Elevator safety arrangement with drive prevention logic

Abstract

The invention relates to a safety arrangement of an elevator, which includes sensors configured to indicate functions that are critical to the safety of the elevator, and also a safety circuit, with which the data formed by the sensors indicating the safety of the elevator is read. The safety arrangement includes a drive device including a control circuit of a motor bridge, an input circuit for a safety signal that can be disconnected/connected from outside the drive device, and also drive prevention logic, to prevent the passage of control pulses to the control poles of high-side and/or low-side switches of the motor bridge when the safety signal is disconnected. The safety circuit brings the elevator into a state preventing a run by disconnecting the safety signal and removes the state preventing a run by connecting the safety signal.

Claims

1. A safety arrangement of an elevator, comprising: sensors configured to indicate functions that are critical from the viewpoint of the safety of the elevator; an electronic supervision unit, which comprises an input for the data formed by the sensors indicating the safety of the elevator; and a drive device for driving the hoisting machine of the elevator, which drive device comprises: a DC bus; a motor bridge connected to the DC bus for the electricity supply of the elevator motor, which motor bridge comprises high-side and low-side switches for supplying electric power from the DC bus to the elevator motor when driving with the elevator motor, and also from the elevator motor to the DC bus when braking with the elevator motor; a control circuit of the motor bridge, with which control circuit the operation of the motor bridge is controlled by producing control pulses in the control poles of the high-side and low-side switches of the motor bridge; an input circuit for a safety signal, which safety signal can be disconnected/connected from outside the drive device; and drive prevention logic, which is connected to the input circuit and is configured to prevent the passage of control pulses to the control poles of the high-side and/or low-side switches of the motor bridge when the safety signal is disconnected, wherein: the signal conductor of the safety signal is wired from the electronic supervision unit to the drive device; the electronic supervision unit comprises a mechanism configured to disconnect/connect the safety signal; the electronic supervision unit is arranged to bring the elevator into a state preventing a run by disconnecting the safety signal; and the electronic supervision unit is arranged to remove the state preventing a run by connecting the safety signal.

2. The safety arrangement according to claim 1, wherein: a data transfer bus is formed between the electronic supervision unit and the drive device; the drive device comprises an input for the measuring data of a sensor measuring the state of motion of the elevator; and the electronic supervision unit is arranged to receive measuring data from the sensor measuring the state of motion of the elevator via the data transfer bus between the electronic supervision unit and the drive device.

3. A safety arrangement of an elevator, comprising: a safety circuit, which comprises mechanical safety switches fitted in series with each other, which safety switches are configured to indicate functions that are critical from the viewpoint of the safety of the elevator; and a drive device for driving the hoisting machine of the elevator; elevator, which drive device comprises: a DC bus; a motor bridge connected to the DC bus for the electricity supply of the elevator motor, which motor bridge comprises high-side and low-side switches for supplying electric power from the DC bus to the elevator motor when driving with the elevator motor, and also from the elevator motor to the DC bus when braking with the elevator motor; a control circuit of the motor bridge, with which control circuit the operation of the motor bridge is controlled by producing control pulses in the control poles of the high-side and low-side switches of the motor bridge; an input circuit for a safety signal, which safety signal can be disconnected/connected from outside the drive device; and drive prevention logic, which is connected to the input circuit and is configured to prevent the passage of control pulses to the control poles of the high-side and/or low-side switches of the motor bridge when the safety signal is disconnected, wherein: the signal conductor of the safety signal is wired from the safety circuit to the drive device; the safety circuit comprises a mechanism configured to disconnect/connect the safety signal; and the safety signal is configured to be disconnected by opening a safety switch in the safety circuit.

4. The safety arrangement according to claim 1, wherein the drive device comprises: a brake controller, which comprises a switch for supplying electric power to the control coil of an electromagnetic brake; a brake control circuit, with which the operation of the brake controller is controlled by producing control pulses in the control pole of the switch of the brake controller; and brake drop-out logic, which is connected to the input circuit and is configured to prevent passage of the control pulses to the control pole of the switch of the brake controller when the safety signal is disconnected.

5. The safety arrangement according to claim 4, wherein the brake controller is connected to the DC bus; and the switch is configured to supply electric power from the DC bus to the control coil of an electromagnetic brake.

6. The safety arrangement according to claim 1, wherein the drive prevention logic is configured to allow passage of the control pulses to the control poles of the switches of the motor bridge when the safety signal is connected.

7. The safety arrangement according to claim 4, wherein the brake drop-out logic is configured to allow passage of the control pulses to the control pole of the switch of the brake controller when the safety signal is connected.

8. The safety arrangement according to claim 4, wherein: the drive device comprises indicator logic for forming a signal permitting startup of a run; the indicator logic is configured to activate the signal permitting startup of a run when both the drive prevention logic and the brake drop-out logic are in a state preventing the passage of control pulses; the indicator logic is configured to disconnect the signal permitting startup of a run if at least either one of the drive prevention logic and the brake drop-out logic is in a state permitting the passage of control pulses; and the drive device comprises an output for indicating the signal permitting startup of a run to a supervision logic external to the drive device.

9. The safety arrangement according to claim 8, wherein: the signal permitting startup of a run is conducted from the drive device to the electronic supervision unit; the electronic supervision unit is configured to read the status of the signal permitting startup of a run when the safety signal is disconnected; and the electronic supervision unit is arranged to prevent a run with the elevator, if the signal permitting startup of run does not activate when the safety signal is disconnected.

10. The safety arrangement according to claim 1, wherein: the signal path of the control pulses to the control poles of the high-side and/or low-side switches of the motor bridge travels via the drive prevention logic; and the electricity supply to the drive prevention logic is arranged via the signal path of the safety signal.

11. The safety arrangement according to claim 1, wherein the signal path of the control pulses from the control circuit of the motor bridge to the drive prevention logic is arranged via an isolator.

12. The safety arrangement according to claim 4, wherein: the signal path of the control pulses travels to the control pole of the switch of the brake controller travels via the brake drop-out logic; and the electricity supply to the brake drop-out logic is arranged via the signal path of the safety signal.

13. The safety arrangement according to claim 4, wherein the signal path of the control pulses from the brake control circuit to the brake drop-out logic is arranged via an isolator.

14. The safety arrangement according to claim 11, wherein the isolator is a digital isolator.

15. The safety arrangement according to claim 1, wherein: the drive prevention logic comprises a bipolar or multipolar signal switch, via which the control pulses travel to the control pole of a switch of the motor bridge; and at least one pole of the signal switch is connected to the input circuit in such a way that the signal path of the control pulses through the signal switch breaks when the safety signal is disconnected.

16. The safety arrangement according to claim 15, wherein the signal switch is fitted in connection with the control pole of each high-side switch of the motor bridge and/or in connection with the control pole of each low-side switch of the motor bridge.

17. The safety arrangement according to claim 4, wherein: the brake drop-out logic comprises a bipolar or multipolar signal switch, via which the control pulses travel to the control pole of the switch of the brake controller; and at least one pole of the signal switch is connected to the input circuit in such a way that the signal path of the control pulses through the signal switch breaks when the safety signal is disconnected.

18. The safety arrangement according to claim 10, wherein the electricity supply occurring via the signal path of the safety signal is configured to be disconnected by disconnecting the safety signal.

19. The safety arrangement according to claim 1, wherein the drive device comprises a rectifier connected between the AC electricity source and the DC bus.

20. The safety arrangement according to claim 1, wherein the drive device is implemented without a single mechanical contactor.

21. The safety arrangement according to claim 1, wherein: the safety comprises an emergency drive device, which is connected to the DC bus of the drive device; the emergency drive device comprises a secondary power source, via which electric power can be supplied to the DC bus (2A, 2B) during a malfunction of the primary power source of the elevator system; and both the emergency drive device and the drive device are implemented without any mechanical contactors.

Description

BRIEF EXPLANATION OF THE FIGURES

(1) FIG. 1 presents as a block diagram one safety arrangement of an elevator according to the invention.

(2) FIG. 2 presents a circuit diagram of the motor bridge and the drive prevention logic.

(3) FIG. 3 presents a circuit diagram of the brake controller and the brake drop-out logic.

(4) FIG. 4 presents an alternative circuit diagram of the brake controller and the brake drop-out logic.

(5) FIG. 5 presents another alternative circuit diagram of the brake controller and the brake drop-out logic.

(6) FIG. 6 presents the circuit of the safety signal in the safety arrangement of an elevator according to FIG. 1.

(7) FIG. 7 presents as a block diagram the fitting of an emergency drive device to the safety arrangement of an elevator according to FIG. 1.

(8) FIG. 8 presents as a circuit diagram the fitting of a drive device according to the invention into connection with the safety circuit of an elevator.

MORE DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS OF THE INVENTION

(9) FIG. 1 presents as a block diagram a safety arrangement in an elevator system, in which an elevator car (not in figure) is driven in an elevator hoistway (not in figure) with the hoisting machine of the elevator via rope friction or belt friction. The speed of the elevator car is adjusted to be according to the target value for the speed of the elevator car, i.e. the speed reference, calculated by the elevator control unit 35. The speed reference is formed in such a way that the elevator car can transfer passengers from one floor to another on the basis of elevator calls given by elevator passengers.

(10) The elevator car is connected to the counterweight with ropes or with a belt traveling via the traction sheave of the hoisting machine. Various roping solutions known in the art can be used in an elevator system, and they are not presented in more detail in this context. The hoisting machine also comprises an elevator motor, which is an electric motor 6, with which the elevator car is driven by rotating the traction sheave, as well as two electromagnet brakes 9, with which the traction sheave is braked and held in its position. The hoisting machine is driven by supplying electric power with the frequency converter 1 from the electricity network 25 to the electric motor 6. The frequency converter 1 comprises a rectifier 26, with which the voltage of the AC network 25 is rectified for the DC intermediate circuit 2A, 2B of the frequency converter. The DC voltage of the DC intermediate circuit 2A, 2B is further converted by the motor bridge 3 into the variable-amplitude and variable-frequency supply voltage of the electric motor 6. The circuit diagram of the motor bridge 3 is presented in FIG. 2. The motor bridge comprises high-side 4A and low-side 4B IGBT transistors, which are connected by producing with the control circuit 5 of the motor bridge short, preferably PWM (pulse-width modulation) modulated, pulses in the gates of the IGBT transistors. The control circuit 5 of the motor bridge can be implemented with e.g. a DSP processor. The IGBT transistors 4A of the high side are connected to the high voltage busbar 2A of the DC intermediate circuit and the IGBT transistors 4B of the low side are connected to the low voltage busbar 2B of the DC intermediate circuit. By connecting alternately the IGBT transistors of the high-side 4A and of the low-side 4B, a PWM modulated pulse pattern forms from the DC voltages of the high voltage busbar 2A and of the low voltage busbar 2B in the outputs R, S, T of the motor, the frequency of the pulses of which pulse pattern is essentially greater than the frequency of the fundamental frequency of the voltage. The amplitude and frequency of the fundamental frequency of the output voltages R, S, T of the motor can in this case be changed steplessly by adjusting the modulation index of the PWM modulation.

(11) The control circuit 5 of the motor bridge also comprises a speed regulator, by means of which the speed of rotation of the rotor of the electric motor 6, and simultaneously the speed of the elevator car, are adjusted towards the speed reference calculated by the elevator control unit 35. The frequency converter 1 comprises an input for the measuring signal of a pulse encoder 27, with which signal the speed of rotation of the rotor of the electric motor 6 is measured for adjusting the speed.

(12) During motor braking electric power also returns from the electric motor 6 via the motor bridge 3 back to the DC intermediate circuit 2A, 2B, from where it can be supplied onwards back to the electricity network 25 with a rectifier 26. On the other hand, the solution according to the invention can also be implemented with a rectifier 26, which is not of a type braking to the network, such as e.g. with a diode bridge. In this case during motor braking the power returning to the DC intermediate circuit can be converted into e.g. heat in a power resistor or it can be supplied to a separate temporary storage for electric power, such as to an accumulator or capacitor. During motor braking the force effect of the electric motor 6 is in the opposite direction with respect to the direction of movement of the elevator car. Consequently, motor braking occurs e.g. when driving an empty elevator car upwards, in which case the elevator car is braked with the electric motor 6, so that the counterweight pulls upwards with its gravitational force.

(13) The electromagnetic brake 9 of the hoisting machine of an elevator comprises a frame part fixed to the frame of the hoisting machine and also an armature part movably supported on the frame part. The brake 9 comprises thruster springs, which resting on the frame part activate the brake by pressing the armature part to engage with the braking surface on the shaft of the rotor of the hoisting machine or e.g. on the traction sheave to brake the movement of the traction sheave. The frame part of the brake 9 comprises an electromagnet, which exerts a force of attraction between the frame part and the armature part. The brake is opened by supplying current to the control coil of the brake, in which case the force of attraction of the electromagnet pulls the armature part off the braking surface and the braking force effect ceases. Correspondingly, the brake is activated by dropping out the brake by disconnecting the current supply to the control coil of the brake.

(14) A brake controller 7 is integrated into the frequency converter 1, by the aid of which brake controller both the electromagnetic brakes 9 of the hoisting machine are controlled by supplying current separately to the control coil 10 of both electromagnetic brakes 9. The brake controller 7 is connected to the DC intermediate circuit 2A, 2B, and the current supply to the control coils of the electromagnetic brakes 9 occurs from the DC intermediate circuit 2A, 2B. The circuit diagram of the brake controller 7 is presented in more detail in FIG. 3. For the sake of clarity FIG. 3 presents a circuit diagram in respect of the electricity supply of only the one brake, because the circuit diagrams are similar for both brakes. Consequently the brake controller 7 comprises a separate transformer 36 for both brakes, with the primary circuit of which transformer two IGBT transistors 8A, 8B are connected in series in such a way that the primary circuit of the transformer 36 can be connected between the busbars 2A, 2B of the DC intermediate circuit by connecting the IGBT transistors 8A, 8B. The IGBT transistors are connected by producing with the brake control circuit 11 short, preferably PWM modulated, pulses in the gates of the IGBT transistors 8A, 8B. The brake control circuit 11 can be implemented with e.g. a DSP processor, and it can also connect to the same processor as the control circuit 5 of the motor bridge. The secondary circuit of the transformer 36 comprises a rectifier 37, by the aid of which the voltage induced when connecting the primary circuit to the secondary circuit is rectified and supplied to the control coil 10 of the electromagnetic brake, which control coil 10 is thus connected to the secondary side of the rectifier 36. In addition, a current damping circuit 38 is connected in parallel with the control coil 10 on—the secondary side of the transformer, which current damping circuit comprises one or more components (e.g. a resistor, capacitor, varistor, et cetera), which receive(s) the energy stored in the inductance of the control coil of the brake in connection with disconnection of the current of the control coil 10, and consequently accelerate(s) disconnection of the current of the control coil 10 and activation of the brake 9. Accelerated disconnection of the current occurs by opening the MOSFET transistor 39 in the secondary circuit of the brake controller, in which case the current of the coil 10 of the brake commutates to travel via the current damping circuit 38. The brake controller to be implemented with the transformer described here is particularly fail-safe, especially from the viewpoint of earth faults, because the power supply from the DC intermediate circuit 2A, 2B to both current conductors of the control coil 10 of the brake disconnects when the modulation of the IGBT transistors 8A, 8B on the primary side of the transformer 36 ceases.

(15) The safety arrangement of an elevator according to FIG. 1 comprises mechanical normally-closed safety switches 28, which are configured to supervise the position/locking of entrances to the elevator hoistway as well as e.g. the operation of the overspeed governor of the elevator car. The safety switches of the entrances of the elevator hoistway are connected to each other in series. Opening of a safety switch 28 consequently indicates an event affecting the safety of the elevator system, such as the opening of an entrance to the elevator hoistway, the arrival of the elevator car at an extreme limit switch for permitted movement, activation of the overspeed governor, et cetera.

(16) The safety arrangement of the elevator comprises an electronic supervision unit 20, which is a special microprocessor-controlled safety device fulfilling the EN IEC 61508 safety regulations and designed to comply with SIL 3 safety integrity level. The safety switches 28 are wired to the electronic supervision unit 20. The electronic supervision unit 20 is also connected with a communications bus 30 to the frequency converter 1, to the elevator control unit 35 and to the control unit of the elevator car, and the electronic supervision unit 20 monitors the safety of the elevator system on the basis of data it receives from the safety switches 28 and from the communications bus. The electronic supervision unit 20 forms a safety signal 13, on the basis of which a run with the elevator can be allowed or, on the other hand, prevented by disconnecting the power supply of the elevator motor 6 and by activating the machinery brakes 9 to brake the movement of the traction sheave of the hoisting machine. Consequently, the electronic supervision unit 20 prevents a run with the elevator e.g. when detecting that an entrance to the elevator hoistway has opened, when detecting that an elevator car has arrived at the extreme limit switch for permitted movement, and when detecting that the overspeed governor has activated. In addition, the electronic supervision unit receives the measuring data of a pulse encoder 27 from the frequency converter 1 via the communications bus 30, and monitors the movement of the elevator car in connection with, inter alia, an emergency stop on the basis of the measuring data of the pulse encoder 27 it receives from the frequency converter 1.

(17) The frequency converter 1 is provided with a special safety logic 15, 16 to be connected to the signal path of the safety signal 13, by means of which safety logic disconnection of the power supply of the elevator motor 6 as well as activation of the machinery brakes can be performed without mechanical contactors, using just solid-state components, which improve the safety and reliability of the elevator system compared to a solution implemented with mechanical contactors. The safety logic is formed from the drive prevention logic 15, the circuit diagram of which is presented in FIG. 2, and also from the brake drop-out logic 16, the circuit diagram of which is presented in FIG. 3. In addition, the frequency converter 1 comprises indicator logic 17, which forms data about the operating state of the drive prevention logic 15 and of the brake drop-out logic 16 for the electronic supervision unit 20. FIG. 6 presents how the safety functions of the aforementioned electronic supervision unit 20 and of the frequency converter 1 are connected together into a safety circuit of the elevator.

(18) According to FIG. 2, the drive prevention logic 15 is fitted to the signal path between the control circuit 5 of the motor bridge and the control gate of each high-side IGBT transistor 4A. The drive prevention logic 15 comprises a PNP transistor 23, the emitter of which is connected to the input circuit 12 of the safety signal 13 in such a way that the electricity supply to the drive prevention logic 15 occurs from the DC voltage source 40 via the safety signal 13. The safety signal 13 travels via a contact of the safety relay 14 of the electronic supervision unit 20, in which case the electricity supply from the DC voltage source 40 to the emitter of the PNP transistor 23 disconnects, when the contact 14 of the safety relay of the electronic supervision unit 20 opens. Although FIGS. 2 and 3 present only one contact 14 of the safety relay, in practice the electronic supervision unit 20 comprises two safety relays/contacts 14 of the safety relay connected in series with each other, with which it is thus endeavored to ensure the reliability of disconnection. When the contacts 14 of the safety relay open, the signal path of the control pulses from the control circuit 5 of the motor bridge to the control gates of the high-side IGBT transistors 4A of the motor bridge is disconnected at the same time, in which case the high-side IGBT transistors 4A open and the power supply from the DC intermediate circuit 2A, 2B to the phases R, S, T of the electric motor ceases. The circuit diagram of the drive prevention logic 15 in FIG. 2 for the sake of simplicity is presented only in respect of the R phase because the circuit diagrams of the drive prevention logic 15 are similar also in connection with the S and T phases.

(19) The power supply to the electric motor 6 is prevented as long as the safety signal 13 is disconnected, i.e. the contact of the safety relay 14 is open. The electronic supervision unit 20 connects the safety signal 13 by controlling the contact of the safety relay 14 closed, in which case DC voltage is connected from the DC voltage source 40 to the emitter of the PNP transistor 23. In this case the control pulses are able to travel from the control circuit 5 of the motor bridge via the collector of the PNP transistor 23 and onwards to the control gates of the high-side IGBT transistors 4A, which enables a run with the motor. Since a failure of the PNP transistor 23 might otherwise cause the control pulses to travel to the high-side IGBT transistors 4A although the voltage supply to the emitter of the PNP transistor has in fact been cut (the safety signal has been disconnected), the signal path of the control pulses from the control circuit 5 of the motor bridge to the drive prevention logic 15 is also arranged to travel via an opto-isolator 21.

(20) According to FIG. 2, the circuit of the PNP transistor 23 also tolerates well EMC interference connecting to the signal conductors of the safety signal 13 traveling outside the frequency converter, preventing its access to the drive prevention logic 15.

(21) According to FIG. 3 the brake drop-out logic 16 is fitted to the signal path between the brake control circuit 11 and the control gates of the IGBT transistors 8A, 8B of the brake controller 7. Also the brake drop-out logic 16 comprises a PNP transistor 23, the emitter of which is connected to the same input circuit 12 of the safety signal 13 as the drive prevention logic 15. Consequently the electricity supply from the DC voltage source 40 to the emitter of the PNP transistor 23 of the brake drop-out logic 16 disconnects, when the contact 14 of the safety relay of the electronic supervision unit 20 opens. At the same time the signal path of the control pulses from the brake control circuit 11 to the control gates of the IGBT transistors 8A, 8B of the brake controller 7 is disconnected, in which case the IGBT transistors 8A, 8B open and the power supply from the DC intermediate circuit 2A, 2B to the coil 10 of the brake ceases. The circuit diagram of the brake drop-out logic 16 in FIG. 3 for the sake of simplicity is presented only in respect of the IGBT transistor 8B connecting to the low-voltage busbar 2B of the DC intermediate circuit, because the circuit diagram of the brake drop-out logic 16 is similar also in connection with the IGBT transistor 8A connecting to the high-voltage busbar 2A of the DC intermediate circuit.

(22) Power supply from the DC intermediate circuit 2A, 2B to the coil of the brake is again possible after the electronic supervision unit 20 connects the safety signal 13 by controlling the contact of the safety relay 14 closed, in which case DC voltage is connected from the DC voltage source 40 to the emitter of the PNP transistor 23 of the brake drop-out logic 16. Also the signal path of the control pulses formed by the brake control circuit 11 to the brake drop-out logic 16 is arranged to travel via an opto-isolator 21, for the same reasons as stated in connection with the above description of the drive prevention logic. Since the switching frequency of the IGBT transistors 8A, 8B of the brake controller 7 is generally very high, even 20 kilohertz or over, the opto-isolator 21 must be selected in such a way that the latency of the control pulses through the opto-isolator 21 is minimized.

(23) Instead of an opto-isolator 21, also a digital isolator can be used for minimizing the latency. FIG. 4 presents an alternative circuit diagram of the brake drop-out logic, which differs from the circuit diagram of FIG. 3 in such a way that the opto-isolator 21 has been replaced with a digital isolator. One possible digital isolator 21 of FIG. 4 is that with an ADUM 4223 type marking manufactured by Analog Devices. The digital isolator 21 receives its operating voltage for the secondary side from a DC voltage source 40 via the contact 14 of the safety relay, in which case the output of the digital isolator 21 ceases modulating when the contact 14 opens.

(24) FIG. 5 presents yet another alternative circuit diagram of the brake drop-out logic. The circuit diagram of FIG. 5 differs from the circuit diagram of FIG. 3 in such a way that the opto-isolator 21 has been replaced with a transistor 46, and the output of the brake control circuit 11 has been taken directly to the gate of the transistor 46. An MELF resistor 45 is connected to the collector of the transistor 46. Elevator safety instruction EN 81-20 specifies that failure of an MELF resistor into a short-circuit does not need to be taken into account when making a fault analysis, so that by selecting the value of the MELF resistor to be sufficiently large, a signal path from the output of the brake control circuit 11 to the gate of an IGBT transistor 8A, 8B can be prevented when the safety contact 14 is open. With the solution of FIG. 5 a simple and cheap drop-out logic is achieved.

(25) In some embodiments the circuit diagram of the drive prevention logic of FIG. 2 has been replaced with the circuit diagram of the brake drop-out logic according to FIG. 4 or 5. In this way the transit time latency of the signal from the output of the control circuit 5 of the motor bridge to the gate of the IGBT transistor 4A, 4B can be reduced in the drive prevention logic.

(26) According to FIG. 6 the safety signal 13 is conducted from the DC voltage source 40 of the frequency converter 1 via the contacts 14 of the safety relay of the electronic supervision unit 20 and onwards back to the frequency converter 1, to the input circuit 12 of the safety signal. The input circuit 12 is connected to the drive prevention logic 15 and also to the brake drop-out logic 16 via the diodes 41. The purpose of the diodes 41 is to prevent voltage supply from the drive prevention logic 15 to the brake drop-out logic 16/from the brake drop-out logic 16 to the drive prevention logic 15 as a consequence of a failure, such as a short-circuit et cetera, occurring in the drive prevention logic 15 or in the brake drop-out logic 16.

(27) Additionally, the frequency converter comprises indicator logic 17, which forms data about the operating state of the drive prevention logic 15 and of the brake drop-out logic 16 for the electronic supervision unit 20. The indicator logic 17 is implemented as AND logic, the inputs of which are inverted. A signal allowing startup of a run is obtained as the output of the indicator logic, which signal reports that the drive prevention logic 15 and the brake drop-out logic are in operational condition and starting of the next run is consequently allowed. For activating the signal 18 allowing the startup of a run, the electronic supervision unit 20 disconnects the safety signal 13 by opening the contacts 14 of the safety relay, in which case the electricity supply of the drive prevention logic 15 and of the brake drop-out logic 16 must go to zero, i.e. the supply of control pulses to the high-side IGBT transistors 4A of the motor bridge and to the IGBT transistors 8A, 8B of the brake controller is prevented. If this happens, the indicator logic 17 activates the signal 18 permitting startup of a run by controlling the transistor 42 to be conductive. The output of the transistor 42 is wired to the electronic supervision unit 20 in such a way that current flows in the opto-isolator in the electronic supervision unit 20 when the transistor 42 conducts, and the opto-isolator indicates to the electronic supervision unit 20 that the startup of a run is allowed. If at least either one of the electricity supplies of the drive prevention logic and brake drop-out logic does not go to zero after the contact 14 of the safety relay has opened in the electronic supervision unit 20, the transistor 42 does not start to conduct and the electronic supervision unit 20 deduces on the basis of this that the safety logic of the frequency converter 1 has failed. In this case the electronic supervision unit prevents the starting of the next run and sends data about prevention of the run to the frequency converter 1 and to the elevator control unit 35 via the communications bus 30.

(28) FIG. 7 presents one embodiment of the invention, in which an emergency drive apparatus 32 has been added to the safety arrangement according to FIG. 1, by means of which apparatus the operation of the elevator can be continued during a functional nonconformance of the electricity network 25, such as during an overload or an electricity outage. The emergency drive apparatus comprises a battery pack 33, preferably a lithium-ion battery pack, which is connected to the DC intermediate circuit 2A, 2B with a DC/DC transformer 43, by means of which electric power can be transmitted in both directions between the battery pack 33 and the DC intermediate circuit 2A, 2B. The emergency drive device is controlled in such a way that the battery pack 33 is charged with the electric motor 6 when braking and current is supplied from the battery pack to the electric motor 6 when driving with the electric motor 6. According to the invention also the electricity supply occurring from the battery pack 33 via the DC intermediate circuit 2A, 2B to the electric motor 6 as well as to the brakes 9 can be disconnected using the drive prevention logic 15 and the brake drop-out logic 16, in which case also the emergency drive apparatus 32 can be implemented without adding a single mechanical contactor to the emergency drive apparatus 32/frequency converter 1.

(29) FIG. 8 presents an embodiment of the invention in which the safety logic of the frequency converter 1 according to the invention is fitted into an elevator having a conventional safety circuit 34. The safety circuit 34 is formed from safety switches 28, such as e.g. safety switches of the doors of entrances to the elevator hoistway, that are connected together in series. The coil of the safety relay 44 is connected in series with the safety circuit 34. The contact of the safety relay 44 opens, when the current supply to the coil ceases as the safety switch 28 of the safety circuit 34 opens. Consequently the contact of the safety relay 44 opens e.g. when a serviceman opens the door of an entrance to the elevator hoistway with a service key. The contact of the safety relay 44 is wired from the DC voltage source 40 of the frequency converter 1 to the common input circuit 12 of the drive prevention logic 15 and the brake drop-out logic 16 in such a way that the electricity supply to the drive prevention logic 15 and brake drop-out logic 16 ceases when the contact of the safety relay 44 opens. Consequently, when the safety switch 28 opens in the safety circuit 34, the passage of control pulses to the control gates of the high-side IGBT transistors 4A of the motor bridge 3 of the frequency converter 1 ceases, and the power supply to the electric motor 6 of the hoisting machine of the elevator is disconnected. At the same time also the passage of control pulses to the IGBT transistors 8A, 8B of the brake controller 7 ceases, and the brakes 9 of the hoisting machine activate to brake the movement of the traction sheave of the hoisting machine.

(30) It is obvious to the person skilled in the art that, differing from what is described above, the electronic supervision unit 20 can also be integrated into the frequency converter 1, preferably on the same circuit card as the drive prevention logic 15 and/or the brake drop-out logic 16. In this case the electronic supervision unit 20 and the drive prevention logic 15/brake drop-out logic 16 form, however, subassemblies that are clearly distinguishable from each other, so that the fail-safe apparatus architecture according to the invention is not fragmented.

(31) The invention is described above by the aid of a few examples of its embodiment. It is obvious to the person skilled in the art that the invention is not only limited to the embodiments described above, but that many other applications are possible within the scope of the inventive concept defined by the claims.