Elevator World
5/01/96
The Elevator Code in the 21st Century

Author: Galen L. Dutch

Introduction

Since the American Society of Mechanical Engineers (ASME) published the first version of the elevator safety code in 1921, vertical transportation has evolved dramatically. At the inception of the code, elevator safety was primarily the concern of the mechanical engineer, and electrical control circuits were rudimentary protective accessories added to basic machinery.

Today, however, the safety and integrity of modern elevators depend on much more than the cables, sheaves and rails. In state-of-the-art equipment, sophisticated electronic systems and computer software must be compatible and function predictably to ensure public safety and promote reliability. Present engineering practice emphasizes the use of solid-state devices instead of the traditional electromechanical equipment incorporated into earlier designs. This new technology is quite abstract, and the A17.1 Elevator Code does not address the issue of electronic safety circuits in much detail. Furthermore, solid-state controls have no moving parts, and their operation is virtually invisible to the inspector who visits the equipment room. The condition of electronic circuits cannot be assessed or verified by casual observation. Hence, the safety of an electronic control system is a condition that can be checked only by personnel who have knowledge of the specific circuits and their diagnostic equipment. Also, these controls are not subject to mechanical wear, and their safety-sensitive functions are not compromised by repeated operation. If this type of control is determined to have a defect impairing safe operation of the elevator, that defect must have been designed into the system rather than being a result of wear or age. Therefore, the safety functions in high-tech elevator controllers depend largely on the integrity of the initial design rather than on maintenance of the equipment after it is placed in operation. Nor can an inspector examine those safety features using the traditional methods of analysis. The only way authorities can regulate the safety issues associated with electronic controls is to address the design objectives rather than to probe the actual hardware that comprises the system.
This article will discuss the methods that can be used to fashion an elevator code which will accommodate new technologies, by specifying design-analysis techniques. This will allow code authorities to judge the safety of innovative products by applying a logical analysis process, rather than trying to understand the exotic details of the technology.

Objectives of the Elevator Code

In order to rewrite the present A17.1 Code to accommodate new technology, it is necessary to clearly identify the objectives of the code and how they are actually applied and enforced. In summary, the code's purpose is to ensure the safety of the public who will be transported by the equipment, to protect personnel who will work on the apparatus and to provide for inspection of the installation by an examiner from the code-enforcement authority. The inspection process must be done quickly, and it should be capable of being performed by anyone with an average knowledge of elevator equipment. In a solid-state system, the only portion of the equipment that visibly operates will be the actual hoist machinery and perhaps a few large power contactors. Therefore, the safety functions of this type of equipment can be verified only by checking for the proper end results of the decisions made by the system.

The Need for Change

The introduction of the A17.1 Code contains a brief paragraph regarding the application of the rules to new technology. It states, "Where present rules are not applicable or do not describe the product or system, the enforcing authority should recognize the need for exercising latitude and granting exceptions where the product or system is equivalent in quality, strength or stability, fire-resistance, effectiveness, durability and safety to that intended by present code rules." Therefore, the framers of the code were aware that the technology would be subject to evolution, and traditional designs would eventually become obsolete. This is well-demonstrated throughout the history of elevator engineering.

Early equipment used purely mechanical controls, such as the tiller-rope technique. When electricity came into use, the concept of circuit design was adapted to elevator controls. In addition to providing motive power, electric circuits could perform logistical functions, such as checking the position of the doors, and car gate and limit switches prevented over-travel. These circuits could be built to perform more elaborate functions, such as signaling and automation. After it was demonstrated that electrical controls were safe, reliable and economical, the industry quickly phased out production of the mechanical systems in favor of the new technology. In the 1950s, electronic circuits were blended with the basic electrical controls to enhance equipment performance, and eventually, complete automation of elevators became possible. The self-service equipment quickly proved itself as safe, and code authorities were quite confident that the passengers' well-being was not compromised by eliminating the attendant from the car.

In the 1960s, the desire to eliminate electromechanical relays was fulfilled through the use of solid-state devices. A radically new concept in hoist-motor control, based on the SCR drive principle, was introduced in that era. Since then, elevator design has been largely guided by advances in electronics technology and computer science. Today's equipment is a blend of power electronic systems that control raw energy to produce the car motion and computer software that provides the logistics of operation. These systems must function together in a harmonious manner to assure user safety and prevent equipment damage. Computer software is playing an increasing role in the design of these controls, and future elevators will truly be products of the information age.

Upon examining the present A17.1 Code, it is apparent that some subjects taken for granted may need reevaluation to accommodate new technology. Consider these parts of the code, where the safety of new products can be addressed:

1 Rule 204.2a Material for Car Enclosures

Composite materials, such as graphite-fiber-reinforced plastic, can reduce the weight of cab and door panels. If the material is as durable and fire-resistive as metal or wood, it should be permitted.

2 Rule 205.1 Car Safety Gear

Are car safeties always necessary, or could a rope brake provide the necessary protection in most cases?

3 Rule 205.9a Safety Gear Application Methods

Could electrical or pneumatic devices perform this function more reliably?

4 Rule 206 Speed Governors

An electronic speed-sensor can perform this function more safely than the centrifugal type. If the trip point of the electronic sensor is set by programming a read-only memory (ROM), the calibration can be considered sealed, because the data in a ROM cannot be changed.

5 Rule 208.1 Driving Machines and Sheaves

This rule states that elevator driving machines shall be the traction type. Future drive systems may use a linear-induction motor which combines propulsion components in the car or counterweight assembly.

6 Rule 210.9 Control and Operating Circuits

There are several issues to be discussed on this topic:

(A) Control data can be transmitted from the car to the machine room using the serial method, where many functions can be controlled using only two wires. The traditional method is parallel transmission, which requires a wire for each function.

(B) The car traveling cable can be completely eliminated by using a radio or microwave link to transmit signals to each controller. A special protocol can be used to avoid addressing the wrong car or controller.

(C) A trolley rail with a current-collector can deliver power to the car for door motors and light fixtures.

(D) Traditional controls use the closed-circuit principle to implement fail-safe functions. This involves opening electrical contacts to interrupt equipment operation. Modern systems use computer software to check for input variables that indicate an unsafe condition. Most relay logic can be eliminated, except for power contactors that control motor inputs or the service brake coil.

(E) Computer software uses the Von Neumann Principle, where a stored program makes logical decisions instead of relay circuits based on Boolean algebra. Although software is a nonphysical entity, there are methods available from computer science to demonstrate that it can directly control functions with a probability of failure less than that of relay-based systems. Future controls may employ fuzzy logic and other exotic methods to make operational decisions.

7 Rule F211.5b(2) Seismic Switches for Earthquake Detection

Presently, the code prescribes that seismic switches be located in the machine room. Seismologists have proposed the concept of regional seismic sensors that transmit emergency control signals over telephone lines. This system would give advance warning that earthquake shock waves are approaching the building site. Should the code allow the seismic shutdown routine to be initiated by such a regional sensor network?

If engineers can design new technology that is safe and reliable, how can they qualitatively define this level of safety for the code committees, inspectors and other authorities? Simplified methods of analyzing technology must be used so that relative laypersons can gain understanding.

Methods of Analyzing New Products

Modern elevators are based on technologies derived from other engineering disciplines. Equipment manufacturers have exploited the field of power electronics and computers to eliminate moving parts that are expensive and require maintenance. Solid-state controls are not readily understood by persons not versed in the field of electronics engineering. The code was originally developed by specialists in mechanical or electrical engineering. The closed-circuit principle is an elementary concept in safety circuit design. If a hazardous condition could be checked by an electrical switch, the equipment could be rendered safe by simply opening the contacts that supply energy to the machinery. This technique was enhanced by using carbon-to-copper contacts known to be nonwelding and by incorporating arc-suppression devices, such as blow-out coils, to interrupt current flow. These components are based on well-known principles of physics or metallurgy, and they are understood by all electrical equipment designers.

Modern control systems involve much more than simple circuits to implement safety functions. However, it is not always necessary to know electronics engineering to understand that the technology is safe. Some techniques will be presented to help code authorities evaluate how these systems work. Consider the following methods of analysis:

A. The Equivalency Test

This simple technique involves proving that a new product is actually in compliance with the existing code. For example, a serial transmission link can be used to send control data through the traveling cable with just two wires instead of the usual parallel method, which needs a separate wire for each device on the car.

The serial method uses a sequence of digital pulses to transmit control data. However, this arrangement is actually in compliance with the closed-circuit principle dictated by the code. If either of the two wires of the serial link is opened, the flow of data will be interrupted. If the wires are shorted, the data flow will also be halted, because the current or voltage from the transmitter cannot propagate beyond the shorted point.
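The equivalence argued above holds only if the receiving end treats the absence of valid data the way a relay circuit treats an opened contact. The following added example (it is not code from the article, and it describes no particular manufacturer's link) shows a receiver written to that rule: it decodes a simple framed serial stream and reports RUN only while well-formed frames keep arriving. The frame format (start bit, eight data bits LSB first, even parity, stop bit), the convention that the line rests high when idle, and the three sampled line captures are all assumptions constructed for the demonstration.

```python
# Added example: a fail-safe receiver for a two-wire serial link. The frame format,
# the idle-high convention and the sample line captures are assumptions for the
# demonstration, not the article's or any product's design.

FRAME_LEN = 11   # start + 8 data + parity + stop


def encode_frame(byte: int) -> list:
    """One byte as a list of line levels: start(0), data LSB first, even parity, stop(1)."""
    bits = [(byte >> k) & 1 for k in range(8)]
    return [0] + bits + [sum(bits) % 2] + [1]


def decode_frames(samples) -> list:
    """Return the bytes of every well-formed frame found in a sampled line.

    A frame is accepted only if its start bit follows an idle (high) level, its
    parity checks and its stop bit is high. A line stuck high (open circuit with a
    pull-up) never shows a start bit; a line stuck low (short) never shows a stop
    bit; either way nothing is decoded.
    """
    decoded = []
    i = 0
    while i + FRAME_LEN <= len(samples):
        preceded_by_idle = i == 0 or samples[i - 1] == 1
        if samples[i] == 0 and preceded_by_idle:
            frame = samples[i:i + FRAME_LEN]
            bits, parity, stop = frame[1:9], frame[9], frame[10]
            if stop == 1 and sum(bits) % 2 == parity:
                decoded.append(sum(b << k for k, b in enumerate(bits)))
                i += FRAME_LEN
                continue
        i += 1
    return decoded


def link_state(window, min_frames=1) -> str:
    """Closed-circuit rule applied to data: no fresh valid frames in the sampling
    window means STOP, exactly as an opened contact would in a relay circuit."""
    return "RUN" if len(decode_frames(window)) >= min_frames else "STOP"


if __name__ == "__main__":
    # Constructed captures of the line over one sampling window.
    healthy = encode_frame(0x5A) * 3 + [1] * 5        # three frames, then idle
    open_circuit = [1] * 40                           # one wire open, line rests high
    short_circuit = [0] * 40                          # wires tied together, line held low
    for name, capture in [("healthy", healthy), ("open", open_circuit),
                          ("short", short_circuit)]:
        print(name, decode_frames(capture), link_state(capture))
```

The design point is that RUN is never the default: the controller must be re-earned every window by fresh, valid frames. Parity catches a single corrupted bit in a frame, but a line that chatters at an intermediate level can occasionally line up as a spurious frame, so a production link would also carry a sequence counter or CRC inside the frames and the receiver would check those before accepting a command.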

If an electronic speed-sensor is used as a governor, the trip point can be set by programming a ROM device. The data in this type of device is actually stored by burning microscopic fuses in a matrix pattern on a silicon chip. Once the fuses are burned, the matrix behaves like a hard-wired circuit, and electric signals must follow only that path. A ROM circuit cannot be reprogrammed, because the matrix-burning process is irreversible. The data can be changed only by removing the ROM device from the board and inserting a fresh one, which must then have the new data burned-in prior to installation. This technique can be considered as sealing the adjustment of the speed-sensor. Hence, the code authority should recognize the electronic ROM chip as providing protection equivalent to the mechanical seal on the centrifugal type.

B. The Performance Test

This technique addresses the intent of the code and how the new product can give the desired level of safe performance. In this method, it should not be necessary to prove that the product meets the code verbatim; rather, it seeks to show that the end results are as safe as the code intended.

A number of industry experts have made arguments for adopting a performance-based approach to writing code requirements. Using results obtained from equipment operation in a test tower, it is possible to verify the quality of performance under various conditions. If laboratory operation proves successful, a variance can be obtained from local authorities to allow limited use of the new design. After the product has performed to an acceptable level in actual service, the code can be rewritten to accommodate the design's general attributes. The variances granted by local authorities are actually a performance-based judgment that is rendered if they can verify that the equipment is as safe as a conventional design.

The most dramatic changes in elevator design involve features covered by Rule 210.9, which addresses control and operating circuits. Some installations already contain novel equipment, and proposals are being made to allow the use of more unconventional designs. Consider these existing or proposed features:

(1) Serial data transmission through the traveling cable instead of multiple conductors for control signals.

(2) A radio frequency data link and power trolley rails that provide control signals between the car and machine room without using a traveling cable.

(3) An inductive data transmission system that uses an antenna on the car, and a stationary cable loop mounted next to the guide rails, to communicate control signals.

(4) An electronic speed-sensor on the car replaces the governor and cable. The sensor and a control system can apply the car safeties by de-energizing a solenoid.

(5) An advanced programmable logic controller (PLC) allows computer software engineers to write programs that have replaced relay-logic circuits associated with safety functions. This approach is widely used in the aerospace field and is being adapted to more commonplace applications.

The criterion for implementing a performance-based code is to determine the average time between hazardous failures for a given design. Most elevators operate their entire life cycle without experiencing a serious incident. Because there are several hundred thousand installations in the U.S. alone, the industry has been able to compile a reliable database on safety performance. From the statistics, authorities have extrapolated that the present technology has an average time between hazardous failures of several billion hours!

C. The Mode-of-Failure Test

This method of evaluating a product is very useful in understanding complex electronic systems without having to know the high technology itself. The failure mode and effects analysis (FMEA) technique determines how individual elements of a system can malfunction and what combinations of failure can result in an unsafe condition. Redundancy is a property of a system that is provided by using two or more elements to influence the final action of that system. The FMEA process is easily used for relays, because they have only two modes of failure: they can be open-circuited or shorted. Electronic circuits can also be analyzed using this two-mode failure concept.

Applying the Principles of Analysis

In this section, several examples will be given to show how the methods of analysis can be used to check a product's safety features. In the first example, the equivalency and the performance tests will be applied to car position-indicating devices that provide input signals to an elevator controller. If the power to the controller fails, the proper car position must be remembered. This requirement is commonly known as fault tolerance.

Figure 1 illustrates a mechanical floor selector that provides car-position input to the relay type of controller. The selector is operated by a steel cord attached to the car frame. The drive sheave, gear box and lead screw cause the carriage to move in synchronism with the car. Contacts on the floor bars and the carriage provide electrical inputs that correspond to the true car position in the hoistway. Because of the mechanical linkage between the car and the carriage, this type of selector can be a very fault-tolerant device for tracking car movements.

Figure 2 shows a digital encoder that provides car-position data to a microprocessor-based control system. In this case, a digital code is etched on eight concentric tracks on a revolving disk. An optical transmitter/receiver arrangement reads the code on the disk and provides binary signals at the digital output terminals. This type of encoder uses a Gray Code, in which the binary output is a number that is unique to the exact circular position of the disk. The entire travel of an elevator car can be encoded in less than one complete revolution of this disk, and the true position will always appear at the output terminals. As an additional precaution, the digital output is checked by the controller software for an improper counting sequence that might indicate erroneous positional data.

It can be concluded that a digital encoder is reasonably equivalent to a mechanical floor selector, because the true car position is always known. Furthermore, the encoder gives the same level of safe performance as a mechanical selector in terms of average time between hazardous failures.
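To make the encoder's software check concrete, here is an added example (not code from the article, and not any controller manufacturer's firmware) that encodes an eight-track absolute position as Gray code, decodes it back, and screens a stream of readings the way the controller described above might: a reading whose decoded position moves more than one step from the last accepted reading is rejected rather than adopted as the new car position. The sample reading stream, the "at most one step per sample" rule and the function names are assumptions for the demonstration.

```python
# Added example: 8-bit Gray-code position encoder with a plausibility check on the
# reading sequence. Not from the article; the sample readings are constructed.

TRACKS = 8                      # eight concentric tracks -> 256 distinct positions
MAX_CODE = (1 << TRACKS) - 1


def gray_encode(position: int) -> int:
    """Binary position -> Gray code (adjacent positions differ in exactly one track)."""
    if not 0 <= position <= MAX_CODE:
        raise ValueError("position outside the encoder disk")
    return position ^ (position >> 1)


def gray_decode(code: int) -> int:
    """Gray code -> binary position (fold each bit down from the most significant)."""
    position = 0
    while code:
        position ^= code
        code >>= 1
    return position


def hamming(a: int, b: int) -> int:
    """Number of tracks whose reading differs between two codes."""
    return bin(a ^ b).count("1")


def check_sequence(readings, max_step=1):
    """Screen consecutive encoder readings for an improper counting sequence.

    Returns the indices of rejected readings: a decoded position that jumps more
    than max_step from the last accepted position. A rejected reading does not
    become the new reference, so one bad read cannot drag the tracked position
    with it. Note that a single misread track still leaves the raw pattern at
    Hamming distance 1 from a legal code, which is why the check is made on the
    decoded position rather than on the bit pattern.
    """
    rejected = []
    last_good = gray_decode(readings[0])
    for i, code in enumerate(readings[1:], start=1):
        position = gray_decode(code)
        if abs(position - last_good) > max_step:
            rejected.append(i)
        else:
            last_good = position
    return rejected


if __name__ == "__main__":
    # Constructed sample: car at positions 40..43, one reading with track 7 misread
    # (bit 7 flipped), then the true position 44.
    sample = [gray_encode(p) for p in (40, 41, 42, 43)]
    sample.append(gray_encode(43) ^ 0x80)
    sample.append(gray_encode(44))
    print("decoded positions:", [gray_decode(c) for c in sample])
    print("rejected indices:", check_sequence(sample))
```

The misread track in the sample is a one-bit change on the wire, so a check on the raw pattern would pass it; decoded, it reads as position 212, a jump the car cannot have made in one sample, and the check discards it while keeping 43 as the reference so that the following true reading of 44 is accepted normally.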

Motor controls can be complex systems that require the use of the FMEA technique to verify code compliance. When an emergency stop is required, the hoist motor must be de-energized, and the service brake is to be applied. The FMEA shows how many components must fail to produce a hazardous condition. A minimum of three components must be used in a fail-safe motor control system. Figures 3 and 4 illustrate a rotating motor-generator set and the schematic for a DC motor drive based on the field-regulation technique. This system must comply with Rule 210.9(f). Because a rotating generator contains energy stored as angular momentum, the control must remove field-excitation in addition to shutting off the induction motor power. In an emergency stop, these events will take place:

(1) The AC motor starter contactor must drop out.

(2) The generator field contacts (GF1 & GF2) must open.

(3) Suicide contacts (SU1 & SU2) close, to kill excitation.

(4) The series field bypass contact (BP) must close, to remove compounding.

(5) The motor field contacts (MF1 & MF2) must open.

(6) The brake coil contacts (B1 & B2) must open.

From this analysis, the generator field-control system would require six components to fail in a hazardous mode to render the entire motor drive unsafe. This drive failure could cause the car to over-travel the final limit switches.

The FMEA technique will now be used for the solid-state inverter shown in Figure 5 and its circuit diagram in Figure 6. This inverter can generate three-phase power for an AC hoist motor. Although the inverter contains few moving parts, it is easy to use the FMEA method if some simplifying assumptions are made. In the inverter diagram, the power switch array has been drawn with the simple-switch symbol. Actually, these switches are made from a solid-state device called an insulated-gate bipolar transistor (IGBT), as shown in Figure 7. If the gates of the IGBTs receive signals from the traction inverter controller in the proper sequence, three-phase power will be applied to the motor. The power can be in the form of a pulse width modulated (PWM) voltage envelope or a square wave output. The conduction sequence table for the switch modules is depicted in Figure 8. This sequence must be correct for the motor to rotate. If the switching sequence is out of proper order, the motor will not turn. The correct order is actually determined by a software program stored in the inverter controller.

Rule 210.9(e) of the code addresses the operation of this type of AC inverter. The FMEA method is simplified because the IGBTs function like contacts; the transistors can fail as an open circuit or may short out. Neither of these conditions can allow the hoist motor to run if the main controller requires an emergency stop to occur. When a stop command is received, these events must take place:

(1) The main line contactor must drop out.

(2) The inverter software must command the switch modules to turn off.

(3) The software must halt the conduction-sequence routine.

(4) All of the switch modules must actually turn off.

(5) The brake coil contactor must drop out.

It is interesting to note that the switch modules can fail in the shorted mode without causing the motor to run. This is because the switches must be turned on in the proper sequence to produce the actual phase-rotation. This feature guarantees that the inverter cannot produce any motion not allowed by the system software. It can be concluded that the inverter complies with Rule 210.9(e) because five components must fail simultaneously to allow the elevator to run when an emergency stop is required.

As with any type of drive arrangement, the service brake must be applied to stop the hoist machine. The main controller must also contain redundant circuits to shut off current to the brake coil. This feature is included in both the motor generator type of drive and the AC inverter-fed system. The prime objective of the previous analysis was to demonstrate that the generator field control and the solid-state inverter technologies provide the level of safety that the code requires.
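The counting argument used for both drives above is the minimal-cut-set calculation of a fault tree, and it is worth seeing it done mechanically, because the count is only as good as the independence of the components it counts. The following added example (not code from the article, and not a model of any particular manufacturer's drive) computes the minimal cut sets of a small AND/OR fault tree and applies it to the six generator-field events and the five inverter events listed above, using the article's own component names as leaves. The third tree is a constructed variant, introduced here purely as an illustration: it assumes that events (2) and (3) of the inverter list both depend on one controller, so that a single hang of that controller defeats both at once.

```python
# Added example: minimal cut sets of a fault tree, used to count how many
# independent hazardous failures each drive needs before the car can move
# against an emergency stop. Leaf names follow the article's lists; the
# "controller hangs" variant is a constructed illustration, not a finding
# about any real product.
from itertools import product


def cut_sets(node):
    """Minimal cut sets of a fault tree.

    node is a leaf (a string naming one hazardous failure) or a tuple
    ("AND", [children]) / ("OR", [children]). A cut set is a set of leaf
    failures that together make the top event happen; minimal means no proper
    subset of it does.
    """
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":          # any one child alone causes the event
        candidates = [s for sets in child_sets for s in sets]
    elif gate == "AND":       # one cut set from every child must occur together
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(candidates)


def minimize(sets):
    """Drop any cut set that is a proper superset of another one."""
    unique = set(sets)
    kept = [s for s in unique if not any(other < s for other in unique)]
    return sorted(kept, key=lambda s: (len(s), sorted(s)))


def failure_order(tree):
    """Smallest number of simultaneous hazardous failures that defeats the stop."""
    return min(len(s) for s in cut_sets(tree))


# Generator field control, Rule 210.9(f): all six listed actions must fail.
GENERATOR_DRIVE = ("AND", [
    "AC starter contactor fails to drop out",
    "GF1/GF2 generator field contacts fail to open",
    "SU1/SU2 suicide contacts fail to close",
    "BP series-field bypass contact fails to close",
    "MF1/MF2 motor field contacts fail to open",
    "B1/B2 brake coil contacts fail to open",
])

# AC inverter, Rule 210.9(e): all five listed stop-command events must fail.
INVERTER_DRIVE = ("AND", [
    "main line contactor fails to drop out",
    "inverter software fails to command switch modules off",
    "software fails to halt the conduction-sequence routine",
    "switch modules fail shorted",
    "brake coil contactor fails to drop out",
])

# Constructed variant (assumption for illustration): events 2 and 3 share one
# controller, so a hang of that controller is a common-mode failure of both.
INVERTER_SHARED_CPU = ("AND", [
    "main line contactor fails to drop out",
    ("OR", ["inverter software fails to command switch modules off",
            "inverter controller hangs with outputs latched"]),
    ("OR", ["software fails to halt the conduction-sequence routine",
            "inverter controller hangs with outputs latched"]),
    "switch modules fail shorted",
    "brake coil contactor fails to drop out",
])


if __name__ == "__main__":
    for name, tree in [("generator drive", GENERATOR_DRIVE),
                       ("inverter drive", INVERTER_DRIVE),
                       ("inverter, shared controller (constructed)", INVERTER_SHARED_CPU)]:
        print(f"{name}: {failure_order(tree)} simultaneous failures; "
              f"cut sets = {[sorted(s) for s in cut_sets(tree)]}")
```

The two trees taken from the article reproduce its counts of six and five. The constructed variant drops to four, and its shortest cut set names the controller hang once rather than the two software events it replaces; that is the effect an FMEA reviewer should look for when several listed events are implemented by the same processor, since the published count credits them as independent only if the design actually keeps them independent.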

Conclusions

The examples of analysis presented in this article should serve as a guide to thinking when the various A17.1 Code committees are confronted with evaluating new product designs. ASME should also consider forming an electronic systems committee, as equipment of the future will be increasingly dependent on high technology.

Bibliography

1. ASME. ASME/ANSI A17.1-1990, Safety Code for Elevators and Escalators.

2. Hymans, Fred. Electric Elevators. Scranton, PA: International Textbook Company, 1941.

3. Tarter, Ralph E. Solid State Power Conversion Handbook. John Wiley & Sons, Inc.

4. Littlewood, Bev and Lorenzo Strigini. "The Risks of Software." Scientific American, Nov. 1992.

5. Gibbs, W. Wayt. "Software's Chronic Crisis." Scientific American, Sept. 1994.

Galen L. Dutch is an electronics specialist for the San Francisco Municipal Railway Electric Vehicle Division, presently supervising the maintenance and repair operations on the city's newest fleet of 60 electric trolley buses. These vehicles feature computer-assisted diagnostics and an onboard battery package for emergency power. Dutch has a unique background, encompassing work in both the elevator industry and the rapid transit field, while also conducting training and lecture sessions on various aspects of transportation engineering.