Dead man switch

A dead man's switch (see alternative names) is a switch that is designed to be activated or deactivated if the human operator becomes incapacitated, such as through death, loss of consciousness, or being bodily removed from control. Originally applied to switches on a vehicle or machine, it has since come to be used to describe other intangible uses, as in computer software.

These switches are usually used as a form of fail-safe where they stop a machine with no operator from a potentially dangerous action or incapacitate a device as a result of accident, malfunction, or misuse. They are common in such applications in locomotives, aircraft refuelling, freight elevators, lawn mowers, tractors, personal watercraft, outboard motors, chainsaws, snowblowers, tread machines, snowmobiles, amusement rides, and many medical imaging devices. On some machines, these switches merely bring the machines back to a safe state, such as reducing the throttle to idle or applying brakes while leaving the machines still running and ready to resume normal operation once control is reestablished.

Dead man's switches are not always used to stop machines and prevent harm; such switches can also be used as a fail-deadly, since a spring-operated switch can be used to complete a circuit, not only to break it. This allows a dead man's switch to be used to activate a harmful device, such as a bomb or IED. The switch that arms the device is only kept in its "off" position by continued pressure from the user's hand. The device will activate when the switch is released, so that if the user is knocked out or killed while holding the switch, the bomb will detonate. The Special Weapons Emergency Separation System is an application of this concept in the field of nuclear weapons. A more extreme version is Russia's Dead Hand program, which allows for automatic launch of nuclear missiles should a number of conditions be met, even if all Russian leadership were to be killed.

A similar concept is the handwritten letters of last resort from the Prime Minister of the United Kingdom to the commanding officers of the four British ballistic missile submarines. They contain orders on what action to take if the British government is destroyed in a nuclear attack. After a prime minister leaves office the letters are destroyed unopened.

This concept has been employed with computer data, where sensitive information has been previously encrypted and released to the public, and the "switch" is the release of the decryption key, as with Vault 7.

Background

Interest in dead man's controls increased with the introduction of electric trams (streetcars in North America) and especially electrified rapid transit trains. The first widespread use came with the introduction of the mass-produced Birney One-Man Safety (tram) Car, though dead-man equipment was fairly rare on US streetcars until the successful PCC streetcar, which had a left-foot-operated dead man's pedal in conjunction with the right-foot-operated brake and power pedals. This layout has continued to be used on some modern trams around the world. In conventional steam railroad trains, there was always a second person with the engineer, the ''fireman'', who could almost always bring the train to a stop if necessary. For many decades two people were assigned to electric and diesel locomotives as well, even though a single person could theoretically operate them.

With modern urban and suburban railway systems, the driver is typically alone in an enclosed cab. Automatic devices were already beginning to be deployed on newer installations of the New York City Subway system in the early 20th century. The Malbone Street Wreck on the Brooklyn Rapid Transit system in 1918, though not caused by driver incapacitation, did spur the need for universal deployment of such devices to halt trains in the event of the operator's disability. According to a Manhattan borough historian, there have been at least three instances where the dead man's switch was used successfully – in 1927, 1940, and 2010.

The status and operation of both vigilance and dead man's switch may be recorded on the train's event recorder (commonly known as a ''black box'').

Types

Handle

Many dead man's switches are mounted in the control handle of a vehicle or machine and engage if the operator ever loses their grip.

Vehicles

Handle switches are still used on modern trams and trains. Pneumatically or electrically linked dead man's controls involve relatively simple modifications of the ''controller handle'', the device that regulates traction power. If pressure is not maintained on the controller, the train's emergency brakes are applied. Typically, the controller handle is a horizontal bar, rotated to apply the required power for the train. Attached to the bottom of the handle is a rod that when pushed down contacts a solenoid or switch inside the control housing. The handle springs up if pressure is removed, releasing the rod's contact with the internal switch, instantly cutting power and applying the brakes.

Though there are ways that this type of dead man's control could conceivably fail, in practice they have proven highly reliable. On some earlier equipment, pressure was not maintained on the entire controller, but on a large button protruding from the controller handle. This button also had to be pressed continuously, typically with the palm of the hand so that the button was flush with the top of the handle. Another method used, particularly with some lever-type controllers, which are rotated rather than pushed or pulled, requires that the handle on the lever be turned through 90 degrees and held in that position while the train is in operation. Some dead man's controls only work in the mid position and not with full pressure (see pilot valve).

In modern New York City Subway trains, for example, the dead man's switch is incorporated into the train's speed control. On the R142A car, the train operator must continually hold the lever in place in order for the train to move.

An example of a passenger vehicle using a dead man's switch is on Tesla electric vehicles. When the driver has engaged the semi-autonomous driving system "Autopilot", they must keep their hands on the steering wheel. If the driver takes their hands off the steering wheel for more than 30 seconds, a loud alarm will sound inside the car to wake sleeping drivers, if the driver leaves their hands off for more than a minute, then the car will engage its hazard warning lights, and bring the car to a stop. This is done because the Autopilot system is not capable of full-self driving, and requires that the driver be able to take over operation of the vehicle without warning, should the car encounter a problem it doesn't know how to solve. This system uses a torque sensor on the steering wheel of the vehicle: when a driver is simply holding the wheel, they are still applying a small amount of torque to the wheel, confirming for the car that the driver is being attentive; if the driver turns the wheel with more force, all vehicle controls are handed back to the driver immediately.

Machinery

Handle-mounted dead man's switches are also used on many hand-held tools and lawn equipment, typically those that rotate or have blades such as saws, drills and lawn mowers. On saws for example, they incorporate a squeeze throttle trigger into the handle. If the user loses grip of the saw, the springs in the throttle trigger will push it back out to the off or idle setting, stopping the blade from spinning. Some tools go further and have a trigger guard built into the handle, similar to firearm safeties. Only when the user presses in the trigger guard first will it then release its lock on the trigger and allow the trigger to be pressed in. Typically, trigger guards can only be pressed in while the user has a firm grip of the handle.

Every walk-behind mower sold in the US since 1982 has a dead man's switch called an "operator-presence control", which by law must stop the blades within three seconds after the user releases the controls. Attached across the handle is a mechanical lever connected by a flexible cable to the kill switch on the engine. While mowing, the operator must always squeeze the lever against the handle. If the operator ever loses grip of the handle, the blade will disengage or the engine will stop, stopping the blades from spinning and (if equipped) any drive wheels from turning. On mowers where the engine stops, this switch configuration also acts as the engine's main kill switch; when the operator wants to stop the engine, he can release the dead man's switch intentionally.

Touch sensor

On some vehicles, including the diesel-electric railway locomotives in Canada, and on Nottingham Express Transit vehicles, the tram's speed controller is fitted with a capacitive touch sensor to detect the driver's hand. If the hand is removed for more than a short period of time, the track brakes are activated. Gloves, if worn, have to be finger-less for the touch sensor to operate. A backup dead-man's switch button is provided on the side of the controller for use in the case of a failed touch sensor or if it is too cold to remove gloves.

Pedal

A pedal can be used instead of a handle. While some pedal switches must simply be held down in order for the machine to function (this system is often found on amusement rides, where the operator is likely to remain in a standing position for a lengthy period of time while the ride is in motion), this method has some shortcomings. In the Waterfall train disaster, south of Sydney, Australia, in 2003, The driver slumped on his seat, keeping the pedal depressed when he died suddenly of a heart attack.

There are some solutions to this issue that are now used in modern pedal systems. The pedal can have a vigilance function built in, where drivers must release and re-press the pedal in response to an audible signal. This prevents it from being defeated by the above circumstances and is a standard feature on most British DSD systems.

Some types of locomotive are fitted with a three-position pedal, which must normally be kept in the mid position. This lessens the likelihood of accidentally defeating it, although it may still be possible to deliberately do so. Adding a vigilance function to this type of pedal results in a very safe system. However, isolation devices are still provided in case of equipment failure, so a deliberate override is still possible. These isolation devices usually have tamper-evident seals fitted for that reason.

Seat switches

The dead man's switch can also be located beneath the seat of a vehicle or machine and engages if the operator is not in the seat holding the switch down. On modern tractors, the switch will cut the engine while the transmission is engaged or the power take-off is spinning. On riding lawn mowers, the switch is often more extreme where the switch will cut the engine even if the mower is parked and the blades aren't spinning. Seat switches can also be used to keep small children from even starting the vehicle since they wouldn't weigh enough to completely hold down a switch adjusted to an adolescent's or adult's weight.

Key switches

On recreational vehicles such as boats, personal watercraft and snowmobiles, and on the control panel of many amusement rides, the user or operator has a cord or lanyard attached to their wrist or life jacket, that is in turn attached to a key mounted on the dead man's switch. Should the rider fall off the vehicle or the operator at least move away from the controls, the cord will be pulled out of the dead man's switch, turning off the engine or setting the throttle position to "idle". On powered boats in particular this cord is often called a "kill cord" (for powered boats use around the wrist is not recommended, as it may slip off without cutting the engine). If the helmsman goes overboard or is forced away from the controls, the engine cuts out. This prevents the boat from continuing under power but out of control, risking injury to anyone in or out of the water including passengers who may have fallen out or may still be in the boat, and collision damage to any property in the path of this out of control boat; this in turn prevents or limits damage to the boat itself from striking other objects. It is a common and dangerous practice to defeat the kill cord by fixing it to part of the boat instead of the operator; for convenience. This has been the cause of accidents, some of which were fatal or caused limb loss.

Some luggage carts at airports and exercise treadmills have this feature. In the case of treadmills, the dead man's switch usually consists of an external magnet attached to a cord that clips to the user. If the user falls or walks away without turning off the treadmill, the switch cuts power to the treadmill belt.

In information security, kill cords are also used in computers to turn off the machine if the user is separated from it.

Altimeter switches

Strategic Air Command developed a dead man's switch for its nuclear bombers, known as Special Weapons Emergency Separation System (SWESS), that ensured the nuclear payload detonated in the event of the crew becoming incapacitated through enemy action. The purpose of this device, unlike other examples mentioned above, was fail-deadly rather than fail-safe. Once armed, the system would detonate the onboard nuclear weapons if the aircraft dropped below a predetermined level, typically due to being shot down.

Vigilance control

The main safety failing with the basic dead man's system is the possibility of the operating device being held permanently in position, either deliberately or accidentally. Vigilance control was developed to detect this condition by requiring that the dead man's device be released momentarily and re-applied at timed intervals. There has also been a proposal to introduce a similar system to automotive cruise controls.

Software

Software versions of dead man's switches are generally only used by people with technical expertise, and can serve several purposes, such as sending a notification to friends or deleting and encrypting data. The "non-event" triggering these can be almost anything, such as failing to log in for 7 consecutive days, not responding to an automated e-mail, ping, a GPS-enabled telephone not moving for a period of time, or merely failing to type a code within a few minutes of a computer's boot. An example of a software-based dead man's switch is one that starts when the computer boots up and can encrypt or delete user-specified data if an unauthorized user should ever gain access to the protected computer. Google's Inactive Account Manager allows the account holder to nominate someone else to access their services if not used for an extended period (the default is three months). Newer solutions available to the public utilize the growing market of mobile devices and instead of sending an automated e-mail, they will send a push notification directly to the mobile device and can alert family and friends in a much more convenient way.

Spacecraft

Many spacecraft use a form of dead man's switch to guard against command system failures. A timer is established that is normally reset by the receipt of any valid command (including one whose sole function is to reset the timer). If the timer expires, the spacecraft enters a "command loss" algorithm that cycles through a predefined sequence of hardware or software modes (such as the selection of a backup command receiver) until a valid command is received. The spacecraft may also enter a safe mode to protect itself while waiting for further commands.

While having some similarities to a dead man's switch, this type of device (a command loss timer) is not actually a dead man's switch, because it aims to recover from a hardware failure rather than the absence of human operators. It is generally called a watchdog timer, and is also used extensively in nuclear power control systems. System components on a spacecraft that put it into a safe mode or cause it to execute default behaviors when no command is received within a predefined time window can be considered a dead man's switch, but hardware or software that attempts to receive a command from human operators through an alternate channel is an auto-recovering or adaptive communications system, not a dead man's switch. Voyager 2 recovered from a command receiver failure with a command loss timer.

Train

In most trains, a basic level of protection is provided by a "dead man's handle" or pedal. If the driver is taken ill and releases this, the power will be shut off and an emergency brake application will be initiated to stop the train.

More recent safety standards do not consider this to be adequate, as the driver may slump over the dead man's handle and continue to hold it down even though they are not capable of controlling the train. Modern trains overcome this risk with the addition of a vigilance system to the dead man's system. A buzzer or bell sounds every minute or so in order to alert the motorman or engineer. If they do not respond by moving a controller, or releasing and then re-applying the dead man's handle, the system will automatically initiate an emergency brake application. Most major rail systems in the world use this equipment, both in their freight and passenger operations. It is also used on the R143 and other New York City Subway cars while under CBTC operation. In the US, older locomotives produced before 1995 do not carry this feature, but given the modular nature of the system it is not uncommon to find them retrofitted.

Aircraft

Some aeroplanes use vigilance control to minimize hypoxia, descending to lower altitude if the pilot is unresponsive.

In 2019, the Garmin G3000 became the first general aviation avionics suite capable of automatically diverting an aircraft to the nearest airport and landing it in the event a pilot fails to interact with the aircraft's controls or respond to system prompts. This automation capability has been made possible by advancements in computing, control, and navigation technologies and is of particular importance in a general aviation setting since private aircraft are often flown by only a single pilot.

Blackmail

The term "dead man's switch" is sometimes used to describe a form of defensive blackmail or insurance file in which the release of damaging material is threatened if anything happens to a person.

Alternative names

*Replacement of "switch" with "control" or name denoting a specific type of switch, ''e.g.'', "button", "trigger", "throttle", "pedal", "handle", "grip", or "brake"
*Replacement of "dead man's" or "dead-man" with "enabling" or "live-man" (commonly used in the robotics industry)
*"Driver's Safety Device" ("DSD") (the official term in the UK for switches of this type as used on railway trains)
*"Operator Presence Control" ("OPC")
*"Vigilance control"
*"Alerter system" (in higher-order systems in which the switch activates to sound an alarm rather than deactivates to disable the higher-order system)
*"Kill cord" on boats, treadmills, computers, etc.

See also

*BusKill
*Security switch
*Train protection system

References

External links

Deadmans on French trams and guided (trolley) buses
(PDF)
Kill Cords: Lessons from the Milly RIB Report

{{DEFAULTSORT:Dead Man's Switch
Occupational safety and health
Railway safety
Safety switches
Locomotive parts