Thomas D. Barkand
This paper examines safe electrical design of elevator control systems. Supplemental circuits and devices which improve the safety integrity and maintenance of the elevator control system are presented. These circuits and devices provide protection that eliminates the potential hazard and significantly reduces the possibility of a mine elevator accident.
A serious ascending elevator overspeed accident occurred on March 28, 1994 at a southern Ohio underground coal mine. Four miners entered the elevator car at the mine surface and descended 300 ft at the rated speed of 600 ft/min. When the elevator arrived at the mine level, it reversed direction and began to rapidly accelerate to the surface without stopping. Realizing the elevator was accelerating out of control, two of the passengers repeatedly struck the emergency stop button in a futile effort to stop the elevator.
Aware that the elevator was going to crash into the overhead, a passenger advised everyone to lay down on the floor to minimize their injuries upon impact. When the elevator car collided into the overhead structure at an estimated speed of 2,400 ft/min, the four passengers struck the car ceiling. One of the passengers was wearing very dusty clothing and he left a visible dust imprint on the ceiling of the elevator which showed the exact position of his body when he struck the ceiling. The passengers suffered fractured vertebrae and ribs in addition to head lacerations and contusions. Figs. 1 and 2 show the normal elevator position at the surface and the final position of the elevator after the accident.
An investigation into the cause of this serious elevator accident as well as other accidents has identified critical elevator control system components. The failure of these critical circuits and components will result in serious elevator accidents.
Extensive tests and studies of mine elevators have revealed deficiencies in the electrical control design.
Therefore, the first step in achieving a safe elevator is the proper design of the control system. Designers should not only evaluate the schematic diagram to determine the electrical safety integrity, but should also examine the physical layout of the system. This would include such things as susceptibility of the equipment to damage.
Design guidelines are presented in this paper that reduce the possibility of a hoisting accident by improving the safety integrity and trouble-shooting of critical elevator control circuits and devices. An electrical braking system is also described which provides ascending car overspeed protection.
The electrical contacts of the most critical safety devices are typically connected in series to provide power to the elevator control system. This series of electrical contacts is usually referred to as the "safety circuit". A typical elevator safety circuit is shown in fig. 3.
This circuit initiates the stopping sequence of the elevator when an emergency condition is detected. The proper operation of this circuit is paramount to the safe operation of the elevator.
When the elevator is not functioning properly, the safety circuit is typically examined to determine if an open circuit exists. Since the safety circuit can provide diagnostic information, some elevator control manufacturers install indicator lights across the contacts in the safety circuit for annunciating the control fault.
This practice is not advised and can lead to an extremely dangerous situation. The problem occurs when the added monitoring wiring shorts across the safety circuit contact. This fault effectively eliminates the protection offered by the safety device. Even without wiring faults the safety circuit could be compromised by the impedance of the parallel circuit generated by the indicator lights or annunciating circuit.
Electrically isolated, auxiliary contacts on the safety circuit devices should be used if a fault annunciating panel is installed. This duplicate circuit is independent from the critical safety circuit. Therefore, if a fault in the annunciating circuit should occur it would have no effect on the operation of the elevator control.
The introduction of program logic controllers (PLCs) and microprocessors to control elevators requires special hardware considerations. Faults in the software programming or solid state hardware control should not affect the integrity or reliability of the critical circuits.
The critical circuits directly initiate the movement of the elevator and the operation of the brake. As previously discussed, the safety circuit is a critical circuit. The failure of a single solid state device, such as an output thyristor, should not render the safety circuit ineffective. In fig. 3 for example, a PLC should not serve as an interface between the sheave deck switch and the master control relay.
When microprocessor or PLC elevator control is utilized a conventional, hardwired safety circuit must be installed. Furthermore, the safety circuit must directly deenergize the brake circuit through hardwired relay control and cause the brake to apply. This will ensure that faults in the solid state devices or software programming will not result in unsafe operation of the elevator.
Typically the hardwired logic serves as a redundant circuit for the solid state logic and programming used to operate the elevator.
The electrical brake control is extremely critical to the safe operation of the elevator. On virtually every static control elevator and many motor-generator set controllers, the brake is the sole means of stopping the elevator when overspeed and overtravel conditions occur. Therefore, it is essential that the brake control design be rugged, reliable and fault tolerant.
The elevator brake is typically released by a large electromagnetic solenoid and applied by coil spring tension. Therefore the brake is automatically applied when the brake circuit is interrupted.
The dc brake coil inductance may measure several Henrys. Therefore, careful consideration must be given when selecting a dc brake circuit relay to ensure the contacts are capable of interrupting this highly inductive load.
In addition to interrupting the dc circuit, many elevator controls also interrupt the ac side of a solid state brake power supply. This design is consistent with the American Society of Mechanical Engineers (ASME) A17.1 Safety Code for Elevators and Escalators Rule 210.8 which requires two devices be provided to remove power independently from the brake.
The ASME A17.1 Code, Rule 210.7 also prohibits the installation of capacitors, or other arc suppression devices across the brake relay contacts, the failure of which will cause an unsafe operation of the elevator.
The speed governor, governor rope, and safeties comprise a safety system designed to provide descending car overspeed protection. An overspeed condition can occur when there is a malfunction of the control, the mechanical brake fails or when the ropes holding the car break. Fig. 1 shows a typical mine elevator installation.
The speed governor is a centrifugal device driven by the governor rope which is attached to the moving car. The governor is equipped with a normally closed overspeed switch, labeled Car Gov O.S. in fig. 3. When an overspeed is detected by the governor, the safety circuit is opened, thereby disconnecting power from the drive, and applying the brake. This typically occurs at 115% of normal operating speed. At approximately 125% of normal operating speed, the governor jaws trip and mechanically grip the governor rope with a preset tension. The governor rope is connected to the safeties that are mounted on the car. When the governor rope is stopped, the safeties wedges are pulled upward along a tapered, flexible guide until they contact the elevator guide rails. The safeties grip the opposing sides of the elevator guide rails and become a sort of wedge between the rails and the car. This prevents the car from traveling in the downward direction.
As shown in this operating sequence, it is very important that the speed governor, the governor rope, and the safeties are operational. The governor rope travels constantly within the confines of the shaftway and is susceptible to wear, corrosion, damage from falling objects, accumulation of debris, and breakage.
If the governor rope breaks, stretches excessively, or comes off the sheave, the elevator control would operate normally without any indication of a problem unless a governor monitoring system is installed. A governor rope monitoring system would stop the conveyance once a problem is detected in the governor rope or governor. The elevator would be safely stopped and remain stopped until the system was repaired.
This type of protection can be provided by either insuring the governor is turning when the conveyance is moving or by checking when tension is lost on the governor rope itself. The former method can be accomplished by placing a tachometer on the drive motor and one on the governor, as shown in fig. 4. A difference between the two speeds would indicate failure of the governor system or the existence of another potentially hazardous condition. The comparison circuit would open a contact in the control and stop the elevator.
Another method of providing this protection is to monitor the position of the governor rope tail pulley, as shown in fig. 5. This can be accomplished by installing a cam on the governor rope tension sheave which operates a stationary pair of limit switches. The limit switches will detect when the governor tension sheave has fallen below or risen above a preset range. If the tension sheave moves out of range, a contact in the elevator control will open to remove power from the drive and stop the elevator.
There are several safety devices in the control that cause the elevator to stop. Faults such as overspeed, overtravel, collapsed buffers, and governor failure are just a few of these faults. Detection of these faults is normally accomplished by a limit switch. When the switch is activated, the elevator is stopped. Most control systems for elevators allow the control to be reset automatically when the switch is closed. This method of operation would allow repeated operation of the safety device without a technically trained person becoming aware of the problem. This could lead to other failures within the elevator system which could be catastrophic. A solution to this problem is to design safety circuits that do not automatically reset.
This can be accomplished by installing a mechanical reset switch in the safety circuit, as shown in fig. 6. When a fault occurs, the safety circuit is opened and the drive stopped. The controls must be manually reset to start the drive. The manual reset would be located in the machine room and would only be accessible to trained personnel. Thus when a fault occurs, a trained person would be required to acknowledge the fault and reset the control system. If there is a serious problem with the elevator control, the problem could be corrected before it affects the safe operation of the elevator.
Overtravel conditions occasionally occur on mine elevators. This is more true of unregulated drive controls but is also prevalent in regulated drives. Many conditions can cause this to occur such as temperature changes, overloading of the conveyance, rope stretch, or emergency stops. When an overtravel occurs, the conveyance is brought to an immediate stop.
The condition that caused the overtravel should be recognized, evaluated and corrected. One of the first steps in returning the conveyance to safe operation is to remove it from the overtravel condition. Failsafe methods for removing the conveyance from an overtravel condition are not routinely provided on mine elevators.
A jumper wire is normally used to short out the overtravel limit switch. This has proven to be a hazardous procedure. Many times other critical safety devices are unknowingly bypassed in the process of defeating the tripped overtravel switch. This procedure could create a dangerous situation since the protective device that sensed the overtravel may be jumpered and allow the conveyance to move in an uncontrolled manner.
The jumper may be inadvertently left on after the elevator has been returned to normal operation. This would defeat the overtravel protection and create a potentially hazardous condition if another overtravel condition should occur.
There are methods available that can be incorporated directly into the control to allow for safe controlled removal of the elevator car from the overtravel condition. A "backout of overtravel" switch increases the ease of troubleshooting and reduces the possibility of human error.
The backout of overtravel is normally a spring loaded, momentary switch installed in the elevator machine room.
The switch allows the car to move out of the overtravel condition at slow speed, as shown in fig. 7.
Buffers used for elevators are designed to stop the car or counterweight at a deceleration rate not greater than 32.2 ft/sec2 from a speed not exceeding 115% of rated speed. Buffers are similar to shock absorbers in design; a piston or plunger rests above an oil-filled cylinder. When the buffer is struck either by the car or counterweight, oil is displaced from the cylinder through small orifices into a reservoir. Once the car or counterweight is removed from the buffer, either a coil spring or gas-charged cylinder returns the piston to its extended position.
A potential safety hazard exists should the buffer piston not return to the fully extended position. This could happen as a result of gas leaking out of the return mechanism or a rusted or poorly maintained buffer piston. Serious injury to personnel and costly equipment damage could result if the car or counterweight would strike a completely or partially depressed buffer.
Buffer switches located on the buffer cylinder would indicate to the elevator control system whether or not the buffer pistons are fully extended. The location of a typical buffer switch is shown in fig. 8. If the buffer pistons are not fully extended, the switch would not be closed and the elevator will not operate.
The ascending elevator overspeed accident described at the beginning of this paper is not the first accident of this type to occur in the mining industry. These earlier accidents resulted in a great effort and progress toward providing safe, economical ascending car overspeed protection.
One of the simplest solutions to the problem, that is often overlooked, is the installation of self excited dynamic braking (SEDB) in the elevator control.
When the dynamic braking system is operating, the kinetic energy of the falling overhauling load is utilized to drive the motor. The motor generates electricity, which is dissipated as heat in a resistor connected to the motor. Torque is required for the motor to generate electricity. The retarding torque limits the freewheeling speed to a value which the buffers can safely stop. The amount of retardation and the final speed of the car would be dependent upon the motor terminal characteristics and the ohmic value of the dynamic braking resistor. Dynamic braking installed on mine elevators provides an electrical backup to the mechanical braking system, which drastically reduces the possibility of the elevator overspeeding in either direction. SEDB Operation: A simplified schematic diagram of the dynamic braking control circuit is shown in fig. 9. When power is removed from the electrical drive, the M contactor drops out and disconnects the motor armature. The normally closed M contact connects the dynamic braking resistor across the motor armature. When the field power supply is operative, the field loss relay is picked-up and the motor field was supplied with normal standing field current (i.e. field economy current).
When a power loss occurs, the dynamic braking resistor and the motor field are connected across the motor armature. The field current is maintained by the generated armature current.
When brake failure occurs, SEDB allows the car to slowly travel to a terminal landing. The car and passengers are ultimately brought safely to rest by the controlled deceleration of the buffers. This is advantageous since the surface or mine landings are typically the only two locations where the passengers can be quickly and safety evacuated.
SEDB Installations: Dynamic braking systems were installed on both elevators after the accidents described in  and . The elevators operated at 600 ft/min. and were equipped with static controlled, gearless, dc motors. The additional electrical equipment necessary for the installation of SEDB was; a three-pole contactor, dynamic braking resistors, single phase, full wave, rectifier bridge and a field loss detection circuit. The cost of the dynamic braking system modification is typically less than the cost of the other mechanical speed limiting devices.
SEDB Testing: The dynamic braking systems were tested at each mine by inhibiting the machine brake and requiring the dynamic braking system to limit the freewheeling speed of the elevator. The SEDB was tested under all reasonable brake and power failure scenarios. In all cases, the SEDB limited the elevator speed to less than 50 percent of the rated speed when the brake was inhibited.
For one series of tests, the dynamic braking systems were tested by inhibiting the drive brake and interrupting the power to the elevator drive. The freewheeling speed of the elevator was slower with a power loss than with the power on. This is because the field current generated by the armature circuit during power loss was greater than the standing field or field economy current normally provided by the field power supply.
Another method that can be used to provide ascending car overspeed protection is to install safeties on the counterweight. The counterweight safeties stop the counterweight from overspeeding in the down direction. This prevents the elevator car from being pulled up into the overhead structure. This system is most easily incorporated into new installations where the clearances and guide rails can be designed accordingly. Retrofitting this system to existing mine elevators can prove to be costly.
A counterweight safety operated switch contact should always be installed in the elevator control to prevent the elevator drive from operating when the counterweight safeties have engaged.
Accidents have caused increased awareness and concern about elevator safety. These concerns are expressed by the mining industry as well as the Mine Safety and Health Administration. Elevator accidents not only jeopardize the miner's safety, but also impact on the productivity and economic viability of the mining operation.
Ascending mine elevator overspeed accidents always result in severe equipment damage and potentially serious injury. This is because the deep mine portal shafts allow the elevator to achieve tremendous overspeeds when a brake failure occurs. Self excited dynamic braking (SEDB) provides effective ascending car overspeed protection and is particularly well suited for mine elevators.
The guidelines presented in this paper address known electrical control problems and proposed effective, proven solutions that improve the safe operation of the mine elevator.