The emergency stop switch is a good idea, but there could be better solutions based on actual risk profiles for equipment with trap and entanglement risks when guarding is not a solution and operators may be close to the machine. Dead man switches are an obvious solution, where release of switch automatically opens the connector. Most windlasses that I have used have such a switch, but they can fail closed as well. A kill chord switch is an obvious way to provide usage control and a safe, remote way to kill power. Some of the equipment I have used has a tight wire which if touched trips a cutout, which is good for long spaces (cockpit) where operator could be anywhere, and distant from switch
It is difficult to rationalize why powered winches and windlasses on yachts don’t come with safety features beyond the breaker, which can be quite a distance away from the device and those operating the boat from deck. It is difficult to understand the rationale behind that. In the consumer market, in the UK, plenty of equipment that is not made for industrial, or professional use, has kill switches on the device so why not yachts? I think there is something around regulations associated with vessels that go to sea, even leisure vessels. The whole electrical safety, gas safety et cetera, after market, is poorly regulated, at least in the UK.
On my coded yachts, there is no requirement for such safety isolations on winches and windlasses, although a risk assessment is expected; procedures are the lowest level of risk control.
A terrible incident with so many cheese holes lining up: faulty winch, ignorance of breaker location, ignorance around safe operation, ignorance of emergency procedures.
On my own boat, my windlass breaker is beside the wheel, just inside the cockpit locker lid, but I sail single handed. Raising the anchor does have a risk of the getting entangled and the deadman switch failing. What then? I could operate the cone clutch lever to disengage the gypsy, or cat head. Food for thought.
Lots of good thoughts, as usual from you. Good point on the windlass. Our partial solution to that problem was always “don’t get your hands or loose clothing near the thing when it’s running”, but that’s far from great. For double handed crews maybe the answer is also a kill switch on the binnacle that the helms-person can press if the foredeck crew starts screaming.
I guess you could argue that electric winches already have dead-man switches since they are spring loaded and normally open, but clearly that has not been enough.
Yes these switches need to be pressed to operate the winch.
The problem is that they could fault in the way the contacts stay closed, even when you depress the switch. So you need a emergency power cutout.
The outboard kill switches are not built for the current driving these winches.
Philip Wilkie
December 4, 2025 5:26 am
As an industrial automation engineer who regularly designs and implements systems with a similar potential to maim or kill – this incident raises a number of serious red flags. Clearly this is a systemic issue. Electric winches all carry this risk. Relying on a single control switch to stop or limit torque does not meet any comparable industrial standard.
If this was a conveyor system where there was the very real potential for a person to be entangled in a moving nip, exactly the same as a winch, there would be safety rated emergency stop switches, pull-ropes, and removal of energy from the winch would have at least two layers of isolation.
This accident was a classic case of a ‘hidden fault’ that only became apparent when the hazard occurred – ie it would not stop the winch when required but you only found this out too late. Industrial safety systems use a number of different methods to ensure that a hidden fault like this will prevent the system from starting in the first place.
For example the control switch would normally have two contacts that are independently monitored using separately coded pulses. The two contacts have to operate either in parallel or in complement to each other with a less than say 50msec offset between them. This eliminates wiring that’s shorted to ground or supply, and requires both contacts to independently actuate at the same time.
The winch itself would have two contactors in series, each independently monitored so that they both have to simultaneously operate. If one ‘welds’ closed the other one will not close. Or it might have an electronic drive which incorporated “Safe Torque Off” arrangement that guaranteed the winch would not move.
The logic is so arranged that unless everything is considered ‘healthy’ the winch cannot run.
I’m only drawing a comparison here – an actual engineered solution would require more research and thought, but the general idea might be similar.
If anyone wants to geek out on the details – here’s an example of the kind of technology I’m talking about: https://literature.rockwellautomation.com/idc/groups/literature/do
Really interesting. Obviously on a boat we also have to be guided by practicality, but still, I can see nothing that would preclude incorporating at least the double contact switch you mention, which, alone, would be a huge step forward.
Matt Marsh
December 4, 2025 6:16 am
Rotating machinery is terrifying. And this is coming from an engineer whose day job involves multi-kilowatt lasers that are capable of turning an inch of solid steel into vapour in twenty milliseconds, hooked up to robots that can swing a sixty-kilo weight around at seven g acceleration.
There is a *very* strong tendency, in the recreational marine sector, to skip the best parts of the hierarchy of controls (elimination, substitution, engineering controls) and go straight to “oh, the operator will of course follow the administrative controls and have the correct PPE”. That simply does not pass muster in any professional / industrial environment. Administrative controls & standard operating procedures are important, but they’re a backup to a properly functioning set of engineered safety systems – not a replacement.
There’s also a tendency in this sector to skip the risk assessment entirely. Risk assessments are tedious and not fun. ISO 12100, EN/ISO 13849-1 and EN/IEC 62061 are quite a slog to work through. But they’re necessary.
I see a lot of significant design flaws in electric winch systems, and this accident exemplifies several of them. Philip’s comment, above, nicely summarizes the proper solutions – you use monitored relays/contactors that fail open when faulted, dual-channel switches, control signals coded with timed pulses so that shorts to power or to ground will throw a fault and disable the machine…
You are dealing here with a machine whose risk assessment has multiple lines at SIL 2 / SIL 3, but implemented in a way that has a probability of dangerous failure on the order of 0.00001 per hour. There’s a three-orders-of-magnitude gap between the actual implementation’s safety performance and the safety performance required to properly mitigate the risk.
That’s sobering indeed, particularly your last parra.
Eric Klem
December 4, 2025 1:39 pm
Hi All,
Lots of good thoughts above on emergency stop switches, deadmen, etc.
Of course, the best safety system is to never have the unsafe situation in the first place. I suspect that there was a failure of ergonomics that put the person in a place where this accident could start. Thinking about our boat, no one should ever have reason to be near the line entering a winch when using the winch. With central pedestals, I realize that can be a bit harder but still something to be careful about when laying out a deck. I have seen more than a few layouts that are dangerous because of where they put people from an entrapment or being in a springback zone.
Similarly, if you are going to implement something like an E-stop, you need to think about how to mount it so that it will be accessible. It is easy to not be realistic about this and say that you can reach it but maybe with the hand that is the one that is likely to be entrapped or something. On the equipment that I work on, nuisance trips are a real safety hazard too so we actually spend a lot of time trying to figure out where to make it accessible but also something that will never be accidentally used.
The other thing that springs to mind is that you need a plan for if you ever have to use the E-stop. You could well already be in an entrapment situation and if you are solo, that could be a real problem. Resetting the E-stop might allow the winch to turn back on. It is possible that you might be blocking the self-tailing so can’t release the line or there might be an override. Probably the simplest solution would be to have a sheath knife mounted right next to the E-stop but there are other options.
Thankfully I have never witnessed someone being killed by something like this but I have seen a hand go mostly through a block (powered winch run by another person but the only contributing factor was the speed) and someone get their hand caught in a windlass with 3/4″ chain.
Indeed, Eric – the best way to prevent machinery accidents is to set up the entire process in a way that makes sure that the moving machine and the people never occupy the same space at the same time.
The ergonomics of this setup were, from the photos available, not great. But also not terribly unusual. With drum winches, there is always some point at which the person’s hands must be on or very near to the winch while you wind or clear a line. You need to be damned sure, therefore, that the machine can’t move by itself while the person is in that space.
A big red button to hit after (or, if possible, just before) someone gets hurt is necessary, but not sufficient. The overall engineering of the system – not just the e-stop, but all the regular controls, force vectors, motion paths, power supply, operator & machine working volumes, etc. – needs to be carefully planned so as to minimize the risks. And then you need standard operating procedures that take all of this into account.
Our industrial robots pose a similar risk, as do CNC mills and lathes, and we use two solutions there. One is guard doors and light fences so that, if a machine is in automatic mode, it will kill the drives and engage the brakes the moment anyone gets within some defined distance away from it. The other, used in manual mode, is a 3-position grip switch interlock on the robot control pendant: you have to hold it at a certain pressure to enable the drives. If you panic and release it, OR if you panic and squeeze it too hard, it kills the drives and engages the brakes. Either way, it will not restart by itself when the interlock is cleared – it will wait for a separate command from the operator to re-energize the drives before it will accept any further commands.
Most powered winches I’ve seen have no such requirement, and will immediately start the moment they see power.
And you definitely need a plan for dealing with what happens after you stop the machine. Nobody thinks up their best plan in 10 seconds while they’re panicked. The checklists an air pilot or a chemical plant foreman uses to quickly work the problem are drawn up via careful line-by-line discussion over long periods of time, so that hours of thinking can go into a task that must be executed within 10 seconds.
Last edited 19 days ago by Matt Marsh
Nan Hanway
December 8, 2025 9:50 am
Am I mistaken that a good, sharp knife close at hand would have been the quickest way to free the skipper, whether or not electronic safety measures were employed?
My guess (and it is just that) is that it’s unlikely that a crew member would react fast enough to avert the fatality, or at least maiming, by cutting the line alone.
I have had to cut a line ( high loaded genoa sheet) once in an emergency and, although I was a young and experienced bowman, with a very sharp knife on my hip, the whole process of assessing the situation and actually cutting the line took way longer than I would be comfortable with in a winch entrapment situation.
The other problem with cutting the line is the risk of injury to both the person entrapped and the rescuer.
In summary, I agree with you: cutting the line would likely be required, but that we need to stop the winch first so that we have time to do that effectively and safely. So both a to hand knife and a stop button are required on any boat with electric winches.
Robert Krinner
December 8, 2025 10:29 am
All these winch switches will get
faulty over time. They are not industrian grade switches, which you could mount instead.
Luckily a emergency stop is easy to implement, just shortcut the winch power uppon hitting and the breaker will immediately flip.
I’m confused. Why would you short circuit (I assume that’s what you mean) and trip a breaker with all the attendant risks rather than just insert a made for purpose and readily available normally open contactor in the power line?
Peter Johnstone
December 8, 2025 10:36 am
The later Gunboats that we built had emergency off buttons for their electric/hydraulic winches. Safe operational procedures need to be discussed and posted. Keep limbs, clothing and hair away from possible trap points between the line and winch, keep eyes on whatever is being adjusted, educate about what to do with a ‘runaway’ winch situation (reduce wraps to allow the winch to spin without gripping the sheet or halyard, while shutting off power to the winch with stop button, and turning off breaker). The foot and hand buttons have a long history of moisture short circuits. Drip covers, good sealing and other solutions can be pre-emptive measures. Powered winch operation is a critical part of any safety briefing aboard.
Hi Peter, Good to hear you fitted emergency stops, good on you. And I agree, part of the problem is that most of us don’t train properly for use of electric winches.
Joseph Grenier
December 8, 2025 11:13 am
This was inadvertent but my winches are single speed when electrified. We usually haul the line around by hand until we would need a winch handle, make off to the self tailer, and push the button to finish the trim. The slow action might just be what saves a finger or worse. Thanks for the topic though, my guests will have more instructions from here on out for sure.
Jordan Bettis
December 10, 2025 1:11 am
Power winches are one of the reasons why fishing is one of the most dangerous professions there is.
It seems bonkers to me the current design of sailboats where they just keep embiggening everything and when the size get so big you exceed what muscle power can handle you start putting heavy industrial equipment in the same space people sit around drinking sundowners.
I have electric winches with switches close to the winch. Be a pain but moving them away would be a start.
Would one big kill switch for all rotating machines work?
This could be by the helm and open solenoids on winches, windlass, and bow thruster.
If these are in series to the regular switch/ solenoids they have lower usage and failure rate.
Of course this is making the hardware safer and is in addition to safe procedures – pick one hand: that’s the only one involved with winches and their lines.
Sure, you could wire it that way. One switch on the helm could open several normally open contactors. Sounds like a good idea, at least for the winches and windlass.
And I agree, thinking about switch position and how we manage the winches is equally important.
An e-stop mounted directly on a machine will stop all movement and stored-energy functions for that specific machine.
An e-stop on a wall, bulkhead, column, etc. will trip the e-stops on all machines in that zone.
In a sailboat cockpit, the latter option is preferable. It is a small zone and nobody should have to stop and think “which machine does this button go with” – any of the big red buttons should stop all the machines.
It’s crucially important that the operator be able to hit the e-stop *while* the emergency situation is developing. If your right hand is already entangled then you will need to use the other hand, or a knee or foot, to trip the e-stop. This might mean using multiple buttons, or it might mean using a cable-pull safety switch with a tripwire routed so that any crew member can kick it with their toe.
E-stop controls, like any controls, should be clearly labelled as to their functionality. The ones in my labs have a five-inch yellow surround marked
E-STOP
(big red button)
THIS CELL ONLY
The emergency stop switch is a good idea, but there could be better solutions based on actual risk profiles for equipment with trap and entanglement risks when guarding is not a solution and operators may be close to the machine. Dead man switches are an obvious solution, where release of switch automatically opens the connector. Most windlasses that I have used have such a switch, but they can fail closed as well. A kill chord switch is an obvious way to provide usage control and a safe, remote way to kill power. Some of the equipment I have used has a tight wire which if touched trips a cutout, which is good for long spaces (cockpit) where operator could be anywhere, and distant from switch
It is difficult to rationalize why powered winches and windlasses on yachts don’t come with safety features beyond the breaker, which can be quite a distance away from the device and those operating the boat from deck. It is difficult to understand the rationale behind that. In the consumer market, in the UK, plenty of equipment that is not made for industrial, or professional use, has kill switches on the device so why not yachts? I think there is something around regulations associated with vessels that go to sea, even leisure vessels. The whole electrical safety, gas safety et cetera, after market, is poorly regulated, at least in the UK.
On my coded yachts, there is no requirement for such safety isolations on winches and windlasses, although a risk assessment is expected; procedures are the lowest level of risk control.
A terrible incident with so many cheese holes lining up: faulty winch, ignorance of breaker location, ignorance around safe operation, ignorance of emergency procedures.
On my own boat, my windlass breaker is beside the wheel, just inside the cockpit locker lid, but I sail single handed. Raising the anchor does have a risk of the getting entangled and the deadman switch failing. What then? I could operate the cone clutch lever to disengage the gypsy, or cat head. Food for thought.
Hi Alastair,
Lots of good thoughts, as usual from you. Good point on the windlass. Our partial solution to that problem was always “don’t get your hands or loose clothing near the thing when it’s running”, but that’s far from great. For double handed crews maybe the answer is also a kill switch on the binnacle that the helms-person can press if the foredeck crew starts screaming.
I guess you could argue that electric winches already have dead-man switches since they are spring loaded and normally open, but clearly that has not been enough.
Yes these switches need to be pressed to operate the winch.
The problem is that they could fault in the way the contacts stay closed, even when you depress the switch. So you need a emergency power cutout.
The outboard kill switches are not built for the current driving these winches.
As an industrial automation engineer who regularly designs and implements systems with a similar potential to maim or kill – this incident raises a number of serious red flags. Clearly this is a systemic issue. Electric winches all carry this risk. Relying on a single control switch to stop or limit torque does not meet any comparable industrial standard.
If this was a conveyor system where there was the very real potential for a person to be entangled in a moving nip, exactly the same as a winch, there would be safety rated emergency stop switches, pull-ropes, and removal of energy from the winch would have at least two layers of isolation.
This accident was a classic case of a ‘hidden fault’ that only became apparent when the hazard occurred – ie it would not stop the winch when required but you only found this out too late. Industrial safety systems use a number of different methods to ensure that a hidden fault like this will prevent the system from starting in the first place.
For example the control switch would normally have two contacts that are independently monitored using separately coded pulses. The two contacts have to operate either in parallel or in complement to each other with a less than say 50msec offset between them. This eliminates wiring that’s shorted to ground or supply, and requires both contacts to independently actuate at the same time.
The winch itself would have two contactors in series, each independently monitored so that they both have to simultaneously operate. If one ‘welds’ closed the other one will not close. Or it might have an electronic drive which incorporated “Safe Torque Off” arrangement that guaranteed the winch would not move.
The logic is so arranged that unless everything is considered ‘healthy’ the winch cannot run.
I’m only drawing a comparison here – an actual engineered solution would require more research and thought, but the general idea might be similar.
If anyone wants to geek out on the details – here’s an example of the kind of technology I’m talking about:
https://literature.rockwellautomation.com/idc/groups/literature/do
Hi Philip,
Really interesting. Obviously on a boat we also have to be guided by practicality, but still, I can see nothing that would preclude incorporating at least the double contact switch you mention, which, alone, would be a huge step forward.
Rotating machinery is terrifying. And this is coming from an engineer whose day job involves multi-kilowatt lasers that are capable of turning an inch of solid steel into vapour in twenty milliseconds, hooked up to robots that can swing a sixty-kilo weight around at seven g acceleration.
There is a *very* strong tendency, in the recreational marine sector, to skip the best parts of the hierarchy of controls (elimination, substitution, engineering controls) and go straight to “oh, the operator will of course follow the administrative controls and have the correct PPE”. That simply does not pass muster in any professional / industrial environment. Administrative controls & standard operating procedures are important, but they’re a backup to a properly functioning set of engineered safety systems – not a replacement.
There’s also a tendency in this sector to skip the risk assessment entirely. Risk assessments are tedious and not fun. ISO 12100, EN/ISO 13849-1 and EN/IEC 62061 are quite a slog to work through. But they’re necessary.
I see a lot of significant design flaws in electric winch systems, and this accident exemplifies several of them. Philip’s comment, above, nicely summarizes the proper solutions – you use monitored relays/contactors that fail open when faulted, dual-channel switches, control signals coded with timed pulses so that shorts to power or to ground will throw a fault and disable the machine…
You are dealing here with a machine whose risk assessment has multiple lines at SIL 2 / SIL 3, but implemented in a way that has a probability of dangerous failure on the order of 0.00001 per hour. There’s a three-orders-of-magnitude gap between the actual implementation’s safety performance and the safety performance required to properly mitigate the risk.
Hi Matt,
That’s sobering indeed, particularly your last parra.
Hi All,
Lots of good thoughts above on emergency stop switches, deadmen, etc.
Of course, the best safety system is to never have the unsafe situation in the first place. I suspect that there was a failure of ergonomics that put the person in a place where this accident could start. Thinking about our boat, no one should ever have reason to be near the line entering a winch when using the winch. With central pedestals, I realize that can be a bit harder but still something to be careful about when laying out a deck. I have seen more than a few layouts that are dangerous because of where they put people from an entrapment or being in a springback zone.
Similarly, if you are going to implement something like an E-stop, you need to think about how to mount it so that it will be accessible. It is easy to not be realistic about this and say that you can reach it but maybe with the hand that is the one that is likely to be entrapped or something. On the equipment that I work on, nuisance trips are a real safety hazard too so we actually spend a lot of time trying to figure out where to make it accessible but also something that will never be accidentally used.
The other thing that springs to mind is that you need a plan for if you ever have to use the E-stop. You could well already be in an entrapment situation and if you are solo, that could be a real problem. Resetting the E-stop might allow the winch to turn back on. It is possible that you might be blocking the self-tailing so can’t release the line or there might be an override. Probably the simplest solution would be to have a sheath knife mounted right next to the E-stop but there are other options.
Thankfully I have never witnessed someone being killed by something like this but I have seen a hand go mostly through a block (powered winch run by another person but the only contributing factor was the speed) and someone get their hand caught in a windlass with 3/4″ chain.
Eric
Indeed, Eric – the best way to prevent machinery accidents is to set up the entire process in a way that makes sure that the moving machine and the people never occupy the same space at the same time.
The ergonomics of this setup were, from the photos available, not great. But also not terribly unusual. With drum winches, there is always some point at which the person’s hands must be on or very near to the winch while you wind or clear a line. You need to be damned sure, therefore, that the machine can’t move by itself while the person is in that space.
A big red button to hit after (or, if possible, just before) someone gets hurt is necessary, but not sufficient. The overall engineering of the system – not just the e-stop, but all the regular controls, force vectors, motion paths, power supply, operator & machine working volumes, etc. – needs to be carefully planned so as to minimize the risks. And then you need standard operating procedures that take all of this into account.
Our industrial robots pose a similar risk, as do CNC mills and lathes, and we use two solutions there. One is guard doors and light fences so that, if a machine is in automatic mode, it will kill the drives and engage the brakes the moment anyone gets within some defined distance away from it. The other, used in manual mode, is a 3-position grip switch interlock on the robot control pendant: you have to hold it at a certain pressure to enable the drives. If you panic and release it, OR if you panic and squeeze it too hard, it kills the drives and engages the brakes. Either way, it will not restart by itself when the interlock is cleared – it will wait for a separate command from the operator to re-energize the drives before it will accept any further commands.
Most powered winches I’ve seen have no such requirement, and will immediately start the moment they see power.
And you definitely need a plan for dealing with what happens after you stop the machine. Nobody thinks up their best plan in 10 seconds while they’re panicked. The checklists an air pilot or a chemical plant foreman uses to quickly work the problem are drawn up via careful line-by-line discussion over long periods of time, so that hours of thinking can go into a task that must be executed within 10 seconds.
Am I mistaken that a good, sharp knife close at hand would have been the quickest way to free the skipper, whether or not electronic safety measures were employed?
Hi Nan,
Good point, I have wondered about that too.
My guess (and it is just that) is that it’s unlikely that a crew member would react fast enough to avert the fatality, or at least maiming, by cutting the line alone.
I have had to cut a line ( high loaded genoa sheet) once in an emergency and, although I was a young and experienced bowman, with a very sharp knife on my hip, the whole process of assessing the situation and actually cutting the line took way longer than I would be comfortable with in a winch entrapment situation.
The other problem with cutting the line is the risk of injury to both the person entrapped and the rescuer.
In summary, I agree with you: cutting the line would likely be required, but that we need to stop the winch first so that we have time to do that effectively and safely. So both a to hand knife and a stop button are required on any boat with electric winches.
All these winch switches will get
faulty over time. They are not industrian grade switches, which you could mount instead.
Luckily a emergency stop is easy to implement, just shortcut the winch power uppon hitting and the breaker will immediately flip.
Hi Robert,
I’m confused. Why would you short circuit (I assume that’s what you mean) and trip a breaker with all the attendant risks rather than just insert a made for purpose and readily available normally open contactor in the power line?
The later Gunboats that we built had emergency off buttons for their electric/hydraulic winches. Safe operational procedures need to be discussed and posted. Keep limbs, clothing and hair away from possible trap points between the line and winch, keep eyes on whatever is being adjusted, educate about what to do with a ‘runaway’ winch situation (reduce wraps to allow the winch to spin without gripping the sheet or halyard, while shutting off power to the winch with stop button, and turning off breaker). The foot and hand buttons have a long history of moisture short circuits. Drip covers, good sealing and other solutions can be pre-emptive measures. Powered winch operation is a critical part of any safety briefing aboard.
Hi Peter, Good to hear you fitted emergency stops, good on you. And I agree, part of the problem is that most of us don’t train properly for use of electric winches.
This was inadvertent but my winches are single speed when electrified. We usually haul the line around by hand until we would need a winch handle, make off to the self tailer, and push the button to finish the trim. The slow action might just be what saves a finger or worse. Thanks for the topic though, my guests will have more instructions from here on out for sure.
Power winches are one of the reasons why fishing is one of the most dangerous professions there is.
It seems bonkers to me the current design of sailboats where they just keep embiggening everything and when the size get so big you exceed what muscle power can handle you start putting heavy industrial equipment in the same space people sit around drinking sundowners.
Hi Jordan,
I agree: https://www.morganscloud.com/2024/10/02/when-is-a-cruising-sailboat-too-big/
I have electric winches with switches close to the winch. Be a pain but moving them away would be a start.
Would one big kill switch for all rotating machines work?
This could be by the helm and open solenoids on winches, windlass, and bow thruster.
If these are in series to the regular switch/ solenoids they have lower usage and failure rate.
Of course this is making the hardware safer and is in addition to safe procedures – pick one hand: that’s the only one involved with winches and their lines.
Hi Stanley,
Sure, you could wire it that way. One switch on the helm could open several normally open contactors. Sounds like a good idea, at least for the winches and windlass.
And I agree, thinking about switch position and how we manage the winches is equally important.
In general, people will expect that:
In a sailboat cockpit, the latter option is preferable. It is a small zone and nobody should have to stop and think “which machine does this button go with” – any of the big red buttons should stop all the machines.
It’s crucially important that the operator be able to hit the e-stop *while* the emergency situation is developing. If your right hand is already entangled then you will need to use the other hand, or a knee or foot, to trip the e-stop. This might mean using multiple buttons, or it might mean using a cable-pull safety switch with a tripwire routed so that any crew member can kick it with their toe.
E-stop controls, like any controls, should be clearly labelled as to their functionality. The ones in my labs have a five-inch yellow surround marked
E-STOP
(big red button)
THIS CELL ONLY
or
E-STOP
(big red button)
ALL EQUIPMENT