The Impact of Standards on Escalator Electrical Control
Lutfi R. Al-Sharif, B.Sc., M.Sc., Ph.D., C.Eng., M.I.E.E.
Prepared for publication in the bilingual lift magazine, Elevatori. This web version © Peters Research Ltd 2016
The design of escalator controllers from a safety point of view, is governed by several standards. These generally fall into two categories: dedicated escalator standards and general standards.
Although dedicated escalator standards exist and are used, many other standards are needed to complement such standards and to provide guidance on some of the more detailed design points.
This paper attempts to expound upon the salient points of the escalator standard (EN115) in the way it relates to the safe electrical design of the controller and control circuitry. Moreover, it also explores the impact of other standards on the electrical design of escalator controllers, and how such standards are complied with in commercially available products.
The standard, "EN115 - Safety rules for the construction and installation of escalators and passenger coveyors" is the standard used in Europe. The American equivalent is the "ASME/ANSI A17.1 Safety code for Elevators and escalators". There is no world wide standard, although an ISO document has been produced which attempts to compare the codes for lifts in Europe, the USA, Canada and the former USSR (ISO, 1990).
The similarity between safety standards for lift and escalators, makes it possible to interchange safety concepts. Thus some of the points discussed here apply to escalators, although discussed in the lift context.
1.1 Notes on prEN115 and differences to EN115.
A new draft of EN115 (prEN 115) is now available for public comment. The main differences are in specifying the Mean Time Between Failure of safety circuits, number of devices switching the brake, the scope of international standards for lighting and power circuits and re-starting.
1.2 Faults and dangerous situations.
Inspection of the standard on electrical safety devices, highlights the concept of two faults leading to a dangerous situation. This is detailed in the clause:
18.104.22.168.2 Furthermore, the following conditions shall apply:
(a) If one fault combined with a second fault can lead to a dangerous situation, the escalator or passenger conveyor shall be stopped by the time the next operating sequence takes place in which the faulty element should participate.
Any restarting of the escalator or passenger conveyor shall be impossible as long as this fault persists. The possibility of a second fault leading to a dangerous situation before the escalator or passenger conveyor has been stopped by the sequence mentioned, is not considered.
The previous clause is based on a very important assumption. The standard assumes that the checking of whether the first fault has developed is not carried out visually, but automatically. Thus, if a fault develops, it will automatically be detected by the controller, which will not restart the escalator unless the fault has been rectified.
It also precludes the possibility of another fault developing before the escalator has stopped.
So, CEN assumes that a redundancy type circuit can fail by subsequent failure of one component after another and therefore CEN requires continuous or cyclical checking redundnacy (ISO, 1990). This is contrary to other standards (e.g., ASME , A17), which assume that there is no possibility for the second failure occurring before the first is visually detected and manually corrected (by service mechanics) and also that there is no risk of two simultaneous failures.
2. Number of Main and Brake Contactors
The number of main contactors (or electrical devices in general) feeding the main drive motor (or the brake), is directly related to the concept of faults and dangerous situations. This section discusses this concept and how it is specified for lifts as well.
2.1 Analogy to Lifts.
The standard on lifts (BS5655, EN81) specifies that two contactors be used to drive the motor:
12.7.1 Motors supplied directly from a.c. or d.c. mains
The supply shall be interrupted by two independent contactors, the contacts of which shall be in series in the supply circuit. If whilst the lift is stationary, one of the contactors has not opened the main contacts, further movement of the car shall be prevented at the latest at the next change in the direction of motion.
It is assumed that this is in accordance with the other clause on dangerous situations:
If one fault combined with a second fault can lead to a dangerous situation, the lift shall be stopped at the latest at the next operating sequence in which the first faulty element should participate. All further operation of the lift shall be impossible as long as this fault persists.
The possibility of the second fault occuring after the first, and before the lift has been stopped by the sequence, is not considered.
So, in the case of two contactors driving the motor, if the armature of one contactor fails to separate (i.e., welds), this will not lead to the dangerous situation which could take place if both the main contactors welded, as then the motor will be energised and the lift will be moving regardless of the safety devices and regardless of the logic running sequence.
It assumed that the expression "directly driven from the mains", is used to cater for the case of a Ward Leonard DC drive. It is not clear whether it includes the case of solid state devices controlling the supply to the motor.
2.2 Number of main contactors in an escalator controller.
The standard on escalators, does not specify the number of contactors driving the motor, but a similar clause on dangerous situations exists ( EN 115: 22.214.171.124.2 ).
In the case of an escalator motor driven from the mains, the only way to achieve this protection is to have two main contactors driving the motor, AND stopping the starting sequence if any contactor is still on before the escalator starts (this is to comply with the second paragraph of 126.96.36.199.2 (a).
In the case where the motor is driven by an solid state electronic speed controller (e.g., variable frequency inverter), and the control is done by a solid state controller, a dangerous situation can develop if a fault occurs in the speed controller, where it supplies full voltage to the motor regardless of the control signals received from the controller. To protect against this dangerous situation the following precautions have to be taken:
- There should be at least one contactor in series with the inverter, which controls the supply to the motor as well. So if a fault develops within the inverter, the contactor is still available to disconnect the supply to the motor.
- The controller should monitor both the contactor and the speed controller, so that if the first fault develops in one of them, re-starting is not possible until the fault has been cleared.
- The contactor should be operated directly by the safety circuit and by the controller, in accordance with the clause 188.8.131.52:
Electrical safety devices shall act directly on the equipment controlling the supply to the driving machine.
If, because the power to be transmitted, relay contactors are used to control the driving machine, these shall be considered as equipment directly controlling the supply to the driving machine for starting and stopping.
Moreover, the controller should monitor the end of the safety line, so that it only initiates a start sequence if all the safety devices are made.
Figure 1: Safety circuit directly acting on the main contactor
A similar argument can be developed for the brake circuitry in regard to the number of contactors operating the brake (operational brake). In fact the new draft, pr EN 115 requires two contactors in series operating the brake circuit.
3. Thermal Protection
The thermal protection of the motor, can be achieved in two ways:
13.3.2 Motors directly connected to the mains shall be protected against overloads by means of manual reset (except as provided for in 13.3.3) automatic circuit-breakers which shall cut off the supply to the motor in all live conductors.
13.3.3 When the detection of overloads operates on the basis of temperature increases in the windings of the motor, the circuit-breaker may be closed automatically after sufficient cooling down has taken place.
Most solid state speed controllers can achieve the first method of protection by measuring the current to the motor, and infering the temperature.
4. Application of Brakes
EN115 specifies that both brakes will only be applied simultaneously in the cases of overspeed (12.6.4 a) and reverse of direction (12.6.4 b). The second condition could also be achieved using underspeed detection.
12.6.4 The auxiliary brake shall become effective in either of the following conditions:
- before the speed exceeds a value of 1.4 times the rated speed;
- by the time the steps and pallets or the belt change from the preset direction of motion.
Its operation shall positively open the control circuit. It is not necessary that this device is operated electrically such as is the operational brake mentioned in 12.4.2.
12.6.5 Auxiliary brakes are permitted to operate together with the operational brake when in case of power failure or of an interruption of a safety circuit the stopping distances according to 184.108.40.206 and 220.127.116.11 are kept; otherwise a simultaneous operation of the two brakes is only permitted under the conditions of 12.6.4.
Clause 12.6.5 clearly states that if both brakes are to apply in the case of a power failure, this is allowed if the stopping distances are adhered to. Alternatively, on some systems, this is achieved by including a controller delay on the operation of the auxiliary brake. Nevertheless, in the case of power failure, it is not possible to delay the application of the auxiliary brake, unless an electrical storage device is used.
Moreover, although the standard specifies stopping distances, it does not specify any limit on jerk rates.
The standard also prohibits any intentional delay in the application of the operational brake. The use of diodes in parallel to the brake coils, causes delay in the application of the auxiliary brake which could amount to around 100-500 msec, but this is not classified as intentional delay.
5. The Use of Electronic Speed Governors
The use of an electronic speed governor, in place of a mechanical "ball type" governor, is similar to the difference between a safety contact and a safety device. Thus a mechanical speed governor would be classified as a safety contact, whereas an electronic speed governor would be classified as a safety device, because it will not be directly operating on the main contactors.
In general for both of these safety devices:
18.104.22.168 Electrical safety devices shall act directly on the equipment controlling the supply to the driving machine.
If because of the power to be transmitted, relay contactors are used to control the driving machine, these shall be considered as equipment directly controlling the supply to the driving machine for starting and stopping.
When a safety contact is used to achieve the function of a safety device, the following applies:
22.214.171.124.1 The operation of a safety contact shall be by positive mechanical separation of the circuit breaking devices.
This clause seems to exclude the use of semiconductor devices.
When a safety circuit is used to achieve the function of a safety device, and it is not directly cutting the supply to the contactors, it should satisfy, inter alia, clause 126.96.36.199.
In the case of the electronic speed governor, the combination of the two faults could be manifested in the two conditions:
- First fault: The malfunctioning of the electronic speed governor, or the welding of the contactor or relay which it is controlling, the contact of which is connected in the safety circuit.
- Second fault: The overspeeding of the escalator, due to a fault in the speed controller.
The combination of these two faults would lead to the dangerous situation of the escalator overspeeding with no control on it. If the first fault is not monitored the minute it takes place, then it would not be detected by users or operators of the escalator until the second fault takes place leading to a dangerous situation.
The standard considers that the possibility of both faults taking place before the escalator has stopped is remote, and need not be accounted for in the design.
So, The condition of the electronic unit as well as the condition of the contactor which it operates should be monitored, and any restarting of the escalator should not be possible until the fault has been cleared.
This could be done in the case of the electronic unit, by having another monitor which detects a pulse signal (like a "heart beat" message) from the electronic unit, and raises an alarm if it does not receive it within a predetermined time period (i.e., a watchdog function). As for the contactor, this could be done by using a normally closed contact from the contactor, which should be used in the start sequence circuit, thus preventing any starting if the contact is open (i.e., the contactor is welded). These two checks can be easily implemented in a controller, but the first check would not be easy in the case of the relay controllers, unless additional circuitry is added.
6. Monitoring of Safety Contacts
There is a need with modern solid state controllers to monitor the state of safety contacts and safety devices. This is useful in condition monitoring and in troubleshooting, where the information about the safety devices in stored in the solid state controller. Several methods exist for achieving this objective, provided that the do not jeopardize the integrity of the safety circuit. This section discusses some of these methods, with their advantages and disadvantages.
6.1 The use of double pole safety contacts.
In this method, the safety devices are equipped with double pole contacts (Figure 2). One pair of contacts is hardwired in the safety circuit. The other pair is used by the solid state controller for monitoring.
The disadvantage of double pole contacts is that they are not always available on every safety device.
Figure 2: The use of double pole contacts.
6.2 The use of electronic interface circuits wired to the safety circuit.
In some cases, the safety device has only one pair of contacts. In such a case, the contact is wired in the safety circuit, and an electronic circuit interface is used to feed the information to the controller. The Interface Unit is optically isolated from the controller, and incorporates a resistor for limiting the current, a full wave rectifier (if the safety circuit voltage is AC) and a capacitor for filtering.
As shown in Figure 3, the input from point B does not necessarily represent the status of the safety contact Y. It represents the status of all the safety contacts before Y. Thus, in order to derive the status of the device Y, it is necessary to combine the signals A and B.
Device Y is open if and only if (point A is energised while point B is not energised); i.e., Y is open is true if A is High and B is Low. If both A and B are low, nothing can be said about the status of device Y. Device Y is closed if and only if B is High.
Figure 3: The use of an electronic interface unit to monitor the safety line
The use of such a configuration can lead to a dangerous situation in the case of a fault. As shown in the figure, if the common line connected to the terminals of the interface units becomes loose or disconnected, the equivalent impedance of these units might short out a safety contact. The equivalent circuit is shown in the following figure, where the equivalent impedance of all the IU's is:
Zeq = Z/m + Z/n = Z/4 + Z/2 = 3Z/4
The comparative values of the equivalent impedance (Zeq) and the impedance of the main contactor(s), will could possibly lead to the operation of the main contactors, while a safety device is open, which is a dangerous situation.
To protect against this situation, the value of Z has to be selected carefully. Moreover, several common points should be connected between the common side of the IU's and the common point.
Figure 4: Possible failure mode
Figure 5: Equivalent impedance of interface unit.
The advantage of this method is that only one contact is needed. The main disadvantage is that their is no checking by the controller on the first fault taking place (i.e., the disconnection of the common line), before the next common line becomes disconnected. For this reason, it does not comply with EN 115, because it relies on visual checking rather than automatic checking of the integrity of the connections.
6.3 The use of a safety relay with redundancy checking
In the case where only one pair of contacts are available, it can be used to operate a relay (Figure 6). But, it is necessary that the controller also monitor the feed to the relay, as well as the status of the relay. In the case where a discrepancy is detected, this shows that a fault has occured within the relay, and the controller will switch the escalator off, and raise an alarm.
Figure 6: Redundancy checking circuit.
6.4 The use of double pole safety devices with a safety relay.
The use and application of safety relays is specified in the standard BS 2771 (EN 60 204), as follows:
5.7.1 Where intermediate relays are used in safety circuits (i.e. a failure of which would make special safety measure ineffective), redundancy shall be provided by using a pair of such relays which work together, with contacts of each of them connected into the relevant circuits in such a way that if one relay fails, the safety circuit remains effective.
Such relays shall be checked automatically at least once in each ON/OFF cycle of the machine for closing and opening.
These relays are available from manufacurers, packaged in one enclosure (e.g. Square D, Pilz - see references).
Such a safety relay could be used, which is operated via double pole contacts from the safety device (Figure 7). The safety relay is self checking. Two pairs of output contacts are used from the relay. One pair is hardwired in the safety circuit, while the other is used by the controller for monitoring.
Figure 7: The use of a safety relay.
The same method can be achieved by using two separate relays operated by a single safety contact, and checking both relays by the controller. The controller will raise an alarm if a discrepancy is detected between signals received from the two relays.
7. Safety Critical Software
The software for escalators falls within the category of safety critical software. So in order to assess the safety of the controller, it is necessary to understand how the controller operates in detail. This is easy to carry out with relay controllers, because all one needs is a schematic diagram of the relay controller, in order to understand the method of operation. On the other hand, in the case of solid state controllers, a complete software listing is necessary in order to carry out such a check.
Most proprietary products are microprocessor based and thus are written in assembly language. Assembly language is the most basic form of programming language, and is very difficult to understand. The more attractive alternative is to write the software in a so-called high level language, which is easy to understand, and is well documented, thus enabling future modifications.
It is the responsibility of the auditing party to ensure that the operation of such controllers complies with the standards and the safety requirements, whether this checking is done by the designer himself or by a third party on the customer's behalf or by the owner himself, there is a clear need to be able to understand the software fully, with all the possible combinations and implications. Moreover, the proper documentation of the software will enable the designer to keep up to date with any changes and modifications. This is just software common practice. This is not possible with proprietary products, especially if a low level language is used (e.g., assembly) which is difficult to understand, and especially if the manufacturer is not willing to disclose his software listing to a third party or to the owner for auditing purposes.
Many conditions and statements in the code are good examples of the above argument, where it is virtually impossible to ensure compliance unless a detailed analysis of the software is undertaken. Such an analysis would not only require knowledge of the software listing, but also its presentation in a friendly and understandable format, which is easy to maintain.
In the field of PLC controllers, the standards have started to address this issue of a standard presentation (see IEC 1131 part 3, which is still in draft format).
8. Electrical Requirements
The standard on "Electrical equipment of industrial machines EN 60 204" (which has been previously mentioned in the context of safety relays), details many of the safety requirement necessary in electrical design of controllers. Although "cranes, lifts, conveyors" are excluded from the scope of this standard, it is quite useful to be used as a general guideline, in cases were there is no conflict between it and the standard for escalators (EN115).
The following clauses are example of such requirements:
- For large machines, for long lines or where there are many contacts in series, a control voltage of 24 V or 48 V is not recommended because of voltage drop.
- If a.c. and d.c. control circuits are used, each one shall be supplied by its own winding with appropriate insulation between them.
- For the supply of electronic control and signalling circuits, the use of transformers is mandatory.
188.8.131.52 It is recommended that valves, clutches and other solenoids are supplied from a separate control circuit which is protected separately from the control circuit supplying relays and contactors.
- Control circuits fed from a transformer and not connected to the protective circuit shall be provided with an insulation surveying device, which either indicates an earth fault or interrupts the circuit automatically after an earth fault.
184.108.40.206 Interlocking controls for contrary motions
All contactors, relays and electronic devices, which control elements of the machine that would cause danger when actuated at the same time, for example which initiate contrary motions, shall be protected against incorrect operation. Reversing contactors, controlling the direction of rotation of a motor, shall be interlocked in such a way that in normal service no short circuit can occur when switching.
220.127.116.11 Protection by enclosures.
...Opening an enclosure shall only be possible under the condition that one of the following paragraphs a) to c) is repected:
- The use of a key or tool is necessary...
- Disconnection of all live parts inside the enclosure before the enclosure can be opened.
- Where an enclosure needs to be opened only occasionally, the opening without the use of a key or a tool and without disconnection of live parts shall be possible only, if a barrier is provided inside the enclosure preventing contact with live parts...
The following clause applies to the design of hand held inspection units for escalators:
- If control with both hands, and with both hands only, is necessary for the safety of the operator(s) (i.e. where the operator(s) must be forced to take their hands out of dangerous zones), the equipment shall include two CYCLE START push-buttons for each operator. All these buttons shall be held in the actuated state simultaneously during the whole duration of the cycle, or at least up the time when the further progress of the cycle is no longer dangerous.
- Each pair of buttons shall be so arranged that the operation requires action of both hands of the operator(s).
The difference between safety contacts and safety circuits, as interpreted by EN115 has been discussed. The general clause on faults leading to a dangerous situation and how to avoid it is the main theme of the electrical aspect of the standard.
It has been shown that two electrical devices are needed at least to interuupt the supply to the main drive motor. A similar arguemnt can be developed for the operational brake.
There is a need to monitor the status of safety devices for troubleshooting purposes. Several methods exist, but the best method is to use double pole safety devices, where one contact feeds the solid state controller and the other is wired in the safety circuit.
Several electrical requirements are covered by regulations and standards which are not specific escalator standards, but which can be used if no conflict exists.
- Brithsh Standards Institution, 1986, "Lifts and Service lits: Part 1. Safety rules for the construction and installation of electric lift s", AMD 5840, 29 September 1989.
- British Standards Institution, 1992, "pr EN 115: Safety rules for the construction and installation of escalators and passenger conveyors", draft for public comment, document no. 92/75489, 20 May 1992.
- British Standards Institution, 1986, "BS2771: Part1: 1986/ EN 60204: Part 1: 1985: Electrical equipment of industrial machines: Part 1. Specification for general requirements".
- British Standards Institution, 1990, "BS 5486: Part 1: 1990/ EN 60439-1: 1990: Low voltage switchgear and controlgear assemblies: Part 1. Requirements for type tested and partially type-tested assemblies".
- British Standards Institutuion, 1983, "BS5656, EN115: Safety rules for the construction and installation of escalators and passenger conveyors".
- CEN (European Committee for Standardization), 1992, "EN414: 1992, Safety of Machinery - Rules for drafting and presentation of safety standards", February 1992.
- Health and Safety Executive, 1990, "Memorandum of guidance on the Electricity at Work Regulations 1989", Health and Safety series booklet HS(R)25.
- International Electrotechnical Committee, "IEC 1131-1 Programmable controllers, Part 1: General Information", First Edition 1992-10, CEI/IEC 1131-1 (E):1992.
- International Electrotechnical Committee, "IEC 1131-2 Programmable controller, Part 2: Equipment requirements and tests", first edition 1992-10, 1992.
- ISO, 1990, "ISO/TR 11071-1, Comparison of worldwide lift safety standards", Technical committee ISO/TC 178, Lifts, escalators, passenger converyors, 90/81081.
- Pilz U.K., "Type PNOZ 2: Emergency stop unit in accordance with VDE 0113, IEC 204-1 and BS 2771".
- Square D, "Safety guard system Preventa: Monitoring modules Type GSK for Emergency stop and safety circuits".
- The Institution of Electrical Engineers, 1991, "Regulations for electrical installations", Sixteenth Edition, 1991.