How an EMC problem can kill people and a company

[Siwastaja]

People keep speaking of kill buttons, but electric cars don't have those and electric bicycles don't have either.

Kill buttons do not exists because people (marketing, politicians and legislation) expect that "normal people" feel uneasy around them. This is the classical "do not remind about the bad things" concept.

Yes, I'm serious. It's a known issue that a lot of people do not use seat belts. It's a similar issue psychologically. Luckily, seat belts got into the legislation at the correct time slot, with some good sense for sane safety culture back then.

The designers for such systems definitely want to design a product that is safe without an emergency stop switch. I would, too! I just know I cant't do it, hence the emergency stop switch exists (actually two of them symmetrically in my product, so that people don't need to waste time trying to remember which side it was...)

There's no problem with heavy machinery such as lathes, since deep down we think that a machinist is OK with all this, and doesn't need sugar coating the world around them.

But for general public, the "stupid people", as legislators and product managers erroneously think - the switch is a "disgrace" to their "safe product"; admitting that something could go wrong is not good for business value.

Accidents, on the other hand, are quickly forgotten. Unless there are stop switches, which are the problem because they remind you about the accidents all the time.

Let me give you an actual real-life example where this shows very well.

Until recently, a lot of old elevators, some hundred years old, were still in use here; now there has been a trend to upgrade them. These old elevators do not have inner doors. The safety issue here is of course obvious. Until about early 1980's, they were like this. This being said, all of these old things do have a simple safety feature:

A stop button!

It isn't a big red mushroom thing, but nevertheless a button which says "stop". It's not dramatic: it stops the elevator. If you push it accidentally, no harm done: press the floor button again and off we go.

Now, most of these old elevators have been upgraded (completely rebuilt and replaced with new stock elevators) to modern "safety standards". What this means, there are inner doors (and I'm sure controlling them involves 100000 pages of safety paperwork and 100000 lines of autogenerated and "formally verified" microcontroller code.)

But there is no STOP button! Total number of stop buttons I have seen in any modern elevator designed after year 2000: absolutely zero.

Now, the typical accident nowadays with these elevators goes like this:
1) You have a dog. Your dog is in leash. You walk inside the modern, "safe" elevator
2) Someone presses a button. Doors start to close slooooooooowly.
3) Your dog suddenly gets an idea to go outside.
4) You quickly push "open the doors" button, but you are late: the safety-certified MCU with its safety-certified and formally verified code is no longer registering inputs because that's not in the specification.
5) The doors continue closing, sloooowly. Everyone starts to freak out. The elevator starts moving slowly and steadily to keep up the ironic atmosphere of waiting your dog to be killed by the stuck leash between the inner doors.
6) People try to franctically push all switches and do everything they can. There is no way. Your dog is killed in a slow process.

The doors are fine, but the "safety sensors" are not up to task and do not prevent these accidents from happening. But, because everything is perfectly engineered to the rules, with millions of pages of safety standards completely followed, against all common sense, the STOP button has been legally removed from the elevators.

The bottom line:

The modern safety culture just totally sucks. It's as bloated and inefficient as modern software. (And, funnily, it often is based on a large piece of software. If anyone sees a problem with that, the typical solution is to double the amount of software to make it "redundant". Go figure.)

[Jeroen3]

I have seen stop buttons in some non-public elevators. But you cannot restart it after pressing it. You need a key.
Similarly, jumping in a moving elevator will issue the emergency stop. Why?

[coppercone2]

well I am a proponent of EDC, you should have a knife on your belt if you are walking something with a leash. That's common sense to me, I feel unease roping down an animal.

Same for wearing clothing with a zipper... if you catch on fire you wanna be able to cut it off immediately. If the zipper gets stuck. Also for cutting stuck seat belts, or even removing shoe laces.

IMO elevators suck and fuck with me psychologically. A good elevator IMO would have a indicator of where the elevator is on every floor, not with dummy lights but an actual bar graph type deal that shows its actual height in the building, so anyone can see if the thing is fucking stuck. Some windows into the elevator shaft would not hurt too. I don't use the things anyway. Last thing I wanna do is urinate on the floor next to a stranger because my legs hurt. But they should be built better for crippled people anyway.  And if you use it frequently you would have an analog parameter to look at, like its speed and how smooth its moving, so you have an idea that its working properly. Any degradation in expected behavior might tip off a elevator technician early.

[Siwastaja]

Well due to electric vehicles predominantly using brushless motors makes some sort of computer in the chain unavoidable.

The greatest thing in brushless motors, safety-wise, is that they do need the "computer in the chain". Because they stop instantly, if the computer generating the 3-phase waveforms stops. And making a complex computer stop is simple. Short the Vcc line for the MCU, and the motor stops, 100% guaranteed. Cut the power to the MOSFET/IGBT gate drivers at the same time to be extra sure.

There are quite a few incidents with conversion EVs when done with brushed DC motors. You know, poorly specified contactors do weld short...

You can even make your safety switch short two phases of the BLDC motors together, and it will brake. But this is ugly. A reliable mechanical brake is of course a must in a passanger vehicle capable of some serious speeds, and it should indeed work through the normal braking interface. It's not going to ruin the range. The amount of energy retrieved back during heavy braking (quick stops) in miniscule.

[coppercone2]

I wonder realistically how much of the consumer base they would lose if they put a Kill switch on it? Is it some long term dastardly plot to eliminate mechanical breaks in the future? (it's so good we don't even need a kill switch?)

Who came up with this design philosophy?

[coppercone2]

https://www.quora.com/Why-do-older-elevators-have-emergency-stop-buttons-whereas-newer-elevators-dont

This is interesting though, it gets into the whole robocop thing of machines making better decisions then man.. It's also a potential rape box

But eventually with cars becoming networked and having collision avoidance AI radar and shit you have to make a serious decision to push a e-stop button... will the law give man the power? And what if it gets hacked? I could see it happening in 3rd world countries for kidnappings.

I think I will take the stairs though, thanks. Heart health and all. And if I get a electric car I will wire a kill switch.

[Marco]

People keep speaking of kill buttons, but electric cars don't have those and electric bicycles don't have either.

My sis works with mentally challenged people and the slightly larger electrical cart they have has one. The Stint should have had deadman's cord in my opinion, too trivial to fall off. Commercial vehicles for passengers should have higher safety standards than consumer vehicles.

On a normal bicycle you can throw the steering wheel 90 degrees, you can always stop right quick by falling over. In a car you have two mechanical breaking systems with enough power to fight the engine. The Stint has less control than a bicycle and the breaks did not have sufficient power to fight the engine at full power. The thing was a mess and an accident waiting to happen.

[Cyberdragon]

Most consumers of Elevator equipment have no idea how to properly configure or maintain the device. Even if they think they do...they don't. The elvator techs do, but they only fix what's needed and only so often, and since a lot of people can't identify a fault when it occurs, you get crap like

jumping in a moving elevator will issue the emergency stop. Why?

Which looks like some sort of way overadjusted sensor (better not be deliberate). It should never stop unless there is a real problem, this would be likely be classified as a serious fault.

[RobK_NL]

The Stint has less control than a bicycle and the breaks did not have sufficient power to fight the engine at full power. .

My own, human powered, cargo bike weighs about 45kg, has meticulously maintained breaks, but in case of an emergency, it would still require the weight and power of that same human to stop the thing just short of dead.

A Stint weighs just under 300kg empty and has a ~1000W motor. Try and stop that ...
They are quite agile, though, so the driver could have made a sharp turn. But I can well imagine the confusion and the growing panic when there's no response from the vehicle and before you know it, it's too late.

These things were specifically designed to move children, they even have frigging seatbelts because, you know, "safety first". So why not a kill switch?

[Mr. Scram]

My sis works with mentally challenged people and the slightly larger electrical cart they have has one. The Stint should have had deadman's cord in my opinion, too trivial to fall off. Commercial vehicles for passengers should have higher safety standards than consumer vehicles.

On a normal bicycle you can throw the steering wheel 90 degrees, you can always stop right quick by falling over. In a car you have two mechanical breaking systems with enough power to fight the engine. The Stint has less control than a bicycle and the breaks did not have sufficient power to fight the engine at full power. The thing was a mess and an accident waiting to happen.

Can you show us an electric car, shuttle or bus with a safety stop? I don't think there are many road vehicles that have one, if any.

While I appreciate the criticism and ideas of the people here, I have to admit many sound rather hindsighty. As is the case with so many accidents, in hindsight all the critics come out to point out the obvious flaws that apparently weren't so obvious before the accident.

[jmelson]

Similarly, jumping in a moving elevator will issue the emergency stop. Why?

Cable-suspended elevators have multiple safety systems.  One of them is a slack cable sensor.  They generally have 4 cables, each of which could support the elevator cab, at least for a short time.  A sensor detects if ANY cable loses tension.  This will happen BEFORE the cable totally fails, but as a few of the strands break.  It becomes longer than the other 3 cables, thus going slack.  This generally requires all cables to be replaced before the elevator can be returned to service.

The hoist engine at the top of the shaft has a mechanical brake that can wear out.  This brake holds the car in place when the drive shuts down after a few minutes of non-use.  If the brake fails, the empty car would start to move up, as the counterweight weighs more than the empty car.  There's a system to detect movement when the car is not supposed to be moving.

Finally, there's an overspeed sensor.  This consists of a FIFTH cable, smaller than the main cables, connected to a wheel at the top with a latching flyball governor.  It is set to trip at JUST above the normal elevator speed.  If the elevator exceeds the normal speed, the flyball governor flips, and has to be reset by the elevator repairman.  Jumping in the elevator while it is moving can get the overspeed cables bouncing and flapping, and causing it to trip the overspeed sensor.  it might also get the suspension cables to flap enough to trigger the slack cable sensor.

If these sensors trip, they cut power to the emergency brakes on the car, which are designed to halt a fully-loaded elevator car while descending, and are designed as fail-safe.  Loss of power will trip them, too.

Jon

[lamello]

Can you show us an electric car, shuttle or bus with a safety stop? I don't think there are many road vehicles that have one, if any.

Every of those vehicles have one, it's called: working breaks.

The stint has a combined motor and breaks. So if the motor goes crazy, there is a great possibility the breaks are not responding.
This and combined with a weak mechanical break, a plain example of a bad design, safety as an afterthought.

I am also interested how this vehicle is allowed by the government on the public road.

[Cyberdragon]

Jumping in the elevator while it is moving can get the overspeed cables bouncing and flapping, and causing it to trip the overspeed sensor.  it might also get the suspension cables to flap enough to trigger the slack cable sensor. 

It should not do that, that's improper maintenance. Everyone in the elevator jumping might cause that, but one person causing it is an overactive sensor that should be recalibrated. Unless you happen to be...well...excessively large.

[cdev]

This is my favorite elevator scene..

[ruffy91]

Pleas stop breaking cars.
This is a huge environmental issue if all your cars have pedals which cause your car to break so you have to get a new car every time you hit it..

[Berni]

Jumping in the elevator while it is moving can get the overspeed cables bouncing and flapping, and causing it to trip the overspeed sensor.  it might also get the suspension cables to flap enough to trigger the slack cable sensor. 

It should not do that, that's improper maintenance. Everyone in the elevator jumping might cause that, but one person causing it is an overactive sensor that should be recalibrated. Unless you happen to be...well...excessively large.

You can generate pretty significant forces by jumping. A plank that can hold the weight 3 people can be easily broken by 1 person jumping on it. If whatever you are standing on also has a pronounced enough resonance frequency you can sense it and tune jumping to match it. This uses the mass of the structure itself to exert even larger forces. And id imagine elevators can have a resonance under a few Hertz as a combination of the cable stretch and the mass of the cabin (You can clearly feel the oscillation if you jump).

Yeah you could probably make it a lot less likely to trip from a person jumping unless they really try hard and catch resonance but i'm sure most people prefer the safety systems to be on a hairline trigger just in case something does go wrong (Even tho elevators are incredibly safe things)

[nctnico]

Off-topic: Elevators and karma. True story. One of my relatives helps people to make travel arrangements like booking flights and train tickets. About 6 persons from a larger group found it necessary to go into an elevator which was specified for 4 persons. As a result the elevator got stuck between two floors. This made them miss the train so over 1000 euro worth of train tickers down the drain and on top of that they got charged with another 1000 euros for needing to be resqued from the elevator. Speaking of expensive mistakes.

[LapTop006]

Off-topic: Elevators and karma. True story. One of my relatives helps people to make travel arrangements like booking flights and train tickets. About 6 persons from a larger group found it necessary to go into an elevator which was specified for 4 persons. As a result the elevator got stuck between two floors. This made them miss the train so over 1000 euro worth of train tickers down the drain and on top of that they got charged with another 1000 euros for needing to be resqued from the elevator. Speaking of expensive mistakes.

Hah, reminds me of the lifts at $JOB[-1], for a while they were regularly breaking down, and while the tech's would always get people out quite quickly, it got annoying fast (I only got stuck once).

One of our building neighbours was a government department, who, as the story goes, moved out after the minister got stuck in the lifts.

[b_force]

Today on the news, the company is filing for bankruptcy.

I feel actually sad for them.
I can understand that investigation was needed, but because of all the drama (thanks to the media), their name basically isn't worth anything anymore.

[Kjelt]

I can understand that investigation was needed, but because of all the drama (thanks to the media), their name basically isn't worth anything anymore.

Their product is under investigation, it was declared not road safe, all outstanding orders were cancelled and their rental business stopped overnight.
Since that was their only product, revenues stopped over night, no income and a lot of paychecks to pay : over and out.

[nctnico]

Today on the news, the company is filing for bankruptcy.

I feel actually sad for them.
I can understand that investigation was needed, but because of all the drama (thanks to the media), their name basically isn't worth anything anymore.

IMHO the company (called Stint) should have handled things better. From what has been in the news they went into some kind of denial mode and went against the findings of the government agencies. That is a fight you'll always lose. The frustrating part of dealing with government agencies is that even when they are wrong they are still right.

[Kjelt]

IMHO the company (called Stint) should have handled things better. From what has been in the news they went into some kind of denial mode and went against the findings of the government agencies. That is a fight you'll always lose. The frustrating part of dealing with government agencies is that even when they are wrong they are still right. 

I agree but don't think it would have changed the outcome.
The government covered their asses almost immediately when the accident occurred trying to prevent that they would be sued by allowing an unsafe vehicle on the road, or as they say prevent future accidents (read as: prevent future lawsuits).
So the outcome would have been the same, no road allowance, no income from new sales or rents: game over.

[b_force]

The frustrating part of dealing with government agencies is that even when they are wrong they are still right.

That's what I mean I feel sad for them.

Also if this wasn't been in the news so big and the government didn't respond so dramatic, the whole investigation procedure would have been different.
I said it before, I agree that some critical safety system seems to be missing, but this way time, effort, money and even maybe a potential very nice product is just completely being wasted. (not to talk about the workers who have to find a new job, also not very nice to have on your CV)
That's what you get when people only think about the problems, and not about solutions, so unfortunate.

[Kjelt]

This does not have to be the end.
The inventor/owner can still wait till the storm is over in the mean time invent all necessary safety systems to upgrade the 3500 stints that have been sold and then when the time is right sell these upgrades and restart sales with the safe version.

[b_force]

This does not have to be the end.
The inventor/owner can still wait till the storm is over in the mean time invent all necessary safety systems to upgrade the 3500 stints that have been sold and then when the time is right sell these upgrades and restart sales with the safe version.

Paid how?