SAFETY CONTROL DEVICE
20220332542 · 2022-10-20
Inventors
Cpc classification
B66B1/343 (PERFORMING OPERATIONS; TRANSPORTING)
B66B1/32 (PERFORMING OPERATIONS; TRANSPORTING)
B66B1/30 (PERFORMING OPERATIONS; TRANSPORTING)
B66B5/02 (PERFORMING OPERATIONS; TRANSPORTING)
B66B5/027 (PERFORMING OPERATIONS; TRANSPORTING)
International classification
B66B5/02 (PERFORMING OPERATIONS; TRANSPORTING)
B66B1/30 (PERFORMING OPERATIONS; TRANSPORTING)
Abstract
A safety control device (1) for a people conveyor (101). The safety control device (1) includes a first safety control channel (2) configured to output a first safety control signal in response to one or more input signals (10, 12, 14), a second safety control channel (4) configured to output a second safety control signal in response to one or more input signals (10, 12, 14), and an override control channel (6) configured to: monitor the health of the first and second safety control channels (2, 4), determine whether a fault has occurred in either of the first or second safety control channels (2, 4), and override the first or second safety control signal in response to a determination that a fault has occurred in the corresponding safety control channel (2, 4).
Claims
1. A safety control device (1) for a people conveyor (101), the safety control device (1) comprising: a first safety control channel (2) configured to output a first safety control signal in response to one or more input signals (10, 12, 14); a second safety control channel (4) configured to output a second safety control signal in response to one or more input signals (10, 12, 14); and an override control channel (6) configured to: monitor the health of the first and second safety control channels (2, 4); determine whether a fault has occurred in either of the first or second safety control channels (2, 4); and override the first or second safety control signal in response to a determination that a fault has occurred in the corresponding safety control channel (2, 4).
2. The safety control device (1) of claim 1, wherein the override control channel (6) is configured to monitor the health of the first and second safety control channels (2, 4) by periodically instructing the safety control channels (2, 4) to perform one or more tasks and monitor a response from the safety control channels (2, 4) and/or monitor a debug output from each safety control channel (2, 4).
3. The safety control device (1) of claim 1, wherein the first and second safety control channels (2, 4) are further configured to: monitor the health of the override control channel (6); determine whether a fault has occurred in the override control channel (6); and deactivate the override control channel (6) in response to a determination that a fault has occurred in said channel (6).
4. The safety control device (1) of claim 3, wherein the first and second safety control channels (2, 4) are configured to, in response to a determination that a fault has occurred in the override control channel (6), enable the people conveyor (101) to operate as normal and flag that a fault has occurred in the override control channel (6).
5. The safety control device (1) of claim 1, wherein the override control channel (6) is configured to override the first or second safety control signal on a temporary basis or for a predefined period of time or until the people conveyor (101) is positioned such that any users thereof may safely disembark.
6. The safety control device (1) of claim 1, wherein the override control channel (6) is configured to override the first or second safety control signal for a time period of no more than one minute.
7. The safety control device (1) of claim 1, wherein the same input signals (10, 12, 14) are received by both the first and second safety control channels (2, 4), and wherein the one or more input signals (10, 12, 14) indicate one or more operational parameters of the people conveyor (101).
8. The safety control device (1) of claim 1, wherein the first and second safety control signals are configured to control the operation of one or more safety systems of the people conveyor (101).
9. The safety control device (1) of claim 1, wherein the first safety control channel (2) is configured to output the first safety control signal in order to control the operation of a first safety switch (44, 52), and the second safety control channel (4) is configured to output the second safety control signal in order to control the operation of a second safety switch (46, 54).
10. The safety control device (1) of claim 9, wherein the first safety control channel (2) comprises a first microcontroller unit (26) configured to output the first safety control signal to a first output circuit (40) configured to control the operation of the first safety switch (44, 52); and wherein the second safety control channel (4) comprises a second microcontroller unit (28) configured to output the second safety control signal to a second output circuit (42) configured to control the operation of the second safety switch (46, 54).
11. The safety control device (1) of claim 9, wherein a safety system of the people conveyor (101) is configured to be activated when one, or both, of the first safety switch (44, 52) and the second safety switch (46, 54) are deactivated in response to the first and second safety control signals respectively.
12. The safety control device (1) of claim 9, wherein the first safety switch (44, 52) and the second safety switch (46, 54) are connected in series and configured such that, when both the first safety switch (44, 52) and the second safety switch (46, 54) are activated, they: activate an electromagnet (51) configured to prevent mechanical activation of one or more brakes of the people conveyor (101); or activate a drive system (111) of the people conveyor (101), enabling it to impart a driving force or torque to the people conveyor (101) when controlled to do so.
13. The safety control device (1) of claim 1, wherein the people conveyor (101) is an elevator system (101).
14. A method of controlling one or more safety systems of a people conveyor (101), the method comprising: outputting a first safety control signal by a first safety control channel (2) in response to one or more input signals (10, 12, 14); outputting a second safety control signal by a second safety control channel (4) in response to one or more input signals (10, 12, 14); monitoring the health of the first and second safety control channels (2, 4); determining whether a fault has occurred in either of the first or second safety control channels (2, 4); and overriding the first or second safety control signal in response to a determination that a fault has occurred in the corresponding safety control channel (2, 4).
15. A non-transitory computer readable medium comprising instructions configured to cause a safety control device (1) to operate in accordance with the method of claim 14.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
[0029] Certain preferred examples of this disclosure will now be described, by way of example only, with reference to the accompanying drawings in which:
[0030]
[0031]
DETAILED DESCRIPTION
[0032]
[0033] The tension member 107 engages the machine 111, which is part of an overhead structure of the elevator system 101. The machine 111 is configured to control movement between the elevator car 103 and the counterweight 105. The position reference system 113 may be mounted on a fixed part at the top of the elevator shaft 117, such as on a support or guide rail, and may be configured to provide position signals related to a position of the elevator car 103 within the elevator shaft 117. In other embodiments, the position reference system 113 may be directly mounted to a moving component of the machine 111, or may be located in other positions and/or configurations as known in the art. The position reference system 113 can be any device or mechanism for monitoring a position of an elevator car and/or counterweight, as known in the art. For example, without limitation, the position reference system 113 can be an encoder, sensor, or other system and can include velocity sensing, absolute position sensing, etc., as will be appreciated by those of skill in the art.
[0034] The controller 115 is located, as shown, in a controller room 121 of the elevator shaft 117 and is configured to control the operation of the elevator system 101, and particularly the elevator car 103. For example, the controller 115 may provide drive signals to the machine 111 to control the acceleration, deceleration, levelling, stopping, etc. of the elevator car 103. The controller 115 may also be configured to receive position signals from the position reference system 113 or any other desired position reference device. When moving up or down within the elevator shaft 117 along guide rail 109, the elevator car 103 may stop at one or more landings 125 as controlled by the controller 115. Although shown in a controller room 121, those of skill in the art will appreciate that the controller 115 can be located and/or configured in other locations or positions within the elevator system 101. In one embodiment, the controller may be located remotely or in the cloud.
[0035] The machine 111 may include a motor or similar driving mechanism. In accordance with embodiments of the disclosure, the machine 111 is configured to include an electrically driven motor. The power supply for the motor may be any power source, including a power grid, which, in combination with other components, is supplied to the motor. The machine 111 may include a traction sheave that imparts force to tension member 107 to move the elevator car 103 within elevator shaft 117.
[0036] Although shown and described with a roping system including tension member 107, elevator systems that employ other methods and mechanisms of moving an elevator car within an elevator shaft may employ embodiments of the present disclosure. For example, embodiments may be employed in ropeless elevator systems using a linear motor or pinched wheel propulsion to impart motion to an elevator car. Embodiments may also be employed in ropeless elevator systems using a hydraulic lift to impart motion to an elevator car.
[0037] In other embodiments, the system comprises a conveyance system that moves passengers between floors and/or along a single floor. Such conveyance systems may include escalators, people movers, etc. Accordingly, embodiments described herein are not limited to elevator systems, such as that shown in
[0038]
[0039] The safety control device 1 comprises a first safety control channel 2, a second safety control channel 4, and an override control channel 6. The first safety control channel 2 comprises a first microcontroller unit (MCU) 26 configured to control the operation of two safety switches 44 and 52 in response to a number of input signals indicating one or more operational parameters of the elevator system 101. The second safety control channel 4 is operationally identical to the first safety control channel 2 and comprises a second MCU 28 configured to control the operation of two safety switches 46 and 54 in response to a number of input signals indicating one or more operational parameters of the elevator system 101. The same input signals are fed to both the first and second safety control channels 2 and 4, thereby allowing both safety control channels 2, 4 to independently determine whether the elevator system 101 is operating correctly, and to control the operation of the respective safety switches 44, 52 and 46, 54 in response to determining that the elevator system 101 is not operating correctly.
[0040] The first safety control channel 2 comprises two input level converters 18, a first power supply voltage converter 22, a first MCU 26, first output circuitry 40, and two safety switches 44 and 52, which in this example are metal-oxide-semiconductor field-effect transistors (MOSFETs). The second safety control channel 4 comprises two input level converters 19, a second power supply voltage converter 23, a second MCU 28, second output circuitry 42, and two safety switches 46 and 54, which in this example are also MOSFETs. The override control channel 6 comprises a power supply voltage converter 24 and a microprocessor 30. The number of input level converters 18 and 19 provided for the respective safety control channels 2 and 4 is not limited to two as shown in this example, but may be any number dependent upon the number of input signals that are provided to the safety control channels 2 and 4. In this example, the MCUs 26 and 28 of the first and second safety control channels 2 and 4 comprise one hundred and forty-four pin MCUs, and the microprocessor 30 of the override control channel 6 comprises a fourteen pin microprocessor. The MCUs 26 and 28 and the microprocessor 30 are not limited to one hundred and forty-four pins and fourteen pins respectively as in this example, but may comprise any suitable size. However, it is advantageous that the microprocessor 30 of the override channel 6 can be smaller and have fewer pins than the MCUs 26, 28 so that it can be less costly. The transistors 44, 46, 52 and 54 are not limited to MOSFETs as in this example, but may comprise any suitable type of transistor, e.g. MOSFET, PMOS, NMOS, BJT, NPN, PNP, etc.
[0041] A power supply 8 (e.g. from the electricity grid or from a generator or battery) is fed via a power supply input 9 to a power supply voltage regulator 16 which outputs a regulated DC supply voltage at a suitable voltage level (e.g. 12V) to two 3.3V voltage converters 22 and 23 and a 1.8V voltage converter 24. The output of the 3.3V voltage converter 22 supplies power to the MCU 26 of the first safety control channel 2, the output of the 3.3V voltage converter 23 supplies power to the MCU 28 of the second safety control channel 4, and the output of the 1.8V voltage converter 24 supplies power to the microprocessor 30 of the override control channel 6. It will be appreciated that the voltage converters 22, 23 and 24 are not limited to producing outputs of 3.3V and 1.8V respectively, but may comprise any suitable voltage converters depending on the voltage requirements of the respectively coupled MCUs 26 and 28 and microprocessor 30, e.g. 5V, 3.3V, 1.8V, etc.
[0042] A first discrete input signal 10 is fed via a first input 11 to one of the input level converters 18 of the first safety control channel 2 and to one of the input level converters 19 of the second safety control channel 4. An nth discrete input signal 12 is fed via a second input 13 to the other of the input level converters 18 of the first safety control channel 2 and to the other of the input level converters 19 of the second safety control channel 4.
[0043] In this example, two discrete input signals 10 and 12 are shown for the sake of simplicity; however, it will be appreciated that the number of discrete input signals provided to the two safety control channels 2 and 4 is not limited to two as shown in this example, but may be any number, and each of the safety control channels 2 and 4 may comprise an input level converter 18, 19 for each input signal 10, 12. The discrete input signals 10 and 12 comprise analogue signals output by sensors within the elevator system 101, e.g. temperature sensors, accelerometers, vibration sensors, light sensors, encoders, etc.
[0044] The input level converters 18 and 19 are configured to convert the discrete input signals 10 and 12 to operational voltage levels that can be received and analysed by the MCUs 26 and 28. Each of the outputs of the input level converters 18 are fed to input pins of the MCU 26 of the first safety control channel 2, and each of the outputs of the input level converters 19 are fed to input pins of the MCU 28 of the second safety control channel 4. The input level converters 18, 19 may be voltage transformers that may convert a current input into a voltage input or they may be analogue to digital converters or digital to analogue converters as required.
[0045] The safety control device 1 further comprises a Controller Area Network (CAN) bus 14, coupled to a CAN bus interface 20, which is in turn coupled to the MCUs 26 and 28. The CAN bus 14 enables the MCUs 26 and 28 to communicate with the MCUs and microprocessors of other systems (e.g. safety nodes) of the elevator system 101 (not shown). Digital signals are sent and received by the MCUs 26 and 28 over the CAN bus 14, enabling the MCUs 26 and 28 to receive information from other systems of the elevator system 101 as well as transmit information to other systems of the elevator system 101. Information such as whether a brake of the elevator system 101 is engaged, whether a driving motor of the elevator system 101 is engaged, the current position, speed and/or acceleration of the elevator, etc. may be received by the MCUs 26 and 28 via the CAN bus 14. These inputs supplement the discrete inputs 10, 12 and all inputs can be processed together within the MCUs 26, 28.
[0046] The MCU 26 of the first safety control channel 2 is configured to analyse the discrete input signals 10, 12 and the CAN bus signals 14 in order to determine whether the elevator system 101 is operating correctly, and accordingly whether any safety mechanisms of the elevator system 101 should be activated, and to output a safety control signal to the output circuit 40 dependent upon this determination. The output circuit 40 is arranged to output two switch control signals in response to the safety control signal received from the MCU 26: the first switch control signal is provided to the gate terminal of a first ‘Safe Brake Control’ (SBC) MOSFET 44, and the second switch control signal is provided to the gate terminal of a first ‘Safe Torque Off’ (STO) MOSFET 52. The switch control signals output by the output circuit 40 therefore determine whether the first SBC MOSFET 44 and the first STO MOSFET 52 allow current to flow across their respective source and drain terminals.
[0047] Similarly, the MCU 28 of the second safety control channel 4 is configured to analyse the discrete input signals 10, 12 and the CAN bus signals 14 in order to determine whether the elevator system 101 is operating correctly in the same way as the MCU 26, and to output a safety control signal to the output circuit 42 dependent upon this determination. The output circuit 42 is arranged to output two switch control signals in response to the safety control signal received from the MCU 28: the first switch control signal is provided to the gate terminal of a second SBC MOSFET 46, and the second switch control signal is provided to the gate terminal of a second STO MOSFET 54. The switch control signals output by the output circuit 42 therefore determine whether the second SBC MOSFET 46 and the second STO MOSFET 54 allow current to flow across their respective source and drain terminals.
[0048] The MCUs 26 and 28 may be coupled to (or may contain) a memory (not shown) containing logic instructions that, when executed by the MCUs 26 and 28, cause the MCUs 26 and 28 to analyse the input signals 10, 12 and 14 in order to determine whether the elevator system 101 is functioning correctly.
[0049] The output circuits 40 and 42 are provided because the operating output voltage ranges of the MCUs 26 and 28 are too small relative to the required operating voltage ranges to control the SBC and STO MOSFETs 44, 46, 52 and 54. Furthermore, the SBC MOSFETs 44 and 46 require different operating voltage ranges to the STO MOSFETs 52 and 54. The output circuits 40 and 42 take the control signals output by the MCUs 26 and 28 as inputs (typically at around 3.3 V), and output switch control signals within the required operating voltage ranges for the MOSFETs 44, 46, 52 and 54 (for example at 48 V or 600 V), thereby allowing the MCUs 26 and 28 to control the operation of the MOSFETs 44, 46, 52 and 54.
[0050] The first and second SBC MOSFETs 44 and 46 are used to control a ‘Safe Brake Control’ safety mechanism of the elevator system 101. When both SBC MOSFETs 44 and 46 are enabled (i.e. the voltage at their gate terminals output by the respective output circuits 40 and 42 enables current to flow across their respective source and drain terminals), current is allowed to flow from an SBC drive control input 48 to a brake coil output 50. The SBC drive control input 48 is coupled to an output of a drive control system 49 of the elevator system 101 which provides a constant voltage supply to the SBC drive control input 48.
[0051] The SBC brake coil output 50 is coupled to a brake coil 51 of the elevator system 101. The brake coil 51 is configured to prevent the brakes of the elevator system 101 from being engaged whilst it is supplied with current. In this example, the brakes of the elevator system 101 are mechanically configured to constantly apply (e.g. by a spring) a braking force in order to slow and stop the movement of an elevator car. The brake coil 51 is configured, when current is applied thereto, to apply a counteracting force to this mechanical braking force, thereby releasing the brakes and allowing the elevator to move. When a current is not applied to the brake coil 51, the counteracting force is removed and the elevator brakes are consequently engaged.
[0052] The first and second SBC MOSFETs 44 and 46 must therefore both be enabled in order for current to be supplied to the brake coil 51, thereby releasing the brakes of the elevator system 101 and enabling the elevator car to move. If either one, or both, of the safety control channels 2 or 4 disables their respective SBC MOSFETs 44 or 46 in response to one or more of the input signals 10, 12 or 14, the brakes of the elevator system 101 are engaged thereby stopping movement of the elevator car as a safety precaution.
[0053] The first and second STO MOSFETs 52 and 54 are used to control a ‘Safe Torque Off’ safety mechanism of the elevator system 101. When both STO MOSFETs 52 and 54 are enabled, current is allowed to flow from an STO drive control input 56 to a machine output 58. The STO drive control input 56 is coupled to a second output of a drive control system 57 of the elevator system 101 which provides a constant voltage supply to the STO drive control input 56.
[0054] The STO machine output 58 is coupled to the machine 111 of the elevator system 101. The machine 111 is configured to only apply a driving force or torque to the elevator system 101 when it receives a current from the STO machine output 58. When no current is received from the STO machine output 58, the machine 111 is prevented from applying a force or torque in order to drive movement of the elevator system 101. In some examples, the STO machine output 58 is coupled directly to a power supply input of the machine 111. In other examples, the STO machine output 58 is coupled to a control input of the machine 111.
[0055] The first and second STO MOSFETs 52 and 54 must therefore both be enabled in order for current to be supplied to the machine 111, thereby enabling the application of force or torque by the machine 111 in order to drive movement of the elevator system 101. If either one, or both, of the safety control channels 2 or 4 disables their respective STO MOSFETs 52 or 54 in response to one or more of the input signals 10, 12 or 14, the machine 111 is prevented from driving movement of the elevator system 101.
[0056] It will be appreciated that the brake control safety circuit and the drive safety control circuit could equally be arranged to enable normal operation of the elevator system 101 when no current is supplied to the brake coil 51 or machine 111 respectively (i.e. the circuits are arranged to activate an associated safety system by supplying a current to the system rather than by preventing a current supply as in the previous example). For example, the brake control safety circuit could be arranged to energise the coil 51 in order to apply the brakes in response to a safety event, and the drive safety control circuit could be arranged to disable the machine 111 by supplying a current thereto. In such cases, the two switches 44 and 46, or 52 and 54, could be connected in parallel instead of in series so as to provide the required redundancy, as the activation of either, or both, parallel switches would then supply a current to the relevant safety system in order to activate it.
[0057] The first and second safety control channels 2 and 4 operate in a parallel manner, with the MCUs 26 and 28 of both channels independently analysing the input signals 10, 12 and 14 in order to determine whether the elevator system 101 is operating correctly. If either one of the channels 2 or 4 detects a fault, it disables its associated SBC MOSFET 44, 46 and/or STO MOSFET 52, 54, thereby activating one or both of the SBC or STO systems, bringing the elevator to a halt and preventing further damage to the system or occupants of an elevator car. This two channel setup of the safety control device 1 increases the reliability of the system: in the event that one of the safety channels 2 or 4 malfunctions and does not detect a fault in the system based on the input signals 10, 12 and 14 when a fault has occurred, it is very likely that the other safety channel 2 or 4 will detect the fault and activate the safety systems of the elevator. It is very unlikely that both safety channels 2 and 4 will malfunction simultaneously and that both fail to detect a fault in the elevator system 101.
[0058] However, if one of the safety control channels 2 or 4 malfunctions as a result of e.g. a component failure, a fault in an electrical connection, an MCU logic fault, etc., it is possible that the faulty channel will deactivate one or both of its associated SBC or STO MOSFETs 44, 46, 52 or 54 and activate the associated safety mechanism when no fault has occurred in the elevator system 101. Consequently an emergency stop is performed and there is a risk that any occupants of an elevator car will become entrapped as the car may be caused to come to a halt between two floors where it is not possible for the occupants to disembark. Furthermore, it is possible that the activation of any safety systems could cause unnecessary harm to any occupants of the elevator, or the elevator itself, as a result of sharp deceleration caused by brake activation or motor deactivation. Therefore an override control channel 6 is provided in order to monitor the health of the two safety control channels 2 and 4 and temporarily override their output signals if an internal fault in one of the safety channels 2, 4 is detected.
[0059] The override control channel 6 comprises a microprocessor 30 configured to monitor the health, function and/or operation of the first and second safety control channels 2 and 4 in order to determine whether a fault has occurred in either channel. The microprocessor 30 is powered by the 1.8V power supply voltage converter 24. The microprocessor 30 is coupled to the MCU 26 of the first safety control channel 2 via the serial communication connections 33, and to the MCU 28 of the second safety control channel 4 via the serial communication connections 34. These serial connections between the microprocessor 30 and the MCUs 26 and 28 enable the microprocessor 30 to communicate with the MCUs 26 and 28. The microprocessor 30 is configured to send instructions via the serial communication connections 33 and 34 to the MCUs 26 and 28 respectively, and to receive responses provided by the MCUs 26 and 28. The connections 33 and 34 between the microprocessor 30 and the MCUs 26 and 28 are not limited to being serial communication connections as in this example, but may comprise any suitable connection enabling transmission and reception of instructions and information between the microprocessor 30 and the MCUs 26 and 28. However, serial connections can be made with a single pin and are sufficient for the communications required here. This allows the size and cost of the microprocessor 30 to be minimised.
[0060] Additionally, the MCUs 26 and 28 are coupled together via a serial communication connection 27 thereby enabling the two MCUs 26 and 28 to transmit and receive instructions and information between one another. The connection 27 between the MCUs 26 and 28 is not limited to a serial communication connection as in this example, but may comprise any suitable connection enabling transmission and reception of instructions and information between the MCUs 26 and 28. This connection 27 may be used for mutual health and status monitoring. For example, one MCU 26, 28 can notify the other MCU 26, 28 if it has detected a safety scenario that requires action, thereby allowing the other MCU 26, 28 to decide whether or not to take action too.
[0061] The MCU 26 of the first safety control channel 2 is coupled to the power supply voltage converter 24 of the override control channel 6 via a shut off control line 31, and the MCU 28 of the second safety control channel 4 is coupled to the power supply voltage converter 24 of the override control channel 6 via a shut off control line 32. The MCUs 26 and 28 are therefore able to enable and disable the microprocessor 30, and therefore the override control channel 6, using the shut off control lines 31 and 32 respectively. This may be useful where either MCU 26, 28 detects an internal fault in the override channel 6.
[0062] The microprocessor 30 is also coupled to the outputs of the MCUs 26 and 28 via the override lines 36 and 38 respectively. The override lines 36 and 38 enable the microprocessor 30 to override the safety control signals output by the MCUs 26 and 28. For example, the microprocessor 30 may use the override lines 36, 38 to ‘force on’ the output of the respective MCU 26, 28, e.g. by setting the voltage on that line to high. This has the same effect on output circuits 40, 42 as if the respective MCU 26, 28 had output a high signal indicating normal operation. It will of course be appreciated that in examples where a low signal indicates normal operation, then the override lines 36, 38 may ‘force off’ the respective outputs instead.
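As an added illustration, and not code from the patent or its applicant, the following Python model walks the signal path of the stage described in paragraphs [0046] to [0062]: each MCU's single safety control signal, the override line that can force it high, the shut-off line with which either MCU removes power from the override channel, the output circuit that fans the signal out to the SBC and STO MOSFETs, and the series connection that lets either channel alone engage the brakes and remove drive torque. The class and function names, the 'high means normal operation' polarity, and the scenario values are assumptions of mine; the parallel, energise-to-activate variant of [0056] is included as a second function so the two topologies can be compared on the same inputs.

```python
# Added example, not code from the patent: a model of the switch stage described
# in [0046]-[0062]. The "high = normal operation" polarity, the names, and the
# trip polarity of the parallel variant are assumptions.
from dataclasses import dataclass


@dataclass
class SafetyChannel:
    """One safety control channel (2 or 4): the MCU's safety control signal, and the
    shut-off line (31 or 32) with which it can disable the override channel."""
    name: str
    safety_signal: bool = True       # True = MCU reports normal operation
    shutoff_override: bool = False   # True = cut the override channel's supply (24)


@dataclass
class OverrideChannel:
    """Override control channel (6): which override lines (36/38) it is forcing on."""
    force_on_ch1: bool = False
    force_on_ch2: bool = False


def signal_at_output_circuit(ch: SafetyChannel, forced: bool, override_powered: bool) -> bool:
    """Level seen by output circuit 40/42: the MCU signal, or a forced-high level on
    the override line while the override channel is still powered."""
    return ch.safety_signal or (override_powered and forced)


def output_circuit(level: bool):
    """Output circuit 40/42 derives both switch control signals (SBC MOSFET 44/46,
    STO MOSFET 52/54) from the one safety control signal."""
    return level, level


def series_stage(ch1: SafetyChannel, ch2: SafetyChannel, override: OverrideChannel) -> dict:
    """Series MOSFETs ([0050]-[0055]): coil 51 and machine 111 receive current only
    when both channels' switches conduct, so either channel alone can trip both."""
    powered = not (ch1.shutoff_override or ch2.shutoff_override)
    sbc1, sto1 = output_circuit(signal_at_output_circuit(ch1, override.force_on_ch1, powered))
    sbc2, sto2 = output_circuit(signal_at_output_circuit(ch2, override.force_on_ch2, powered))
    coil_energised = sbc1 and sbc2
    torque_enabled = sto1 and sto2
    return {"brakes_engaged": not coil_energised, "drive_enabled": torque_enabled,
            "override_powered": powered}


def parallel_stage(trip1: bool, trip2: bool) -> dict:
    """Energise-to-activate alternative ([0056]): switches in parallel, so either
    channel closing its switch supplies the safety system and activates it."""
    safety_supplied = trip1 or trip2
    return {"brakes_engaged": safety_supplied, "drive_enabled": not safety_supplied}


def scenarios() -> dict:
    """Constructed cases exercising the stage."""
    healthy = series_stage(SafetyChannel("ch1"), SafetyChannel("ch2"), OverrideChannel())
    ch1_trips = series_stage(SafetyChannel("ch1", safety_signal=False), SafetyChannel("ch2"),
                             OverrideChannel())
    # Override channel masks channel 1's (internally faulty) output: normal running resumes.
    masked = series_stage(SafetyChannel("ch1", safety_signal=False), SafetyChannel("ch2"),
                          OverrideChannel(force_on_ch1=True))
    # Channel 2 has shut the override channel off (claim 3): forcing has no effect.
    override_off = series_stage(SafetyChannel("ch1", safety_signal=False),
                                SafetyChannel("ch2", shutoff_override=True),
                                OverrideChannel(force_on_ch1=True))
    # Override covers only the faulty channel; the other channel can still stop the car.
    ch2_trips_too = series_stage(SafetyChannel("ch1", safety_signal=False),
                                 SafetyChannel("ch2", safety_signal=False),
                                 OverrideChannel(force_on_ch1=True))
    return {"healthy": healthy, "ch1_trips": ch1_trips, "masked": masked,
            "override_off": override_off, "ch2_trips_too": ch2_trips_too,
            "parallel_one_trips": parallel_stage(True, False)}


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:20s} {state}")
```

Run stand-alone, the script prints one line per scenario. The `override_off` case is the one worth studying: it shows why the shut-off lines 31 and 32 matter, since a forced-high override line is only as trustworthy as the channel driving it, and the MCUs retain the ability to take that channel out of the circuit.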
[0063] The microprocessor 30 of the override control channel 6 is configured to monitor the health of the first and second safety control channels 2 and 4 over the serial connections 33 and 34 to the MCUs 26 and 28 respectively. The microprocessor 30 may be coupled to a memory (not shown) containing logic instructions that, when executed by the microprocessor 30, cause the microprocessor 30 to monitor the health of the first and second safety control channels 2 and 4.
[0064] The microprocessor 30 in this example is configured to monitor the health of the first and second safety control channels 2 and 4 by transmitting instructions to the MCUs 26 and 28 over the serial communication connections 33 and 34 respectively that cause the MCUs 26 and 28 to perform simple tasks. The MCUs 26 and 28 then perform the instructed tasks and return results to the microprocessor 30 over the serial communication connections 33, 34. The microprocessor 30 then checks the result and if the result is incorrect or if no reply was received then the microprocessor 30 determines that a fault has occurred in that MCU 26, 28. The microprocessor 30 can also be arranged to receive debug signals from each of the MCUs 26, 28 at each stage of the normal processing cycle of the MCU 26, 28. These debug signals can also be received by the microprocessor 30 over the serial communication connections 33 and 34 respectively. The microprocessor 30 is configured to receive and analyse the debug signals that it receives from the MCUs 26 and 28 in order to determine if a fault has occurred in the first or second safety control channels 2 or 4. For example, the presence and/or the timing and/or the order of the debug signals may be used to check for correct operation. If debug signals are not received, or are received in the wrong order, or are received with unusual delays, then the microprocessor 30 can determine that there is a fault in the respective MCU 26, 28. The microprocessor 30 can also compare the order and the timing of the debug signals received from the two MCUs 26, 28. In normal operation, the two MCUs 26, 28 should operate substantially in synchrony as they are identical in design. Therefore any discrepancies that fall outside normal process variation and jitter may indicate a fault in one of the MCUs 26, 28.
[0065] Examples of tasks that may be transmitted from the microprocessor 30 to the MCUs 26 and 28 in order to monitor the health of the safety control channels 2 and 4 may include: a simple request for response, a request for a value of one of the inputs (e.g. a discrete input or a value from the CAN bus 14), or a mathematical calculation to perform or a problem to solve. Debug signals received from the MCUs 26, 28 may include discrete inputs read successfully, serial input read successfully, evaluation of inputs completed successfully, output set successfully, etc. The microprocessor 30 analyses whether a fault has occurred in either of the safety control channels 2 or 4 in response to these tasks and/or debug signals. The microprocessor 30 may check, based on the response and/or debug signals whether the MCUs 26 and 28 perform calculations correctly, whether program flow is being performed in the correct order, whether instructions are being carried out in a timely manner, whether input signal readings are correct, whether output signal readings are correct, etc.
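The following simulation, added here and not part of the patent, shows how the checks in paragraphs [0064] and [0065] can be combined into one health assessment of the two channels: a task-and-reply check, a check of the presence, order and delays of the per-cycle debug signals, and a cross-comparison of the two channels' timing. The signal names, the arithmetic task, the "ch1"/"ch2" labels and the millisecond tolerances are assumptions for the simulation.

```python
# Added example (not from the patent): the override channel's health check of the two
# safety control channels, following paragraphs [0064]-[0065]. Signal names, the task
# and the timing tolerances are assumptions for the simulation.

# Debug signals an MCU emits in one normal processing cycle, in the expected order
# (constructed from the list in [0065]).
EXPECTED_ORDER = ["discrete_in_ok", "serial_in_ok", "eval_ok", "output_ok"]
MAX_STEP_MS = 5.0   # assumed: longest tolerated gap between consecutive debug signals
MAX_SKEW_MS = 2.0   # assumed: tolerated skew between the two channels at the same stage


def check_task(expected, reply):
    """Task check ([0064]): no reply or a wrong result means that MCU is faulty."""
    if reply is None:
        return "no reply to task"
    if reply != expected:
        return "incorrect task result"
    return None


def check_debug(debug):
    """debug: list of (signal_name, timestamp_ms). Checks presence, order and delays."""
    if [name for name, _ in debug] != EXPECTED_ORDER:
        return "debug signals missing or out of order"
    for (_, t0), (_, t1) in zip(debug, debug[1:]):
        if not 0 <= t1 - t0 <= MAX_STEP_MS:
            return "unusual delay between debug signals"
    return None


def compare_channels(debug1, debug2):
    """The MCUs are identical, so their cycles should run in near-synchrony ([0064])."""
    for (name, t1), (_, t2) in zip(debug1, debug2):
        if abs(t1 - t2) > MAX_SKEW_MS:
            return f"channels diverge at {name}"
    return None


def assess(task_expected, ch1, ch2):
    """ch1/ch2: dicts with 'reply' and 'debug'. Returns {channel: fault description};
    an empty dict means both channels are healthy."""
    faults = {}
    for name, ch in (("ch1", ch1), ("ch2", ch2)):
        fault = check_task(task_expected, ch["reply"]) or check_debug(ch["debug"])
        if fault:
            faults[name] = fault
    if not faults:
        skew = compare_channels(ch1["debug"], ch2["debug"])
        if skew:
            # A discrepancy is evidence of a fault but does not say which MCU is wrong;
            # report it separately so a further task can be issued before overriding.
            faults["discrepancy"] = skew
    return faults
```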
[0066] The microprocessor 30 is configured to temporarily transmit a signal over the override line 36 in order to override the safety control signal output by the MCU 26, if it detects a fault in the first safety control channel 2. Similarly, the microprocessor 30 is configured to transmit a signal over the override line 38 in order to override the safety control signal output by the MCU 28, if it detects a fault in the second safety control channel 4. In doing this, the microprocessor 30 temporarily overrides control of the MOSFETs 44 and 52 or 46 and 54 from the MCU 26 or 28, allowing the microprocessor 30 to prevent the faulty safety control channel 2 or 4 from activating the SBC or STO safety systems, i.e. preventing an emergency stop. The internal fault of one safety channel is not sufficiently severe to warrant an emergency stop while the override channel 6 can provide the necessary redundancy in control of the MOSFETs of the faulty channel. Thus the system still has a two-switch redundancy in the safety control systems even though fault detection is now reliant on a single main safety control channel. In some examples, the override channel 6 may also be arranged to provide a further level of redundancy by detecting a fault in both main safety control channels 2, 4 and forcing off the output signals on both channels 2, 4 so as to activate an emergency stop.
[0067] The time period for which the microprocessor 30 is configured to override control of the outputs of the MCU 26 or 28 may be any appropriate value in accordance with system design, regulations and safety assessments. In some examples, the microprocessor 30 is configured to receive instructions from the MCU 26 or 28 of the non-faulty safety control channel 2 or 4 over the serial communication connections 33 or 34 respectively which instruct the microprocessor 30 as to how long the output of the MCU 26 or 28 of the faulty safety control channel 2 or 4 should be overridden. In other examples it is the microprocessor 30 that is configured to determine how long to override the output of the MCU 26 or 28 of the faulty channel 2 or 4.
[0068] In some examples the microprocessor 30 is configured, whether it is using its own instructions or receiving instructions from the MCU 26 or 28 of the non-faulty safety control channel 2 or 4, to override the output of the MCU 26 or 28 of the faulty safety control channel 2 or 4 for a period of no longer than one minute. The risk of a genuine fault occurring in the elevator system 101 during the up to one minute period of override by the override control channel 6, and that fault not being detected by the non-faulty safety control channel 2 or 4, is extremely small. The risk of the non-faulty safety control channel 2 or 4 developing a fault in the up to one minute period of override by the override control channel 6 is also extremely small. For comparison, the design lifetime of the safety control channels 2, 4 is typically about twenty years.
[0069] The microprocessor 30 may be configured to override the faulty safety control channel 2 or 4 until the elevator car has reached the nearest landing floor at which any occupants may disembark. The microprocessor 30 may be configured to override the faulty safety control channel 2 or 4 until the elevator car has reached the nearest landing that would not require excessive deceleration of the elevator car, thereby avoiding discomfort and distress to the occupants of the elevator car. Alternatively, the microprocessor 30 may be configured to override the faulty safety control channel 2 or 4 until the elevator car has reached the current destination landing floor requested by the passengers.
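The override decision described in paragraphs [0066] to [0069], written out as a small controller; this is an added example, not code from the patent. The "ch1"/"ch2" labels, the True/False encoding of each MCU's output (True meaning the safety system is not triggered), and the behaviour when the override period expires are assumptions.

```python
# Added example (not the patent's code): the override decision of the override channel,
# following paragraphs [0066]-[0069]. Channel names, the True/False output encoding and
# the behaviour on expiry of the override period are assumptions.

MAX_OVERRIDE_S = 60.0  # [0068]: a faulty channel is overridden for no longer than one minute


class OverrideController:
    """Decides the effective drive of each channel's MOSFETs from the health-check result."""

    def __init__(self):
        self.started = {"ch1": None, "ch2": None}  # time at which override of a channel began
        self.limit_s = MAX_OVERRIDE_S

    def step(self, now, faults, mcu_out, at_landing=False, requested_s=None):
        """faults: set of faulty channel names; mcu_out: output each MCU drives itself
        (True = safety system not triggered). Returns (action, effective outputs)."""
        if {"ch1", "ch2"} <= faults:
            # [0066]: fault in both main channels -> force both outputs off (emergency stop)
            return "emergency_stop", {"ch1": False, "ch2": False}
        if requested_s is not None:
            # [0067]: the healthy MCU may instruct the period; [0068] caps it at one minute
            self.limit_s = min(requested_s, MAX_OVERRIDE_S)
        out = dict(mcu_out)
        for faulty in faults:
            healthy = "ch2" if faulty == "ch1" else "ch1"
            if self.started[faulty] is None:
                self.started[faulty] = now
            expired = now - self.started[faulty] > self.limit_s
            if at_landing or expired:
                # [0069]: override ends once the car has reached a landing; assumed here
                # that it also ends on expiry, so the faulty MCU's own output passes through
                self.started[faulty] = None
                return "override_released", out
            out[faulty] = mcu_out[healthy]  # mirror the healthy channel while overriding
            return "override", out
        return "normal", out
```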
[0070] By temporarily overriding the output of the MCU 26 or 28 of the first or second safety control channels 2 or 4 when a fault is detected therein, the override control channel 6 prevents the safety systems of the elevator system 101 from being activated inconveniently and when safety considerations do not require it, thus preventing entrapment of elevator passengers. When a fault is detected in one of the safety control channels 2 or 4, the microprocessor 30 may be configured to notify the fault to the non-faulty safety control channel 2 or 4, which can then notify the fault to other systems of the elevator system 101 via the CAN bus 14. Once the elevator system 101 has moved to a landing where occupants can disembark, further use of the elevator system 101 may be prevented until maintenance has been performed on the faulty safety control channel 2 or 4 to correct the fault. In some examples, the maintenance required may be a simple reset of the faulty safety control channel 2 or 4 or may require replacement of the safety control board. Where a reset is all that is required, this can be performed automatically and the system can be restored to operation very quickly. Such a reset is normally only performed while the elevator car is stopped and held safely at a landing, and operation is not resumed until the reset has completed successfully and the system is verified as being healthy. With the override channel 6 described here, such resets can be performed on the fly, e.g. while the elevator car is moving. To do so, the override channel takes over the control of the faulty safety control channel while the reset is performed. A reset typically takes 1-2 seconds, i.e. a time period during which the chance of a fault is minimal. During this time, the override channel maintains the redundant control of the two switches of each safety system so that in the event of a fault, both redundant switches will still be triggered, thereby providing the necessary safety fallback during the reset period. This improves the availability and efficiency of the system as there is no need to stop the elevator car at a landing in order to perform the reset.
[0071] In this example, the microprocessor 30 is configured to override the output of the MCUs 26 and 28 via the override lines 36 and 38. In other examples, however, the microprocessor 30 may instead be configured to override the outputs of the output circuits 40 and 42. The override channel 6 could have its own output circuit so as to convert voltages as required.
[0072] The MCUs 26 and 28 are also configured to monitor the health of the override control channel 6 via the serial communication connections 33 and 34 respectively. The monitoring of the health of the override control channel 6 by the MCUs 26 and 28 is performed in much the same manner as the monitoring of the health of the two safety control channels 2 and 4 by the microprocessor 30, as described above. If either of the MCUs 26 or 28 detects a fault in the override control channel, it transmits a signal over the shut off control line 31 or 32 respectively in order to disable the power supply voltage converter 24 from providing power to the microprocessor 30. As a result, the override control channel 6 is disabled when one of the MCUs 26 or 28 detects a fault therein. When a fault is detected in the override control channel 6, the MCUs 26 and 28 are configured to notify the fault to other systems of the elevator system 101, e.g. via the CAN bus 14. In this example, however, use of the elevator system 101 is not prevented by the notification of a fault in the override control channel 6; instead a maintenance report is generated indicating that the override control channel 6 requires maintenance, and the elevator system 101 is configured to continue normal operation. Without the override channel 6, the remaining two safety control channels 2 and 4 provide the normal and accepted level of redundancy for normal operation, although until the override channel 6 is fixed, there will be a risk of passenger entrapment in the event of an internal fault in either of the safety control channels 2, 4.
[0073] As the functionality of the override control channel 6 is low in complexity, the microprocessor 30 is not required to be powerful. As a result, the microprocessor 30 in this example is a small fourteen pin microprocessor. This enables the override control channel 6 to be physically small, minimises the cost of including the override control channel 6 (as small low-powered microprocessors are inexpensive), and reduces the overall power consumption of the override control channel 6.
[0074] The safety control device 1 is not limited to two safety control channels and one override control channel as shown in this example, but may comprise any number of safety control channels and override channels, depending on the requirements of the elevator system 101. For example, the safety control device 1 may comprise three safety control channels and a single override control channel, four safety control channels and a single override control channel, three safety control channels and two override control channels, etc.
[0075] It will be appreciated by those skilled in the art that the invention has been illustrated by describing one or more specific examples thereof, but is not limited to these embodiments; many variations and modifications are possible, within the scope of the accompanying claims.