ⓘ Dead mans switch. A dead mans switch is a switch that is designed to be activated or deactivated if the human operator becomes incapacitated, such as through de ..

                                     

ⓘ Dead mans switch

A dead mans switch is a switch that is designed to be activated or deactivated if the human operator becomes incapacitated, such as through death, loss of consciousness, or being bodily removed from control. Originally applied to switches on a vehicle or machine, it has since come to be used to describe other intangible uses like in computer software.

These switches are usually used as a form of fail-safe where they stop a machine with no operator from a potentially dangerous action or incapacitate a device as a result of accident, malfunction, or misuse. They are common in such applications in locomotives, aircraft refuelling, freight elevators, lawn mowers, tractors, personal watercraft, outboard motors, chainsaws, snowblowers, tread machines, snowmobiles, amusement rides, and many medical imaging devices. On some machines, these switches merely bring the machines back to a safe state, such as reducing the throttle to idle or applying brakes while leaving the machines still running and ready to resume normal operation once control is reestablished.

Dead mans switches are not always used to stop machines and prevent harm. These switches can also be used as a fail-deadly. A spring-operated switch can also be used to complete a circuit when it is no longer held down. This means that a dead mans switch may be used to activate a harmful device, such as a bomb or IED. The user holds down a switch of some sort in their hand which arms the device. The device will activate when the switch is released, so that if the user is knocked out or killed while holding the switch, the bomb will detonate. The Special Weapons Emergency Separation System is an application of this concept in the field of nuclear weapons. A more extreme version is Russias Dead Hand program, which allows for automatic launch of nuclear missiles should a number of conditions be met, even if all Russian leadership were to be killed.

A similar concept is the handwritten letters of last resort from the Prime Minister of the United Kingdom to the commanding officers of the four British ballistic missile submarines. They contain orders on what action to take if the British government were destroyed in a nuclear attack. After a prime minister leaves office the letters are destroyed unopened.

This concept has been employed with computer data, where sensitive information has been previously encrypted and released to the public, and the "switch" is the release of the decryption key, as with WikiLeaks "insurance files".

                                     

1. Background

Interest in dead-mans controls increased with the introduction of electric trams streetcars in North America and especially electrified rapid transit trains. The first widespread use came with the introduction of the mass-produced Birney One-Man Safety tramCar, though dead-man equipment was fairly rare on US streetcars until the successful PCC streetcar, which had a left-foot-operated dead-mans pedal in conjunction with the right-foot-operated brake and power pedals. This layout has continued to be used on some modern trams around the world. In conventional steam railroad trains, there was always a second person with the engineer, the fireman, who could almost always bring the train to a stop if necessary. For many decades this practice continued on electric and diesel locomotives, even though a single person could theoretically operate them.

With modern urban and suburban railway systems, the driver is typically alone in an enclosed cab. Automatic devices were already beginning to be deployed on newer installations of the New York City Subway system in the early 20th century. The Malbone Street Wreck on the Brooklyn Rapid Transit system in 1918, though not caused by driver incapacitation, did spur the need for universal deployment of such devices to halt trains in the event of the operators disability. According to a Manhattan borough historian, there have been at least three instances where the dead-mans switch was used successfully – in 1927, 1940, and 2010.

The status and operation of both vigilance and dead-mans switch may be recorded on the trains event recorder commonly known as a black box.

                                     

2.1. Types Handle

Many dead mans switches are mounted in the control handle of a vehicle or machine and engage if the operator ever loses their grip.

                                     

2.2. Types Machinery

Handle-mounted dead mans switches are also used on many hand-held tools and lawn equipment, typically those that rotate or have blades such as saws, drills and lawn mowers. On saws for example, they incorporate a squeeze throttle trigger into the handle. If the user loses grip of the saw, the springs in the throttle trigger will push it back out to the off or idle setting, stopping the blade from spinning. Some tools go further and have a trigger guard built into the handle, similar to firearm safeties. Only when the user presses in the trigger guard first will it then release its lock on the trigger and allow the trigger to be pressed in. Typically, trigger guards can only be pressed in while the user has a firm grip of the handle.

Every walk-behind mower sold in the US since 1982 has a dead mans switch called an "operator-presence control", which by law must stop the blades within 3 seconds after the user lets go of the controls. Attached across their handle is a mechanical lever connected by a flexible cable to the kill switch on the engine. While mowing, the operator must always squeeze the lever against the handle. If the operator ever loses grip of the handle the engine will die, stopping the blades from spinning and if equipped, any drive wheels from turning. This switch configuration also acts as the main kill switch for the engine. When the operator wants to stop the engine, they intentionally release the dead mans switch.



                                     

2.3. Types Touch sensor

On some vehicles, including the diesel-electric railway locomotives in Canada, and on Nottingham Express Transit vehicles, the trams speed controller is fitted with a capacitive touch sensor to detect the drivers hand. If the hand is removed for more than a short period of time, the track brakes are activated. Gloves, if worn, have to be finger-less for the touch sensor to operate. A back up dead-mans switch button is provided on the side of the controller for use in the case of a failed touch sensor or if it is too cold to remove gloves.

                                     

2.4. Types Pedal

A pedal can be used instead of a handle. While some pedal switches must simply be held down in order for the machine to function this system is often found on amusement rides, where the operator is likely to remain in a standing position for a lengthy period of time while the ride is in motion, this method has some shortcomings. In the Waterfall train disaster, south of Sydney, Australia, in 2003, it appeared that the driver slumped on his seat, keeping the pedal depressed when he died suddenly of a heart attack. This also happened to a Canadian National Railway Railliner passenger train in the 1970s, but the problem was noticed by other crew members and the train safely halted.

There are some solutions to this issue that are now used in modern pedal systems. The pedal can have a vigilance function built in, where drivers must release and re-press the pedal in response to an audible signal. This prevents it from being defeated by the above circumstances and is a standard feature on most British DSD systems.

Some types of locomotive are fitted with a three-position pedal, which must normally be kept in the mid-position. This also lessens the likelihood of accidentally defeating it, although it may still be possible to deliberately do so. Adding a vigilance function to this type of pedal results in a very safe system. However, isolation devices are still provided in case of equipment failure, so a deliberate override is still possible. These isolation devices usually have tamper-evident seals fitted for that reason.

                                     

2.5. Types Seat switches

The dead mans switch can also be located beneath the seat of a vehicle or machine and engages if the operator is not in the seat holding the switch down. On modern tractors, the switch will cut the engine while the transmission is engaged or the power take-off is spinning. On riding lawn mowers, the switch is often more extreme where the switch will cut the engine even if the mower is parked and the blades arent spinning. Seat switches can also be used to keep small children from even starting the vehicle since they wouldnt weigh enough to completely hold down a switch adjusted to an adolescents or adults weight.



                                     

2.6. Types Key switches

On recreational vehicles such as boats, personal watercraft and snowmobiles, and on the control panel of many amusement rides, the user or operator has a cord or lanyard attached to his or her wrist or life jacket, that is in turn attached to a key mounted on the dead mans switch. Should the rider fall off the vehicle or the operator at least move away from the controls, the cord will be pulled out of the dead mans switch, turning off the engine or setting the throttle position to "idle". On powered boats in particular this cord is often called a "kill cord" for powered boats use around the wrist is not recommended. If the helmsman goes overboard or is forced away from the controls, the engine cuts out. This prevents the boat from continuing under power but out of control, risking injury to anyone in or out of the water including passengers who may have fallen out or may still be in the boat, and collision damage to any property in the path of this out of control boat. It is a common and dangerous practice to defeat the kill cord by fixing it to part of the boat instead of the operator; for convenience. This has been the cause of accidents, some of which were fatal, and/or that have caused limb loss.

Some luggage carts at airports and exercise treadmills have this feature. In the case of treadmills, the dead mans switch usually consists of an external magnet attached to a cord that clips to the user. If the user falls or walks away without turning off the treadmill, the switch cuts power to the treadmill belt.



                                     

2.7. Types Altimeter switches

Strategic Air Command developed a dead mans switch for its nuclear bombers, known as Special Weapons Emergency Separation System SWESS, that ensured the nuclear payload detonated in the event of the crew becoming incapacitated through enemy action. The purpose of this device, unlike other examples mentioned above, was fail-deadly rather than fail-safe. Once armed, the system would detonate the onboard nuclear weapons if the aircraft dropped below a predetermined level, typically due to being shot down.

                                     

3. Vigilance control

The main safety failing with the basic dead mans system is the possibility of the operating device being held permanently in position, either deliberately or accidentally. Vigilance control was developed to detect this condition by requiring that the dead mans device be released momentarily and re-applied at timed intervals. There has also been a proposal to introduce a similar system to automotive cruise controls. A hybrid between a dead mans switch and a vigilance control device is a dead-mans vigilance device.

                                     

3.1. Vigilance control Software

Software versions of dead mans switches are generally only used by people with technical expertise, and can serve several purposes, such as sending a notification to friends or deleting and encrypting data. The "non-event" triggering these can be almost anything, such as failing to log in for 7 consecutive days, not responding to an automated e-mail, ping, a GPS-enabled telephone not moving for a period of time, or merely failing to type a code within a few minutes of a computers boot. An example of a software-based dead mans switch is one which starts when the computer boots up and can encrypt or delete user-specified data if an unauthorized user should ever gain access to the protected computer. Googles Inactive Account Manager allows the account holder to nominate someone else to access their services if not used for an extended period the default is three months. An example of a software-based dead mans switch is deadswitch.eu. Newer solutions available to the public utilize the growing market of mobile devices and instead of sending an automated e-mail, they will send a push notification directly to the mobile device and can alert family and/or friends in a much more convenient way.



                                     

3.2. Vigilance control Spacecraft

Many spacecraft use a form of dead mans switch to guard against command system failures. A timer is established that is normally reset by the receipt of any valid command including one whose sole function is to reset the timer. If the timer expires, the spacecraft enters a "command loss" algorithm that cycles through a predefined sequence of hardware and/or software modes such as the selection of a backup command receiver until a valid command is received. The spacecraft may also enter a safe mode to protect itself while waiting for further commands.

While having some similarities to a dead mans switch, this type of device a command loss timer is not actually a dead mans switch, because it aims to recover from a hardware failure rather than the absence of human operators. It is generally called a watchdog timer, and is also used extensively in nuclear power control systems. System components on a spacecraft that put it into a safe mode or cause it to execute default behaviors when no command is received within a predefined time window can be considered a dead mans switch, but hardware or software that attempts to receive a command from human operators through an alternate channel is an auto-recovering or adaptive communications system, not a dead mans switch. Voyager 2 recovered from a command receiver failure with a command loss timer.

                                     

3.3. Vigilance control Train

In most trains, a basic level of protection is provided by a "Deadmans handle" or pedal. If the driver is taken ill and releases this, the power will be shut off and an emergency brake application will be initiated to stop the train.

More recent safety standards do not consider this to be adequate, as the driver may slump over the deadmans handle and continue to hold it down even though they are not capable of controlling the train. Modern trains overcome this risk with the addition of a vigilance system to the deadmans system. A buzzer or bell sounds every minute or so in order to alert the motorman or engineer. If they do not respond by moving a controller, or releasing and then re-applying the deadmans handle, the system will automatically initiate an emergency brake application. Most major rail systems in the world use this equipment, both in their freight and passenger operations. It is also used on the R143 and other New York City Subway cars while under CBTC operation. In the US, older locomotives produced before 1995 do not carry this feature, but given the modular nature of the system it is not uncommon to find them retrofitted.



                                     

3.4. Vigilance control Aircraft

Some airplanes use vigilance control to minimize hypoxia; descending to lower altitude if the pilot is unresponsive.

In 2019, the Garmin G3000 became the first general aviation avionics suite capable of automatically diverting an aircraft to the nearest airport and landing it in the event a pilot fails to interact with the aircrafts controls or respond to system prompts. This automation capability has been made possible by advancements in computing, control, and navigation technologies and is of particular importance in a general aviation setting since private aircraft are often flown by only a single pilot.

                                     

4. Alternative names

  • Replacement of "switch" with "control" or name denoting a specific type of switch, e.g., "button", "trigger", "throttle", "pedal", "handle", or "brake"
  • "Kill cord" on a boat.
  • "Operator Presence Control" "OPC"
  • Replacement of "dead mans" or "dead-man" with "enabling" or "live-man" commonly used in the robotics industry
  • "Vigilance control"
  • "Drivers Safety Device" "DSD" the official term in the UK for switches of this type as used on railway trains
  • "Alerter system" in higher-order systems in which the switch activates to sound an alarm rather than deactivates to disable the higher-order system