Elevator with safety chain overlay control unit with a safety PLC separately monitoring various safety switches for increasing a safety integrity level

Abstract

An elevator has a drive unit displacing an elevator car in an elevator hoistway, an elevator controller controlling operation of the drive unit, multiple safety switches switchable upon occurrence of safety relevant events, and a safety chain overlay control unit including a safety PLC. The PLC has first connectors connected to first safety switch contacts and second connectors connected to second safety switch contacts. The PLC monitors a current safety status of the elevator and identifies a safety critical status by detecting when at least one of the safety switches changes its switching state and comparing the current switching states of the first and second safety switches. The PLC interrupts a main energy supply to the drive unit in response to the safety critical status of the elevator. Comparing switching states of the safety switches connected to the first and second connectors also enables detecting faulty safety switches.

Claims

1. An elevator comprising: a drive unit for displacing an elevator car in an elevator hoistway; an elevator controller for controlling an operation of components of the drive unit; multiple safety switches being switchable upon occurrence of safety relevant events related to the elevator; a safety chain overlay control unit including a safety programmable logic controller (PLC); wherein the safety PLC includes first connectors connected to contacts of at least one first safety switch of the safety switches being one of a single first safety switch or a plurality of first safety switches connected in series to form a first safety chain; wherein the safety PLC includes second connectors connected to contacts of at least one second safety switch of the safety switches being one of a single second safety switch or a plurality of second safety switches connected in series to form a second safety chain; wherein the safety PLC is adapted for monitoring a current safety status of the elevator and identifying a safety critical status of the elevator based on detecting when at least one of the at least one first safety switch and the at least one second safety switch changes its switching state and based on comparing a current switching state of the at least one first safety switch with a current switching state of the at least one second safety switch; and wherein the safety PLC is adapted to cause interruption of a power supply to the drive unit upon identifying the safety critical status of the elevator.

2. The elevator according to claim 1 wherein the switching state of the at least one first safety switch and the switching state of the at least one second safety switch are correlated in a predetermined correlation manner due to structural characteristics of the elevator components and wherein the safety PLC takes into account such predetermined correlation manner upon identifying the safety critical status of the elevator.

3. The elevator according to claim 1 wherein the at least one first safety switch includes a car door switch and the at least one second safety switch includes a plurality of landing door switches connected in series to form the second safety chain.

4. The elevator according to claim 1 wherein: the elevator car includes at least one car door provided with a car door switch; the elevator hoistway includes a plurality of landing doors, each of the landing doors having a landing door switch; the safety PLC includes at least one pair of first connectors being connected to contacts of the car door switch; the safety PLC includes at least one pair of second connectors being connected to end contacts of a safety chain having the landing door switches connected in series; and the safety PLC is adapted to monitor the current safety status of the elevator and identify the safety critical status of the elevator based on detecting when at least one of the car door switch and at least one the landing door switches changes its switching state and based on comparing a current switching state of the car door switch with a current switching state of the at least one landing door switch.

5. The elevator according to claim 1 wherein: the elevator car includes at least two car doors, each of the car doors being provided with a car door switch; the elevator hoistway includes a plurality of landing doors, each of the landing doors having a landing door switch, the landing door switches associated with at least one set of the landing doors being connected in series forming a set safety chain; the safety PLC includes at least two pairs of first connectors, each of the pairs of first connectors being connected to contacts of one of the car door switches; and the safety PLC includes at least one pair of second connectors being connected to end contacts of the set safety chain.

6. The elevator according to claim 5 wherein a number of the pairs of the first connectors corresponds to a number of the car doors and wherein a number of the pairs of the second connectors corresponds to a number of set safety chains formed from the landing doors.

7. The elevator according to claim 1 wherein the safety chain overlay control unit includes at least one door zone switch connected to the safety PLC, the at least one door zone switch being adapted to determine a door zone presence status and communicate the door zone presence status to the safety PLC, the door zone presence status indicating whether or not the elevator car is presently in a predetermined door zone within the elevator hoistway.

8. The elevator according to claim 7 wherein the safety PLC is adapted to take into account the door zone presence status when identifying the safety critical status of the elevator.

9. The elevator according to claim 7 wherein, while the elevator car is in the predetermined door zone, a car door of the elevator car and a neighboring landing doors in the elevator hoistway are mechanically coupled to move synchronously, and wherein the safety PLC is adapted to, when the door zone presence status is indicating that the elevator car is currently in the predetermined door zone within the elevator hoistway, monitor the current safety status of the elevator and identify the safety critical status of the elevator based on comparing the current switching state of the first safety switch being implemented as the car door switch with the current switching state of the first safety chain of landing door switches including a landing door switch associated with the neighboring landing door.

10. The elevator according to claim 1 wherein the safety chain overlay control unit further comprises a main power supply unit providing electric power to the safety PLC and an uninterruptible power supply providing electric power stored in the uninterruptible power supply to the safety PLC upon failure of the main power supply unit to provide the electric power.

11. The elevator according to claim 1 wherein the safety PLC is adapted to, upon monitoring the current safety status of the elevator, apply a pulsed voltage to the safety switches.

12. The elevator according to claim 1 wherein the safety PLC is adapted to fulfill at least safety-integrity-level-2 (SIL-2) requirements.

13. The elevator according to claim 12 wherein the safety PLC is adapted to fulfill safety-integrity-level-3 (SIL-3) requirements.

14. The elevator according to claim 1 comprising: the elevator car having at least one car door provided with a car door switch being the at least one first safety switch; a plurality of landing doors in the elevator hoistway, each of the landing doors provided with a landing door switch, the landing door switches being the at least one second safety switch; wherein the safety PLC has a pair of the first connectors connected to contacts of the car door switch; wherein the safety PLC has at least one pair of the second connectors connected to end contacts of the second safety chain that includes the landing door switches connected in series; wherein the safety PLC identifies the safety critical status of the elevator based on detecting when at least one of the car door switch and the landing door switches changes its switching state and based on comparing a current switching state of the car door switch with a current switching state of the landing door switches; wherein the safety PLC is adapted to cause interruption of a main power supply to the drive unit upon identifying the safety critical status of the elevator; wherein the switching state of the car door switch and the switching state of the landing door switches are correlated in a predetermined correlation manner due to structural characteristics of elevator components and wherein the safety PLC takes into account the predetermined correlation manner upon identifying the safety critical status of the elevator; wherein the safety chain overlay control unit includes at least one door zone switch connected to the safety PLC, the at least one door zone switch being adapted to determine a door zone presence status and communicate the door zone presence status to the safety PLC, the door zone presence status indicating whether or not the elevator car is presently in a predetermined door zone within the elevator hoistway; wherein the safety PLC is adapted to take into account the door zone presence status when identifying the safety critical status of the elevator; and wherein, while the elevator car is in the predetermined door zone, the at least one car door and a neighboring one of the landing doors are mechanically coupled to move synchronously and wherein the safety PLC is adapted to, when the door zone presence status is indicating that the elevator car is currently in the predetermined door zone within the elevator hoistway, monitor the current safety status of the elevator and identify the safety critical status of the elevator based on comparing the current switching state of the car door switch with the current switching state of the second safety chain including the landing door switch associated with the neighboring landing door.

15. A method for modernizing an existing elevator, the elevator including a drive unit for displacing an elevator car in an elevator hoistway, an elevator controller for controlling an operation of components of the drive unit, and multiple safety switches being switchable upon occurrence of safety relevant events related to the elevator, the method comprising: providing a safety chain overlay control unit according to claim 1; connecting the first connectors of the safety PLC to contacts of the at least one first safety switch; and connecting the second connectors of the safety PLC to contacts of the at least one second safety switch.

16. A safety chain overlay control unit for an elevator, the elevator including a drive unit for displacing an elevator car in an elevator hoistway, an elevator controller for controlling an operation of components of the drive unit, multiple safety switches being switchable upon occurrence of safety relevant events related to the elevator, the safety chain overlay control unit comprising: a safety PLC; wherein the safety PLC includes first connectors connectable to contacts of at least one first safety switch of the safety switches being one of a single first safety switch and a plurality of first safety switches connected in series to form a first safety chain; wherein the safety PLC includes second connectors connectable to contacts of at least one second safety switch of the safety switches being one of a single second safety switch and a plurality of second safety switches connected in series to form a second safety chain; wherein the safety PLC is adapted to monitoring a current safety status of the elevator and identifying a safety critical status of the elevator based on detecting when at least one of the at least one first safety switch and the at least one second safety switch changes its switching state and based on comparing a current switching state of the at least one first safety switch with a current switching state of the at least one second safety switch; and wherein the safety PLC is adapted to cause interruption of a main energy supply to the drive unit upon identifying the safety critical status of the elevator.

Description

DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 shows an elevator according to an embodiment of the present invention.

(2) FIG. 2 shows a safety chain overlay control unit for an elevator according to an embodiment of the present invention.

(3) FIG. 3 shows a safety-related part of a control system to be implemented with the safety chain overlay control unit according to an embodiment of the present invention in a specific operation condition of the elevator.

(4) FIG. 4 shows a safety-related part of a control system to be implemented with the safety chain overlay control unit according to an embodiment of the present invention in another specific operation condition of the elevator.

(5) The figures are only schematic and not to scale. Same reference signs refer to same or similar features.

DETAILED DESCRIPTION

(6) FIG. 1 shows an elevator 1 according to an embodiment of the present invention. The elevator 1 comprises an elevator car 5 and a counterweight 7 which are both suspended by a multiplicity of ropes or belts forming a suspension traction member (STM) 9. The STM 9 may be displaced using a drive unit 11 in order to thereby effectuate displacing the elevator car 5 and counterweight 7 within an elevator hoistway 3 in a vertical direction. The drive unit 11 comprises a drive engine including e.g. an electric motor for rotatably driving a traction sheave. Furthermore, the drive unit 11 typically comprises brake means for decelerating a motion of the STM 9 in order to thereby stop the car 5 and counterweight 7 from moving.

(7) An operation of the drive unit 11 is controlled by an elevator controller 13. Particularly, the elevator controller 13 controls or regulates a power supply coming from a power source 15 to the drive unit 11. Particularly, a power supply to the drive engine comprised in the drive unit 11 may be controlled. Furthermore, a power supply to the brake included in the drive unit 11 may be controlled wherein such brake is typically adapted such that upon power supply a braking action is released and at an interruption of the power supply, the braking action is activated.

(8) The elevator 1 furthermore comprises landing doors 21 at each of multiple floors 33 of a building, such landing doors 21 opening and closing an access from a floor 33 to the elevator hoistway 3. Each of the landing doors 21 is provided with a safety switch 17 forming a landing door switch 19. Such landing door switch 19 is closed as long as the associated landing door 21 is closed.

(9) Furthermore, the elevator car 5 comprises a car door 27 opening and closing an access to the elevator car 5. The car door 27 is provided with another safety switch 17 forming a car door switch 29.

(10) While in the example shown in FIG. 1, the elevator car 5 comprises only one car door 27 with one car door switch 29, a car 5 may comprise more than one door. For example, the car 5 may comprise two doors 27 at opposing sides of the car 5. Or the car 5 may comprise several car units at various vertical levels, each having its own door 27 or doors 27. For example, a double decker car has two units at two levels. Each car door 27 may have its own car door switch 29 associated thereto.

(11) Furthermore, a ladder 25 is provided close to a bottom of the elevator hoistway 3. Whether or not the ladder 25 is present and correctly stored is monitored with another safety switch 17 provided as a ladder presence switch 23. Further safety switches 17 may be provided in the elevator 1 for other purposes.

(12) In a conventional elevator, all of such safety switches 17 are connected to the elevator control 13 such that the elevator control 13 may be informed about closing states of all landing doors 21 and of the car door 27 as well as of other features such as the correct storing of the ladder 25. Taking into account such information from the safety switches 17, the elevator controller may then suitably control the drive unit 11. However, increased safety requirements may not always be satisfied in such conventional elevators.

(13) It is therefore proposed to provide a specific safety chain overlay control unit 31 to the elevator 1. Instead of being conventionally electrically directly connected to the elevator controller 13, all of the safety switches 17 may be electrically connected to such safety chain overlay control unit 31, for example via an electrical connection 35 formed by an electric line 37. Therein, the various safety switches 17 may be connected in series such as to form a safety chain. The safety switches 17 forming the car door switch 29 may be connected to the safety chain overlay control unit 31 via a travelling cable (not shown in FIG. 1 for simplicity of representation).

(14) The safety chain overlay control unit 31 being connected to the various safety switches 17 may use the information provided by the safety switches 17 for monitoring a current safety status of the elevator 1 and identifying a safety critical status of the elevator based on detecting when one of the safety switches 17 changes its switching state. For such purpose, the safety chain overlay control unit 31 comprises a safety PLC 43. The safety chain overlay control unit 31 and its safety PLC 43 are adapted to interrupt a main energy supply to the drive unit 11 upon identifying a safety critical status of the elevator 1. For such purpose, a main contactor 41 (only schematically shown in FIG. 1) may be comprised in an electric connection between the elevator controller 13 and the drive unit 11. Alternatively, such main contactor 41 may be provided at a different location within an energy supply path between the power source 15 and the drive unit 11. The safety chain overlay control unit 31 may then cause such main contactor 41 to interrupt a power connection to the drive unit 11 as soon as a safety critical status, such as one of the landing doors 21 being opened, is detected in the elevator 1.

(15) Details of a specific embodiment of a safety chain overlay control unit 31 and its cooperation with the elevator controller 13 and the safety switches 17 will now be explained with reference to FIG. 2.

(16) In the exemplary embodiment shown in FIG. 2, the safety chain overlay control unit 31 is adapted for monitoring a safety critical status of an elevator 1 having two car doors 27, one car door 27 at each of opposing sides of the car 5. Each of the car doors 27 is provided with an associated car door switch 29 which is closed only when the car door 27 is in its closed state. Furthermore, landing doors 21 are provided at each of the floors 33, one landing door 21 being provided at each of opposing sides of the hoistway 3. Each landing door 21 is provided with an associated landing door switch 19. Again, the landing door switches 19 are closed only when the associated landing door 21 is in its closed state.

(17) While the diagram shown in FIG. 2 discloses many details of the embodied safety chain overlay control unit 31 as well as of other components of the elevator that may be understood by those skilled in the art from the circuitry representation, only those features which are relevant for or correlated to the present invention shall be described in more detail.

(18) The safety chain overlay control unit 31 follows state of the art methods of machinery industries as described for example in the standard EN ISO 13849-1. Instead of monitoring for example a voltage in a safety chain that needs to be interpreted as “doors are opened”, as it is conventionally done for example by elevator controllers in existing elevators following more relaxed safety standards, it is proposed herein to directly connect the safety switches 17 forming for example landing door switches 19 and/or car door switches 29 to the safety chain overlay control unit 31 in order to enable direct monitoring of their switching states by such safety add-on device.

(19) The safety chain overlay control unit 31 comprises a safety PLC 43 which may be certified as a safety controller in accordance for example with EN ISO 13849.

(20) In the embodiment shown in FIG. 2, the safety PLC 43 comprises two pairs of first connectors 47 (indicated with D, E, H, I) and two pairs of second connectors 48 (indicated with F, G, J, K). The first connectors 47 are connected each to contacts of a first safety switch 17 formed by a respective one of the car door switches 29. The second connectors 48 are connected each to end contacts of safety chains 20 formed by a series connection of landing door switches 19. Therein, all landing door switches 19 provided at one side of the elevator hoistway 3 are serially connected in order to form one of the safety chains 20.

(21) The safety PLC 43, due to its internal circuitry logics and/or due to its application-specific programming, is then adapted for monitoring the current safety status of the elevator 1 and identifying a safety critical status of the elevator 1 by supervising switching states of all safety switches 17, particularly of the car door switches 29 and of the safety chains 20 comprising the landing door switches 19.

(22) Therein, the safety PLC 43 does not only continuously or repeatedly check current switching states of all these safety switches 17 but, additionally, also compares current switching states of the safety switches 17 connected to the first connectors 47, i.e. of the car door switches 29, with the current switching states of the safety switches 17 connected to the second connectors 48, i.e. of the landing door switches 19 comprised in the safety chain 20. Inter-alia upon such comparison, the safety PLC 43 may recognize for example not only when one of the safety switches 17 is opened thereby indicating a safety critical status of the elevator 1 in which for example the elevator car 5 should not be moved, but may also recognize whether for example one of the safety switches 17 is faulty thereby causing another type of safety critical status of the elevator 1.

(23) Upon a safety critical status of the elevator 1 being identified based on the information obtained from the safety switches 17, the safety PLC 43 may control two redundant contactors 49. These contactors 49 are adapted to, upon such actuation, interrupt the power supply to the drive unit 11 and its drive engine 10 and brake 12 by suitably actuating or influencing the main contacts 41 which otherwise establishes the power supply between the elevator controller 13 and the drive unit 11. Accordingly, operation of the drive unit 11 is securely interrupted and any motion of the car 5 driven by the drive unit 11 is effectively stopped as soon as a safety critical status is identified.

(24) Since the safety switches 17 are now connected to the safety chain overlay control unit 31 instead of to the existing elevator controller 13, the existing elevator controller 13 will generally no more get the required information for example about door closing states and should therefore refuse to operate as desired. Therefore, for example the information normally provided by the door switches 19, 29 generally needs to be re-created by the safety chain overlay control unit 31 and rewired into the existing elevator safety chain. This may be done by the safety PLC 43 emulating an overall switching state of the safety switches 17 and communicating such emulated overall switching state back to the elevator controller 13 using third connectors 51. In a specific implementation, this may be done by a safety relay 53 comprised in or controlled by the safety PLC 43, such safety relay 53 having its output contacts doing the same as the safety switches 17 do. Accordingly, the output third contacts 51 may be considered as “mirroring” the action of the safety switches 17 comprised in the safety chain 20 and may feed-back such information to the elevator controller 13. Upon receiving such fed-back information, the elevator controller 13 may operate in its normal manner.

(25) The safety chain overlay control unit 31 shown in FIG. 2 furthermore comprises two redundant door zone switches 55. These door zone switches 55 are connected to further connectors of the safety PLC 43 and are adapted to determine a door zone presence status and communicate same to the safety PLC 43. Two door zone switches 55 are used to retrieve the door zone information in a redundant and therefore safe way. The safety PLC 43 can perform discrepancy checks to detect faulty door zone switches 55. Taking into account such door zone presence status, the safety PLC may control the interruption of the main energy supply (via controlling the contactors 49) and/or may emulate the fed-back information (via the third connectors 51) in a manner such as to enable additional functionalities such as re-levelling and/or pre-opening.

(26) Furthermore, the safety chain overlay control unit 31 comprises a main power supply unit 57 and an uninterruptible power supply unit (UPS) 59. Furthermore, a manual start button 61, a status indication 63 and an additional safety relay 65 are provided. It should be noted that the safety chain overlay control unit 31 does not necessarily interrupt a power supply to the main contactors. A reason for this may be that such main contactors including their monitoring are not always being considered as safe enough in existing elevator controllers. Therefore, when the safety chain overlay control unit 31 detects a dangerous condition and identifies the safety critical status of the elevator, it preferably cuts the energy supply from the engine 10 and/or the brake 12 of the drive unit 11.

(27) Furthermore, it shall be noted that other safety switches 17 than door switches 19, 29 may be used for removing power supply from those main contactors as well. Such other safety switches may comprise for example over-speed governor switches, safety gear switches, hoistway limit switches, etc. Since an implementation of the main contactors of existing elevators may be considered not to be safe enough, the safety chain overlay control unit may also monitor their coil voltage using a “tab to safety chain” 67.

(28) Next, some possible implementations for further increasing a safety level in the elevator 1 by specifically adapting its safety chain overlay control unit 31 will be explained with reference to FIGS. 3 and 4. Therein, the safety PLC 43 is specifically adapted for realizing that the elevator 1 is in one of specific operation conditions such as the elevator car 5 being in a door zone and to then perform specific checks or comparisons for determining for example any faulty safety switches 17.

(29) It may be mentioned that safety switches 17 may not only be faulty due to internal components or wirings being defective but also due to external defects such as broken interconnections between neighboring safety switches 17, isolation defects in a safety chain, etc. Such defects may result e.g. in safety switches 17 being short-circuited and/or being bypassed.

(30) FIG. 3 represents a safety-related part of control system (SRP/CS) applicable for implementing a safety function which may be enabled when the elevator 1 is in a door zone.

(31) Inside the door zone, the elevator's car door 27 and the landing door 21 closely neighboring the current position of the elevator car 5 are generally mechanically linked and can therefore be considered as one single device. Accordingly, the associated car door switch 29 and the associated landing door switch 19 should change their switching states in a synchronous manner. As these door switches 29, 19 are connected to different ones of the first and second connectors 47, 48 of the safety PLC 43, a 2-channel architecture as defined in EN ISO 13849-1 may be applied.

(32) In the SRP/CS shown in FIG. 3 for applying such architecture, I1 can be the input of the landing door switch 19 or the safety chain 20 comprising such landing door switch 19. I2 can be the input of the car door switch 29. The logics L1 and L2 are implemented in a 2-channel SIL-3-certified safety PLC 43. The safety PLC 43 then uses two outputs O1, O2 to control two main contactors and monitors them using their mechanically linked (or positively driven) normally-closed (NC) contacts.

(33) Since this is a 2-channel system, cross checking may be possible and therefore fails can be detected (diagnostic coverage). SIL-1 to SIL-3 may be achieved by such architecture. If the elevator car 5 leaves the door zone with open doors 21, 27, the safety function triggers an unintended car movement event and removes power from the two contactors. Such events may be stored nonvolatile in the safety PLC 43 and may require a manual reset from a competent person.

(34) It may be mentioned as a side effect that it is a normal procedure to open a landing door 21 in order to enter the car roof for inspection. This can happen while the car stands in the door zone. Since all landing doors 21 are wired in series, the safety chain overlay control unit 31 cannot differentiate this landing door 21 from the one mechanically linked to the car door 27. It could therefore interpret it as a broken car door switch 29 that is always closed. To enable both monitoring landing door switches 19 but not triggering errors when the service personal enters the car roof, the safety chain overlay control unit 31 may accept opening the landing door 21 inside the door zone without opening the car door 27, at least under certain circumstances. Since every regular trip tests the car door switch 29, the required test rate to assure the expected safety level is generally much lower. Therefore, a car door error can be triggered when this happens for example 10 times in a sequence. This counter will then be reset when the car door switch 29 gets successfully tested. This is the case when both car door 27 and landing door 21 open while the car 5 is in the door zone.

(35) Next, the safety function for preventing a movement of the elevator car 5 with open doors 21, 27 when being outside the door zone will be explained with reference to FIG. 4.

(36) When being outside the door zone, the car door 27 and the landing door 21 are no more mechanically linked. However, the elevator 1 offers a lot of diagnostic possibilities since the doors 27, 21 are of automatic type. Accordingly, a correct function of door switches 29, 19 may be tested frequently. Therefore, the EN ISO 13849-1 architecture for category-2 can be considered as shown in FIG. 4.

(37) Therein, the block “I” may contain the door switch inputs from the car door switch 29 or the landing door switch 19. “L” is the logic. TE is a test equipment and OTE is an output of the test equipment, all being implemented in the SIL-3-certified safety PLC 43. O and OTE are the outputs of this SRP/CS that can be further used in the safety PLC's application. Although only a single-channel architecture is applied, up to SIL-2 may be reached by such architecture.

(38) Finally, some possible advantages of embodiments of the present invention shall be summarized. Overall, since the safety chain in an elevator is generally a complex wiring and may differ between various existing elevator controllers, an elevator as proposed herein comprising the specific safety chain overlay control unit 31 may be significantly safer compared to prior art elevators. There may be various reasons for such improved safety.

(39) For example, connecting the safety switches forming door switches to the safety chain overlay control unit 31 may result in an easy, new and/or standardized wiring that may be used in the parts where safety is a must. A wiring with variations and adaptations to the existing elevator controllers may then be done in a part that is less safety-relevant.

(40) Door switches may usually be by-passed to allow pre-opening and/or re-levelling. This could create wrong input signals to conventional safety add-on devices and may cause faulty behavior. Having the safety switches directly wired to the safety chain overlay control unit proposed herein does not have such negative side effects.

(41) Finding a correct point in an existing elevator controller to be connected to a conventional safety add-on device may require high skills and product know-how. Therefore, there may be some risk that it might go wrong. Adding the safety switches using new wiring to the safety chain overlay control unit proposed herein may be much easier verified.

(42) There may be various defects such as isolation or electronics defects that may apply a voltage to a safety chain and therefore fooling the safety overlay provided by a conventional safety add-on device. A safety PLC to be comprised in the safety chain overlay control unit proposed herein may use instead of a constant safety chain voltage a pulsed voltage that needs to be received by an input of such safety PLC. Isolation defects applying a voltage to safety switches may therefore be detected by the safety chain overlay control unit.

(43) Connecting the safety switches directly to the safety chain overlay control unit may allow using new wiring fulfilling requirements for safety such as selecting a correct material, isolation, creeping distances, separation, labelling, etc.

(44) If the safety switches are not directly connected to the safety chain overlay control unit, an ability to know the current status of for example doors may be lost when another safety switch in the series connection forming the safety chain has opened. Connecting the safety switches forming the door switches directly to the safety chain overlay control unit allows for knowing the current door status at all times.

(45) Overall, using the safety chain overlay control unit 31 proposed herein, an existing elevator 1 may be modernized and its safety may be increased, possibly even enabling additional functionalities such as re-levelling of the car 5 or pre-opening of elevator doors 21, 27.

(46) Additionally to these possible advantages, separately monitoring car door switches 29 and landing door switches 19 connected to different first and second connectors 47 and 48 may result in the following advantages: a safety integrity level of up to SIL-3 may be assigned for unintended car movement detection due to using a 2-channel architecture according to EN ISO 13849. a safety integrity level of up to SIL-2 may be assigned for preventing a movement with open doors outside the door zone due to using the EN ISO 13849 architecture for category 2. easy diagnostics of door switch failure is enabled since the door switches are connected directly to the safety PLC. following the EN ISO 13849-1 standard allows easy determination of a Performance Level (corresponding to a SIL) demonstrating that the risks are enough mitigated. In contrast hereto, following just EN81-requirements and therefore state-of-the-art generally leads to using the standard elevator controller for the safety chain monitoring and therefore no SIL.

(47) Finally, it should be noted that the term “comprising” does not exclude other elements or steps and the “a” or “an” does not exclude a plurality. Also, elements described in association with different embodiments may be combined.

(48) In accordance with the provisions of the patent statutes, the present invention has been described in what is considered to represent its preferred embodiment. However, it should be noted that the invention can be practiced otherwise than as specifically illustrated and described without departing from its spirit or scope.

LIST OF REFERENCE SIGNS

(49) 1 elevator

(50) 3 elevator hoistway

(51) 5 elevator car

(52) 7 counterweight

(53) 9 suspension traction member

(54) 10 drive engine

(55) 11 drive unit

(56) 12 brake

(57) 13 elevator controller

(58) 15 power source

(59) 17 safety switches

(60) 19 landing door switches

(61) 20 safety chain

(62) 21 landing door

(63) 23 ladder presence switch

(64) 25 ladder

(65) 27 car door

(66) 29 car door switch

(67) 31 safety chain overlay control unit

(68) 33 floor

(69) 35 electrical connection

(70) 37 electric line

(71) 41 main contactor

(72) 43 safety PLC

(73) 47 first connectors

(74) 48 second connectors

(75) 49 contactors

(76) 51 third connectors

(77) 53 safety relay

(78) 55 door zone switches

(79) 57 main power supply unit

(80) 59 uninterruptible power supply

(81) 61 manual start button

(82) 63 status indication

(83) 65 safety relay

(84) 67 tab to safety chain