A Very Important Elevator Secondary Protection

Figure 2: Brake secondary protection control circuit

Generally, the elevator-safety system is thought to be very safe, reliable and complete, but it does have a very weak link. If that link fails to work, the system may thoroughly collapse (ELEVATOR WORLD, July 2011, “How Elevator Door Interlocks and Brake Circuits Influence Each Other and Cross-Cycle Protection”). Dealing with this link is very important in the overall scope of elevator safety.

Multilevel and Multi-Angle Protection

Multilevel security protection is typically used in the elevator control system. For example, during downward elevator overspeed, the overspeed governor shall initiate elevator stoppage by an electric safety device before the car speed reaches the tripping speed of the overspeed governor. If this protection fails and there is further acceleration, the overspeed governor shall initiate elevator stoppage by an electric switch-off safety gear. If this protection also fails and there is yet further acceleration, the overspeed governor shall initiate stopping of the elevator with the safety gear by gripping the guide rails and holding the car.

Another example is terminal protection in the well. In order to prevent elevator terminal offside (car operation over the normal terminal position), the two safety switches (i.e., limit and final limit switches) are usually set in the terminal well, and even in the case of electric switch-off failure, the buffers can also protect the car at the end of the well. However, in many other examples of mechanical and electrical equipment, only one limit switch is set to prevent terminal offside.

We also use multi-angle security protection in the elevator control system. Within this system, an electric safety chain exists with a lot of safety switches, which corresponds to each device that needs to be protected. If one of these devices fails to work, the corresponding safety switch will cut off the electric safety chain, terminating the running of the elevator.

The Elevator Safety System Bottleneck

The elevator safety system is divided into mechanical and electrical parts. The mechanical part plays a dual role: acquiring the related initial mechanical signal and executing a protection function at the end. The role of the electrical part is also twofold: converting the initial mechanical signal into an electrical one through the electrical contacts and transmitting the electrical signal to the mechanical protection device through an electrical circuit. In elevators, the final execution devices of machinery safety protection that are controlled electrically are the main motor and brake (i.e., main motor and brake power would be interrupted at the same time to stop the running of the elevator). This control mode is shown in Figure 1, where there is an evident problem: since all the security protection eventually comes down to two basic components, if the motor or brake fails, would the whole protection system fail?

Let us first look at the main motor. When implementing the safety system, the main motor would stop working. This is performed by removal of power from the motor. From Figure 1, we can see the elevator has multilevel and multi-angle protection (i.e., there are many ways to interrupt electric current to the main motor; even if one of the safety switches fails, another can perform the interruption). Therefore, the main motor control failing to work will not cause overall failure of the safety system.

Next, we look at the brake. When an elevator car is brought to a halt in regular operation, the main motor stops first, then the brake brings the car to “zero speed.” Cutting power to the brake is not a problem; like the motor, if one safety switch does not work, another will perform the task. However, this does not necessarily mean the brake can work reliably. This is because the electromagnetic force of the brake is not braking force, but releasing force. The braking force of the brake is provided by the mechanical device, and if the mechanical braking force of the brake is not enough, the main motor and brake cannot stop the elevator, even if they have been disconnected from the electrical supply.

The elevator car is different from an automobile on a flat road. The latter has no potential energy, and as long as the automobile’s motor stops, the machine will not move after coming to a halt (in a closed environment). The elevator car, on the other hand, usually has potential energy as long as the car weight and counterweight differ. Therefore, when the elevator arrives at a landing and the motor power has been broken, the reliability of car stoppage is entirely ensured by the brake’s mechanical braking force. If this force is not enough, brake slip can occur, even though the elevator door is opened. Since brake slip is due to the shortcoming of a mechanical device, all electrical safety control (i.e., the whole system as shown in Figure 1) will lose efficacy.

With the exception of the brake, the elevator still has three mechanical safety devices that can stop its movement. These are the safety gear, Rope Gripper™ and buffer. But the influence of these mechanical safety devices is far less than that of the brake, because these devices are only used in certain circumstances. The safety gear and Rope Gripper are used in overspeed protection, but owing to counterweight disposition and well restrictions, the opportunity for speeding is low, so the actual work opportunity of the safety gear and Rope Gripper is minimal. The buffer disposition is in the terminal location of the well, and its main purpose is to prevent the elevator from being out of its terminal location. However, the opportunity for this circumstance is also small, owing to stopped landing, speeding control and strong terminal electric protection. The elevator brake, by contrast, is used in every instance of normal parking, and in these instances, if the brake fails, shear accidents could occur.

The brake’s role in the safety system makes it irreplaceable. When the safety-monitoring system finds a fault state, the control system uses the brake to stop the elevator first. Also, as long as the brake can play its normal role, the other mechanical safety devices need not act; that is, the brake can replace other mechanical safety devices in many instances. However, in the case of brake failure, replacement is difficult due to its important safety role. Brake failure usually occurs in the overload condition. If, during overload, the braking force of the mechanical components is lacking, the elevator may slip, even with the door open, causing a shear accident. These accidents occur at low and medium speeds, where the safety gear and Rope Gripper cannot act for protection. The buffer is used in a terminal location of the well, but shear accidents occur near the landing, which is far from the well’s terminus. Therefore, the buffer also cannot act for protection.

When brake failure occurs, the entire safety system may fail. For example, the protection of the door interlock requires that the control system stop elevator movement when the door is open; but, if there is not enough mechanical braking force, the elevator can still move, despite the open elevator door. At this time, there is no protection from the occurrence of a shear accident. Therefore, the brake is a real bottleneck of the safety system.

Elevator Accidents

Today’s elevator safety performance is very high, due to the development of electromechanical technology and the introduction of computer technology. But, because the system’s weakness mentioned here has not been fundamentally solved, some serious safety accidents still occur.

In August 2011, an elevator accident in Xiamen, China, occurred due to failure of the brake. One person died, and another was wounded. A follow-up survey found the brake shoe had not closed tightly against the surface of the brake wheel during braking. While the elevator was parked on the first floor, the brake suddenly failed to work, and the car began to move upward because of the heavy counterweight. At this moment, a child walked out of the elevator and was caught by the elevator door, which was moving upward. The child’s grandfather, who was also at the scene, tried to extract his grandson, but he fell into the well through the open elevator door.

Secondary Protection for the Brake

In order to thoroughly correct the weakness of the elevator safety system, the brake stop function at low or medium speed must have a second electromechanical protection (i.e., another electromechanical braking device) for braking. Not only should mechanical problems be considered; electrical ones should be, as well. That is, the monitoring system shall first monitor for the brake failure state; once the brake fails to work, the monitoring circuit immediately starts another electromechanical braking device, in time to stop the elevator, instead of the brake. The electromechanical braking device of this secondary protection should be completely independent from the brake of the main drive; it does not participate in normal braking in order to avoid wear, and it works only in an extraordinary emergency. Although the brake also has two braking parts, and the two braking parts also have independence, the two parts work and wear at the same time. Once one part fails, the other usually fails at the same time, so it has neither true independence nor double protection. Therefore, it is necessary to use another independent electromechanical braking device for secondary protection of the brake.

Improved Electric Rope Gripper

In order to prevent an accident caused by brake failure, another independent braking device may be introduced to protect the brake. However, this does not mean a new braking device must be added. A reasonable solution is attaching this important function to an existing electromechanical braking device. In other words, we can use an electromechanical Rope Gripper to perform this function as well. The Rope Gripper has been used extensively in the last few years, with the purpose of performing upward overspeed protection. It can also, however, provide a solution for the problem of brake slippage.

There are two kinds of Rope Grippers: electromechanical and pure mechanical. Both are initiated by the overspeed governor, which triggers the electrical switch of the electromechanical Rope Gripper and the control-wire rope of the mechanical Rope Gripper. Only the electromechanical Rope Gripper can perform secondary protection for the brake; the mechanical one cannot – it just provides protection for upward overspeed. In order to support the brake with an electromechanical Rope Gripper, the monitoring system would first detect brake failure. Once the brake failed to work, the control system would, by means of a parallel circuit, initiate the Rope Gripper to stop the car. Although the switch checking on the ascending-car overspeed protection means is an electric safety device (usually a series electric safety circuit without electric equipment in parallel), the start switch of the Rope Gripper is not an electric safety device. In order to accomplish specific control requirements, a parallel circuit to it would be allowed.

Specific Protection Control Circuit for Brake

Rope Gripper secondary protection for the brake is only used when the car leaves the unlocking zone with open doors. However, the Rope Gripper braking is usually for moving traction rope. This wears not only the Rope Gripper, but also the traction rope. So, the Rope Gripper would be used as little as possible. The device does not initiate the braking in the following situations:

If the brake has some uncontrolled slip but the slip is not beyond the security area in which the shear accident cannot occur

When the slip is beyond the security area but the elevator doors are closed (Car slippage with the elevator door closed has no risk of shear accident, so the Rope Gripper need not act in such a situation. If continued slip causes speeding and reaches the well terminal, the safety gear and buffer can be used for protection.)

When in inspection mode, the Rope Gripper does not participate in brake protection, because the inspection needs to open the door anywhere, including beyond the unlocking zone (This is a work state, not a fault state.)

Figure 2 is a brake secondary protection control circuit. The top row is the door interlock control. “J” is the car-door interlock relay; “KM” is the open-door relay; “CRIR” is the car-roof inspection relay; “CIR” is the car inspection relay; “ALR” and “BLR” are the above and below leveling relays, respectively; “B1” and “B2” are the brake circuit relays; “T11” and “T21” are the electrical contacts of the active and passive doors of a landing in one floor, respectively; “T1” is a landing active door relay controlled by all the active door contacts of a landing in a series circuit; and “T2” is a landing passive door relay controlled by all the passive door contacts of a landing in a series circuit. “MS” is the door interlock relay controlled by all door interlocking contacts in a series circuit. In programmable controllers and computer boards, relays such as “T1,” “T2” and “MS” can be set in software (i.e., they may be virtual). After all doors have closed, “MS” is connected: its normally open contact (“MS2”) is connected, and its normally closed contacts (“MS1” and “MS3”) are disconnected. Otherwise, “MS” is disconnected: its normally open contact is disconnected, and its normally closed contacts are connected.

In Figure 2, “T” is a time relay. The purpose of using a timer is to avoid some unnecessary protection. As long as the control system can automatically revert to normal state or be protected by other means in a short time, the Rope Gripper does not participate in braking. The time relay begins the timing as the car leaves the unlocking zone with an open door. This can happen in one of two cases. First, the elevator may leave the unlocking zone with an open door when the driving machine is under power. Some elevators have a re-leveling function: while the elevator is automatically running to its leveling zone, the Rope Gripper does not participate in braking. The second case may happen when the elevator leaves the unlocking zone with an open door after the driving machine has lost power. In this case, if the elevator does not re-level in a short time, the Rope Gripper would get ready for braking, because this time, the brake may be in a state of slipping. Whatever the cause, as long as the car leaves the unlocking zone (when the normally closed contact leveling inductor “LI1” is connected) and the elevator door does not close (when the normally closed contact “MS1” is connected), “T” begins the timing (when “T” is connected). The unlocking zone corresponds to a length of door vane roughly equal to the length of the segregation board in Figure 2. So, “LI” leaving the segregation board would be considered as the elevator leaving the unlocking zone.

In some cases, the elevator leaving the unlocking zone with an open door does not represent brake failure, but a short circuit of the door interlock or brake circuit. At this time, as long as there is a detection circuit and it has found the short circuit, the control system can forcibly apply the brake to stop movement. To avoid the risk of brake failure, this state should be timed (i.e., if the brake failed in protection, the control system would immediately initiate the Rope Gripper). “MBF” in Figure 2 is used to test whether the door-interlock or brake circuit has shorted. After the elevator has been parked at a landing and its door has opened, as long as the door-interlock or brake circuit has (partially) shorted, “MBF” cannot be connected, and the electric safety chain relay (“SCR”) can be broken. If the door-interlock or brake circuit has not shorted, but an elevator door opens outside of the unlocking zone (i.e., normally open contacts “LI2” and “MS2” are both disconnected at the same time), the SCR can also be broken immediately. “SCS1” to “SCSN” are the general electric safety-chain contacts that, as in the original method, break the SCR after failure of the safety component to which each contact corresponds. When the SCR is broken, its contacts should directly control the main motor and brake to stop running.

If the slip cannot be stopped after the electric safety chain is broken and it increases further until the above and below leveling inductors (“ALI” and “BLI,” respectively) have both left the segregation board and, at the same time, the elevator door is open or the door-interlock or brake circuit has shorted, shear accidents are likely to occur. At this time, the control system should be ready to start the Rope Gripper through a circuit in parallel with its upward overspeed protection switch (“UOP”). The range over which “ALI” or “BLI” remains on the segregation board is equivalent to the length of the board; adding the distance between “ALI” and “BLI,” this area is much larger than the unlocking zone. If the car exceeds this area with an open door and does not return to it when the delay of “T” is over, the control system immediately starts the Rope Gripper. Its secondary protection circuit is in parallel with the start contact of its upward overspeed protection; that is, its secondary protection circuit would not affect the original upward overspeed protection of the device. “JDJ2” in the Rope Gripper relay (“RGR”) circuit is the car-roof inspection relay contact. In inspection state, this normally closed contact disconnects to shield the Rope Gripper’s secondary protection.
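
The decision logic described above, written out as an added example (it is not from the article or from any controller vendor). The zone lengths, the delay of “T” and the sample traces are constructed, and treating a detected short like an open door for timing purposes is one reading of the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed values: the article gives no zone lengths or timer setting.
UNLOCK_HALF_MM = 100   # unlocking zone ("LI" on the segregation board)
LEVEL_HALF_MM = 250    # larger area: "ALI" or "BLI" still on the board
T_DELAY_S = 1.0        # delay of time relay "T"

@dataclass
class Sample:                 # one constructed sensor reading
    t: float                  # seconds
    offset_mm: float          # car offset from landing level
    doors_closed: bool        # True when "MS" is connected
    short: bool = False       # True when "MBF" cannot be connected
    inspection: bool = False  # car-roof inspection state

def evaluate(trace: List[Sample]) -> List[Tuple[float, bool, bool]]:
    """Return (t, scr_connected, rgr_start) for each sample."""
    t_start: Optional[float] = None
    out = []
    for s in trace:
        in_unlock = abs(s.offset_mm) <= UNLOCK_HALF_MM
        in_level_area = abs(s.offset_mm) <= LEVEL_HALF_MM
        hazard = (not s.doors_closed) or s.short
        # "T" times only while the car is outside the unlocking zone in a
        # hazardous state; re-leveling or closing the doors resets it.
        if not in_unlock and hazard:
            t_start = s.t if t_start is None else t_start
        else:
            t_start = None
        timed_out = t_start is not None and s.t - t_start >= T_DELAY_S
        # First layer: "SCR" is broken at once (motor and brake power removed).
        # Inspection handling of the SCR is not modelled here.
        scr = not s.short and not (not in_unlock and not s.doors_closed)
        # Second layer: the Rope Gripper starts only if every condition holds.
        rgr = hazard and not in_level_area and timed_out and not s.inspection
        out.append((s.t, scr, rgr))
    return out

def first_rgr_time(trace: List[Sample]) -> Optional[float]:
    """Time of the first Rope Gripper start, or None if it never starts."""
    return next((t for t, _, rgr in evaluate(trace) if rgr), None)

def slip(door_closed=False, short=False, inspection=False, peak=400):
    """Constructed trace: car parked, then drifting upward to `peak` mm."""
    pts = [(0.0, 0), (0.5, 50), (1.0, 150), (1.5, min(300, peak)), (2.5, peak)]
    return [Sample(t, o, door_closed, short, inspection) for t, o in pts]

if __name__ == "__main__":
    for name, tr in [("open-door slip", slip()),
                     ("doors closed", slip(door_closed=True)),
                     ("slip stays in area", slip(peak=200)),
                     ("inspection", slip(inspection=True))]:
        print(name, "->", first_rgr_time(tr))
```

The three "does not initiate" situations listed earlier (slip inside the safe area, doors closed, inspection mode) each return `None`, while the safety chain relay still drops as soon as the car leaves the unlocking zone with an open door.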


The failure of brake slippage with an open door is completely different from the failure of upward overspeed, not only in the probability of its occurrence, but also in the degree of potential harm – both are much larger than in the case of upward speeding. Therefore, if the Rope Gripper can execute the brake secondary protection apart from the original upward overspeed protection, its additional value is much greater.

Not all mechanical safety devices need secondary protection, but secondary protection for the brake is necessary. Compared to other mechanical safety devices, the brake has three features: 1) brake frequency of use is high, and the possibility of failure is much greater than that of other mechanical safety devices due to excessive wear; 2) brake failure is often accompanied by slippage with an open door, with its danger after failure much greater than that of other mechanical safety devices; and 3) brake failure could cause all the electrical safety devices to lose their effectiveness. Therefore, using an electrical Rope Gripper for brake secondary protection is necessary. Otherwise, the elevator safety protection system cannot be called complete.


Elevator World | November 2012 Cover