[go: up one dir, main page]

WO2019163133A1 - Elevator safety control device - Google Patents

Elevator safety control device Download PDF

Info

Publication number
WO2019163133A1
WO2019163133A1 PCT/JP2018/007000 JP2018007000W WO2019163133A1 WO 2019163133 A1 WO2019163133 A1 WO 2019163133A1 JP 2018007000 W JP2018007000 W JP 2018007000W WO 2019163133 A1 WO2019163133 A1 WO 2019163133A1
Authority
WO
WIPO (PCT)
Prior art keywords
safety control
safety
function
task
transition process
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2018/007000
Other languages
French (fr)
Japanese (ja)
Inventor
昭之 鳥谷
和則 鷲尾
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mitsubishi Electric Corp
Original Assignee
Mitsubishi Electric Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mitsubishi Electric Corp filed Critical Mitsubishi Electric Corp
Priority to CN201880088986.9A priority Critical patent/CN111788139B/en
Priority to PCT/JP2018/007000 priority patent/WO2019163133A1/en
Priority to JP2020501987A priority patent/JP6824465B2/en
Publication of WO2019163133A1 publication Critical patent/WO2019163133A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B66HOISTING; LIFTING; HAULING
    • B66BELEVATORS; ESCALATORS OR MOVING WALKWAYS
    • B66B5/00Applications of checking, fault-correcting, or safety devices in elevators
    • B66B5/02Applications of checking, fault-correcting, or safety devices in elevators responsive to abnormal operating conditions
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Programme-control systems
    • G05B19/02Programme-control systems electric
    • G05B19/04Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/05Programmable logic controllers, e.g. simulating logic interconnections of signals according to ladder diagrams or function charts
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/48Program initiating; Program switching, e.g. by interrupt

Definitions

  • the present invention relates to an elevator safety control device, and more particularly to an elevator safety control device that provides a plurality of safety control functions.
  • each device when providing a plurality of safety control functions, it is necessary to prepare as many devices or boards as the number of safety control functions.
  • each device is formed with a logic unit including a CPU (Central Processing Unit) and a memory.
  • CPU Central Processing Unit
  • a monitoring board as a monitoring unit that monitors the position and speed of an elevator car and a brake control board as a brake control unit that controls the brake device when performing a second braking operation are provided. ing.
  • the technology according to Patent Document 1 has two safety control functions, and the same number of devices or substrates on which the logic unit is formed are provided as the number of safety control functions.
  • the present invention is intended to solve the above-described problems, and an object thereof is to provide an elevator safety control device that can guarantee the independence of a plurality of safety control functions.
  • an elevator safety control device capable of performing a plurality of functions in a multitasking manner, and an arithmetic processing unit that repeatedly executes processing at a constant cycle;
  • a scheduler for assigning task execution time to the arithmetic processing unit in each cycle, and the plurality of functions executed by the arithmetic processing unit are a first group including a safety control function and a second group including a self-diagnosis function.
  • the scheduler is classified into a third group including a group and a non-safety control function, and the scheduler allocates an execution time to each task of at least one function from the first group and the second group in each cycle, and assigns the execution time to the third group.
  • the remaining execution time is allocated to the tasks of the included functions, and the arithmetic processing unit detects abnormalities using the safety control function or self-diagnosis function. Is the case was interrupts the execution of the function of the tasks included in the second group, to execute the interrupted execution time frame is detected by the abnormality corresponding safety migration processing tasks.
  • a plurality of functions can be executed by multitasking.
  • the plurality of functions includes a first group including a safety control function, a second group including a self-diagnosis function, and non-safety control.
  • the execution of the task of the function included in the second group is suspended and the suspended task.
  • FIG. 1 is a diagram showing a configuration of an elevator apparatus 100 according to Embodiment 1 of the present invention.
  • a car 1 and a counterweight 2 are suspended in a hoistway by suspension means 3.
  • the suspension means 3 includes a plurality of ropes or belts.
  • a hoisting machine 4 for raising and lowering the car 1 and the counterweight 2 is installed in the lower part of the hoistway.
  • the hoisting machine 4 includes a driving sheave 5 around which the suspension means 3 is wound, a hoisting machine motor (not shown) that generates driving torque to rotate the driving sheave 5, and a driving sheave that generates braking torque.
  • the hoisting machine brake 6 as a braking means for braking the rotation of the hoisting machine 5 and the hoisting machine encoder 7 for generating a signal corresponding to the rotation of the driving sheave 5 are provided.
  • an electromagnetic brake device is used as the hoisting machine brake 6, for example.
  • the brake shoe is pressed against the braking surface by the spring force of the braking spring, the rotation of the drive sheave 5 is braked, and the car 1 is braked.
  • the brake shoe is separated from the braking surface by exciting the electromagnetic magnet, and the braking force is released.
  • the braking force applied by the hoisting machine brake 6 changes according to the current value that flows through the brake coil of the electromagnetic magnet.
  • the car 1 is provided with a pair of car suspension wheels 8a and 8b.
  • the counterweight 2 is provided with a counterweight suspension vehicle 9.
  • a car return wheel 10a, 10b and a counterweight return wheel 11 are provided at the upper part of the hoistway.
  • One end of the suspension means 3 is connected to a first rope stop 12a provided at the upper part of the hoistway.
  • the other end of the suspension means 3 is connected to a second rope stop 12b provided at the upper part of the hoistway.
  • the suspension means 3 is wound around the car suspension cars 8a and 8b, the car return cars 10a and 10b, the drive sheave 5, the counterweight return car 11 and the counterweight suspension car 9 in this order from one end side. That is, the car 1 and the counterweight 2 are suspended in the hoistway by the “2: 1 roping method”.
  • a governor 14 is installed at the top of the hoistway.
  • the governor 14 includes a governor sheave 15 and a governor encoder 16 that generates a signal corresponding to the rotation of the governor sheave 15.
  • a governor rope 17 is wound around the governor sheave 15. Both ends of the governor rope 17 are connected to an operation lever (not shown) of an emergency stop device mounted on the car 1. The lower end portion of the governor rope 17 is wound around a tension wheel 18 disposed at the lower part of the hoistway.
  • An upper reference position switch 19a for detecting the position of the car 1 is provided in the upper part of the hoistway.
  • a lower reference position switch 19b for detecting the position of the car 1 is provided at the lower part in the hoistway.
  • the car 1 is provided with a switch operating member for operating the reference position switches 19a and 19b, for example, a cam.
  • a car door switch 20 is provided on the car 1 to detect opening / closing of the car door.
  • the landing on each floor is provided with a landing door switch (not shown) for detecting opening / closing of the landing door.
  • the hoistway is provided with a plurality of floor matching plates 21a to 21c for detecting a position where the passenger can safely enter and exit the car 1, that is, the position of the car 1 in the door zone.
  • the car 1 is provided with a floor alignment sensor 22 for detecting the floor alignment plates 21a to 21c.
  • the hoisting machine encoder 7, the governor encoder 16, the reference position switches 19a and 19b, the car door switch 20, the landing door switch (not shown), and the floor matching sensor 22 generate signals corresponding to the state of the car 1, respectively. Sensor.
  • a control panel 23 is installed in the hoistway.
  • a drive control unit 24, which is an operation control unit, and an elevator safety control device 25 are provided.
  • the elevator safety control device 25 can control the stop of the car 1.
  • a plurality of safety control functions are implemented in the elevator safety control device 25 in order to perform each monitoring / control. That is, safety control from a plurality of viewpoints of the elevator apparatus is realized by the elevator safety control apparatus 25 executing calculations related to a plurality of safety control functions with separate independent programs.
  • the safety control function include a door open travel protection function, an overspeed monitoring function, a maintenance switching function, and a safety communication function.
  • the drive control unit 24 controls the operation of the hoisting machine 4, that is, the operation of the car 1.
  • the drive control unit 24 controls the traveling speed of the car 1 based on a signal from the hoisting machine encoder 7.
  • the door-opening travel protection function determines whether the car 1 is in the landing position based on the signal from the floor alignment sensor 22.
  • the door-open travel protection function determines whether the car door and the landing door are open or closed based on signals from the car door switch 20 and a landing door switch (not shown). Further, the door-opening travel protection function determines whether or not the car 1 is traveling based on a signal from the hoisting machine encoder 7.
  • the door-opening travel protection function includes a state in which at least one of the car door or the landing door is open and the car 1 is traveling even though the car 1 is not at the landing position. Nevertheless, it detects a state in which at least one of the car door and the landing door is open, and outputs a brake operation command. That is, when the door-open travel protection function detects the door-open travel state, the drive sheave 5 is braked by the hoisting machine brake 6 and the hoisting machine motor is stopped to forcibly stop the car 1.
  • Signals from the governor encoder 16 and the reference position switches 19a and 19b are input to an overspeed monitoring function which is one of safety control functions.
  • the overspeed monitoring function obtains the position and speed of the car 1 independently of the drive control unit 24 based on signals from the governor encoder 16 and the reference position switches 19a and 19b, and the speed of the car 1 is predetermined. Monitor whether the overspeed level is reached.
  • the overspeed level is set as an overspeed monitoring pattern that changes according to the position of the car 1.
  • the overspeed monitoring function brakes the drive sheave 5 by the hoisting machine brake 6 and stops the hoisting machine motor to forcibly stop the car 1.
  • the maintenance switching function disables automatic operation when it detects that maintenance personnel have entered the hoistway for inspection by detecting the operation of the switch that detects the opening of the inspection door or the assembly of the handrail of the car. Turn into. In addition, when an overshoot is detected by a position switch provided at the restriction position in the hoistway, the car 1 is stopped, thereby restricting the ascending / descending stroke during the inspection operation. The return to the automatic operation is performed by a reset switch provided outside the hoistway.
  • the drive control unit 24 and the elevator safety control device 25 each have an independent microcomputer.
  • the function in the drive control part 24 and the function in the elevator safety control apparatus 25 are implement
  • various safety control functions implemented in the elevator safety control device 25, that is, calculations such as a door-opening travel protection function and an overspeed monitoring function are executed by independent programs.
  • maintenance functions such as log collection and non-safety functions such as operation control such as allocation response to calls are also executed.
  • elevator safety control device 25 a name different from “elevator safety control device” or “safety control board” is used for the elevator safety control device 25, but both are the same.
  • a single elevator safety control device 25 is equipped with a plurality of safety control functions.
  • a plurality of safety control functions are simply implemented in one elevator safety control device 25, when an abnormality is detected by a certain safety control function and a safety transition process is executed, Execution of the safety control function is interrupted, which may cause inconvenience in the safety control of the entire elevator. In other words, the independence of each safety control function cannot be guaranteed. Therefore, it is necessary to guarantee the independence of a plurality of safety control functions so that each safety control function does not affect other safety control functions.
  • the task scheduling function using time partitioning allocates execution time to each of the tasks of the plurality of safety control functions, and executes the plurality of safety control functions in a multitask, thereby making it possible to make the plurality of safety control functions independent. Guarantee sex.
  • FIG. 2 shows a hardware configuration of the elevator safety control device 25.
  • the elevator safety control device 25 includes an I / O, that is, an input / output unit 30, a CPU 31, a ROM 32 of a nonvolatile memory, a RAM 33 of a volatile memory, a first timer 34 and a second timer 35, and memory protection. And a unit 36.
  • the input / output unit 30, the CPU 31, the ROM 32, the RAM 33, the first timer 34 and the second timer 35, and the memory protection unit 36 are mounted on one safety control board 25. ing.
  • the ROM 32 stores a plurality of programs that respectively execute a safety control function and a non-safety control function.
  • the CPU 31 reads out the program from the ROM 32, develops it on the RAM 33, and executes the program while storing temporary data in the RAM 33.
  • the input / output unit 30 is connected to each external component (not shown) of the safety control board 25.
  • the input / output unit 30 receives a signal related to the state of the elevator. As described above, there are various switches 19a and 19b for monitoring and detecting the state of the elevator. Similarly, various sensors including the governor encoder 16 exist for monitoring and detecting the state of the elevator. Signals from these switches and sensors, that is, signals relating to the state of the car 1 are input to the input / output unit 30.
  • the input / output unit 30 counts and digitizes pulse signals including encoder signals.
  • the input / output unit 30 also compares the duplicated input signals and compares the input signal with a signal from a reference sensor (not shown). If a mismatch is detected as a result of the comparison at the input / output unit 30, a message to that effect is sent to the CPU 31 constituting the logic unit.
  • CPU31 reads the signal from a sensor and a switch as an input value via the input-output part 30, and performs the calculation required for several safety control regarding an elevator. That is, the CPU 31 executes calculations related to a plurality of safety control functions by independent programs based on input values from the sensors and switches. Thereby, the safety control of an elevator is implement
  • the input signal can be acquired via the network.
  • a check by a transmission / reception address, a sequence number, an error detection code, a reception monitoring timer (not shown), etc. is performed in the program.
  • these processes are classified into safety communication functions.
  • the CPU 31 repeatedly executes processing at a constant cycle.
  • the task execution time is assigned to the CPU 31 in each cycle by the scheduler 37 (see FIG. 3).
  • the scheduler 37 according to this embodiment is implemented by software.
  • the scheduler 37 manages the functions executed by the CPU 31 in three groups.
  • the first group includes various safety control functions including the safety communication function described above.
  • the second group includes self-diagnosis functions and safety transition processing.
  • the third group includes other non-safety control functions.
  • the safety control function, the self-diagnosis function, the safety transition process, and the non-safety control function are shown as a safety control program 41, a self-diagnosis program 42, a safety transition program 43, and a non-safety control program 44, respectively.
  • the scheduler 37 assigns the execution time of the CPU 31 with priority over the tasks of the functions included in the first and second groups, and assigns the remaining execution time to the tasks of the functions included in the third group. . Therefore, depending on the situation, the execution time may not be assigned to the task of the function included in the third group.
  • the safety scheduling information 51 stores the execution order and prescribed times of various safety control functions included in the first group. Based on the safety scheduling information 51, the scheduler 37 assigns execution times to various safety control function tasks.
  • the safety transition scheduling information 52 stores various self-diagnostic functions included in the second group and the execution order and specified time of the safety transition processing. Based on the safe transition scheduling information 52, the scheduler 37 assigns execution times to various self-diagnosis functions and safety transition processing tasks.
  • the non-safety scheduling information 53 stores the execution order and specified time of various non-safety control functions included in the third group. Based on the non-safety scheduling information 53, the scheduler 37 assigns execution time to various non-safety control function tasks.
  • the execution time of the task is monitored by the first timer 34 set at the specified time of the safety control function.
  • the monitoring time of the first timer 34 is variable and is set for each function.
  • a watchdog timer with a variable time window can be used as the first timer 34.
  • the task switching process that is, the execution state of the functional task is saved and the execution state of the next functional task is saved within the specified time of the first timer 34.
  • the returning process is performed, and the execution of the task of the next safety control function is started according to the scheduling by the scheduler 37.
  • the execution of the task of the safety control function included in the first group assigned in a certain cycle is finished, the execution of the task of the self-diagnosis function included in the second group is started.
  • the task execution time is monitored by the first timer 34 set to the specified time, as in the case of the safety control function.
  • the execution of the task of the self-diagnosis function included in the second group is completed, the execution of the task of the non-safety control function included in the third group according to the scheduling determined by the scheduler 37 based on the non-safety scheduling information 53 Is started. However, at this time, the execution time is not monitored by the first timer 34.
  • the CPU 31 monitors the execution time of the entire cycle by the second timer 35.
  • the monitoring time of the second timer 35 is fixed and is set according to the cycle time.
  • a watchdog timer with a fixed time window can be used as the second timer.
  • the second timer 35 detects that the cycle time has been exceeded by the safety control function task, the corresponding safety transition process is executed. In addition, when the second timer 35 detects that the cycle time is exceeded by the task of the non-safety control function, the execution of the task is interrupted and the next cycle is started.
  • the CPU 31 immediately stops the hoisting machine 4 and operates the brake.
  • the memory protection unit 36 In addition, during execution of a task of a certain function, access to a memory area used by a task of another function, that is, reading from the memory and writing to the memory are restricted by the memory protection unit 36.
  • Each function has a memory range that can be accessed in advance. When an attempt is made to access beyond that range, the memory protection unit 36 detects a memory access violation.
  • the CPU 31 for example, when the position information of the overspeed monitoring function is lost due to a sensor failure or the like, as a safety transition process, the CPU 31 performs “speed limit” that limits the maximum speed over the entire process.
  • the CPU 31 instructs the drive device to stop to the nearest floor as a safety transition process and completely stops the car 1 after a certain time. Execute “Nearest floor stop”.
  • the CPU 31 immediately stops the hoisting machine 4 and activates the brake as a safety transition process when a serious abnormality such as the above-mentioned specified time excess, cycle time excess, or door-opening travel is detected. “Stop”.
  • the priority of the safety transition process is "Emergency stop”, “Nearest floor stop”, “Speed limit”.
  • priority can be determined by adding as appropriate.
  • FIG. 4 shows a flowchart of the safety transition process in the elevator safety control device 25.
  • the task of the safety control function or the task of the self-diagnosis function is an abnormality of the elevator or the safety control function itself or the safety control device 25 itself.
  • step S1 Yes
  • a corresponding safety transition process is executed (step S3). If the time required for the safety transition process is short and the execution time of both the safety transition process and the self-diagnosis function can be secured, the execution of the self-diagnosis function task may be continued.
  • step S4 it is checked whether the return condition is satisfied. For example, it is checked whether or not the sensor input abnormality has been resolved and whether or not the overspeed state has been resolved by the return by the maintenance staff.
  • step S4 Yes
  • Step S7 Yes
  • the priority of the safety transition process corresponding to the newly detected abnormality is checked.
  • Step S8 No
  • the current safety transition process is continued (returns to Step S4).
  • step S8 Yes
  • the current safety transition process is interrupted, that is, excluded from the schedule (step S9), and newly detected in that time frame.
  • a safety transition process corresponding to the abnormal condition is executed (step S10). Thereafter, if the return condition is satisfied, the process returns (steps S4 to S6).
  • FIG. 5 shows a first example of scheduling in the elevator safety control device 25 according to Embodiment 1 of the present invention.
  • the CPU 31 of the elevator safety control device 25 executes the task of the safety communication function and the task of the overspeed detection function from the first group as shown in the pattern (a1) in a certain cycle. Next, the self-diagnosis function task is executed from the second group. In the last free time, the maintenance function task is executed from the third group and the process ends.
  • the CPU 31 executes a task of the safety communication function, a task of the door-opening travel protection function, and a task of the maintenance switching function from the first group.
  • the self-diagnosis function task is executed from the second group.
  • the task of the operation function is executed from the third group and the process ends.
  • the CPU 31 when the overspeed detection function detects a sensor abnormality and requests the execution of “speed limit” as the safety transition process, the CPU 31 first performs the first operation as shown in the pattern (b1). The task of the safety communication function and the task of the overspeed detection function are executed from the group. Next, in the execution time of the second group, a “speed limit” process is executed instead of the self-diagnostic function task. Then, in the last free time, the maintenance function task is executed from the third group, and the process ends.
  • the CPU 31 first displays the pattern (b2) as shown in FIG.
  • a safety communication function task, a door-opening travel protection function task, and a maintenance switching function task are executed from the first group.
  • the safety transition process is executed at the execution time of the second group. Since the priority of “emergency stop” is higher than the priority of “speed limit” currently being executed, "Emergency stop” is executed instead of "”. Then, in the last free time, the task of the operation function is executed from the third group, and the process ends.
  • the elevator safety control device 25 can execute a plurality of safety control functions in a multitasking manner by the task scheduling function using time partitioning.
  • the plurality of functions executed by the CPU 31 are classified into a first group including a safety control function, a second group including a self-diagnosis function, and a third group including a non-safety control function.
  • the scheduler 37 assigns execution time to tasks of at least one function from the first and second groups, and assigns remaining execution time to tasks of functions included in the third group.
  • the CPU 31 interrupts the execution of the task of the function included in the second group, and is detected in the execution time frame of the interrupted task.
  • the safety transition process corresponding to the abnormality is executed.
  • the CPU 31 detects a new abnormality during the execution of the safety transition process, and the priority of the safety transition process corresponding to the newly detected abnormality is higher than the priority of the safety transition process. First, the execution of the safety transition process is interrupted, and the safety transition process corresponding to the newly detected abnormality is executed.
  • FIG. 6 shows a second example of scheduling in the elevator safety control device 25 according to Embodiment 1 of the present invention.
  • the scheduling (a1 ′, a2 ′) during normal operation of the elevator is the same as that in the first example described above.
  • the CPU 31 As shown in the pattern (b1 ′) or the pattern (b2 ′), the time allocation of the task of the safety control function is canceled, and the execution time frame indicates the pattern (b1 ′) or the pattern (b2 ′).
  • the safety transition process is executed. That is, the safety transition process at this time is executed not in the execution time frame of the second group but in the execution time frame of the safety control function included in the first group.
  • the CPU 31 cancels the time allocation of the tasks of the plurality of safety control functions, and is the most in the safety transition process corresponding to those abnormalities.
  • the one with the higher priority is executed in a free time frame.
  • a plurality of execution time frames may be assigned to the safety transition process in the same cycle.
  • the CPU 31 extends the execution time frame of the second group by deallocating the time allocation of the task of the safety control function and moving forward the execution start time of the task of the subsequent safety control function, In the execution time frame of the second group, the task of the safety transition process and the self-diagnosis function may be executed.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • General Engineering & Computer Science (AREA)
  • Maintenance And Inspection Apparatuses For Elevators (AREA)
  • Indicating And Signalling Devices For Elevators (AREA)

Abstract

An elevator safety control device can execute a plurality of functions by multitasking, aborts the execution of a self-diagnosis function task when an abnormality is detected by a safety control function or the self-diagnosis function, and executes a safety transition process corresponding to the detected abnormality within an execution time frame for the aborted task. In addition, when a new abnormality is detected during execution of the safety transition process and the priority of the safety transition process is lower than the priority of the safety transition process corresponding to the newly detected abnormality, the execution of the safety transition process is interrupted and the safety transition process corresponding to the newly detected abnormality is executed.

Description

エレベータ安全制御装置Elevator safety control device

 この発明は、エレベータ安全制御装置に係り、特に複数の安全制御機能を提供するエレベータ安全制御装置に関するものである。 The present invention relates to an elevator safety control device, and more particularly to an elevator safety control device that provides a plurality of safety control functions.

 従来のエレベータ安全制御装置では、複数の安全制御機能を提供する際には、装置または基板を安全制御機能の数だけ用意する必要があった。例えば、特許文献1では、各装置には、CPU(Central Processing Unit)とメモリとを含む論理部が形成されている。 In the conventional elevator safety control device, when providing a plurality of safety control functions, it is necessary to prepare as many devices or boards as the number of safety control functions. For example, in Patent Document 1, each device is formed with a logic unit including a CPU (Central Processing Unit) and a memory.

 特許文献1に係る技術では、エレベータのかごの位置および速度を監視する監視部としての監視基板と、第2制動動作を行う時にブレーキ装置を制御するブレーキ制御部としてのブレーキ制御基板とが設けられている。すなわち、特許文献1に係る技術は、2つの安全制御機能を有しており、安全制御機能の数だけ、上記の論理部が形成された装置または基板が設けられている。 In the technology according to Patent Document 1, a monitoring board as a monitoring unit that monitors the position and speed of an elevator car and a brake control board as a brake control unit that controls the brake device when performing a second braking operation are provided. ing. In other words, the technology according to Patent Document 1 has two safety control functions, and the same number of devices or substrates on which the logic unit is formed are provided as the number of safety control functions.

国際公開第2007/057973号International Publication No. 2007/057973

 特許文献1に係る技術では、安全制御機能の数だけ装置または基板が必要となるため、コスト高となる。しかしながら、単に1つの装置または基板に複数の安全制御機能を実装しただけでは、ある安全制御機能によって異常が検出されて安全移行処理が実行される際には、他の安全制御機能の実行が中断されてしまい、エレベータ全体の安全制御に不都合が生じる可能性がある。換言すれば、複数の安全制御機能の独立性を保証することができない。 In the technique according to Patent Document 1, the number of devices or substrates required for the number of safety control functions is increased, which increases the cost. However, simply implementing multiple safety control functions on a single device or board will interrupt the execution of other safety control functions when an abnormality is detected by a certain safety control function and a safety transition process is executed. This may cause inconvenience in the safety control of the entire elevator. In other words, the independence of a plurality of safety control functions cannot be guaranteed.

 本発明は、上記の課題を解決するためのものであり、複数の安全制御機能の独立性を保証することができる、エレベータ安全制御装置を提供することを目的とする、 The present invention is intended to solve the above-described problems, and an object thereof is to provide an elevator safety control device that can guarantee the independence of a plurality of safety control functions.

 上記の目的を達成するために、本発明に係るエレベータ安全制御装置は、複数の機能をマルチタスクで実行可能なエレベータ安全制御装置であって、一定周期で繰り返し処理を実行する演算処理部と、各周期における演算処理部へのタスク実行時間の割り当てを行うスケジューラとを備え、演算処理部によって実行される複数の機能は、安全制御機能を含む第1のグループ、自己診断機能を含む第2のグループおよび非安全制御機能を含む第3のグループに分類され、スケジューラは、各周期において、第1、第2のグループから各々少なくとも1つの機能のタスクに実行時間を割り当てるとともに、第3のグループに含まれる機能のタスクに残りの実行時間を割り当て、演算処理部は、安全制御機能または自己診断機能によって異常が検出された場合には、第2のグループに含まれる機能のタスクの実行を中断し、当該中断されたタスクの実行時間枠で検出された異常に対応する安全移行処理を実行する。 In order to achieve the above object, an elevator safety control device according to the present invention is an elevator safety control device capable of performing a plurality of functions in a multitasking manner, and an arithmetic processing unit that repeatedly executes processing at a constant cycle; A scheduler for assigning task execution time to the arithmetic processing unit in each cycle, and the plurality of functions executed by the arithmetic processing unit are a first group including a safety control function and a second group including a self-diagnosis function. The scheduler is classified into a third group including a group and a non-safety control function, and the scheduler allocates an execution time to each task of at least one function from the first group and the second group in each cycle, and assigns the execution time to the third group. The remaining execution time is allocated to the tasks of the included functions, and the arithmetic processing unit detects abnormalities using the safety control function or self-diagnosis function. Is the case was interrupts the execution of the function of the tasks included in the second group, to execute the interrupted execution time frame is detected by the abnormality corresponding safety migration processing tasks.

 本発明に係るエレベータ安全制御装置では、複数の機能をマルチタスクで実行可能であり、複数の機能は、安全制御機能を含む第1のグループ、自己診断機能を含む第2のグループおよび非安全制御機能を含む第3のグループに分類され、安全制御機能または自己診断機能によって異常が検出された場合には、第2のグループに含まれる機能のタスクの実行を中断し、当該中断されたタスクの実行時間枠で前記検出された異常に対応する安全移行処理を実行することにより、複数の安全制御機能の独立性を保証することができる。 In the elevator safety control device according to the present invention, a plurality of functions can be executed by multitasking. The plurality of functions includes a first group including a safety control function, a second group including a self-diagnosis function, and non-safety control. When the abnormality is detected by the safety control function or the self-diagnosis function, the execution of the task of the function included in the second group is suspended and the suspended task By executing the safety transition process corresponding to the detected abnormality in the execution time frame, independence of a plurality of safety control functions can be ensured.

本発明の実施の形態1に係るエレベータの構成を示す図である。It is a figure which shows the structure of the elevator which concerns on Embodiment 1 of this invention. 本発明の実施の形態1に係るエレベータ安全制御装置のハードウェア構成を示す図である。It is a figure which shows the hardware constitutions of the elevator safety control apparatus which concerns on Embodiment 1 of this invention. 本発明の実施の形態1に係るエレベータ安全制御装置の機能構成を示す図である。It is a figure which shows the function structure of the elevator safety control apparatus which concerns on Embodiment 1 of this invention. 本発明の実施の形態1に係る安全移行処理を説明するフローチャートである。It is a flowchart explaining the safe transition process which concerns on Embodiment 1 of this invention. 本発明の実施の形態1に係るスケジューリングの第1の例を示す図である。It is a figure which shows the 1st example of the scheduling which concerns on Embodiment 1 of this invention. 本発明の実施の形態1に係るスケジューリングの第2の例を示す図である。It is a figure which shows the 2nd example of the scheduling which concerns on Embodiment 1 of this invention.

 以下、添付の図面を参照して、本発明の実施の形態を詳細に説明する。ただし、以下に示す実施の形態は一例であり、これらの実施の形態によって本発明が限定されるものではない。 Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the following embodiments are merely examples, and the present invention is not limited to these embodiments.

 実施の形態1.
 図1は、本発明の実施の形態1に係るエレベータ装置100の構成を示す図である。図1において、かご1および釣合おもり2は、懸架手段3によって昇降路内に吊り下げられている。懸架手段3は、複数本のロープまたはベルトを含んでいる。 Embodiment 1 FIG.
FIG. 1 is a diagram showing a configuration of an elevator apparatus 100 according to Embodiment 1 of the present invention. In FIG. 1, a car 1 and a counterweight 2 are suspended in a hoistway by suspension means 3. The suspension means 3 includes a plurality of ropes or belts.

 昇降路内の下部には、かご1および釣合おもり2を昇降させる巻上機4が設置されている。巻上機4は、懸架手段3が巻き掛けられた駆動シーブ5と、駆動トルクを発生して駆動シーブ5を回転させる巻上機モータ(図示せず)と、制動トルクを発生して駆動シーブ5の回転を制動する制動手段としての巻上機ブレーキ6と、駆動シーブ5の回転に応じた信号を発生する巻上機エンコーダ7とを備えている。 A hoisting machine 4 for raising and lowering the car 1 and the counterweight 2 is installed in the lower part of the hoistway. The hoisting machine 4 includes a driving sheave 5 around which the suspension means 3 is wound, a hoisting machine motor (not shown) that generates driving torque to rotate the driving sheave 5, and a driving sheave that generates braking torque. The hoisting machine brake 6 as a braking means for braking the rotation of the hoisting machine 5 and the hoisting machine encoder 7 for generating a signal corresponding to the rotation of the driving sheave 5 are provided.

 巻上機ブレーキ6としては、例えば電磁ブレーキ装置が用いられる。電磁ブレーキ装置による制動時には、制動ばねのばね力によってブレーキシューが制動面に押し付けられて駆動シーブ5の回転が制動され、かご1が制動される。また、電磁ブレーキ装置による制動解除時には、電磁マグネットを励磁することによってブレーキシューが制動面から引き離され、制動力が解除される。なお、巻上機ブレーキ6によって印加される制動力は、電磁マグネットのブレーキコイルに流される電流値に応じて変化する。 As the hoisting machine brake 6, for example, an electromagnetic brake device is used. At the time of braking by the electromagnetic brake device, the brake shoe is pressed against the braking surface by the spring force of the braking spring, the rotation of the drive sheave 5 is braked, and the car 1 is braked. Further, when braking is released by the electromagnetic brake device, the brake shoe is separated from the braking surface by exciting the electromagnetic magnet, and the braking force is released. In addition, the braking force applied by the hoisting machine brake 6 changes according to the current value that flows through the brake coil of the electromagnetic magnet.

 かご1には、一対のかご吊り車8a,8bが設けられている。釣合おもり2には、釣合おもり吊り車9が設けられている。昇降路の上部には、かご返し車10a,10bおよび釣合おもり返し車11が設けられている。懸架手段3の一端部は、昇降路の上部に設けられた第1の綱止め12aに接続されている。懸架手段3の他端部は、昇降路の上部に設けられた第2の綱止め12bに接続されている。 The car 1 is provided with a pair of car suspension wheels 8a and 8b. The counterweight 2 is provided with a counterweight suspension vehicle 9. A car return wheel 10a, 10b and a counterweight return wheel 11 are provided at the upper part of the hoistway. One end of the suspension means 3 is connected to a first rope stop 12a provided at the upper part of the hoistway. The other end of the suspension means 3 is connected to a second rope stop 12b provided at the upper part of the hoistway.

 懸架手段3は、一端部側から順に、かご吊り車8a,8b、かご返し車10a,10b、駆動シーブ5、釣合おもり返し車11、釣合おもり吊り車9に巻き掛けられている。すなわち、かご1および釣合おもり2は、「2:1ローピング方式」によって昇降路内に吊り下げられている。 The suspension means 3 is wound around the car suspension cars 8a and 8b, the car return cars 10a and 10b, the drive sheave 5, the counterweight return car 11 and the counterweight suspension car 9 in this order from one end side. That is, the car 1 and the counterweight 2 are suspended in the hoistway by the “2: 1 roping method”.

 昇降路の上部には、調速機14が設置されている。調速機14は、調速機シーブ15と、調速機シーブ15の回転に応じた信号を発生する調速機エンコーダ16とを備えている。調速機シーブ15には、調速機ロープ17が巻き掛けられている。調速機ロープ17の両端部は、かご1に搭載された非常止め装置の操作レバー(図示せず)に接続されている。調速機ロープ17の下端部は、昇降路の下部に配置された張り車18に巻き掛けられている。かご1が昇降されると、調速機ロープ17が循環され、かご1の走行速度に応じた回転速度で調速機シーブ15が回転される。 A governor 14 is installed at the top of the hoistway. The governor 14 includes a governor sheave 15 and a governor encoder 16 that generates a signal corresponding to the rotation of the governor sheave 15. A governor rope 17 is wound around the governor sheave 15. Both ends of the governor rope 17 are connected to an operation lever (not shown) of an emergency stop device mounted on the car 1. The lower end portion of the governor rope 17 is wound around a tension wheel 18 disposed at the lower part of the hoistway. When the car 1 is raised and lowered, the governor rope 17 is circulated, and the governor sheave 15 is rotated at a rotational speed corresponding to the traveling speed of the car 1.

 昇降路内の上部には、かご1の位置を検出するための上部基準位置スイッチ19aが設けられている。昇降路内の下部には、かご1の位置を検出するための下部基準位置スイッチ19bが設けられている。かご1には、基準位置スイッチ19a,19bを操作するスイッチ操作部材、例えばカムが設けられている。 An upper reference position switch 19a for detecting the position of the car 1 is provided in the upper part of the hoistway. A lower reference position switch 19b for detecting the position of the car 1 is provided at the lower part in the hoistway. The car 1 is provided with a switch operating member for operating the reference position switches 19a and 19b, for example, a cam.

 かご1上には、かごのドア開閉を検出するかごドアスイッチ20が設けられている。各階の乗場には、乗場ドアの開閉を検出する乗場ドアスイッチ(図示せず)が設けられている。また、昇降路には、乗客がかご1に安全に出入りできる位置、すなわちドアゾーンにかご1が位置していることを検出するための複数の床合わせプレート21a~21cが設けられている。かご1には、床合わせプレート21a~21cを検出する床合わせセンサ22が設けられている。 A car door switch 20 is provided on the car 1 to detect opening / closing of the car door. The landing on each floor is provided with a landing door switch (not shown) for detecting opening / closing of the landing door. Further, the hoistway is provided with a plurality of floor matching plates 21a to 21c for detecting a position where the passenger can safely enter and exit the car 1, that is, the position of the car 1 in the door zone. The car 1 is provided with a floor alignment sensor 22 for detecting the floor alignment plates 21a to 21c.

 巻上機エンコーダ7、調速機エンコーダ16、基準位置スイッチ19a,19b、かごドアスイッチ20、乗場ドアスイッチ(図示せず)、床合わせセンサ22は、それぞれかご1の状態に応じた信号を発生するセンサである。 The hoisting machine encoder 7, the governor encoder 16, the reference position switches 19a and 19b, the car door switch 20, the landing door switch (not shown), and the floor matching sensor 22 generate signals corresponding to the state of the car 1, respectively. Sensor.

 昇降路内には、制御盤23が設置されている。制御盤23内には、運行制御部である駆動制御部24と、エレベータ安全制御装置25とが設けられている。エレベータ安全制御装置25は、かご1の停止を制御することができる。 A control panel 23 is installed in the hoistway. In the control panel 23, a drive control unit 24, which is an operation control unit, and an elevator safety control device 25 are provided. The elevator safety control device 25 can control the stop of the car 1.

 エレベータ装置では、安全性を担保するために、複数の観点からシステムに対する監視・制御が実施されている。そのため、各々の監視・制御を実施するために、エレベータ安全制御装置25には、複数の安全制御機能が実装されている。すなわち、エレベータ安全制御装置25が、複数の安全制御機能に関する演算を別個独立のプログラムで各々実行することにより、エレベータ装置の複数の観点からの安全制御が実現される。なお、安全制御機能の具体例としては、例えば、戸開走行保護機能、過速度監視機能、保守切替機能、安全通信機能などがある。 In the elevator system, in order to ensure safety, the system is monitored and controlled from a plurality of viewpoints. Therefore, a plurality of safety control functions are implemented in the elevator safety control device 25 in order to perform each monitoring / control. That is, safety control from a plurality of viewpoints of the elevator apparatus is realized by the elevator safety control apparatus 25 executing calculations related to a plurality of safety control functions with separate independent programs. Specific examples of the safety control function include a door open travel protection function, an overspeed monitoring function, a maintenance switching function, and a safety communication function.

 駆動制御部24は、巻上機4の運転、すなわちかご1の運行を制御する。また、駆動制御部24は、巻上機エンコーダ7からの信号に基づいて、かご1の走行速度を制御する。 The drive control unit 24 controls the operation of the hoisting machine 4, that is, the operation of the car 1. The drive control unit 24 controls the traveling speed of the car 1 based on a signal from the hoisting machine encoder 7.

 戸開走行保護機能は、床合わせセンサ22からの信号に基いて、かご1が着床位置にいるか否かを判断する。また、戸開走行保護機能は、かごドアスイッチ20および乗場ドアスイッチ(図示せず)からの信号に基いて、かごドアおよび乗場ドアの開閉状態を判断する。また、戸開走行保護機能は、巻上機エンコーダ7からの信号に基いて、かご1が走行しているか否かを判断する。 The door-opening travel protection function determines whether the car 1 is in the landing position based on the signal from the floor alignment sensor 22. The door-open travel protection function determines whether the car door and the landing door are open or closed based on signals from the car door switch 20 and a landing door switch (not shown). Further, the door-opening travel protection function determines whether or not the car 1 is traveling based on a signal from the hoisting machine encoder 7.

 また、戸開走行保護機能は、かご1が着床位置に来ていないにもかかわらず、かごドアまたは乗場ドアの少なくともいずれか一方が開いている状態、並びに、かご1が走行中であるにもかかわらず、かごドアまたは乗場ドアの少なくともいずれか一方が開いている状態を検出し、ブレーキ動作指令を出力する。すなわち戸開走行保護機能は、戸開走行状態を検出すると、巻上機ブレーキ6によって駆動シーブ5を制動するとともに巻上機モータを停止させ、かご1を強制停止させる。 In addition, the door-opening travel protection function includes a state in which at least one of the car door or the landing door is open and the car 1 is traveling even though the car 1 is not at the landing position. Nevertheless, it detects a state in which at least one of the car door and the landing door is open, and outputs a brake operation command. That is, when the door-open travel protection function detects the door-open travel state, the drive sheave 5 is braked by the hoisting machine brake 6 and the hoisting machine motor is stopped to forcibly stop the car 1.

 調速機エンコーダ16および基準位置スイッチ19a,19bからの信号は、安全制御機能の1つである過速度監視機能に入力される。過速度監視機能は、調速機エンコーダ16および基準位置スイッチ19a,19bからの信号に基いて、駆動制御部24とは独立して、かご1の位置および速度を求め、かご1の速度が所定の過速度レベルに達しているか否かを監視する。 Signals from the governor encoder 16 and the reference position switches 19a and 19b are input to an overspeed monitoring function which is one of safety control functions. The overspeed monitoring function obtains the position and speed of the car 1 independently of the drive control unit 24 based on signals from the governor encoder 16 and the reference position switches 19a and 19b, and the speed of the car 1 is predetermined. Monitor whether the overspeed level is reached.

 なお、過速度レベルは、かご1の位置に応じて変化する過速度監視パターンとして設定されている。かご1の速度が過速度レベルに達すると、過速度監視機能は、巻上機ブレーキ6によって駆動シーブ5を制動するとともに巻上機モータを停止させ、かご1を強制停止させる。 Note that the overspeed level is set as an overspeed monitoring pattern that changes according to the position of the car 1. When the speed of the car 1 reaches the overspeed level, the overspeed monitoring function brakes the drive sheave 5 by the hoisting machine brake 6 and stops the hoisting machine motor to forcibly stop the car 1.

 保守切替機能は、点検用ドアの開放あるいはかご上手すりの組み立てを検出するスイッチの動作を検出することによって、保守員が点検のために昇降路内に立ち入ったことを検知すると、自動運転を無効化する。また、昇降路内制限位置に設けられた位置スイッチによって行き過ぎを検知するとかご1を停止させることによって、点検運転時の昇降行程の制限を実施する。自動運転への復帰は、昇降路外に設けられたリセットスイッチによって行われる。 The maintenance switching function disables automatic operation when it detects that maintenance personnel have entered the hoistway for inspection by detecting the operation of the switch that detects the opening of the inspection door or the assembly of the handrail of the car. Turn into. In addition, when an overshoot is detected by a position switch provided at the restriction position in the hoistway, the car 1 is stopped, thereby restricting the ascending / descending stroke during the inspection operation. The return to the automatic operation is performed by a reset switch provided outside the hoistway.

 駆動制御部24およびエレベータ安全制御装置25は、各々独立したマイクロコンピュータを有している。駆動制御部24における機能およびエレベータ安全制御装置25における機能は、これらのマイクロコンピュータによって実現される。なお、エレベータ安全制御装置25に実装される各種の安全制御機能、すなわち、戸開走行保護機能、過速度監視機能などの演算は、独立したプログラムによって実行される。また、ログ収集といった保守機能、呼びに対する割り当て応答といった運行制御などの非安全機能も実行される。 The drive control unit 24 and the elevator safety control device 25 each have an independent microcomputer. The function in the drive control part 24 and the function in the elevator safety control apparatus 25 are implement | achieved by these microcomputers. It should be noted that various safety control functions implemented in the elevator safety control device 25, that is, calculations such as a door-opening travel protection function and an overspeed monitoring function are executed by independent programs. In addition, maintenance functions such as log collection and non-safety functions such as operation control such as allocation response to calls are also executed.

 なお、本願では、エレベータ安全制御装置25に対して、「エレベータ安全制御装置」または「安全制御基板」と異なる名称を使用するが、ともに同じものを示している。 In the present application, a name different from “elevator safety control device” or “safety control board” is used for the elevator safety control device 25, but both are the same.

 上記の構成において、1つのエレベータ安全制御装置25には、複数の安全制御機能が実装されている。しかしながら、前述したように、単に1つのエレベータ安全制御装置25に複数の安全制御機能を実装しただけでは、ある安全制御機能によって異常が検出されて安全移行処理が実行される際には、他の安全制御機能の実行が中断されてしまい、エレベータ全体の安全制御に不都合が生じる可能性がある。換言すれば、各々の安全制御機能の独立性を保証することができない。そのため、各々の安全制御機能が他の安全制御機能に影響を及ぼさないように、複数の安全制御機能の独立性を保証する必要がある。 In the above configuration, a single elevator safety control device 25 is equipped with a plurality of safety control functions. However, as described above, when a plurality of safety control functions are simply implemented in one elevator safety control device 25, when an abnormality is detected by a certain safety control function and a safety transition process is executed, Execution of the safety control function is interrupted, which may cause inconvenience in the safety control of the entire elevator. In other words, the independence of each safety control function cannot be guaranteed. Therefore, it is necessary to guarantee the independence of a plurality of safety control functions so that each safety control function does not affect other safety control functions.

 本願発明では、タイムパーティショニングを用いたタスクスケジューリング機能によって、複数の安全制御機能のタスクに実行時間をそれぞれ割り当て、複数の安全制御機能をマルチタスクで実行することによって、複数の安全制御機能の独立性を保証する。 In the present invention, the task scheduling function using time partitioning allocates execution time to each of the tasks of the plurality of safety control functions, and executes the plurality of safety control functions in a multitask, thereby making it possible to make the plurality of safety control functions independent. Guarantee sex.

 図2には、エレベータ安全制御装置25のハードウェア構成が示されている。エレベータ安全制御装置25は、I/O、すなわち入出力部30と、CPU31と、不揮発性メモリのROM32と、揮発性メモリのRAM33と、第1のタイマ34および第2のタイマ35と、メモリ保護ユニット36とを備えている。換言すれば、1つの安全制御基板25上には、入出力部30と、CPU31と、ROM32と、RAM33と、第1のタイマ34および第2のタイマ35と、メモリ保護ユニット36とが実装されている。 FIG. 2 shows a hardware configuration of the elevator safety control device 25. The elevator safety control device 25 includes an I / O, that is, an input / output unit 30, a CPU 31, a ROM 32 of a nonvolatile memory, a RAM 33 of a volatile memory, a first timer 34 and a second timer 35, and memory protection. And a unit 36. In other words, the input / output unit 30, the CPU 31, the ROM 32, the RAM 33, the first timer 34 and the second timer 35, and the memory protection unit 36 are mounted on one safety control board 25. ing.

 ROM32には、安全制御機能および非安全制御機能をそれぞれ実行する複数のプログラムが格納されている。CPU31は、ROM32からプログラムを読み出してRAM33上に展開し、RAM33に一時データを保存しながらプログラムを実行する。 The ROM 32 stores a plurality of programs that respectively execute a safety control function and a non-safety control function. The CPU 31 reads out the program from the ROM 32, develops it on the RAM 33, and executes the program while storing temporary data in the RAM 33.

 図2において、入出力部30は、安全制御基板25の外部構成要素(図示せず)に各々接続されている。 In FIG. 2, the input / output unit 30 is connected to each external component (not shown) of the safety control board 25.

 入出力部30には、エレベータの状態に関する信号が入力される。上述したように、エレベータの状態を監視・検出するために、各種のスイッチ19a,19bが存在する。また、同じくエレベータの状態を監視・検出するために、調速機エンコーダ16を含む各種のセンサが存在する。入出力部30には、これらのスイッチおよびセンサからの信号、すなわち、かご1の状態に関する信号が入力される。 The input / output unit 30 receives a signal related to the state of the elevator. As described above, there are various switches 19a and 19b for monitoring and detecting the state of the elevator. Similarly, various sensors including the governor encoder 16 exist for monitoring and detecting the state of the elevator. Signals from these switches and sensors, that is, signals relating to the state of the car 1 are input to the input / output unit 30.

 また、入出力部30は、エンコーダ信号をはじめとするパルス信号をカウントして数値化する。また、入出力部30は、二重化された入力信号同士の比較、および入力信号と基準センサ(図示せず)からの信号との比較も行う。入出力部30における比較の結果、不一致が検出された場合には、その旨が論理部を構成するCPU31へ通達される。 Also, the input / output unit 30 counts and digitizes pulse signals including encoder signals. The input / output unit 30 also compares the duplicated input signals and compares the input signal with a signal from a reference sensor (not shown). If a mismatch is detected as a result of the comparison at the input / output unit 30, a message to that effect is sent to the CPU 31 constituting the logic unit.

 CPU31は、入出力部30を介してセンサおよびスイッチからの信号を入力値として読み込み、エレベータに関する複数の安全制御に必要な演算を行なう。すなわち、CPU31は、センサおよびスイッチからの入力値に基いて、複数の安全制御機能に関する演算を各々独立したプログラムによって実行する。これにより、エレベータの安全制御が実現される。 CPU31 reads the signal from a sensor and a switch as an input value via the input-output part 30, and performs the calculation required for several safety control regarding an elevator. That is, the CPU 31 executes calculations related to a plurality of safety control functions by independent programs based on input values from the sensors and switches. Thereby, the safety control of an elevator is implement | achieved.

 なお、これらの構成は多重化することができ、各系統を比較することによって故障を検出することができる。 Note that these configurations can be multiplexed, and a failure can be detected by comparing each system.

 また、入力信号をネットワーク経由で取得することもできる。この場合、ネットワークの異常を検出するために、送受信アドレス、シーケンス番号、誤り検出符号、受信監視タイマ(図示せず)などによるチェックをプログラムにおいて実施する。本願発明では、これらの処理は安全通信機能に分類される。 Also, the input signal can be acquired via the network. In this case, in order to detect an abnormality in the network, a check by a transmission / reception address, a sequence number, an error detection code, a reception monitoring timer (not shown), etc. is performed in the program. In the present invention, these processes are classified into safety communication functions.

 エレベータ安全制御装置25において、CPU31は、一定周期で繰り返し処理を実行する。各周期におけるCPU31へのタスク実行時間の割り当ては、スケジューラ37によって行われる(図3参照)。この実施の形態に係るスケジューラ37は、ソフトウェアによって実装されている。 In the elevator safety control device 25, the CPU 31 repeatedly executes processing at a constant cycle. The task execution time is assigned to the CPU 31 in each cycle by the scheduler 37 (see FIG. 3). The scheduler 37 according to this embodiment is implemented by software.

 スケジューラ37は、CPU31によって実行される機能を3つのグループに分けて管理する。第1のグループには、上述した安全通信機能を含む各種の安全制御機能が含まれる。第2のグループには、自己診断機能および安全移行処理が含まれる。第3のグループには、その他の非安全制御機能が含まれる。図3においては、安全制御機能、自己診断機能、安全移行処理、非安全制御機能は、それぞれ安全制御プログラム41、自己診断プログラム42、安全移行プログラム43、非安全制御プログラム44として示されている。 The scheduler 37 manages the functions executed by the CPU 31 in three groups. The first group includes various safety control functions including the safety communication function described above. The second group includes self-diagnosis functions and safety transition processing. The third group includes other non-safety control functions. In FIG. 3, the safety control function, the self-diagnosis function, the safety transition process, and the non-safety control function are shown as a safety control program 41, a self-diagnosis program 42, a safety transition program 43, and a non-safety control program 44, respectively.

 スケジューラ37は、各周期において、第1、第2のグループに含まれる機能のタスクに優先してCPU31の実行時間を割り当て、第3のグループに含まれる機能のタスクには残りの実行時間を割り当てる。そのため、状況によっては、第3のグループに含まれる機能のタスクに実行時間を割り当てられない場合もある。 In each cycle, the scheduler 37 assigns the execution time of the CPU 31 with priority over the tasks of the functions included in the first and second groups, and assigns the remaining execution time to the tasks of the functions included in the third group. . Therefore, depending on the situation, the execution time may not be assigned to the task of the function included in the third group.

 安全スケジューリング情報51には、第1のグループに含まれる各種の安全制御機能の実行順序および規定時間が格納されている。スケジューラ37は、安全スケジューリング情報51に基いて、各種の安全制御機能のタスクに実行時間を割り当てる。 The safety scheduling information 51 stores the execution order and prescribed times of various safety control functions included in the first group. Based on the safety scheduling information 51, the scheduler 37 assigns execution times to various safety control function tasks.

 安全移行スケジューリング情報52には、第2のグループに含まれる各種の自己診断機能および安全移行処理の実行順序および規定時間が格納されている。スケジューラ37は、安全移行スケジューリング情報52に基いて、各種の自己診断機能および安全移行処理のタスクに実行時間を割り当てる。 The safety transition scheduling information 52 stores various self-diagnostic functions included in the second group and the execution order and specified time of the safety transition processing. Based on the safe transition scheduling information 52, the scheduler 37 assigns execution times to various self-diagnosis functions and safety transition processing tasks.

 非安全スケジューリング情報53には、第3のグループに含まれる各種の非安全制御機能の実行順序および規定時間が格納されている。スケジューラ37は、非安全スケジューリング情報53に基いて、各種の非安全制御機能のタスクに実行時間を割り当てる。 The non-safety scheduling information 53 stores the execution order and specified time of various non-safety control functions included in the third group. Based on the non-safety scheduling information 53, the scheduler 37 assigns execution time to various non-safety control function tasks.

 スケジューラ37の割り当てに従って、ある周期においてある安全制御機能のタスクの実行が開始されると、当該安全制御機能の規定時間に設定された第1のタイマ34によって、タスクの実行時間が監視される。第1のタイマ34の監視時間は可変であり、機能毎に設定される。第1のタイマ34としては、例えば可変タイムウィンドウ付きのウォッチドッグタイマを用いることができる。 When the execution of a task of a certain safety control function is started in a certain cycle according to the assignment of the scheduler 37, the execution time of the task is monitored by the first timer 34 set at the specified time of the safety control function. The monitoring time of the first timer 34 is variable and is set for each function. As the first timer 34, for example, a watchdog timer with a variable time window can be used.

 安全制御機能のタスクの実行が正常に終了した場合には、第1のタイマ34の規定時間内にタスクの切り替え処理、すなわち当該機能タスクの実行状態を退避して次の機能タスクの実行状態を復帰する処理が行われ、スケジューラ37によるスケジューリングに従って、次の安全制御機能のタスクの実行が開始される。 When the execution of the task of the safety control function ends normally, the task switching process, that is, the execution state of the functional task is saved and the execution state of the next functional task is saved within the specified time of the first timer 34. The returning process is performed, and the execution of the task of the next safety control function is started according to the scheduling by the scheduler 37.

 ある周期に割り当てられた第1のグループに含まれる安全制御機能のタスクの実行が終了すると、第2のグループに含まれる自己診断機能のタスクの実行が開始される。この際、自己診断機能の場合にも、安全制御機能の場合と同様に、規定時間に設定された第1のタイマ34によって、タスクの実行時間が監視される。 When the execution of the task of the safety control function included in the first group assigned in a certain cycle is finished, the execution of the task of the self-diagnosis function included in the second group is started. At this time, also in the case of the self-diagnosis function, the task execution time is monitored by the first timer 34 set to the specified time, as in the case of the safety control function.

 第1のタイマ34によって規定時間超過が検出された場合には、当該安全制御機能または自己診断機能のタスクの実行を中断する。また、実行の中断が所定回数発生した場合には、対応する安全移行処理を実行する。 When the first timer 34 detects that the specified time is exceeded, execution of the task of the safety control function or the self-diagnosis function is interrupted. In addition, when execution is interrupted a predetermined number of times, a corresponding safety transition process is executed.

 第2のグループに含まれる自己診断機能のタスクの実行が完了すると、スケジューラ37によって非安全スケジューリング情報53に基いて決定されたスケジューリングに従って、第3のグループに含まれる非安全制御機能のタスクの実行が開始される。ただし、この際には、第1のタイマ34による実行時間の監視は行われない。 When the execution of the task of the self-diagnosis function included in the second group is completed, the execution of the task of the non-safety control function included in the third group according to the scheduling determined by the scheduler 37 based on the non-safety scheduling information 53 Is started. However, at this time, the execution time is not monitored by the first timer 34.

 また、CPU31は、周期全体の実行時間を第2のタイマ35によって監視する。第2のタイマ35の監視時間は固定であり、周期時間に合わせて設定される。第2のタイマとしては、例えば固定タイムウィンドウ付きのウォッチドッグタイマを用いることができる。 Further, the CPU 31 monitors the execution time of the entire cycle by the second timer 35. The monitoring time of the second timer 35 is fixed and is set according to the cycle time. For example, a watchdog timer with a fixed time window can be used as the second timer.

 第2のタイマ35によって、安全制御機能のタスクによる周期時間超過が検出された場合には、対応する安全移行処理が実行される。また、第2のタイマ35によって、非安全制御機能のタスクによる周期時間超過が検出された場合には、当該タスクの実行が中断されて次の周期に移る。 When the second timer 35 detects that the cycle time has been exceeded by the safety control function task, the corresponding safety transition process is executed. In addition, when the second timer 35 detects that the cycle time is exceeded by the task of the non-safety control function, the execution of the task is interrupted and the next cycle is started.

 また、CPU31は、安全移行処理に起因する周期時間超過が検出された場合には、直ちに巻上機4の停止とブレーキ作動を行なう。 Further, when the excess of the cycle time due to the safety transition process is detected, the CPU 31 immediately stops the hoisting machine 4 and operates the brake.

 また、ある機能のタスクの実行中は、メモリ保護ユニット36によって他の機能のタスクの利用するメモリエリアへのアクセス、すなわちメモリからの読み込み、およびメモリへの書き込みが制限される。各機能には、予めアクセス可能なメモリ範囲が設定されており、それを超えたアクセスを実施しようとすると、メモリ保護ユニット36によってメモリアクセス違反が検出される。 In addition, during execution of a task of a certain function, access to a memory area used by a task of another function, that is, reading from the memory and writing to the memory are restricted by the memory protection unit 36. Each function has a memory range that can be accessed in advance. When an attempt is made to access beyond that range, the memory protection unit 36 detects a memory access violation.

 また、入出力については直接アクセスが禁止されており、入出力用メモリを経由して同様の保護が実施される。なお、メモリアクセス違反が検出された場合には、例えば、「最寄り階停止」の安全移行処理が実行される。 Also, direct access is prohibited for input / output, and the same protection is implemented via the input / output memory. When a memory access violation is detected, for example, a “safety floor stop” safety transition process is executed.

 (安全移行処理)
 次に、本発明の実施の形態1に係るエレベータ安全制御装置25における、安全移行処理の詳細について説明する。エレベータ安全制御装置25のROM32には、エレベータの異常の種類に応じた複数の安全移行処理の実行プログラム、すなわち安全移行プログラム43と、各々の安全移行処理の優先度を定めた安全移行優先度54とが格納されている。 (Safe transition process)
Next, details of the safety transition process in the elevator safety control device 25 according to the first embodiment of the present invention will be described. In the ROM 32 of the elevator safety control device 25, a plurality of safety transition processing execution programs corresponding to the type of abnormality of the elevator, that is, a safety transition program 43, and a safety transition priority 54 that determines the priority of each safety transition process. And are stored.

 CPU31は、例えば、センサ故障などによって過速度監視機能の位置情報が喪失した場合には、安全移行処理として、全行程にわたって最高速度を制限する「速度制限」を実施する。 CPU31, for example, when the position information of the overspeed monitoring function is lost due to a sensor failure or the like, as a safety transition process, the CPU 31 performs “speed limit” that limits the maximum speed over the entire process.

 また、CPU31は、前述のメモリアクセス違反などの軽微な演算異常が検出された場合には、安全移行処理として、駆動装置に最寄り階への停止を指示して一定時間後にかご1を完全に停止させる「最寄り階停止」を実施する。 In addition, when a minor calculation abnormality such as the above-mentioned memory access violation is detected, the CPU 31 instructs the drive device to stop to the nearest floor as a safety transition process and completely stops the car 1 after a certain time. Execute “Nearest floor stop”.

 また、CPU31は、前述の規定時間超過、周期時間超過、戸開走行などの重大な異常が検出された場合には、安全移行処理として、直ちに巻上機4の停止とブレーキ作動を行なう「非常停止」を実施する。 The CPU 31 immediately stops the hoisting machine 4 and activates the brake as a safety transition process when a serious abnormality such as the above-mentioned specified time excess, cycle time excess, or door-opening travel is detected. “Stop”.

 この場合、安全移行処理の優先度は、「非常停止」、「最寄り階停止」、「速度制限」の順である。この他にも安全移行処理が必要な場合には、適宜追加して優先度を定めることができる。 In this case, the priority of the safety transition process is "Emergency stop", "Nearest floor stop", "Speed limit". In addition, when a safe transition process is necessary, priority can be determined by adding as appropriate.

 図4には、エレベータ安全制御装置25における安全移行処理のフローチャートが示されている。 FIG. 4 shows a flowchart of the safety transition process in the elevator safety control device 25.

 エレベータ安全制御装置25における周期的な処理の実行中に、安全制御機能のタスクまたは自己診断機能のタスクは、エレベータの異常または安全制御機能自体もしくは安全制御装置25自体の異常が発生していないかチェックする(ステップS1)。異常が検出されない場合(ステップS1=いいえ)には、スケジュール通りに処理を実行する。 During the execution of the periodic processing in the elevator safety control device 25, the task of the safety control function or the task of the self-diagnosis function is an abnormality of the elevator or the safety control function itself or the safety control device 25 itself. Check (step S1). If no abnormality is detected (step S1 = No), the process is executed as scheduled.

 ステップS1において異常が検出されると(ステップS1=はい)、予めスケジュールされていた自己診断機能のタスクの実行を中断、すなわちスケジュールから除外し(ステップS2)、その時間枠で今回検出した異常に対応した安全移行処理を実行する(ステップS3)。なお、安全移行処理に必要な時間が短く、安全移行処理と自己診断機能の両方の実行時間が確保できる場合には、自己診断機能のタスクの実行を継続してもよい。 If an abnormality is detected in step S1 (step S1 = Yes), execution of the task of the self-diagnosis function scheduled in advance is interrupted, that is, excluded from the schedule (step S2), and the abnormality detected this time in that time frame is detected. A corresponding safety transition process is executed (step S3). If the time required for the safety transition process is short and the execution time of both the safety transition process and the self-diagnosis function can be secured, the execution of the self-diagnosis function task may be continued.

 安全移行処理の実行中は、復帰条件が成立するか否かをチェックする(ステップS4)。例えば、センサ入力異常が解消されたか否か、保守員による復帰によって過速度状態が解消されたか否かなどをチェックする。 During the execution of the safety transition process, it is checked whether the return condition is satisfied (step S4). For example, it is checked whether or not the sensor input abnormality has been resolved and whether or not the overspeed state has been resolved by the return by the maintenance staff.

 ステップS4において復帰条件が成立すると(ステップS4=はい)、安全移行処理を終了し(ステップS5)、その時間枠で自己診断機能のタスクの実行を再開する(ステップS6)。 If the return condition is satisfied in step S4 (step S4 = Yes), the safety transition process is terminated (step S5), and the execution of the self-diagnosis function task is resumed in that time frame (step S6).

 なお、安全移行処理の実行中に、安全制御機能のタスクが新たな異常を検出した場合(ステップS7=はい)には、新たに検出された異常に対応する安全移行処理の優先度をチェックし(ステップS8)、実行中の安全移行処理の優先度の方が高い場合(ステップS8=いいえ)には、そのまま現在の安全移行処理を継続する(ステップS4に戻る)。 When the safety control function task detects a new abnormality during the execution of the safety transition process (step S7 = Yes), the priority of the safety transition process corresponding to the newly detected abnormality is checked. (Step S8) If the priority of the safety transition process being executed is higher (Step S8 = No), the current safety transition process is continued (returns to Step S4).

 一方、新たな安全移行処理の優先度の方が高い場合(ステップS8=はい)には、現在の安全移行処理を中断、すなわちスケジュールから除外し(ステップS9)、その時間枠で新たに検出された異常に対応する安全移行処理を実行する(ステップS10)。その後、復帰条件が成立すれば復帰する(ステップS4~S6)。 On the other hand, if the priority of the new safety transition process is higher (step S8 = Yes), the current safety transition process is interrupted, that is, excluded from the schedule (step S9), and newly detected in that time frame. A safety transition process corresponding to the abnormal condition is executed (step S10). Thereafter, if the return condition is satisfied, the process returns (steps S4 to S6).

 (スケジューリングの第1の例)
 図5には、本発明の実施の形態1に係るエレベータ安全制御装置25における、スケジューリングの第1の例が示されている。 (First example of scheduling)
FIG. 5 shows a first example of scheduling in the elevator safety control device 25 according to Embodiment 1 of the present invention.

 エレベータ安全制御装置25のCPU31は、ある周期では、パターン(a1)に示されるように、第1のグループから安全通信機能のタスク、過速度検知機能のタスクを実行する。次に、第2のグループから自己診断機能のタスクを実行する。最後の空き時間に、第3のグループから保守機能のタスクを実行して終了する。 The CPU 31 of the elevator safety control device 25 executes the task of the safety communication function and the task of the overspeed detection function from the first group as shown in the pattern (a1) in a certain cycle. Next, the self-diagnosis function task is executed from the second group. In the last free time, the maintenance function task is executed from the third group and the process ends.

 次の周期では、CPU31は、パターン(a2)に示されるように、第1のグループから安全通信機能のタスク、戸開走行保護機能のタスク、保守切替機能のタスクを実行する。次に、第2のグループから自己診断機能のタスクを実行する。最後の空き時間に、第3のグループから運行機能のタスクを実行して終了する。 In the next cycle, as shown in the pattern (a2), the CPU 31 executes a task of the safety communication function, a task of the door-opening travel protection function, and a task of the maintenance switching function from the first group. Next, the self-diagnosis function task is executed from the second group. In the last vacant time, the task of the operation function is executed from the third group and the process ends.

 ここで例えば、過速度検知機能がセンサ異常を検出して、安全移行処理として「速度制限」の実施を要求した場合には、CPU31は、パターン(b1)に示されるように、まず第1のグループから安全通信機能のタスク、過速度検知機能のタスクを実行する。次に、第2のグループの実行時間において、自己診断機能のタスクの代わりに「速度制限」の処理を実行する。そして、最後の空き時間に、第3のグループから保守機能のタスクを実行して終了する。 Here, for example, when the overspeed detection function detects a sensor abnormality and requests the execution of “speed limit” as the safety transition process, the CPU 31 first performs the first operation as shown in the pattern (b1). The task of the safety communication function and the task of the overspeed detection function are executed from the group. Next, in the execution time of the second group, a “speed limit” process is executed instead of the self-diagnostic function task. Then, in the last free time, the maintenance function task is executed from the third group, and the process ends.

 ところが、ここでさらに戸開走行保護機能がエレベータの異常を検出して、安全移行処理として「非常停止」の実施を要求した場合には、CPU31は、パターン(b2)に示されるように、まず第1のグループから安全通信機能のタスク、戸開走行保護機能のタスク、保守切替機能のタスクを実行する。次に、第2のグループの実行時間において安全移行処理を実行するのであるが、現在実行中の「速度制限」の優先度よりも「非常停止」の優先度の方が高いため、「速度制限」の処理に代わって「非常停止」の処理を実行する。そして、最後の空き時間に、第3のグループから運行機能のタスクを実行して終了する。 However, when the door-opening travel protection function further detects an abnormality of the elevator and requests the execution of “emergency stop” as the safety transition process, the CPU 31 first displays the pattern (b2) as shown in FIG. A safety communication function task, a door-opening travel protection function task, and a maintenance switching function task are executed from the first group. Next, the safety transition process is executed at the execution time of the second group. Since the priority of “emergency stop” is higher than the priority of “speed limit” currently being executed, "Emergency stop" is executed instead of "". Then, in the last free time, the task of the operation function is executed from the third group, and the process ends.

 その後、保守員による復旧によって、再びパターン(a1)に示されるような通常のパターンに戻る。 After that, the normal pattern as shown in pattern (a1) is restored again by the restoration by the maintenance personnel.

 以上説明したように、本発明の実施の形態1に係るエレベータ安全制御装置25は、タイムパーティショニングを用いたタスクスケジューリング機能によって、複数の安全制御機能をマルチタスクで実行可能である。 As described above, the elevator safety control device 25 according to Embodiment 1 of the present invention can execute a plurality of safety control functions in a multitasking manner by the task scheduling function using time partitioning.

 CPU31によって実行される複数の機能は、安全制御機能を含む第1のグループと、自己診断機能を含む第2のグループと、非安全制御機能を含む第3のグループとに分類される。 The plurality of functions executed by the CPU 31 are classified into a first group including a safety control function, a second group including a self-diagnosis function, and a third group including a non-safety control function.

 スケジューラ37は、各周期において、第1、第2のグループから各々少なくとも1つの機能のタスクに実行時間を割り当てるとともに、第3のグループに含まれる機能のタスクに残りの実行時間を割り当てる。 In each cycle, the scheduler 37 assigns execution time to tasks of at least one function from the first and second groups, and assigns remaining execution time to tasks of functions included in the third group.

 CPU31は、安全制御機能または自己診断機能によって異常が検出された場合には、第2のグループに含まれる機能のタスクの実行を中断し、当該中断されたタスクの実行時間枠において、検出された異常に対応する安全移行処理を実行する。 When abnormality is detected by the safety control function or the self-diagnosis function, the CPU 31 interrupts the execution of the task of the function included in the second group, and is detected in the execution time frame of the interrupted task. The safety transition process corresponding to the abnormality is executed.

 これにより、複数の安全制御機能の独立性を保証することができる。 This ensures the independence of multiple safety control functions.

 また、CPU31は、上記の安全移行処理の実行中に新たに異常が検出されて、新たに検出された異常に対応する安全移行処理の優先度が上記の安全移行処理の優先度よりも高い場合には、上記の安全移行処理の実行を中断して、新たに検出された異常に対応する安全移行処理を実行する。 Further, the CPU 31 detects a new abnormality during the execution of the safety transition process, and the priority of the safety transition process corresponding to the newly detected abnormality is higher than the priority of the safety transition process. First, the execution of the safety transition process is interrupted, and the safety transition process corresponding to the newly detected abnormality is executed.

 これにより、複数の安全制御機能の独立性を保証しながら、複数の異常が同時に検出された場合にも適切に対応することができる。 This makes it possible to respond appropriately even when multiple abnormalities are detected at the same time while ensuring the independence of multiple safety control functions.

 (スケジューリングの第2の例)
 図6には、本発明の実施の形態1に係るエレベータ安全制御装置25における、スケジューリングの第2の例が示されている。なお、エレベータの通常動作時のスケジューリング(a1’、a2’)は、上述した第1の例と同様である。 (Second example of scheduling)
FIG. 6 shows a second example of scheduling in the elevator safety control device 25 according to Embodiment 1 of the present invention. The scheduling (a1 ′, a2 ′) during normal operation of the elevator is the same as that in the first example described above.

 ある周期において、安全制御機能それ自体の異常が検出され、当該安全制御機能のタスクの実行継続が困難な場合、例えば致命的な演算エラー、実行時間超過などが検出された場合には、CPU31は、パターン(b1’)またはパターン(b2’)に示されるように、当該安全制御機能のタスクの時間割り当てを解除し、その実行時間枠でパターン(b1’)またはパターン(b2’)に示されるような安全移行処理を実行する。すなわち、この際の安全移行処理は、第2のグループの実行時間枠ではなく、第1のグループに含まれる安全制御機能の実行時間枠において実行される。 In a certain cycle, when an abnormality of the safety control function itself is detected and it is difficult to continue the execution of the task of the safety control function, for example, when a fatal calculation error or an excessive execution time is detected, the CPU 31 As shown in the pattern (b1 ′) or the pattern (b2 ′), the time allocation of the task of the safety control function is canceled, and the execution time frame indicates the pattern (b1 ′) or the pattern (b2 ′). The safety transition process is executed. That is, the safety transition process at this time is executed not in the execution time frame of the second group but in the execution time frame of the safety control function included in the first group.

 なお、複数の安全制御機能のタスクの実行継続が困難な場合には、CPU31は、当該複数の安全制御機能のタスクの時間割り当てを解除し、それらの異常に対応した安全移行処理の中で最も優先度の高いものを、空いた時間枠において実行する。この際には、同一周期において、安全移行処理に複数の実行時間枠が割当てられることもありえる。 When it is difficult to continue the execution of the tasks of the plurality of safety control functions, the CPU 31 cancels the time allocation of the tasks of the plurality of safety control functions, and is the most in the safety transition process corresponding to those abnormalities. The one with the higher priority is executed in a free time frame. In this case, a plurality of execution time frames may be assigned to the safety transition process in the same cycle.

 代替的には、CPU31は、当該安全制御機能のタスクの時間割り当てを解除し、後続の安全制御機能のタスクの実行開始時間を前倒しすることによって、第2のグループの実行時間枠を拡張し、第2のグループの実行時間枠において、安全移行処理および自己診断機能のタスクの実行を行ってもよい。 Alternatively, the CPU 31 extends the execution time frame of the second group by deallocating the time allocation of the task of the safety control function and moving forward the execution start time of the task of the subsequent safety control function, In the execution time frame of the second group, the task of the safety transition process and the self-diagnosis function may be executed.

Claims (8)

 複数の機能をマルチタスクで実行可能なエレベータ安全制御装置であって、
 一定周期で繰り返し処理を実行する演算処理部と、
 各周期における前記演算処理部へのタスク実行時間の割り当てを行うスケジューラと
を備え、
 前記演算処理部によって実行される前記複数の機能は、安全制御機能を含む第1のグループ、自己診断機能を含む第2のグループおよび非安全制御機能を含む第3のグループに分類され、
 前記スケジューラは、各周期において、前記第1、第2のグループから各々少なくとも1つの機能のタスクに実行時間を割り当てるとともに、前記第3のグループに含まれる機能のタスクに残りの実行時間を割り当て、
 前記演算処理部は、前記安全制御機能または前記自己診断機能によって異常が検出された場合には、前記第2のグループに含まれる機能のタスクの実行を中断し、該中断されたタスクの実行時間枠で前記検出された異常に対応する安全移行処理を実行する、エレベータ安全制御装置。 An elevator safety control device capable of performing a plurality of functions by multitasking,
An arithmetic processing unit that repeatedly executes processing at a fixed period;
A scheduler for assigning task execution time to the arithmetic processing unit in each cycle,
The plurality of functions executed by the arithmetic processing unit are classified into a first group including a safety control function, a second group including a self-diagnosis function, and a third group including a non-safety control function,
The scheduler assigns an execution time to each task of at least one function from each of the first and second groups in each cycle, and assigns a remaining execution time to the task of the function included in the third group,
When an abnormality is detected by the safety control function or the self-diagnosis function, the arithmetic processing unit interrupts the execution of the task of the function included in the second group, and the execution time of the interrupted task An elevator safety control device that executes a safety transition process corresponding to the detected abnormality in a frame.  前記安全移行処理の実行中に新たに異常が検出されて、該新たに検出された異常に対応する安全移行処理の優先度が前記安全移行処理の優先度よりも高い場合には、前記安全移行処理の実行を中断して、該新たに検出された異常に対応する安全移行処理を実行する、請求項1に記載のエレベータ安全制御装置。 When a new abnormality is detected during the execution of the safety transition process, and the priority of the safety transition process corresponding to the newly detected abnormality is higher than the priority of the safety transition process, the safety transition The elevator safety control device according to claim 1, wherein the execution of the process is interrupted and a safety transition process corresponding to the newly detected abnormality is executed.  前記演算処理部は、前記安全制御機能それ自体の異常が検出された場合には、該安全制御機能のタスクの実行時間割り当てを解除し、該解除された実行時間枠において、前記安全制御機能それ自体の異常に対応する安全移行処理を実行する、請求項1または2に記載のエレベータ安全制御装置。 When the abnormality of the safety control function itself is detected, the arithmetic processing unit cancels the execution time allocation of the task of the safety control function, and the safety control function itself is released in the released execution time frame. The elevator safety control device according to claim 1 or 2, wherein a safety transition process corresponding to an abnormality of itself is executed.  前記複数の機能のメモリアクセス違反を検出するメモリ保護ユニットをさらに備え、
 前記演算処理部は、前記メモリアクセス違反が検出された場合には、該メモリアクセス違反に対応する安全移行処理を実行する、請求項1~3のいずれか一項に記載のエレベータ安全制御装置。 A memory protection unit for detecting memory access violations of the plurality of functions;
The elevator safety control device according to any one of claims 1 to 3, wherein when the memory access violation is detected, the arithmetic processing unit executes a safety transition process corresponding to the memory access violation.  前記第1、第2のグループに含まれる機能のタスクの規定時間超過を検出する第1のタイマをさらに備え、
 前記演算処理部は、前記規定時間超過が所定回数検出された場合には、対応する安全移行処理を実行する、請求項1~4のいずれか一項に記載のエレベータ安全制御装置。 A first timer for detecting an excess of a specified time of a task of a function included in the first and second groups;
The elevator safety control device according to any one of claims 1 to 4, wherein the arithmetic processing unit executes a corresponding safety transition process when the specified time excess is detected a predetermined number of times.  全体周期時間超過を検出する第2のタイマをさらに備え、
 前記演算処理部は、前記第1、第2のグループに含まれる機能のタスクによる前記周期時間超過が検出された場合には、対応する安全移行処理を実行する、請求項1~5のいずれか一項に記載のエレベータ安全制御装置。 A second timer for detecting a total cycle time excess;
6. The arithmetic processing unit according to claim 1, wherein when the excess of the period time is detected by a task of a function included in the first and second groups, the arithmetic processing unit executes a corresponding safety transition process. The elevator safety control device according to one item.  前記第3のグループに含まれる機能のタスクによる前記周期時間超過が検出された場合には、当該タスクの実行を中断する、請求項6に記載のエレベータ安全制御装置。 The elevator safety control device according to claim 6, wherein when an excess of the cycle time is detected by a task having a function included in the third group, execution of the task is interrupted.  前記安全移行処理は、前記優先度の高い順に、緊急停止、最寄り階停止運転、速度制限を含む、請求項1~7のいずれか一項に記載のエレベータ安全制御装置。 The elevator safety control device according to any one of claims 1 to 7, wherein the safety transition processing includes emergency stop, nearest floor stop operation, and speed limit in descending order of priority.
PCT/JP2018/007000 2018-02-26 2018-02-26 Elevator safety control device Ceased WO2019163133A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201880088986.9A CN111788139B (en) 2018-02-26 2018-02-26 Elevator safety control device
PCT/JP2018/007000 WO2019163133A1 (en) 2018-02-26 2018-02-26 Elevator safety control device
JP2020501987A JP6824465B2 (en) 2018-02-26 2018-02-26 Elevator safety controller

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2018/007000 WO2019163133A1 (en) 2018-02-26 2018-02-26 Elevator safety control device

Publications (1)

Publication Number Publication Date
WO2019163133A1 true WO2019163133A1 (en) 2019-08-29

Family

ID=67687012

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/007000 Ceased WO2019163133A1 (en) 2018-02-26 2018-02-26 Elevator safety control device

Country Status (3)

Country Link
JP (1) JP6824465B2 (en)
CN (1) CN111788139B (en)
WO (1) WO2019163133A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2025163707A1 (en) * 2024-01-29 2025-08-07 株式会社日立製作所 Elevator control device and control method for elevator control device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001125797A (en) * 1999-10-25 2001-05-11 Seiko Epson Corp Multitask system, recording medium recording program thereof, and processing device
JP2011121726A (en) * 2009-12-11 2011-06-23 Hitachi Ltd Electronic safety elevator
WO2011111223A1 (en) * 2010-03-12 2011-09-15 三菱電機株式会社 Elevator safety control device
WO2012104899A1 (en) * 2011-01-31 2012-08-09 トヨタ自動車株式会社 Safety control device and safety control method
US20150338835A1 (en) * 2012-06-26 2015-11-26 Inter Control Hermann Kohler Elektrik Gmbh & Co., Kg Apparatus and method for a security-critical application

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH03109643A (en) * 1989-09-22 1991-05-09 Nec Corp Execution system for data exception procedure
CN100359481C (en) * 2003-09-13 2008-01-02 华为技术有限公司 Abnormality monitoring device and method for multi-task system
CN1953926B (en) * 2005-03-31 2010-05-05 三菱电机株式会社 Elevator device
CN100595123C (en) * 2005-03-31 2010-03-24 三菱电机株式会社 Elevator device
CN101925528B (en) * 2008-03-27 2012-11-28 三菱电机株式会社 Elevator control system
CN102514988B (en) * 2011-11-16 2014-08-06 领科无线射频系统(上海)有限公司 Ultrahigh frequency elevator remote control system
WO2015079976A1 (en) * 2013-11-28 2015-06-04 株式会社日立製作所 Elevator safety system
CN206529179U (en) * 2017-01-13 2017-09-29 内蒙古滋润广告传媒有限责任公司 Elevator emergency equipment

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001125797A (en) * 1999-10-25 2001-05-11 Seiko Epson Corp Multitask system, recording medium recording program thereof, and processing device
JP2011121726A (en) * 2009-12-11 2011-06-23 Hitachi Ltd Electronic safety elevator
WO2011111223A1 (en) * 2010-03-12 2011-09-15 三菱電機株式会社 Elevator safety control device
WO2012104899A1 (en) * 2011-01-31 2012-08-09 トヨタ自動車株式会社 Safety control device and safety control method
US20150338835A1 (en) * 2012-06-26 2015-11-26 Inter Control Hermann Kohler Elektrik Gmbh & Co., Kg Apparatus and method for a security-critical application

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2025163707A1 (en) * 2024-01-29 2025-08-07 株式会社日立製作所 Elevator control device and control method for elevator control device

Also Published As

Publication number Publication date
JP6824465B2 (en) 2021-02-03
CN111788139B (en) 2021-09-14
CN111788139A (en) 2020-10-16
JPWO2019163133A1 (en) 2020-07-30

Similar Documents

Publication Publication Date Title
CN102781804B (en) Elevator safety control device
JPWO2006106575A1 (en) Elevator equipment
CN107922151B (en) elevator installation
JP2006298538A (en) Elevator equipment
JP6824465B2 (en) Elevator safety controller
CN112744660B (en) Multi-car elevator
JP6776457B2 (en) Elevator controls, elevators, and elevator control methods
JP7014337B2 (en) Task schedule management device
EP2085348A1 (en) Elevator controller
CN113165836B (en) Monitoring device for preventing elevator user from being trapped
KR102807586B1 (en) Elevator safety control device and elevator safety control system
EP4389665B1 (en) Verifying configuration parameter changes in an elevator safety system
EP3878787B1 (en) Managing elevator call assignments in response to elevator door reversals
JPS6242833B2 (en)
JP7003217B2 (en) Elevator safety control device
KR100891234B1 (en) Elevator device
JP2024068460A (en) ELEVATOR SYSTEM, INTERACTION DEVICE, INTERACTION METHOD, AND INTERACTION PROGRAM
JP2006160384A (en) Elevator control device
CN121317485A (en) Elevator safety control device, method for elevator safety control and elevator system
JPS5834384B2 (en) elevator control device
JPH03106778A (en) Side rescue operation device for elevator
JP2014065571A (en) Elevator system, elevator driving device for passenger rescue, and passenger rescue method for elevator system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18907041

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2020501987

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18907041

Country of ref document: EP

Kind code of ref document: A1