the last safety control function, the independence assurance unit 36 stops the watchdog timer WDTtotal.
As described above, specified time is set in each of the watchdog timers WDT1, WDT2, . . . , WDTn, and WDTtotal. When there is even one watchdog timer which is not stopped within the specified time in the watchdog timers WDT1, WDT2, . . . , WDTn, and WDTtotal, the independence assurance unit 36 detects that the computation process time of the safety control function exceeds the specified time. By the detection, the independence assurance unit 36 notifies the CPU 34 of the detection, and the elevator safety control device 25 resets itself (that is, the car 1 is stopped).
For example, the independence assurance unit 36 monitors, for each of the safety control functions, whether or not the individual computation process time exceeds the specified time set in the watchdog timer WDT1, WDT2, . . . , or WDTn corresponding to the safety control function. The individual computation process time is time required for computation for an individual safety control function. When the independence assurance unit 36 detects that the individual computation process time exceeds the specified time in any of the safety control functions (that is, when any one of the watchdog timers WDT1, WDT2, . . . , and WDTn is not stopped within the specified time), the elevator safety control device 25 stops the car 1.
The independence assurance unit 36 monitors whether or not the total computation process time of all of the safety control functions exceeds the specified time set for the watchdog timer WDTtotal. When the independence assurance unit 36 detects that the total computation process time exceeds the specified time (that is, the watchdog timer WDTtotal is not stopped within the specified time), the elevator safety control device 25 stops the car 1.
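The execution time monitoring described above, simulated in C as an added example (not code from the patent). The number of functions, the tick-based time unit, the limits set in each timer and all names are assumptions made for illustration. run_cycle() reports which watchdog timer expired first, so the case where every function stays within its own limit but WDTtotal still expires can be seen.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define N_FUNCS   3          /* "n" safety control functions (assumed 3) */
#define WDT_TOTAL N_FUNCS    /* index used for WDTtotal */
#define WDT_NONE  (-1)

struct wdt {
    uint32_t limit;          /* specified time, in timer ticks */
    uint32_t elapsed;
    bool     running;
};

/* WDT1..WDTn followed by WDTtotal. Limits are constructed sample values. */
static struct wdt timers[N_FUNCS + 1] = {
    { 5, 0, false }, { 8, 0, false }, { 4, 0, false },   /* WDT1..WDT3 */
    { 15, 0, false },                                    /* WDTtotal   */
};
static int expired = WDT_NONE;   /* first timer not stopped in time */

static void wdt_start(int id)
{
    timers[id].elapsed = 0;
    timers[id].running = true;
}

static void wdt_stop(int id)
{
    timers[id].running = false;
}

/* One timer tick: every running timer advances. A timer still running
 * after its specified time has elapsed is recorded as expired. */
static void wdt_tick(void)
{
    for (int id = 0; id <= N_FUNCS; id++) {
        struct wdt *w = &timers[id];
        if (w->running && ++w->elapsed > w->limit && expired == WDT_NONE)
            expired = id;
    }
}

/* Simulates one computation cycle in which function i needs cost[i]
 * ticks. Returns WDT_NONE if every timer was stopped in time, otherwise
 * the index of the timer that expired (WDT_TOTAL for WDTtotal). */
int run_cycle(const uint32_t cost[N_FUNCS])
{
    expired = WDT_NONE;                  /* fresh start after a reset */
    for (int id = 0; id <= N_FUNCS; id++)
        wdt_stop(id);

    for (int i = 0; i < N_FUNCS; i++) {
        wdt_start(i);                    /* start of computation of function i */
        if (!timers[WDT_TOTAL].running)
            wdt_start(WDT_TOTAL);        /* first function starts WDTtotal */

        for (uint32_t t = 0; t < cost[i]; t++) {
            wdt_tick();
            if (expired != WDT_NONE)
                return expired;          /* device resets, car is stopped */
        }
        wdt_stop(i);                     /* end of computation of function i */
    }
    wdt_stop(WDT_TOTAL);                 /* last function has completed */
    return WDT_NONE;
}

int main(void)
{
    const uint32_t normal[N_FUNCS] = { 3, 6, 2 };
    const uint32_t hung[N_FUNCS]   = { 1, 1000000, 1 };  /* function 2 hangs */
    const uint32_t slow[N_FUNCS]   = { 5, 7, 4 };        /* sum exceeds 15 */

    printf("normal cycle: %d\n", run_cycle(normal));
    printf("hung function: %d\n", run_cycle(hung));
    printf("slow cycle: %d\n", run_cycle(slow));
    return 0;
}
```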
The independence assurance unit 36 monitors whether or not a failure in any safety control function exerts an influence on the other safety control functions by the memory interference monitoring function and the execution time monitoring function and, in the case where the influence is likely to be exerted, stops the safety control device 25 reliably (that is, stops the car 1).
In
In
In one of the systems, switches SW11, SW12, . . . , and SW1n are connected in series. In the other system, switches SW21, SW22, . . . , and SW2n are connected in series. A power supply Pw is connected to one end of each of the systems.
To the switches SW11 and SW21, a computation result of a first safety control function is input from the output buffer 35. To the switches SW12 and SW22, a computation result of a second safety control function is input from the output buffer 35. To the switches SW1n and SW2n, a computation result of an “n”th safety control function is input from the output buffer 35. An output of one of the systems is connected to the hoisting machine 4 via the output unit 38, and an output of the other system is connected to the brake 6 via the output unit 38.
In
When it is determined that the computation result of the safety control function is normal in the operation of the elevator (when the result shows safety of the elevator), the computation result is input to the switches SW11 to SW1n and the switches SW21 to SW2n, and the switches SW11 to SW1n and the switches SW21 to SW2n enter an ON state.
On the other hand, when it is determined that the computation result of the safety control function is abnormal in the operation of the elevator (when the result does not show safety of the elevator), the computation result is input to the switches SW11 to SW1n and the switches SW21 to SW2n, and the switches SW11 to SW1n and the switches SW21 to SW2n enter an OFF state. In the following description, the computation result determined as abnormal in the operation of the elevator will be called a computation result of “error”.
Stop of supply of the power P to the hoisting machine 4 and the brake 6 means stop of the car 1.
As understood from the description using
As the switches SW11 to SW1n and the switches SW21 to SW2n, transistors or semiconductor switches such as MOS-FET may be used. The switches may be realized by AND circuits (IC) or software.
The supply or interruption of the power P to the hoisting machine 4 and the brake 6 in the output unit 38 is realized by forming a relay or contactor connected to the power P in the output unit 38 (see
The car 1 is stopped in the following modes.
When the independence assurance unit 36 detects that the computation result of any of the safety control functions shows “error” or detects that independence among the safety control functions cannot be assured, the elevator safety control device 25 immediately stops the car 1. Concretely, the safety control device 25 notifies the drive controller 24 of an instruction of immediate stop and, by control of the drive controller 24, the car 1 is immediately stopped. The configuration of
When the independence assurance unit 36 detects that the computation result of any of the safety control functions shows “error” or detects that independence among the safety control functions cannot be assured, the elevator safety control device 25 moves the car 1 to the floor closest to the position of the car 1 at the time of the detection and stops the car 1 at the closest floor. Concretely, the safety control device 25 notifies the drive controller 24 of a closest-floor stop instruction of stopping the car 1 at the closest floor and, by control of the drive controller 24, the car 1 is stopped at the closest floor.
The elevator safety control device 25 determines whether or not the car 1 has arrived at the closest floor within predetermined time since stop of the car 1 at the closest floor is instructed (closest-floor stop instruction). When the elevator safety control device 25 detects that the car 1 did not arrive at the closest floor within the predetermined time, the safety control device 25 immediately emergency-stops the car 1 after lapse of the predetermined time. Concretely, immediately after lapse of the predetermined time, the safety control device 25 sends an immediate stop instruction to the drive controller 24 and, by the control of the drive controller 24, the car 1 is immediately stopped.
For example, the elevator safety control device 25 has a watchdog timer (not shown) in which the predetermined time (time limit) can be set. As the predetermined time, various values can be set in the timer. The elevator safety control device 25 estimates the time required for the car 1 to arrive at the closest floor and sets the estimated time as the predetermined time in the watchdog timer.
The elevator safety control device 25 starts the watchdog timer simultaneously with the closest-floor stop instruction. It is assumed that a message that the car 1 stops at the closest floor is not transmitted to the watchdog timer within predetermined time after start of the timer. In this case, the watchdog timer operates the function of the watchdog timer immediately after lapse of the predetermined time and, by the operation, the elevator safety control device 25 emergency-stops the car 1.
Next, the operation of the elevator safety control device 25 will be described with reference to the flowchart of
First, the CPU 34 performs computation of a predetermined safety control function (step S1). At this time, the independence assurance unit 36 monitors whether independence is assured or not by the memory interference monitoring function (step S2). Specifically, the CPU 34 executes the predetermined safety control function, and the independence assurance unit 36 monitors whether or not the CPU 34 accesses an address other than an address which is allowed to the predetermined safety control function in the memory 37 (that is, the presence or absence of memory interference) (step S2).
It is assumed that the independence assurance unit 36 detects the presence of memory interference (“YES” in step S2). In this case, the elevator safety control device 25 stops the car 1 in any of the above-described modes (step S8).
On the other hand, it is assumed that the independence assurance unit 36 determines the absence of memory interference (“NO” in step S2). In this case, the independence assurance unit 36 makes determination by the operation of the execution time monitoring function (step S3).
In step S3, the independence assurance unit 36 determines whether the individual computation process time as computation process time of the predetermined safety control function exceeds specified time or not. The specified time is set in the watchdog timer WDTi corresponding to the predetermined safety control function.
It is assumed that the independence assurance unit 36 detects that computation of a predetermined safety control function has not been finished within specified time (“YES” in step S3). In this case, the elevator safety control device 25 stops the car 1 in any of the above-described modes (step S8).
On the other hand, it is assumed that the independence assurance unit 36 detects that computation of a predetermined safety control function is finished within specified time (“NO” in step S3). In this case, the independence assurance unit 36 executes step S4.
When independence of a predetermined safety control function is assured in steps S2 and S3 (“NO” in step S2 and “NO” in step S3), a computation result of the predetermined safety control function is output from the CPU 34 toward the output buffer 35.
It is assumed that the independence assurance unit 36 detects that the computation result is “error” (a result of determination of “abnormal state” from the viewpoint of safety of the elevator) (“YES” in step S4). This means that the switch in the independence assurance unit 36 that corresponds to the output of the computation result is turned off. In this case, the elevator safety control device 25 stops the car 1 in any of the above-described modes (step S8).
On the other hand, it is assumed that the independence assurance unit 36 detects that the computation result is normal (a result of determination of “normal state” from the viewpoint of safety of the elevator) (“NO” in step S4). In this case, the elevator safety control device 25 determines whether execution of computation of all of the safety control functions provided has completed or not (step S5).
In the case where computation of all of the safety control functions is not completed (“NO” in step S5), the elevator safety control device 25 selects one of the safety control functions which are not computed yet and repeatedly executes the operations from step S1 on the selected safety control function.
On the other hand, when computation of all of the safety control functions is completed (“YES” in step S5), the independence assurance unit 36 determines whether the total computation process time of all of the safety control functions exceeds the specified time or not (step S6). The specified time is set in the watchdog timer WDTtotal.
It is assumed that the independence assurance unit 36 detects that computation of all of the safety control functions is not finished within the specified time (“YES” in step S6). In this case, the elevator safety control device 25 stops the car 1 by any of the above-described modes (step S8).
It is assumed that the independence assurance unit 36 detects that computation of all of the safety control functions is finished within the specified time (“NO” in step S6). In this case, the normal operation of the elevator by the drive controller 24 is continued (step S7).
In the flowchart of
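The sequence of steps S1 to S8 described above can be modelled as one monitoring cycle. The following C code is an added example, not code from the patent; the observation record, the microsecond limits and all identifiers are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of one monitoring cycle (names are assumptions of this example). */
typedef enum {
    CONTINUE_NORMAL = 0,     /* step S7 */
    STOP_MEM_INTERFERENCE,   /* "YES" in step S2, then step S8 */
    STOP_FUNC_TIMEOUT,       /* "YES" in step S3, then step S8 */
    STOP_RESULT_ERROR,       /* "YES" in step S4, then step S8 */
    STOP_TOTAL_TIMEOUT       /* "YES" in step S6, then step S8 */
} verdict_t;

/* What the independence assurance unit observed while one function ran.
 * A real watchdog fires during execution; here the elapsed time is
 * recorded and compared afterwards so the run is deterministic. */
typedef struct {
    bool     mem_interference;  /* access outside the permitted addresses */
    uint32_t elapsed_us;        /* individual computation process time */
    bool     result_error;      /* computation result is "error" */
} observation_t;

#define NO_FUNCTION ((size_t)-1)

/* Steps S1 to S7 for n functions. wdt_i_us[i] is the limit set in WDTi,
 * wdt_total_us the limit set in WDTtotal. On a per-function stop,
 * *culprit receives the index of the function that caused it. */
verdict_t run_cycle(const uint32_t *wdt_i_us, const observation_t *obs,
                    size_t n, uint32_t wdt_total_us, size_t *culprit)
{
    uint64_t total_us = 0;
    if (culprit) *culprit = NO_FUNCTION;
    for (size_t i = 0; i < n; i++) {            /* S1, repeated via S5 */
        verdict_t v = CONTINUE_NORMAL;
        if (obs[i].mem_interference)              v = STOP_MEM_INTERFERENCE;
        else if (obs[i].elapsed_us > wdt_i_us[i]) v = STOP_FUNC_TIMEOUT;
        else if (obs[i].result_error)             v = STOP_RESULT_ERROR;
        if (v != CONTINUE_NORMAL) {
            if (culprit) *culprit = i;
            return v;
        }
        total_us += obs[i].elapsed_us;
    }
    /* S6: all functions finished, now check the total against WDTtotal. */
    return total_us > wdt_total_us ? STOP_TOTAL_TIMEOUT : CONTINUE_NORMAL;
}

/* Constructed limits for three functions, in microseconds. */
static const uint32_t WDT_I[3] = {400, 400, 400};
#define WDT_TOTAL 1000u

verdict_t demo_all_ok(void)
{
    const observation_t obs[3] = {
        {false, 300, false}, {false, 300, false}, {false, 300, false}};
    return run_cycle(WDT_I, obs, 3, WDT_TOTAL, NULL);
}

/* Every function stays under its own WDTi (390 <= 400), but the sum
 * (1170) exceeds WDTtotal: only step S6 catches this. */
verdict_t demo_total_overrun(void)
{
    const observation_t obs[3] = {
        {false, 390, false}, {false, 390, false}, {false, 390, false}};
    return run_cycle(WDT_I, obs, 3, WDT_TOTAL, NULL);
}

/* The second function interferes AND reports "error": S2 decides first. */
verdict_t demo_faulty_second(size_t *culprit)
{
    const observation_t obs[3] = {
        {false, 300, false}, {true, 300, true}, {false, 300, false}};
    return run_cycle(WDT_I, obs, 3, WDT_TOTAL, culprit);
}

size_t demo_culprit(void)
{
    size_t c = NO_FUNCTION;
    (void)demo_faulty_second(&c);
    return c;
}

int main(void)
{
    printf("all ok: %d\n", (int)demo_all_ok());
    printf("total overrun: %d\n", (int)demo_total_overrun());
    printf("faulty second: %d (function index %zu)\n",
           (int)demo_faulty_second(NULL), demo_culprit());
    return 0;
}
```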
As described above, the elevator safety control device 25 according to the embodiment is provided with the independence assurance unit 36 assuring independence of the safety control functions such as the memory interference monitoring function and the execution time monitoring function.
Therefore, without exertion of the influence of one of the safety control functions to the other safety control functions, the single elevator safety control device (safety control substrate) 25 can be provided with the plurality of safety control functions. Thus, the cost on safety control of the elevator can be reduced, and installation and maintenance can be carried out easily.
In the embodiment, in the electronized elevator safety control device 25, necessary safety control functions are provided. Therefore, only by adding the safety control function software, the sensor 31, and the switch 30, a new safety control function can be added to the elevator safety control device 25.
In the elevator safety control device 25 according to the embodiment, at the time of execution of a safety control function, the independence assurance unit 36 obtains identification information indicative of the kind of the safety control function and address information indicating the region in the memory 37, to be accessed in the execution of the safety control function from the CPU 34. The independence assurance unit 36 compares the obtained information with the assignment table shown in
Therefore, the elevator safety control device 25 can easily realize the memory interference monitoring function by the independence assurance unit 36.
In the elevator safety control device 25 according to the embodiment, the independence assurance unit 36 monitors whether the individual computation process time exceeds the specified time or not. The independence assurance unit 36 also monitors whether the total computation process time exceeds the specified time or not.
Therefore, the elevator safety control device 25 can easily realize the execution time monitoring function by the independence assurance unit 36.
In the elevator safety control device 25 according to the embodiment, when the independence assurance unit 36 detects that the computation result is “error” in any one of the safety control functions, the elevator safety control device 25 stops the car 1.
Therefore, the elevator safety control device 25 can assure independence on the same output of a plurality of programs.
In the elevator safety control device 25 according to the embodiment, when it is detected that the computation result of any of the safety control functions shows “error” or when it is detected that independence among the safety control functions cannot be assured, the elevator safety control device 25 immediately stops the car 1.
Therefore, the elevator safety control device 25 can immediately shift the elevator to a safe state.
In the elevator safety control device 25 according to the embodiment, when it is detected that the computation result of any of the safety control functions shows “error” or when it is detected that independence among the safety control functions cannot be assured, the elevator safety control device 25 stops the car 1 at the closest floor.
Therefore, the elevator safety control device 25 can evacuate a passenger at the closest floor at the abnormal time of the elevator.
In the elevator safety control device 25 according to the embodiment, when the car 1 does not arrive at the closest floor within predetermined time, the car 1 can be emergency-stopped in a state where the car 1 does not arrive at the closest floor.
When the car 1 does not arrive at the closest floor within predetermined time, it means that there is some trouble in operation of the elevator device. Therefore, the elevator safety control device 25 can assure safety of the car 1 moving toward the closest floor.
In this embodiment, another mode of the memory interference monitoring function described in the first embodiment will be described. Therefore, the configuration and operation other than the memory interference monitoring function (the configuration and operation of the elevator device 100 and the elevator safety control device 25) of the second embodiment and those of the first embodiment are similar.
As described in the first embodiment, the memory 37 is divided into address regions to which accesses of respective safety control functions are permitted. For example, an address region to which access of a first safety control function is permitted is a first safety control function use-permitted region 37a. An address region to which access of a second safety control function is permitted is a second safety control function use-permitted region 37b. Similarly, an address region to which access of an n-th safety control function is permitted is an n-th safety control function use-permitted region 37n.
First, the independence assurance unit 36 according to the embodiment preliminarily calculates error detection codes CRC1, CRC2, . . . , and CRCn for the corresponding safety control function use-permitted regions 37a, 37b, . . . , and 37n, respectively. Specifically, the independence assurance unit 36 calculates the error detection codes CRC1, CRC2, . . . , and CRCn before execution of computation of the safety control functions. The error detection codes calculated before execution of the computation will be referred to as first error detection codes.
In the embodiment, a CRC (Cyclic Redundancy Code) is used as the error detection code (similarly as a second error detection code which will be described later).
Next, after completion of computation of a predetermined safety control function, the independence assurance unit 36 calculates again error detection codes CRC1′, CRC2′, . . . , and CRCn′ for the safety control function use-permitted regions 37a, 37b, . . . , and 37n, respectively. The error detection codes calculated after execution of the computation will be referred to as second error detection codes.
As described above, the independence assurance unit 36 calculates the first error detection codes CRC1, CRC2, . . . , and CRCn and the second error detection codes CRC1′, CRC2′, . . . , and CRCn′ in correspondence with the safety control function use-permitted regions 37a, 37b, . . . , and 37n.
In correspondence with the safety control function use-permitted regions 37a, 37b, . . . , and 37n, the independence assurance unit 36 compares the first error detection codes CRC1, CRC2, . . . , and CRCn with the second error detection codes CRC1′, CRC2′, . . . , and CRCn′, respectively. Specifically, the independence assurance unit 36 compares the first error detection code CRC1 with the second error detection code CRC1′, compares the first error detection code CRC2 with the second error detection code CRC2′, and compares the first error detection code CRCn with the second error detection code CRCn′.
It is assumed that, in execution of computation of a predetermined safety control function, the predetermined safety control function accesses the safety control function use-permitted regions 37a, 37b, . . . , and 37n to which the predetermined safety control function is not permitted to access. In this case, the error detection codes for the safety control function use-permitted regions 37a, 37b, . . . , and 37n other than the permitted region change before and after execution of computation of the safety control function.
Therefore, when the independence assurance unit 36 detects the second error detection codes CRC1′, CRC2′, . . . , and CRCn′ different from the first error detection codes CRC1, CRC2, . . . , and CRCn by the error detection code comparing process, the independence assurance unit 36 determines the presence of memory interference. As described above, when the independence assurance unit 36 detects the presence of memory interference, the elevator safety control device 25 stops the car 1 in any of the above-described modes (“YES” in step S2 and refer to step S8 in
The operation is executed before and after computation of each of the safety control functions. Completion of execution of a predetermined safety control function is found when a change in the process ID notified from the CPU 34 is detected by the independence assurance unit 36 or a measurement stop signal for the watchdog timers WDT1, WDT2, . . . , and WDTn corresponding to the safety control functions is detected by the independence assurance unit 36.
As described above, in the elevator safety control device 25 according to the embodiment, the independence assurance unit 36 compares the first error detection codes CRC1, CRC2, . . . , and CRCn with the second error detection codes CRC1′, CRC2′, . . . , and CRCn′, respectively, for the safety control function use-permitted regions 37a, 37b, . . . , and 37n. Specifically, the independence assurance unit 36 according to the embodiment monitors whether any safety control function accesses the memory 37 other than the permitted regions or not by the comparing process (memory interference monitoring function).
Therefore, the elevator safety control device 25 can easily realize the memory interference monitoring function of the independence assurance unit 36.
Although the CRC is used as the error detection code, obviously, when other error detection codes are used, similar effects are obtained.
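The before/after comparison of the second embodiment, as an added C example that is not code from the patent. The choice of CRC-32, the region sizes, and the decision to leave the running function's own region out of the comparison are assumptions of the example, as are all identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_REGIONS   3u    /* stands in for regions 37a, 37b, 37c */
#define REGION_SIZE 16u   /* constructed size, bytes per region */

static uint8_t memory37[N_REGIONS * REGION_SIZE];
static volatile uint8_t sink;

/* CRC-32 (reflected polynomial 0xEDB88320). The page only says "CRC";
 * the concrete code is an assumption. */
uint32_t crc32_buf(const uint8_t *p, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* One error detection code per use-permitted region. */
static void snapshot(uint32_t codes[N_REGIONS])
{
    for (unsigned r = 0; r < N_REGIONS; r++)
        codes[r] = crc32_buf(&memory37[r * REGION_SIZE], REGION_SIZE);
}

/* Runs fn as the function that owns region `owner`. Returns a bitmask of
 * the OTHER regions whose code changed; non-zero means memory interference. */
unsigned monitor_run(void (*fn)(void), unsigned owner)
{
    uint32_t first[N_REGIONS], second[N_REGIONS];
    unsigned mask = 0;
    snapshot(first);    /* first error detection codes  */
    fn();
    snapshot(second);   /* second error detection codes */
    for (unsigned r = 0; r < N_REGIONS; r++)
        if (r != owner && first[r] != second[r])
            mask |= 1u << r;
    return mask;
}

/* Constructed safety control functions; each one owns region 0. */
static void fn_ok(void)         { memset(memory37, 0xA5, REGION_SIZE); }
static void fn_overrun(void)    /* off-by-one: also writes byte 0 of region 1 */
{
    for (size_t i = 0; i <= REGION_SIZE; i++) memory37[i] = 0x5A;
}
static void fn_stray_read(void) { sink = memory37[2u * REGION_SIZE]; }

static void mem_reset(void) { memset(memory37, 0, sizeof memory37); }

unsigned demo_ok(void)         { mem_reset(); return monitor_run(fn_ok, 0); }
unsigned demo_overrun(void)    { mem_reset(); return monitor_run(fn_overrun, 0); }
unsigned demo_stray_read(void) { mem_reset(); return monitor_run(fn_stray_read, 0); }

/* The same stray write a second time stores the value already present,
 * so the codes before and after are equal. */
unsigned demo_repeat_overrun(void)
{
    mem_reset();
    fn_overrun();
    return monitor_run(fn_overrun, 0);
}

int main(void)
{
    printf("ok:             0x%x\n", demo_ok());
    printf("overrun:        0x%x\n", demo_overrun());
    printf("stray read:     0x%x\n", demo_stray_read());
    printf("repeat overrun: 0x%x\n", demo_repeat_overrun());
    return 0;
}
```

Because the comparison only sees changed contents, a stray read and a stray write of the value already stored both pass unnoticed, as the last two demo functions show.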
In the memory interference monitoring function of the first embodiment, each of the safety control functions only monitors whether an address in the memory 37 other than an address to which access of itself is permitted is accessed or not. That is, the memory interference monitoring function of the first embodiment is executed by using the assignment table shown in
The embodiment is characterized in that the memory interference monitoring function is executed using an assignment table to which access right information is added and “process ID, address information, and access mode information”. The configuration and operation other than the memory interference monitoring function (the configuration and operation of the elevator device 100 and the elevator safety control device 25) in the first embodiment and those in the third embodiment are similar.
In the example of
In the example of
Further, to the assignment table according to the embodiment, different from the assignment table of
Similarly, in the example of
Similarly, in the example of
In the embodiment, the elevator safety control device 25 holds the assignment table shown in
In the independence assurance unit 36 according to the embodiment, the memory interference monitoring function is executed by using the assignment table shown in
It is assumed that the independence assurance unit 36 detects an access in an access mode different from permitted access right information at the time of accessing an address in the memory 37 to which a predetermined safety control function is permitted. This case corresponds to a case where the independence assurance unit 36 detects the presence of memory interference. In this case, the elevator safety control device 25 stops the car 1 in any of the above-described modes (“YES” in step S2 and refer to step S8 in
When the independence assurance unit 36 detects an access of an address in the memory 37 other than the permitted address from a predetermined safety control function, it is as described in the first embodiment.
As described above, in the elevator safety control device 25 according to the embodiment, also in the case where the independence assurance unit 36 detects an access mode to the memory 37 different from the access right information at the time of execution of computation of a predetermined safety control function, the elevator safety control device 25 stops the car 1.
Therefore, the elevator safety control device 25 according to the embodiment can provide the memory interference monitoring function having higher precision than the elevator safety control device 25 according to the first embodiment.
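A table lookup on "process ID, address information, and access mode information", as an added C example that is not code from the patent. The table contents, addresses and identifiers are constructed for the example; the address-only check of the first embodiment corresponds to rows that all permit both access modes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { ACC_READ = 1, ACC_WRITE = 2 } acc_mode_t;

typedef enum {
    ACCESS_OK = 0,
    DENY_UNKNOWN_PROCESS,  /* process ID has no row in the table */
    DENY_ADDRESS,          /* outside every region assigned to the process */
    DENY_MODE              /* inside an assigned region, wrong access mode */
} check_t;

typedef struct {
    uint8_t  process_id;
    uint32_t first;    /* first permitted address */
    uint32_t last;     /* last permitted address (inclusive) */
    uint8_t  rights;   /* bitmask of acc_mode_t */
} assign_row_t;

/* Constructed assignment table; addresses and rights are illustrative. */
static const assign_row_t TABLE[] = {
    {1, 0x1000u, 0x1FFFu, ACC_READ | ACC_WRITE},  /* work area, function 1 */
    {1, 0x8000u, 0x80FFu, ACC_READ},              /* shared constants */
    {2, 0x2000u, 0x2FFFu, ACC_READ | ACC_WRITE},  /* work area, function 2 */
    {2, 0x8000u, 0x80FFu, ACC_READ},              /* shared constants */
};
#define N_ROWS (sizeof TABLE / sizeof TABLE[0])

/* Checks an access of `len` bytes starting at `addr`. Anything other than
 * ACCESS_OK corresponds to "presence of memory interference". */
check_t check_access(uint8_t pid, uint32_t addr, uint32_t len, acc_mode_t mode)
{
    bool known = false, in_region = false;
    /* An empty access or one that wraps past the top of the address
     * space can never lie inside a region. */
    bool sane = len != 0 && addr <= UINT32_MAX - (len - 1u);
    uint32_t last = sane ? addr + (len - 1u) : 0;

    for (size_t i = 0; i < N_ROWS; i++) {
        const assign_row_t *r = &TABLE[i];
        if (r->process_id != pid)
            continue;
        known = true;
        /* The whole access must fit; straddling a boundary is denied. */
        if (sane && addr >= r->first && last <= r->last) {
            in_region = true;
            if (r->rights & (uint8_t)mode)
                return ACCESS_OK;
        }
    }
    if (!known)
        return DENY_UNKNOWN_PROCESS;   /* default deny */
    return in_region ? DENY_MODE : DENY_ADDRESS;
}

int main(void)
{
    printf("write own area:        %d\n",
           (int)check_access(1, 0x1000u, 4, ACC_WRITE));
    printf("write shared constant: %d\n",
           (int)check_access(1, 0x8000u, 4, ACC_WRITE));
    printf("read foreign area:     %d\n",
           (int)check_access(1, 0x2000u, 4, ACC_READ));
    printf("straddle region end:   %d\n",
           (int)check_access(1, 0x1FFEu, 4, ACC_WRITE));
    return 0;
}
```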
An elevator safety control device (safety control substrate) according to a fourth embodiment is different from the elevator safety control device 25 according to the first embodiment. The configuration of the entire elevator device 100 in the first embodiment and that in the fourth embodiment are the same (see
In the first embodiment, one CPU 34, one independence assurance unit 36, and one memory 37 are disposed on the safety control substrate 25. On the other hand, in the fourth embodiment, two configuration groups each made of a CPU, an independence assurance unit, and a memory are disposed on a safety control substrate. That is, on the safety control substrate, the configuration group is doubly provided.
As shown in
The operation of each of the CPUs 34g1 and 34g2, each of the independence assurance units 36g1 and 36g2, and each of the memories 37g1 and 37g2 is the same as that of the CPU 34, the independence assurance unit 36, and the memory 37 described in the first to third embodiments. That is, also in the independence assurance units 36g1 and 36g2, in relation to the CPUs 34g1 and 34g2 and the memories 37g1 and 37g2, the memory interference monitoring function, the execution time monitoring function, further, the computation result error detecting operation, and the like described in the first to third embodiments are executed.
In the embodiment, each of the independence assurance units 36g1 and 36g2 determines match/mismatch of programs executed in the systems, which will be described later (execution program monitoring function). The independence assurance units 36g1 and 36g2 send notification of results of the execution program monitoring function to the CPUs 34g1 and 34g2, respectively.
Further, as shown in
The configuration and operation of the other blocks 32, 33, 35, and 38 are the same as those of the blocks indicated by the same reference numerals as those in
In
As shown in
As shown in
For example, the CPU 34g1 notifies the independence assurance unit 36g1 and the CPU 34g2 of the process ID of a safety control function currently executing computation in the CPU 34g1 via the communication line 39gm. The CPU 34g2 notifies the independence assurance unit 36g2 and the CPU 34g1 of the process ID of a safety control function currently executing computation in the CPU 34g2 via the communication line 39gn.
The independence assurance unit 36g1 notifies the CPUs 34g1 and 34g2 of determination results of the independence assurance unit 36g1 (as an example, a memory interference monitoring result, an execution time monitoring result, and an execution program monitoring result) and instructions (for example, a reset process instruction) via the signal line 39gm. The independence assurance unit 36g2 notifies the CPUs 34g1 and 34g2 of determination results of the independence assurance unit 36g2 (as an example, a memory interference monitoring result, an execution time monitoring result, and an execution program monitoring result) and instructions (for example, a reset process instruction) via the signal line 39gn.
The CPU 34g1 accesses a predetermined address in the memory 37g1 at the time of computation process of a safety control function. Data such as a computation process result of the CPU 34g1 is written in a predetermined address in the memory 37g1. Similarly, the CPU 34g2 accesses a predetermined address in the memory 37g2 at the time of computation process of a safety control function. Data such as a computation process result of the CPU 34g2 is written in a predetermined address in the memory 37g2.
Accompanying the operation, the independence assurance units 36g1 and 36g2 obtain address information and data of a program operated in the CPU 34g1 via the bus 39g1. The independence assurance units 36g1 and 36g2 obtain address information and data of a program operated in the CPU 34g2 via the bus 39g2.
Using the obtained address information and data, the independence assurance units 36g1 and 36g2 compare the address and data of a program presently executed in the own system with the address and data of a program executed in the other system. That is, the independence assurance units 36g1 and 36g2 determine whether the program executed in the own system and that executed in the other system match or not (execution program monitoring function).
It is assumed that, by the execution program monitoring function, the independence assurance units 36g1 and 36g2 detect mismatch of the programs executed in the CPUs 34g1 and 34g2 in the systems. In this case, the independence assurance units 36g1 and 36g2 notify the CPUs 34g1 and 34g2, respectively, belonging to the own systems of the fact that the program executed in the other system differs from the program executed in the own system. When the independence assurance units 36g1 and 36g2 detect the mismatch of the programs, the elevator safety control device 25A stops the car 1 in any of the modes described in the first embodiment.
In the CPUs 34g1 and 34g2, basically, computing process according to the same program is simultaneously executed. Each of the CPUs 34g1 and 34g2 outputs a computation result as a result of the computing process to the intercomparator 40.
The intercomparator 40 compares the received computation results. As described above, basically, the same computing process is executed in the CPUs 34g1 and 34g2, so that the computation results received by the intercomparator 40 are the same. However, it is assumed that, for some reason, the intercomparator 40 detects mismatch of the computation results as a result of the comparison. In this case, the elevator safety control device 25A stops the car 1 in any of the modes described in the first embodiment.
Operations until the stop of the car, based on the memory interference monitoring function and the execution time monitoring function are as described in the first to third embodiments.
First, the CPUs 34g1 and 34g2 perform computation of a single predetermined safety control function (step S11). At the time of the computation, the independence assurance units 36g1 and 36g2 monitor match/mismatch of a program executed in the own system and a program executed in the other system by the execution program monitoring function (step S12).
It is assumed that any of the independence assurance units 36g1 and 36g2 detects mismatch of the programs executed (“YES” in step S12). In this case, the elevator safety control device 25A stops the car 1 in any of the above-described modes (step S20).
On the other hand, it is assumed that both of the independence assurance units 36g1 and 36g2 determine that the programs executed match (“NO” in step S12). In this case, the operation of the elevator safety control device 25A shifts to step S13.
In step S13, the intercomparator 40 compares computation results output from the CPUs 34g1 and 34g2. It is assumed that the intercomparator 40 detects mismatch of the received computation results (“YES” in step S13). In this case, the elevator safety control device 25A stops the car 1 in any of the above-described modes (step S20).
On the other hand, it is assumed that the intercomparator 40 detects match of the received computation results (“NO” in step S13). In this case, the elevator safety control device 25A shifts to the operation of the memory interference monitoring function.
The independence assurance units 36g1 and 36g2 monitor whether the independence of a safety control function is assured or not by the memory interference monitoring function (step S14). The operation in step S14 executed by each of the independence assurance units 36g1 and 36g2 is the same as that in step S2 in
It is assumed that any of the independence assurance units 36g1 and 36g2 detects the presence of memory interference (“YES” in step S14). In this case, the elevator safety control device 25A stops the car 1 in any of the above-described modes (step S20).
On the other hand, it is assumed that both of the independence assurance units 36g1 and 36g2 determine the absence of memory interference (“NO” in step S14). In this case, each of the independence assurance units 36g1 and 36g2 makes determination by the operation of the execution time monitoring function (step S15).
In step S15, each of the independence assurance units 36g1 and 36g2 determines whether individual computation process time exceeds specified time. The operation in step S15 executed in each of the independence assurance units 36g1 and 36g2 is the same as that in step S3 in
It is assumed that any of the independence assurance units 36g1 and 36g2 detects that computation of a predetermined safety control function is not finished within specified time (“YES” in step S15). In this case, the elevator safety control device 25A stops the car 1 in any of the above-described modes (step S20).
On the other hand, it is assumed that both of the independence assurance units 36g1 and 36g2 detect that computation of a predetermined safety control function is finished within specified time (“NO” in step S15). In this case, the operation of the elevator safety control device 25A shifts to step S16.
In step S16, the independence assurance units 36g1 and 36g2 monitor whether a computation result of a predetermined safety control function stored in the output buffer 35 is a normal value or not. The operation in step S16 executed in each of the independence assurance units 36g1 and 36g2 is the same as that in step S4 in
It is assumed that any of the independence assurance units 36g1 and 36g2 detects that the computation result is “error” (a result determined as “abnormal” from the viewpoint of safety of the elevator) (“YES” in step S16). In this case, the elevator safety control device 25A stops the car 1 in any of the above-described modes (step S20).
On the other hand, it is assumed that each of the independence assurance units 36g1 and 36g2 detects that the computation result is normal (a result determined as “normal” from the viewpoint of safety of the elevator) (“NO” in step S16). In this case, the elevator safety control device 25A determines whether the execution of computation of all of safety control functions provided has been finished or not (step S17).
In the case where computation of all of the safety control functions has not been completed (“NO” in step S17), the elevator safety control device 25A selects one of safety control functions which are not computed yet, and repeatedly executes the operation from step S11 on the selected safety control function.
On the other hand, in the case where computation of all of the safety control functions is completed (“YES” in step S17), the independence assurance units 36g1 and 36g2 determine whether total computation process time exceeds specified time or not (step S18). The operation in step S18 executed by each of the independence assurance units 36g1 and 36g2 is the same as that in step S6 in
It is assumed that any of the independence assurance units 36g1 and 36g2 detects that computation of all of the safety control functions is not finished within specified time (“YES” in step S18). In this case, the elevator safety control device 25A stops the car 1 in any of the above-described modes (step S20).
On the other hand, it is assumed that both of the independence assurance units 36g1 and 36g2 detect that computation of all of the safety control functions is finished within specified time (“NO” in step S18). In this case, the normal operation of the elevator by the drive controller 24 is continued (step S19).
In the flowchart of
As described above, to the elevator safety control device 25A according to the embodiment, in addition to the series of operations of
Therefore, the reliability of the elevator safety control system of the embodiment can be made higher than that in the first embodiment.
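Steps S12 and S13 of the fourth embodiment, as an added C example that is not code from the patent. Modelling what each unit sees on a bus as a list of address/data pairs, the trace values and all identifiers are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One address/data pair observed on a system's bus (modelling assumption). */
typedef struct { uint32_t addr; uint32_t data; } bus_txn_t;

typedef struct {
    uint8_t          process_id;  /* notified by the CPU of this system */
    const bus_txn_t *trace;       /* what the units saw on this system's bus */
    size_t           trace_len;
    uint32_t         result;      /* value sent to the intercomparator 40 */
} system_view_t;

typedef enum {
    DUAL_CONTINUE = 0,
    DUAL_STOP_PROGRAM_MISMATCH,   /* "YES" in step S12 */
    DUAL_STOP_RESULT_MISMATCH     /* "YES" in step S13 */
} dual_verdict_t;

/* Execution program monitoring: index of the first transaction at which
 * the two systems differ, or -1 when they match. A trace that ends early
 * (one CPU stalled) diverges at the length of the shorter trace. */
long first_divergence(const system_view_t *own, const system_view_t *other)
{
    size_t n = own->trace_len < other->trace_len ? own->trace_len
                                                 : other->trace_len;
    if (own->process_id != other->process_id)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (own->trace[i].addr != other->trace[i].addr ||
            own->trace[i].data != other->trace[i].data)
            return (long)i;
    return own->trace_len == other->trace_len ? -1 : (long)n;
}

/* S12 is evaluated before S13. On the device both units 36g1 and 36g2
 * run this comparison, and a mismatch seen by either one stops the car. */
dual_verdict_t dual_check(const system_view_t *s1, const system_view_t *s2)
{
    if (first_divergence(s1, s2) >= 0)
        return DUAL_STOP_PROGRAM_MISMATCH;
    if (s1->result != s2->result)
        return DUAL_STOP_RESULT_MISMATCH;
    return DUAL_CONTINUE;
}

/* Constructed traces. T_FLIP has one bit flipped in an intermediate
 * value (80 -> 84); the final value written is still 1. */
static const bus_txn_t T_GOOD[] = {{0x1000u, 120}, {0x1004u, 80}, {0x1008u, 1}};
static const bus_txn_t T_FLIP[] = {{0x1000u, 120}, {0x1004u, 84}, {0x1008u, 1}};

static const system_view_t SYS_GOOD    = {1, T_GOOD, 3, 1};
static const system_view_t SYS_FLIP    = {1, T_FLIP, 3, 1};
static const system_view_t SYS_STALLED = {1, T_GOOD, 2, 1};
static const system_view_t SYS_BAD_OUT = {1, T_GOOD, 3, 0};

dual_verdict_t demo_match(void)       { return dual_check(&SYS_GOOD, &SYS_GOOD); }
/* Results agree (1 == 1), yet the programs diverged: S12 catches it. */
dual_verdict_t demo_latent_flip(void) { return dual_check(&SYS_GOOD, &SYS_FLIP); }
long           demo_flip_index(void)  { return first_divergence(&SYS_GOOD, &SYS_FLIP); }
long           demo_stall_index(void) { return first_divergence(&SYS_GOOD, &SYS_STALLED); }
/* Traces agree but the output differs: only S13 catches it. */
dual_verdict_t demo_bad_output(void)  { return dual_check(&SYS_GOOD, &SYS_BAD_OUT); }

int main(void)
{
    printf("match:       %d\n", (int)demo_match());
    printf("latent flip: %d at transaction %ld\n",
           (int)demo_latent_flip(), demo_flip_index());
    printf("stall:       diverges at transaction %ld\n", demo_stall_index());
    printf("bad output:  %d\n", (int)demo_bad_output());
    return 0;
}
```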
In the connection relations shown in
In the embodiment, the case where two configuration groups each made of the CPU, the memory, and the independence assurance unit are provided has been described (the first and second systems). Alternatively, a configuration of three or more configuration groups may be employed (a configuration having three or more systems is also possible). In this case as well, wiring connection so that data and signals can be shared among the systems is necessary, and the intercomparator 40 is connected to each of the CPUs. Also in the case of such a configuration, obviously, the effect of improvement in reliability of the elevator safety control system described in the embodiment is obtained.
1 car, 2 hoisting machine, 6 brake, 23 control board, 24 drive controller, 25, 25A elevator safety control device (safety control substrate), 30 switch, 31 sensor, 32 input unit, 33 input buffer, 34, 34g1, 34g2 CPU, 35 output buffer, 36, 36g1, 36g2 independence assurance unit, 37, 37g1, 37g2 memory, 38 output unit, 40 intercomparator
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/JP2010/054230 | 3/12/2010 | WO | 00 | 7/18/2012 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2011/111223 | 9/15/2011 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
4345670 | Kaneko et al. | Aug 1982 | A |
4350225 | Sakata et al. | Sep 1982 | A |
4473135 | Yonemoto | Sep 1984 | A |
5387769 | Kupersmith et al. | Feb 1995 | A |
6173814 | Herkel et al. | Jan 2001 | B1 |
6286628 | Lee | Sep 2001 | B1 |
6470430 | Fischer et al. | Oct 2002 | B1 |
7415476 | Borrowman | Aug 2008 | B2 |
7419032 | Yamakawa | Sep 2008 | B2 |
7503432 | Chida | Mar 2009 | B2 |
7896135 | Kattainen et al. | Mar 2011 | B2 |
20010021966 | Kawasaki et al. | Sep 2001 | A1 |
20070125604 | Ohira | Jun 2007 | A1 |
20100187047 | Gremaud et al. | Jul 2010 | A1 |
20110036667 | Ueda et al. | Feb 2011 | A1 |
20120279809 | Ogava et al. | Nov 2012 | A1 |
Number | Date | Country |
---|---|---|
199 27 657 | Jan 2001 | DE |
2 276784 | Nov 1990 | JP |
2001-325150 | Nov 2001 | JP |
2002 91826 | Mar 2002 | JP |
2002 538536 | Nov 2002 | JP |
2004 137055 | May 2004 | JP |
10-2010-0129340 | Dec 2010 | KR |
2005 115898 | Dec 2005 | WO |
2006 090470 | Aug 2006 | WO |
2007 057973 | May 2007 | WO |
2009 157085 | Dec 2009 | WO |
Entry |
---|
Office Action issued Sep. 3, 2013 in Japanese Application No. 2012-504248 (With English Translation). |
Office Action issued Nov. 11, 2013 in German Patent Application No. 11 2010 005 384.7 (with English translation). |
International Preliminary Report on Patentability Issued Oct. 2, 2012 in PCT/JP10/54230 Filed Mar. 12, 2010. |
International Search Report Issued Jul. 20, 2010 in PCT/JP10/54230 Filed Mar. 12, 2010. |
Combined Chinese Office Action and Search Report issued Mar. 4, 2014 in Patent Application No. 201080064973.1 (with English language translation). |
Office Action issued Jul. 22, 2013 in Korean Patent Application No. 10-2012-7022851 (with partial English language translation). |
Number | Date | Country |
---|---|---|
20120292136 A1 | Nov 2012 | US |