[0001] The present invention relates to an elevator safety system and a method for supervising
the safety of an elevator which simplify the architecture of the travelling cable
concerning the transmission of safety signals.
[0002] Conventional elevator safety systems use a so-called safety chain which is a serial
circuit comprised of switches and contacts. The switches and contacts are operated
by safety devices of the elevator system such as the overspeed governor and the limit
switch of the car and the switches and locks of the landing doors. The safety chain
operates relays that handle power to the motor and the brake of the elevator. A safety
operation of any contact within the serial circuit will disconnect the motor or drive
from the main power supply to stop the car.
[0003] In recent years, the safety chain formed by a serial circuit of contacts and switches
has been replaced by a safety chain comprising a safety bus connecting a plurality
of bus nodes to an electronic safety controller. Each of the bus nodes receives data
from a sensor detecting a safety condition of the elevator system. On the basis of
the condition signals received via the safety bus the controller controls the drive
and brake system of the elevator. Such an electronic safety system for an elevator
is disclosed e.g. in
US 6,173,814 B1.
[0004] In an elevator system, two main zones have to be considered: the car and the shaft.
Some of the safety devices are located in the shaft only, some in the car only, and
some span both. Therefore, the safety chain of an elevator comprises a safety bus
spanning the car and the shaft over the travelling cable connected to the car.
[0005] It is an objective of the present invention to simplify the architecture of the travelling
cable concerning the transmission of safety signals between the car and the shaft.
[0006] This object is achieved by providing an elevator safety system showing the features
of claim 1 and a method for supervising the safety of an elevator showing the features
of claim 10, respectively. Further developments and advantageous embodiments are defined
in the dependent claims.
[0007] The elevator safety system of the invention comprises a controller for controlling
a safety mechanism of an elevator, a safety bus connected to the controller, and a
plurality of strings of safety contacts in communication with the safety bus via a
bus node. The bus nodes each transmit a signal determining a condition of the respective
string to the controller via the safety bus in a digitized form and further comprise
transmission means for transmitting the digitized condition signals in a time division
multiplexed manner. The controller comprises demultiplexing means for demultiplexing
the digitized condition signals received via the safety bus.
[0008] According to the present invention, the bus nodes each transmit the condition signals
of the respective strings to the controller via the safety bus in a digitized form
and in a time division multiplexed manner. Therefore, the architecture of the safety
bus and thus the transmitting components comprising the safety bus may be simplified
while retaining the required safety, reliability and compatibility with current norms
and standards. The present invention offers a solution that can be implemented using
cost effective electronics so that the cost increase in the electronics is more than
compensated by the cost decrease in the safety bus and the transmitting means, respectively.
[0009] In a preferred embodiment, the bus nodes further comprise encoding means for encoding
the digitized condition signals.
[0010] Preferably, a communication time on the safety bus is divided into slots and each
of the transmission means of the bus nodes transmits in one of these slots. More preferably,
the number of the slots is greater than the number of the transmission means of the
bus nodes. In this case, the safety bus may be further adapted to carry out voice
communication.
[0011] The present invention is advantageously implemented for the bus nodes provided at
a car of the elevator system, wherein the safety bus connecting the bus nodes to the
controller is arranged in a travelling cable of the elevator system connected to the
car. Preferably, the safety bus arranged in the travelling cable is formed by a twisted
pair.
[0012] To provide a more complete understanding of the present invention, and for further
objects, features and advantages thereof, reference is now made to the following description
taken in conjunction with the accompanying drawings, in which:
- Figure 1 is a simplified block diagram showing the concept of the elevator safety
system of the present invention;
- Figure 2 is an illustrative example of a safety chain used in the elevator safety
system of Figure 1;
- Figure 3 is a schematic representation of a safety chain for illustrating the logical
concept of the elevator safety system of Figure 1;
- Figure 4 is a simplified block diagram showing the concept of the elevator safety
system of the present invention having redundancy;
- Figure 5 is a schematic block diagram showing the inventive concept of the signal
transmission of the elevator safety systems of Figures 1 and 4; and
- Figure 6 is a schematic block diagram showing the inventive concept of the signal
transmission of Figure 5 with additional redundancy.
[0013] It is the purpose of the present invention to provide a way of replacing the part
of the safety chain that goes over the travelling cable of the elevator system with
a digital system, while retaining the traditional nature of the safety chain in the
rest of the elevator, both in the car and in the shaft.
[0014] The so-called safety chain of an elevator is a combination of strings of contacts,
connected together at nodes. A voltage is defined at one end of the chain, and the
resulting current at the other end of the chain is used to control the brake.
Two main zones have to be considered in an elevator system: the car and the shaft.
Some of the single strings are located in the shaft only, some in the car only, and
some span both, going over the above-mentioned travelling cable.
[0015] The main parts of the safety chain are monitored by the controller. In the following
description, a node is any one of the following three items: a point where three or
more strings are connected together, a point which is measured by the controller,
or a point in the travelling cable. A string is therefore defined as a series of contacts
not interrupted by such a node.
[0016] Figure 2 shows a possible safety chain for the EN81 standard. In this diagram, reference
numbers 2 represent chain strings including one or more contacts 3, reference number
4 represents the starting node, reference numbers 6 represent chain nodes, and reference
number 8 represents the final node. The input voltage is given at the starting node
4, and the output current of the final node 8 is used for safety control.
[0017] Each string will have a state ("0" or "1") depending on the position of the various
contacts 3 determining the condition of a safety device of the elevator. The safety
devices of the elevator system are e.g. an overspeed sensor detecting the actual velocity
of the car, landing door sensors each located near a landing door, an elevator car
door sensor, an emergency stop switch sensor, an inspection switch sensor, etc.
[0018] The state of the final node 8 can in fact be represented by a logical equation of
the states of the individual strings. The idea of this invention is to implement this
equation in hardware in the electronics of the shaft, while retaining the same safety
and reliability of the current safety circuit.
[0019] Each string 2, instead of being connected in a serial safety circuit, operates
independently, and the state of the final chain node 8 is computed from the states
of the individual strings using a logical equation. This is illustratively shown in
Figure 3.
[0020] In Figure 3, the starting node is again denoted by reference numeral 4 and the
final node by reference numeral 8. The strings are denoted by reference
numerals 2A through 2G. The logical equation derived from that simplified safety chain
may be defined as follows:
8 = 2A AND ((2D AND 2E) OR (2B AND 2C)) AND 2F AND 2G
[0021] The person skilled in the art will be able to derive a corresponding logic equation
even from more complex safety chains (e.g. as shown in Figure 2) in a similar way.
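The equation of Figure 3 can be held as data rather than as fixed logic. The following is an added example, not part of the patent text: it assumes the chain is a series of stages, each made of parallel branches as in Figure 3, and the names `stage_t`, `FIG3_CHAIN` and `chain_closed` are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions of the strings 2A..2G of Figure 3 in the string-state word. */
enum { S2A, S2B, S2C, S2D, S2E, S2F, S2G };
#define BIT(s) (1u << (s))

#define MAX_BRANCHES 4

/* One series stage of the chain: parallel branches, each a set of strings
 * that must all read "1". The stage conducts if any one branch conducts. */
typedef struct {
    uint32_t branch[MAX_BRANCHES];   /* 0 marks an unused branch */
} stage_t;

/* 8 = 2A AND ((2D AND 2E) OR (2B AND 2C)) AND 2F AND 2G */
static const stage_t FIG3_CHAIN[] = {
    { { BIT(S2A) } },
    { { BIT(S2D) | BIT(S2E), BIT(S2B) | BIT(S2C) } },
    { { BIT(S2F) } },
    { { BIT(S2G) } },
};
#define FIG3_STAGES (sizeof FIG3_CHAIN / sizeof FIG3_CHAIN[0])

/* Returns true (final node "1") only if every stage has a conducting branch.
 * Any missing table or open stage yields false, the safe state. */
bool chain_closed(const stage_t *chain, size_t stages, uint32_t strings)
{
    if (chain == NULL || stages == 0)
        return false;
    for (size_t i = 0; i < stages; i++) {
        bool conducts = false;
        for (size_t b = 0; b < MAX_BRANCHES; b++) {
            uint32_t need = chain[i].branch[b];
            if (need != 0 && (strings & need) == need)
                conducts = true;
        }
        if (!conducts)
            return false;
    }
    return true;
}

int main(void)
{
    uint32_t all = 0x7Fu;   /* constructed input: all seven strings closed */
    printf("all closed: %d\n", chain_closed(FIG3_CHAIN, FIG3_STAGES, all));
    printf("2B open:    %d\n",
           chain_closed(FIG3_CHAIN, FIG3_STAGES, all & ~BIT(S2B)));
    printf("2G open:    %d\n",
           chain_closed(FIG3_CHAIN, FIG3_STAGES, all & ~BIT(S2G)));
    return 0;
}
```

Swapping the table changes the equation without touching the evaluator; chains with deeper nesting than Figure 3 would need a richer table format.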
[0022] More generally, the elevator safety system can be represented as shown in Figure
1.
[0023] A controller 10 including a safety circuit logical state computation unit controls
a safety mechanism 12 of the elevator system. The safety mechanism 12 is, for example,
the drive and brake system of the elevator. The controller 10 is in communication
with a plurality of strings 22a ... 22n located in the shaft 20 as well as with a
plurality of strings 32a ... 32n located at the elevator car 30, via bus nodes 24a
... 24n and bus nodes 34a ... 34n, respectively.
[0024] The safety circuit logical state computation unit of the controller 10 can be reprogrammable,
therefore allowing the same hardware to serve different elevator norms. Indeed, most
of the contacts on the strings 22, 32 are the same worldwide, but the way the strings
are connected together is different for each norm or regional requirement. For example,
the numbers of strings and nodes for the A17 and EN81 norms are:
| | A17 | EN81 |
|---|---|---|
| Strings in car | 13 | 8 |
| Strings in Shaft | 9 | 11 |
| Total Nodes | 22 | 19 |
[0025] The output of the controller 10, as the output of the safety chain, is normally used
to drive relays that will open the brake and motor phases of the elevator (safety
mechanism 12). Because the system has to ensure that the brake is closed in case of
a single failure, the controller 10 has to be duplicated in order to make a redundant
implementation, as shown in Figure 4.
[0026] The controller 10 may be duplicated or multiplied to reach the desired level of failure
rate. Depending on the requirements of the code, the relays to the brake might need
to have an additional forcibly guided contact 11 that allows an external supervision
device 9 to check their status and stop the elevator if an error is detected.
[0027] Referring to Figures 5 and 6, the inventive transmission of the status signals of
the bus nodes 32 via the safety bus 14 arranged in the travelling cable connected
to the car of the elevator is explained in more detail.
[0028] Each chain node state must be transmitted over the travelling cable using a safe
system. Furthermore, to reduce the number of wires, the chain node state should be
transmitted by means of a unique medium, such as a twisted pair, already existing
in the current travelling cables.
[0029] According to the present invention, this is achieved using a combination of a type
of Time Division Multiplexing and Redundancy (e.g. Simple Redundancy or Triple Voting),
specifically tailored for the application and compatible with the normative requirements.
[0030] The main system characteristics considered here are as follows. The system must operate
safely in case of a single component failure, and should avoid passenger entrapment.
The system must be able to detect a single component failure and stop operation, if
possible after releasing the passengers. The system must transmit the information
over a single transmission medium.
[0031] For a single chain node 32i, the system is shown in Figure 5.
[0032] The signal conditioning units 35 are controlled-failure-mode resistors and a resistive
divider bridge which ensure that there is no uncontrolled failure propagation from
one side to the other. Indeed, the only failure mode of this resistor is open-circuit,
guaranteeing safe operation in case of failure: the pull-down resistor pulls the signal
low, thereby transmitting a "0", which is the safe state. The pull-down itself must
have short-circuit as its unique failure mode.
[0033] The state capture units 36 forming the encoding means of the invention encode the
state of the chain node 32i. If the overall reliability of the system is good enough,
this can be a simple one-to-one translation, but safety can be enhanced by encoding
the state to make sure that an error in the transmission medium over the travelling
cable does not result in the receiving end misinterpreting the state. A possible mechanism
to do this is to transmit only "0" in case the node reads "0", and to transmit continuously
some node identifier if the state of the node reads "1". Then, on the receiving end,
a decoder would only grant the "1" state to the node 32i if it received the correct
sequence for the correct node. Any error would result in a "0" state being granted
by the receiving end, which is the safe state. This can only be implemented if it
does not impact negatively on the reaction time of the system.
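The identifier mechanism of paragraph [0033] can be checked exhaustively for small word sizes. The following is an added example, not part of the patent text: the 16-bit codeword (identifier plus its complement), the count of 32 nodes and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NODE_COUNT 32u   /* assumed number of node states carried per slot */

/* Assumed codeword: identifier in the high byte, its bitwise complement in
 * the low byte. Every codeword then has exactly eight 1 bits, and any two
 * different codewords differ in at least two bit positions. */
uint16_t node_codeword(uint8_t node_id)
{
    return (uint16_t)((node_id << 8) | (uint8_t)~node_id);
}

/* State capture side: "0" is sent as all zeros, "1" as the node identifier. */
uint16_t encode_state(uint8_t node_id, bool closed)
{
    return closed ? node_codeword(node_id) : 0u;
}

/* Receiving side: grant "1" only for the exact codeword of the expected
 * node; every other word, corrupted or not, decodes as the safe "0". */
bool decode_state(uint8_t expected_node, uint16_t word)
{
    return word == node_codeword(expected_node);
}

/* Exhaustive check: for every receiving node, take each word that must
 * decode as "0" (the all-zero word and every other node's codeword), flip
 * each single bit in turn, and count wrongly granted "1" states. */
unsigned false_ones_single_bit(void)
{
    unsigned count = 0;
    for (unsigned rx = 0; rx < NODE_COUNT; rx++) {
        for (unsigned tx = 0; tx <= NODE_COUNT; tx++) {
            if (tx == rx)
                continue;
            uint16_t sent = (tx == NODE_COUNT) ? 0u
                                               : node_codeword((uint8_t)tx);
            for (unsigned bit = 0; bit < 16; bit++)
                if (decode_state((uint8_t)rx, (uint16_t)(sent ^ (1u << bit))))
                    count++;
        }
    }
    return count;
}

int main(void)
{
    printf("codeword for node 5: 0x%04X\n", (unsigned)encode_state(5, true));
    printf("false \"1\" under single-bit errors: %u\n", false_ones_single_bit());
    return 0;
}
```

The check covers single-bit errors only; with this codeword, two flipped bits can turn one node's identifier into another's, so a real design would size the code distance to the error model of the cable.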
[0034] Another mechanism that can be implemented in the state capture units 36 is an independent
watchdog to ensure that a failure of the state capture units 36 does not permanently
bring the communication bus down. In case of a bus 14 with recessive / dominant states
for example, this would mean to check that the unit does not remain stuck in the dominant
state. As above, this is optional and only necessary in case of a low reliability
of the components used to build the unit.
[0035] On the side of the elevator car, the bus node 34i further comprises transmission
units 37 and bus drivers 38 connected to the safety bus 14. With the construction
shown in Figure 14, the bus node 34i is able to transmit a signal determining the
condition of the respective string 32i in a digitized form and in a time division
multiplexed manner.
[0036] On the side of the shaft 20 and the controller 10 there is provided a bus driver
16 connected to the safety bus 14 and reception units 17 for demultiplexing the condition
signals transmitted via the safety bus 14. The reception units 17 are each connected
to the controller 10 via a triple voting unit 18, which informs the controller 10 in case
of a mismatch between the reception units 17.
[0037] For more than one transmission channel, the same transmission and reception units
37, 17 can be used. Preferably, however, the reception part has to be doubled as can
be seen in Figure 6.
[0038] The inventive implementation for the transmission of the information over the safety
bus 14 in the travelling cable must be made in a deterministic way to allow for an
easier certification process. For this reason, a synchronous time division multiplexing
approach is implemented. This avoids having to manage collisions and therefore avoids
non-deterministic behaviour of the system.
[0039] The communication time on the safety bus 14 is divided into slots, and each of the
transmission units 37 transmits in one of the slots. There may be more than three
time slots, where the additional time slots are used for other purposes such as voice
communication, for example.
[0040] Given the analysis made above, each slot must be able to transmit at least 13 or
8 node states depending on the safety chain implementation. To account for future
expansions, at least 32 node states may be considered.
[0041] A possible implementation will also consider the use of a synchronization slot.
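The reception side of paragraphs [0036] and [0039] to [0041] can be sketched as a demultiplexer followed by a voter. The following is an added example, not part of the patent text: the frame layout (one synchronization slot plus three 32-bit slots), the `SYNC_WORD` value and all names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SYNC_WORD 0xA55Au   /* constructed value for the synchronization slot */
#define SLOTS     3         /* assumed: one slot per transmission unit 37 */

/* One TDM frame as sampled from the bus: the synchronization slot, then one
 * 32-bit word of node states per transmission unit (bit n = node n). */
typedef struct {
    uint16_t sync;
    uint32_t slot[SLOTS];
} tdm_frame;

typedef struct {
    bool     valid;      /* frame was synchronized */
    uint32_t states;     /* voted node states; a 0 bit is the safe state */
    uint32_t mismatch;   /* bits on which the reception units disagree */
} voted_states;

/* Demultiplexes the three slots and takes a bitwise 2-of-3 majority. An
 * unsynchronized frame yields all nodes "0". */
voted_states demux_and_vote(const tdm_frame *f)
{
    voted_states out = { false, 0u, 0u };
    if (f->sync != SYNC_WORD)
        return out;
    uint32_t a = f->slot[0], b = f->slot[1], c = f->slot[2];
    out.valid    = true;
    out.states   = (a & b) | (a & c) | (b & c);
    out.mismatch = (a ^ b) | (a ^ c);
    return out;
}

/* Identifies the unit whose slot deviates from the voted word:
 * -1 = none, 0..2 = that unit, -2 = more than one unit deviates. */
int disagreeing_unit(const tdm_frame *f, uint32_t voted)
{
    int who = -1;
    for (int i = 0; i < SLOTS; i++) {
        if (f->slot[i] != voted) {
            if (who != -1)
                return -2;
            who = i;
        }
    }
    return who;
}

int main(void)
{
    /* Constructed frame: unit 1 reports node 1 as "0", the others as "1". */
    tdm_frame f = { SYNC_WORD, { 0x0Fu, 0x0Du, 0x0Fu } };
    voted_states v = demux_and_vote(&f);
    printf("valid=%d states=0x%02X mismatch=0x%02X unit=%d\n", v.valid,
           (unsigned)v.states, (unsigned)v.mismatch,
           disagreeing_unit(&f, v.states));
    return 0;
}
```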
[0042] As the communication medium may not be perfect every time, two failures have to be
taken into account. First, the communication between the transceivers and receivers
may be lost and the elevator may therefore be unnecessarily stopped. Second, even
if the transmission is successful, the content of the transmission may get corrupted
and dangerous information may be potentially transmitted. As the controller 10 computes
a safe state (safety circuit open) or a potentially dangerous state (safety circuit
closed), this state will have to be filtered before acting on the safety mechanism
12.
[0043] To account for this, preferably, two filters are defined. If no communication is
present on the safety bus 14, the controller 10 must of course produce the safe state.
If the communication is resumed, the controller 10 may immediately produce the state
defined by the bus contents. But in case the communication is lost, the controller
10 should not immediately force the safe state, but remain in the potentially dangerous
state for a predefined delay, to allow for short bus disruptions.
[0044] Once the bus communication is established, the communication unit should not allow
the potentially dangerous state immediately, but wait for the state defined by the
bus to be stable for a predefined number of transmissions. On the other hand, if the
bus contents signify a safe state, the controller 10 should switch to the safe state
immediately.
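The two filters of paragraphs [0043] and [0044] can be combined in one per-frame state machine. The following is an added example, not part of the patent text: the thresholds, the names and the choice to restart the stability count after a communication timeout are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

#define STABLE_FRAMES  3u  /* assumed: "closed" frames needed before release */
#define LOSS_TOLERANCE 2u  /* assumed: missing frames bridged before tripping */

typedef struct {
    unsigned closed_run;   /* consecutive received frames reporting "closed" */
    unsigned missed;       /* consecutive frame periods without a valid frame */
    bool     closed;       /* filtered output; false is the safe state */
} chain_filter;

/* Call once per frame period. frame_ok: a valid frame arrived this period.
 * bus_closed: chain state computed from that frame (ignored if !frame_ok).
 * Returns true only while the potentially dangerous state is allowed. */
bool filter_step(chain_filter *f, bool frame_ok, bool bus_closed)
{
    if (!frame_ok) {
        /* Filter 1: hold the last output over a short disruption, then
         * force the safe state and restart the stability count. */
        if (f->missed <= LOSS_TOLERANCE)
            f->missed++;
        if (f->missed > LOSS_TOLERANCE) {
            f->closed = false;
            f->closed_run = 0;
        }
        return f->closed;
    }
    f->missed = 0;
    if (!bus_closed) {
        /* A frame signifying the safe state takes effect immediately. */
        f->closed = false;
        f->closed_run = 0;
    } else {
        /* Filter 2: "closed" must be stable for STABLE_FRAMES frames. */
        if (f->closed_run < STABLE_FRAMES)
            f->closed_run++;
        if (f->closed_run >= STABLE_FRAMES)
            f->closed = true;
    }
    return f->closed;
}

/* Feeds a trace ('C' closed frame, 'O' open frame, '-' no frame) through a
 * fresh filter and writes '1' or '0' per period into out (NUL-terminated;
 * out must hold the trace length plus one). */
void run_trace(const char *trace, char *out)
{
    chain_filter f = { 0u, 0u, false };
    size_t i = 0;
    for (; trace[i] != '\0'; i++)
        out[i] = filter_step(&f, trace[i] != '-', trace[i] == 'C') ? '1' : '0';
    out[i] = '\0';
}

int main(void)
{
    char out[32];
    run_trace("CCC--C---CCCO", out);   /* constructed trace */
    printf("%s\n", out);
    return 0;
}
```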
[0045] Furthermore, it should be noted that the different state capture and transmission
units 36, 37 of the bus nodes 34 may also be implemented in a single component having
the required number of inputs. The same is also valid for the triple voting units
18 and the controllers 10. That means that the hardware is reduced to three identical
hardware units on the car 30 and two identical hardware units in the controller 20
located in the shaft 20.
[0046] With the present invention, the overall cost of the system may be reduced, especially
in case of long travelling cables where the additional cost of the units is more than
compensated by the reduction in cost of the travelling cable.
[0047] Furthermore, the controller has a better view of the safety chain and the safety
chain can be easily reconfigured in case of code modifications, avoiding changing
the hardware in elevators already installed.
[0048] One of the most important structural improvements can be reached when considering
that the time division multiplexing bus may also be used to transport voice communication.
Having both safety circuit information and voice communication over a single twisted
pair yields significant cost reductions for the whole elevator system.
[0049] In the above description, the inventive signal transmission has been explained taking
the bus nodes 32 on the side of the elevator car 30 as an example. In general, however,
the bus nodes 22 on the shaft side 20 may also use the inventive system, although
the advantageous effect of the present invention is especially apparent for the safety
bus 14 running through the travelling cable of the elevator car.
1. An elevator safety system, comprising:
a controller (10) for controlling a safety mechanism (12) of an elevator;
a safety bus (14) connected to said controller (10); and
a plurality of strings of safety contacts (32) in communication with said safety bus
(14) via a bus node (34),
characterized in that
said bus nodes (34) each transmit a signal determining a condition of the respective
string (32) to said controller (10) via said safety bus (14) in a digitized form;
said bus nodes (34) comprise transmission means (37) for transmitting the digitized
condition signals in a time division multiplexed manner; and
said controller (10) comprises demultiplexing means (17) for demultiplexing the digitized
condition signals received via said safety bus (14).
2. The elevator system according to claim 1, wherein
said bus nodes (34) further comprise encoding means (36) for encoding the digitized
condition signals.
3. The elevator system according to claim 1 or 2, wherein
a communication time on said safety bus (14) is divided into slots and each of said
transmission means (37) of said bus nodes (34) transmits in one of said slots.
4. The elevator system according to claim 3, wherein
the number of said slots is greater than the number of said transmission means (37)
of said bus nodes (34).
5. The elevator system according to any one of preceding claims, wherein
said controller (10) further comprises a voting means (18) receiving the signals output
from the demultiplexing means (17).
6. The elevator system according to any one of preceding claims, wherein
said controller (10) comprises at least two controlling units (10-1, 10-2, ...) connected
in parallel to each other for redundantly controlling said safety mechanism (12).
7. The elevator system according to any one of preceding claims, wherein
said bus nodes (34) are provided at a car of said elevator system and said safety
bus (14) connecting said bus nodes (34) to said controller (10) is arranged in a travelling
cable of said elevator system connected to said car.
8. The elevator system according to claim 7, wherein
said safety bus (14) arranged in said travelling cable is formed by a twisted pair.
9. The elevator system according to any one of preceding claims, wherein
said safety bus (14) is further adapted to carry out voice communication.
10. A method for supervising the safety of an elevator having an elevator safety system
comprising a controller (10) for controlling a safety mechanism (12) of an elevator,
a safety bus (14) connected to said controller (10), and a plurality of strings of
safety contacts (32) in communication with said safety bus (14) via a bus node (34),
characterized in that
said bus nodes (34) each transmit a signal determining a condition of the respective
string (32) to said controller (10) via said safety bus (14) in a digitized form and
in a time division multiplexed manner; and
said controller (10) demultiplexes the digitized condition signals received via said
safety bus (14).
11. The method according to claim 10, wherein the digitized condition signals are encoded
in said bus nodes (34).
12. The method according to claim 10 or 11, wherein a communication time on said safety
bus (14) is divided into slots.
13. The method according to any one of claims 10 to 12, wherein a voice communication
is further carried out via said safety bus (14).