The Case of the Machine that Malfunctioned

The Case of the Machine that Malfunctioned

Flawed design of electrical controls plays major role in operator injury

It seemed like any other day at the metal processing plant — a facility that buys sheet metal in large rolls, makes custom-sized pieces, and sells them. An experienced operator, who'd been working on the cut-to-length line for some time, knew the process like clockwork. Normally, the rollers that feed the metal into the cutting machine rotated approximately one-half turn after he released the JOG button. Unfortunately on this occasion, the motor continued to operate after he released it, pulling his right hand (along with the sheet metal) into the rollers and crushing it up to his wrist.

Due to its position on the machine, there was no way the victim could reach the emergency stop (E-STOP) button with his left hand. So he ultimately ended up kicking it with his right foot to bring it to a stop. Caught in the roller for several minutes screaming in pain before anyone noticed what had happened — due to the high noise level in plant environments like this — several coworkers finally came to the victim's aid, loosening the roller to remove his injured hand and driving him to the emergency room.

Brief background

What caused the metal processing machine to malfunction unexpectedly? To answer that question, it's important to review the events leading up to the accident.

This particular machine was part of a sheet metal cut-to-length line that included several pieces of equipment — all operated by a common control system — including a motorized arbor that unrolls the material, a leveler (Photo 1), which is a series of rollers offset from each other that straightens the material by alternately bending it in each direction, and a shear that cuts the material to size. A conveyor belt transports the cut material to the end of the line. This is where the main control panel is located (Photo 2).

The owner of this equipment had previously moved it from another facility, assembling it at the new plant several years before the accident. An outside electrical contractor installed all of the power and control wiring, using appropriate wiring methods and with acceptable workmanship. He also designed and built the main control panel, and installed E-STOP buttons at locations determined through discussions with the plant personnel. (Note: No one on the electrical contractor's team had any formal training in the design of machine safety systems.)

The accident occurred at the entrance to the leveler (Photo 1). When a new roll of metal is installed, the operator presses and releases the forward jog button, and then pushes the material into the front rollers, which turn just enough to grab it. The operator then moves to the main panel at the end of the line (Photo 2) and starts continuous operation. There was normally an angle-iron guard bolted to the machine frame in front of the rollers, which is visible at the front of the second roller in Photo 1.

The day before the accident, this line was running a very thick material through the system. The customer was on site and complained of scratches on the material surface. As a result, someone decided to remove the guard to eliminate the scratching. The following day, the guard remained off, although the line was set to run a lighter-gauge material.

The investigation

The worker (plaintiff) sued the electrical contractor, and the electrical contractor, in turn, sued the employer as a third-party defendant. The plaintiff's attorney hired me to investigate the accident. My investigation included several field inspections and a review of deposition transcripts and other documents.

There was very little documentation for the electrical system, although the electrical contractor produced a hand sketch of the control circuit that he had made at the time he designed it. The owner made changes to the machine controls between the time of the accident and my inspection, which were evident in photographs taken by others at various times. These changes were significant in that they prevented me from testing or inspecting some of the system in the condition that existed at the time of the accident. The wiring and controls that were present during my inspection showed no evidence of any faults or defective devices that would have been contributing factors to the accident. Next, I looked at several other possible causes.

Roller drive

At the time of the accident, the drive motor for the rollers was a variable mechanical drive. Two buttons on the main control panel allowed speed adjustment by operating a small motor on the drive that varied the pitch of the pulleys, thereby changing the mechanical ratio. A speed change took a relatively long time, and was generally done just once to set the operating speed. There was no change in speed for the jog mode.

Modern variable-frequency drives provide for instant speed changes in the run and jog functions, allowing the jog to operate at a much slower and safer speed if desired. The changes made after the accident included the addition of this type of drive.

The victim testified that on one previous occasion the rollers had continued to run. The supervisor reportedly checked everything, and could not find a problem.

Control circuit

The leveler motor can jog in both the forward and reverse direction, or latch on in the forward direction for continuous operation. With regard to this incident, I was only concerned with the forward circuit (Figure 1), which was a classic start-stop latching circuit with the addition of a momentary JOG button at the time of the accident. Although the circuit appears straightforward at first glance, it contained a design defect that caused the machine to malfunction.

With reference to Figure 1, pressing the START button completes the circuit through the STOP and START buttons, energizing the starter and closing the auxiliary contact (AUX), which operates with the starter. This also completes a second path through the normally closed (NC) JOG button contact and the AUX contact, which latches the starter on even after release of the START button. Pressing the STOP button opens the circuit, de-energizes the starter, and opens the AUX contact. The starter remains off on release of the STOP button. When the JOG button is pressed, the NC contact opens and the normally open (NO) contact closes, which energizes the starter. Although this closes the AUX contact, the latching circuit remains open because the NC contact is open. When the operator releases the JOG button, the NO contact opens, and the starter is de-energized and begins to lift. At this point, there is a race between the starter and JOG button. If the starter opens the AUX contact before the JOG button closes the NC contact, the latching circuit is open, the starter remains off, and the jog function works as designed. If, on the other hand, the JOG button NC contact closes before the starter opens the AUX contact, the latching circuit is completed through the NC and AUX contacts, which energizes the starter again and latches it on, just as if the operator had pressed the START button.

As designed, proper functioning of this circuit depends on a sequence of contact operations from two independent devices. Obviously, it worked most of the time, meaning that the starter responded faster than the button. However, on a random basis, depending on the operator's technique, or dirt or wear on the sliding surfaces of the starter, it would malfunction and allow the starter to latch on unexpectedly.

At least two options existed for a proper jog circuit design. Figure 2 above shows a typical recommendation from one of the major control manufacturers. Several variations to this circuit exist, but the key in all cases is the addition of a control relay that positively separates the jog function from the latching function, thereby eliminating the possibility of accidental latching.

A second option is to use a “JOG-RUN” selector switch to select the active operating mode. This is the method recommended in NFPA 79 Electrical Standard for Industrial Machinery, and was one of the modifications made to the machine after the accident.

Emergency stop

An E-STOP system stops the operation of a machine immediately when activated. In order to perform its safety function, it must be accessible to the operator. While an effective E-STOP system does not prevent the initial event, it can minimize the resulting injury if activated quickly.

The E-STOP button in this case was not easily accessible to an operator working near the rollers. Photo 1 shows the leveler panel containing the E-STOP button relocated from its position during the accident, which was on the machine frame approximately at the right edge of the photo.

Various industry literature and OSHA documents described at least four available techniques that would have provided effective E-STOP protection:

  • Placing multiple E-STOP buttons at appropriate positions on both sides of the machine and above the rollers.
  • Using a “body bar” along each side, so the operator would just need to lean forward to activate the E-STOP.
  • Using a “trip rod” hanging above the rollers, only requiring the operator to reach up and push or pull the rod.
  • Using an E-STOP cable to provide coverage along all of the potential operator positions.


The guard was a simple piece of angle iron with two bolts securing it to the machine frame. There was no means of adjustment of the clearance height. After the accident, the owner placed spacers under the guard to raise it. There was conflicting testimony about who removed the guard, who asked about replacing it, and who decided not to replace it.

One question that arose was whether the design of the controls should have anticipated removal of the guard for operation or maintenance reasons. For example, if the presence of the guard were critical for safety, an interlock switch could have disabled operation with the guard removed. Another option was a guard with a limited adjustment range, which would not have required removal for normal operation, and might have better satisfied functional requirements while continuing to provide the necessary safety function.

Forensic findings

Untrained individuals made control system and safety-related design decisions without regard to industry practice, accepted standards, or anticipated use or misuse of the machine. Several resulting factors contributed to this accident and injury.

  • The control circuit contained an inherent design defect that randomly caused the machine to malfunction, producing unexpected operation of the rollers. Proper design would have prevented this from happening.
  • The jog speed was the same as the operating speed. A safer slow-speed jog would have allowed more reaction time.
  • The guard was not present, thereby exposing the mechanical hazard. Proper guard design would have eliminated the need to remove it, or its removal would have disabled the machine.
  • The E-STOP button was inaccessible to the operator when loading the machine. A proper design would have placed an activating device where it was accessible under all anticipated conditions.

The lawsuit in this case settled prior to trial. A lesson to be learned is the prevalence of flaws in machine controls, as unqualified people, including maintenance technicians, electricians, and operators, perform control design that may lead to unforeseen accidents.

Miller is an electrical consultant and president of B. Miller Engineering in Deerfield, Ill.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.