

William J. Helfrich
Supervisory Electrical Engineer
Mine Safety and Health Administration
Mine Electrical Systems Division
Cochrans Mill Road, P.O. Box 18233
Pittsburgh, Pennsylvania 15213


Several accidents have occurred involving mine hoists at both coal and metal/nonmetal mines. One of the accidents that was investigated revealed several faults with the design of the hoist's control system. This paper will discuss the electrical safety features in mine hoists along with areas in the hoist's control system that are considered critical. The hoist accident that occurred to a service hoist will be reviewed along with the modifications made to the hoist. Finally, maintenance and design criteria are reviewed.


The basic intent of the safety stop circuit in a hoist control is to de-energize the prime mover running the hoist and to simultaneously set the brakes on the hoist, thereby stopping the hoist as quickly as possible. There are limits on the deceleration rate of the hoist which will not be discussed in this paper.

The hoist safety stop circuit normally consists of a series of safety device contacts connected electrically to keep a relay energized. This relay in turn keeps the main power contactor closed, thereby supplying the power to the prime mover, and permitting the brakes to be operated by the hoist control. If this relay is de-energized, the power will be removed from the prime mover and the brake controlling solenoids will be de-energized. Brake solenoids are designed so that de-energizing them will set the brake, and if the brake is properly adjusted, the hoist will stop. The nomenclature for this relay depends upon the manufacturer of the electrical controls being used:

    U.V.R. - Under Voltage Relay;

    MR - Master Relay;

    ESR - Emergency Stop Relay; and

    MX - Control Relay.
The many different conditions which would cause an emergency stop are discussed later in this report.


A safety or emergency stop circuit contains many normally open contacts connected in series with a relay. These normally open contacts represent the various items which will initiate an emergency stop when they indicate a fault has occurred. These faults are of such magnitude that if the hoist is not stopped immediately, serious damage to men and machinery could result. There are nine areas that are protected by the emergency stop circuit:

    1. Emergency stop button (E-Stop button);

    2. Overtravel;

    3. Overspeed;

    4. Motor faults;

    5. Brake faults;

    6. Main power faults;

    7. Rope faults;

    8. Control power faults; and

    9. Drive train faults.

The following is a discussion of these various faults, why they are necessary and typical devices used to detect the faults. Figure 1 is a typical master relay circuit diagram showing several of the possible fault conditions and should be used as a reference to understand how all the safety features are connected.

Fig. 1. Typical Fault Stop Circuit

Emergency Stop Button

To protect against the possible failure of any protective device or the possible occurrence of conditions that are not detected by the protective devices, emergency stop buttons are designed into the safety stop circuit. These buttons are normally red, mushroom type, push-button switches. They are located at areas of the hoist where personnel may be located and where accidents or faults are likely to occur. Electrically, these buttons can be either directly or indirectly wired into the safety stop circuit. If they are wired in directly, the normally closed contacts of all emergency stop buttons are connected in series with the safety stop circuit. Thus, activating any emergency stop button will drop out the safety stop circuit relay and stop the hoist. If it is wired indirectly, the normally closed emergency stop buttons are in series with an auxiliary relay that is energized through a normally open contact from this auxiliary relay.

A normally open contact from this auxiliary relay is then wired in series with the safety stop circuit. Activating any emergency stop button will de-energize the auxiliary relay and de-energize the safety stop circuit, thus stopping the hoist.


There are two types of overtravel conditions, hoist overtravel and lower overtravel. These overtravel conditions can be detected at three different locations: (1) in the hoist house, (2) at the bottom of the shaft, or (3) at the top of the shaft. Quite often the condition is detected at both the hoist house and at the top of the shaft.

A device known as the Lilly Controller, mounted in the hoist house, is commonly used to detect hoist and lower overtravel conditions.

A cam or programmed-type limit switch, which is mounted in the hoist house and driven from the drum, is sometimes used as an overtravel indicator. Contacts from this device are also used in other parts of the mine hoist controls for such conditions as "slow down" and "stop."

Another device commonly used for indicating overtravel is a mechanized limit switch mounted at the top or bottom of the shaft. This switch is activated from either the hoist cage or the counter weight, when counter-weighted hoists are used. No matter where the overtravel switch is mounted or which type of switch is used, it is electrically connected in series and placed in the emergency stop circuit. Quite often two separate types of hoist and lower overtravel limits are used. A Lilly Controller with hoist and lower overtravel limits is normally used and is mounted in the hoist house. In addition, mechanical limit switches mounted in the shaft way are also used.

An overtravel condition can occur for a number of reasons, the most common being misadjustment of the brakes. If this condition occurs, a means must be provided to allow the hoist to be taken out of the overtravel condition. A bypass switch is normally used to accomplish this. The bypass switch electrically shorts out either the hoist or lower overtravel switch to allow the hoist to be taken out of the overtravel condition. This function is referred to as "backout of overtravel."

The device used to accomplish this is normally a spring-loaded pistol-grip switch. It not only shorts out either the hoist or lower overtravel switch, but normally only allows the hoist to be operated in either the hoist or lower direction, depending upon which overtravel condition the hoist is in. This is necessary in order to keep the hoist from traveling further into the overtravel condition. Normally this also only allows manual operation of the hoist. If it is activated during the automatic operation of the hoist, the switch also will normally stop the hoist. Since it is spring-loaded, it only permits operation of the hoist at the point where the manual control for the hoist is located. The overtravel contacts and the backout of overtravel switch are shown in the fault stop circuitry in figure 1.
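The backout-of-overtravel behavior described above can be expressed as a small logic model. This is an added example, not circuitry or code from the paper: the contact names, the `mode` and `direction` values, and the function names are assumptions chosen for illustration.

```python
def master_relay_energized(contacts, backout=None):
    """Series fault string: the relay holds only if every contact is closed.

    contacts maps a device name to True (closed, healthy) or False (open, tripped).
    backout is None, "hoist" or "lower": the overtravel switch that the
    spring-loaded bypass is shorting while the operator holds it.
    """
    for name, closed in contacts.items():
        shorted = backout is not None and name == backout + "_overtravel"
        if not closed and not shorted:
            return False
    return True


def run_permitted(contacts, mode, direction, backout=None):
    """Decide whether the hoist may run in `direction` ("hoist" or "lower")."""
    if backout is not None:
        if mode != "manual":
            return False   # bypass during automatic operation stops the hoist
        if direction == backout:
            return False   # never drive further into the overtravel
    return master_relay_energized(contacts, backout)


def healthy_string():
    # Constructed contact names, one per protective device; not taken from Figure 1.
    return {
        "estop": True, "hoist_overtravel": True, "lower_overtravel": True,
        "lilly_overspeed": True, "motor_overspeed": True, "field_loss": True,
        "brake_wear": True, "slack_rope": True,
    }


if __name__ == "__main__":
    tripped = healthy_string()
    tripped["hoist_overtravel"] = False
    for direction in ("hoist", "lower"):
        print(direction, run_permitted(tripped, "manual", direction, backout="hoist"))
```

The bypass shorts exactly one contact, so any other open device in the string still drops the relay while the operator is backing out.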


Hoist overspeed is a serious condition and can result in severe damage to equipment and injury to personnel. There are normally three types of overspeed conditions. The most critical is the hoist overspeed which is set to stop the hoist when the man cage exceeds a predetermined speed. This is usually detected by the Lilly Controller, which is normally set up as a programmed overspeed device. This means that if the hoist goes faster than the designed speed when accelerating or decelerating at the top or bottom or while running at its normal speed in the shaftway, the Lilly Controller will detect this condition and emergency stop the hoist. Figure 2 shows the normal speed curve while hoisting or lowering. The dotted line shows at what speed the drive will trip as a function of the length of the shaft. This overspeed device is wired into the emergency stop circuit, as shown in figure 1.

Fig. 2. Hoist Speed and Overspeed

Another device commonly used on hoist drives is a motor overspeed device. This is normally found on DC drives and is attached to the DC drive motor to protect the DC drive motor from going too fast and destroying itself. Normally this is a centrifugal switch which is set to trip at one specific speed setting, not usually to protect the hoist man cage, but to protect the motor from excessive speed. Its setting is a function of the motor speed design and is higher than the trip setting of the Lilly Controller. Also, it is not a programmed type of overspeed device, meaning its overspeed setting does not change as a function of hoist travel. Its contacts are wired into the fault stop circuitry, and it is usually designed so that when the device has been activated, it must be manually reset before the emergency stop circuitry is reset. The one advantage this device has over the Lilly overspeed is that it is mechanically connected to the motor drive shaft which is substantially connected to the hoist drive. It is therefore very unlikely that the device would become uncoupled mechanically from the hoist cage except from rope breakage. The Lilly Controller, however, is coupled to the hoist drum through gear reducers and quite often through a synchronizer which could be subject to failure.

The last overspeed device is the motor generator set overspeed. This is only found in DC hoists that use an AC motor and a DC generator to convert the fixed AC voltage, commonly available, to an adjustable DC voltage for controlling the mine hoist. The purpose of this overspeed device is to protect the AC motor and the DC generator from an overspeed condition. An overspeed on this motor generator set can occur if the DC motor is connected to an overhauling load such as when lowering a heavy load. The motor is actually acting as a generator and supplying power to the generator which is acting as a motor. The generator is thus tending to cause the AC motor to overspeed and could, if the load was heavy enough, cause damage to the generator and AC motor. This overspeed device is usually the same type as the motor overspeed. It is centrifugally operated and must be manually reset. Electrically it is connected, as shown in figure 1, in series with the fault string and will stop the hoist when an overspeed condition occurs. A tripping of this device would normally indicate that a large load was being lowered or that a severe imbalance existed in a counter weighted hoist.

Motor Faults

Hoist motor faults normally consist of three items: overload, field loss, or a ground.

A DC motor armature loop will normally have connected with it a timed overcurrent device which is sized to protect the DC motor and DC generator if an overcurrent condition were to exist for any length of time. A contact from this device is electrically connected in series with the fault string and will stop the drive in an emergency. Overloads are also used on AC motors and are connected in series with the AC motor. They serve the same function as when used for DC motors.

Hoist drives using DC motors normally vary only the armature voltage and separately excite the field of the DC motor.

Anytime a DC shunt-wound motor armature is supplied power, the field of the motor must also be supplied power in order to keep the motor from going too fast and destroying itself. Therefore, a DC drive should include field loss protection. Normally this is accomplished by a current relay which is placed in series with the DC motor field. The relay is then adjusted to pick up at a certain value and then drop out at a lower value. Sometimes two field loss relays are used. This is a much better method since the field loss relays are then placed on both sides of the DC motor field. In this way any accidental grounds in either the motor or the DC power supply will not defeat the field loss protection due to the redundancy of the relays. Contacts from these relays are then wired in series with the emergency stop circuit. Therefore, any field loss occurrence will stop the hoist.

The last fault associated with the drive motor is a ground in the armature circuit of the motor. This normally applies just to DC motors. The ground relay is placed in the armature circuit in a manner that it will detect a ground in both the DC motor and generator. When a ground resistance below a predetermined value is detected, the relay is energized. It then mechanically latches in and opens a contact. This normally opens a contact in series with the safety stop circuit. Thus, once a ground is detected, the ground detector must be manually reset before the hoist is operated again.

Brake Fault

There are several brake conditions monitored by limit switches which will each cause an emergency stop of the hoist: (1) brake wear, with a switch that monitors the thickness of the braking material; (2) broken links, with a switch that monitors the mechanical linkages on the brake mechanism; and (3) brake weights, with a switch that monitors the drop of the brake weights due to a loss of air pressure. If the brake weights start to drop, an emergency stop of the hoist occurs. These are just a few of the more common items monitored on air brake systems, and they apply more to air brake systems than to hydraulic or disk brake systems. Hydraulic and disk brake systems have additional mechanical limit switches which monitor the integrity of these systems.

Main Power Faults

If the power supply feeding the hoist motors should become de-energized due to an internal fault, an emergency stop of the hoist would be initiated. This would occur if the power supply were either a motor-generator set or a static power supply. Detection of loss of power is done by a normally open contact which monitors the MG set or static power supply input voltage. This contact is then placed in series with the fault string. An emergency stop of the hoist is necessary because a normal stop of the hoist is defeated due to the loss of regeneration capability.

Rope Faults

There are normally two items monitored concerning the hoist rope, slack rope and jammed conveyance. Slack rope is normally detected by a cable stretched across the opening where the hoist ropes leave the hoist house. This cable is tied into a normally closed limit switch. If the hoist ropes should "go slack," the cable would move and then open the limit switch. This limit switch, in series with the fault string, would cause an emergency stop.

If a conveyance should jam, the hoist drive would still be turning and then the hoist rope would either be stopped or turning at a much slower rate than the hoist drive. Detection of this condition is accomplished by a friction-driven tachometer driven from the hoist ropes. This tachometer signal is then compared with the hoist drive tachometer signal using an electronic comparator circuit. If the two signals are the same, nothing occurs. If one signal becomes larger than the other, a detection relay is activated and the hoist is stopped. This contact on the detection relay is normally open. Therefore, if the circuit should become de-energized, the relay will activate an emergency stop.

Control Power Faults

The main problem concerning control power is the monitoring of either loss of voltage or undervoltage. The three areas where control power faults may occur are the AC control power, DC control power, or the regulator control power. AC and DC control power are normally monitored by way of a normally open contact on a relay whose coil is connected to the AC or DC supply being monitored. The DC supply is inherently monitored by the master relay in the fault string being supplied from the DC supply. Therefore, a loss of the DC supply will cause this relay to be de-energized and an emergency stop to occur. The AC supply is also inherently monitored since all the solenoids which control the hoist brakes are supplied from this source. Therefore, any loss of AC power will cause the brakes to set which will cause an emergency stop.

The regulator supply is normally more closely supervised than the AC and DC supplies. This is because a slight increase or decrease in voltage will cause the drive to go out of calibration, which would mean that the speed, voltage, and current could be substantially higher or lower than the design specifications. Therefore, the regulator power supply is monitored for both undervoltage and overvoltage conditions. In addition, sometimes the reference to the speed regulator and the actual speed of the hoist are compared. If they should go out of balance then an emergency stop of the hoist will occur.

Drive Train Faults

Generally, critical control elements are mechanically driven from the hoist drum shaft. The drum shaft drives these devices through a synchronizer which is used to recalibrate the position of the devices after a trip cycle. Included among these devices are the Lilly Controller and the program limit switch. In order to assure that the devices are connected and operating, a tachometer is usually also driven from the synchronizer. The output of the tachometer is compared with the motor speed tachometer. If the two do not compare, this would indicate that a problem has occurred in the device's mechanical drive train, which in effect defeats the Lilly Controller and program limit switch's operation. If this occurs, the comparator circuit initiates an emergency stop of the hoist.

The devices discussed previously do not encompass all of the protective features which may be on a hoist. These are just the most prominent and the ones that all hoist manufacturers normally incorporate.


According to a study made by E.D. Seals of MSHA's Health and Safety Analysis Center in Denver, Colorado, defective equipment and maintenance errors accounted for 69.4 percent of the total hoisting accidents at metal and nonmetal mines during 1978, 1979, and 1980. The main instances of defective equipment are directly related to brakes and electrical devices. Maintenance errors in the United States average 18 percent a year. Mr. Seals concludes that there is a potential for an accident which could involve from one to over a hundred miners.

To date, there has not been a study such as this made on hoisting accidents at coal mines. There have, however, been accidents involving hoists at coal mines including one particular hoist accident at a coal mine service hoist. The hoist was a counterweight friction hoist. The cage was empty at the time of the wreck and was driven into the head frame. In this particular accident, the cage was at the bottom and the hoist was operating in the automatic mode. The cage was called to the top. At this time, the bells rang, indicating the hoist would start to move. The brakes went to the prime position, but the motor did not turn. Since this seemed out of the ordinary, personnel at the top pressed the emergency stop button. One of the miners noticed an arc from a cabinet indicating that the loop contactor had opened. At this moment, the motor started turning and accelerating. The brakes did not set at this time. The MG set AC motor was de-energized, but the hoist still did not stop. The AC control power breaker was opened. This set the brakes, and almost at the same time the cage hit the head frame. When the cage hit, the hoist ropes broke and fell down the shaft, taking out a major portion of the shaft-way electrical conduit. Tests made shortly after the accident did not reveal any problems in the hoist house wiring. The shaft-way wiring and controls could not be evaluated since the conduit had been damaged.

After repairs were completed on the hoist, tests were again conducted in an effort to determine the cause of the accident. Due to various delays, repairs were not completed until six months after the accident.

The regulator portion of the drive ultimately controls the direction the hoist is going to move. The direction is determined by the polarity of the speed reference. This reference is changed by either picking up or dropping out a relay internal to the regulator. This relay receives its signal from a direction latch relay, which in turn receives its signal from the up or down relays. If one of these relays were to fail to initiate the latching or unlatching of the direction latch, the regulator would think it was in the previous direction and when called upon to hoist, would actually lower the conveyance. Contacts on these types of relays, the up and down, have been known to fail due to dirt on the contact tips. If the drive was called upon to hoist, but instead the regulator went to lower, the regulator might go into current limit, the drive would not move and the first condition which led to the wreck would occur.

This condition was simulated by lifting the wire to the direction latch relay causing it to latch in the lower position when called upon to hoist. The drive was then directed to hoist. The drive went lower, but did not reach current limit and therefore continued in the lower direction. It was discovered at this point that the counterweight did not have as much weight on it as it did the day of the wreck. This is important because when the hoist is in the lower mode, it is actually lifting the counterweight which is much heavier than an empty cage. It was then decided to load the counterweight to full load as it had been the day of the wreck.

As can be seen from figure 3, the hoist did not move, but the current is very high (1,080 amperes).

Fig. 3. Direction Latch Test

Figure 4 is the stall test made to determine where the hoist would stall in the lower direction, 1,110 amperes.

Fig. 4. Lower Current Limit Stall Test

As can be seen from figures 3 and 4, there is only 30 amperes difference between the lower stall current (1,110 amperes) and the current drawn in the simulation test (1,080 amperes).

Although nothing conclusive was found, two highly probable answers were determined to the following questions: (1) Why did the cage fail to move when called to the top? and (2) Why did the brakes fail to set when the E-Stop button was actuated? The answer to question one became fairly obvious after the tests had been performed on the direction latch relay. The fact that only 30 amperes would be needed to cause the cage to go from a lower to a stall condition was proven during these tests. This amounts to less than a 3 percent increase in load on the motor. Since the tests were made during summer while the ambient temperature was approximately 75°F and the accident occurred in the winter when the ambient temperature was approximately 30°F, lubricant stiffness could have caused this additional load. Also, the mechanical equipment was completely realigned after the wreck, which means that the equipment could have been slightly out of alignment, causing an additional load. Also, since the hoist was completely rechecked during the six months, this gave it additional time to loosen up and lower the load the motor had seen in the winter. This additional load would have made the hoist stall and sit motionless when called to hoist, if the direction latch had failed to latch in the opposite direction.

The answer to the second condition of the brake's failure to set once the E-Stop button was actuated and the loop contactor dropped out, can be explained electrically by looking at the design of the fault stop circuitry and the vulnerability of the brake solenoid circuitry. When the E-Stop button is actuated, the emergency stop relay drops out. This in turn drops out the master relay, which drops out the loop contactor and de-energizes the brake solenoid, which sets the brakes. We know that an arc was seen coming from the adjacent cabinet once the E-Stop button had been actuated. The arc would be due to the loop contactor opening under load and interrupting the 1,100 amperes flowing in the loop circuit; therefore, the master relay dropped out since this is the only way the loop contactor could be dropped out. The "B" wire, as shown in figure 5, energizes the brake solenoids and is energized from the "A" wire through a set of contacts on the master relay. The "A" and "B" wires also go to various other control boxes and to the bottom level stations in the mine shaft. A short from the "B" to the "A" wire would have kept the brake solenoids from de-energizing and the brakes from setting even though the master relay had dropped out. No short between these wires was found in the wiring that was not damaged during the wreck. Nothing conclusive could be found in the cables which had been damaged during the wreck. Investigations of the color coding of the wiring in the junction box on the side of the head frame, where the mine shaft cables were terminated, revealed that "B" and "A" wires were the same color. The addition of the "A" wire to the wires which go down the shaft had been made prior to the hoist being placed into operation to allow the indicator lamps to light even though the master relay was dropped out. It was assumed, therefore, that a short existed between the "A" and "B" wires which kept the brakes from setting when the master relay dropped out.


There were several changes made in the hoist's original design in order to improve the reliability of the hoist control. The first major change was the addition of a redundant or auxiliary master relay to ensure that the brakes set once a fault or E-Stop condition occurred. This relay opens independently once the E-Stop button is actuated, the E-Stop button in the hoist house is actuated, the motor overspeed trips, or the Lilly overspeed trip occurs. The master auxiliary relay would then drop out the master relay, the loop contactor, and the brake solenoids, setting the brakes. The wiring for this auxiliary relay is isolated from the normal master relay circuit to ensure that the brakes operate and the loop contactor drops out even though the wiring in the head frame may be damaged. The master relay cannot be energized unless the master auxiliary relay is also energized, and the master auxiliary cannot pick up unless the master relay picks up. Activating the E-Stop button in the hoist house also dumps the air out of the brake cylinders, thereby setting the brakes with the brake weights. The right side of the brake magnet valves is de-energized by the master auxiliary relay, setting the brakes independently from the master relay, which de-energizes the left side of the magnet valves. The control circuit was also modified to prevent the "A" wire from leaving the hoist house and going out to the shaft-way circuits. To prevent the drive from operating in the opposite direction from the called-for direction, latch contacts were put in series with the up and down contacts to prevent inadvertent energizing of the relay if the direction latch relay had not changed state.

Fig. 5. Modified Hoist Brake Circuit
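The sneak path assumed in the accident analysis, and the effect of the modifications, can be checked with a small fault enumeration over a logic model of the brake solenoid circuit. This is an added example, not taken from the paper or from Figure 5: the model is a simplification, and the two welded-contact faults and all identifiers are assumptions introduced to exercise the redundancy.

```python
from dataclasses import dataclass
from itertools import combinations

# Faults examined. "ab_short_in_shaft" is the fault the paper assumes; the two
# welded-contact faults are constructed here to exercise the redundancy.
FAULTS = ("ab_short_in_shaft", "master_contact_welded", "aux_contact_welded")


@dataclass(frozen=True)
class Design:
    name: str
    a_wire_in_shaft: bool   # does the always-energized "A" wire leave the hoist house?
    has_aux_master: bool    # is there a master auxiliary relay on the other coil side?


ORIGINAL = Design("original", a_wire_in_shaft=True, has_aux_master=False)
MODIFIED = Design("modified", a_wire_in_shaft=False, has_aux_master=True)


def brakes_set(design, estop_pressed, faults=frozenset()):
    """True when the brake solenoid is de-energized, i.e. the brakes are set."""
    # E-Stop drops the emergency stop relay, which drops the master relay.
    master_relay = not estop_pressed
    # In the modified design the master auxiliary relay drops out independently.
    aux_relay = not estop_pressed

    # Left side of the coil: the "B" wire, fed from "A" through a master relay contact.
    b_energized = master_relay or "master_contact_welded" in faults
    # Sneak path: an A-to-B short keeps "B" energized, but only where "A" runs
    # alongside "B" in the shaft-way wiring.
    if "ab_short_in_shaft" in faults and design.a_wire_in_shaft:
        b_energized = True

    # Right side of the coil: hard-wired in the original, switched by the
    # master auxiliary relay in the modified circuit.
    if design.has_aux_master:
        right_side_closed = aux_relay or "aux_contact_welded" in faults
    else:
        right_side_closed = True

    return not (b_energized and right_side_closed)


def defeating_fault_sets(design, max_faults=2):
    """Minimal fault combinations for which pressing E-Stop does NOT set the brakes."""
    minimal = []
    for size in range(1, max_faults + 1):
        for combo in combinations(FAULTS, size):
            if any(set(m) <= set(combo) for m in minimal):
                continue  # a smaller subset already defeats the stop
            if not brakes_set(design, estop_pressed=True, faults=frozenset(combo)):
                minimal.append(combo)
    return minimal


if __name__ == "__main__":
    for design in (ORIGINAL, MODIFIED):
        print(design.name, defeating_fault_sets(design))
```

In this model the original circuit is defeated by either single fault on the "B" side, while the modified circuit needs two independent contact failures before an E-Stop fails to set the brakes.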


Since this accident, there have been several other incidents in which hoists have wrecked or have come close to wrecking. With the potential for these accidents to cause serious injuries or fatalities to miners, several manufacturers and mine operators have been searching for methods to improve hoist reliability. MSHA has also been working with these people to improve future designs of hoist controls and to modify, where necessary, existing hoist control systems. There are two major areas associated with hoist controls that deserve special attention.


Maintenance plays an important role in keeping a hoist system safe. In general, the system as designed and installed by the hoist manufacturer is a safe system. It is when this system is not properly maintained that the system becomes unsafe. Maintenance should consist of periodic testing of the system's safety features as described earlier in this paper. All emergency stop functions should be exercised to determine if they are working as initially installed.

This checkout should be done in a systematic manner by people familiar with the control and its protective devices. A record of these tests should also be kept. When critical control functions are found to be inoperative, they should be repaired before any personnel are permitted to use the hoist. In addition to checking the protective features of the hoist, performance tests should also be made on the complete system. These tests would include speed, current, and voltage recordings of the hoist under various operating conditions. Recordings should also be made under emergency stops when the hoist is carrying full, normal, and light loads. Special attention should be paid to the deceleration rates when stopping in an emergency to determine the integrity of the mechanical braking system. By keeping records of these recordings, a comparison can be made to determine if the system has deteriorated.

If modifications must be made to the hoist system, the hoist manufacturer or experts in this area should be consulted. Modifications to one part of the hoist may seriously defeat a safety feature in another part of the hoist system. A permanent record of any changes to any part of the hoist should be maintained.

The performance of the hoist control system may seriously be diminished by the substitution of devices into the hoist control system.

Another important rule to keep in mind when making tests, repairs, or modifications to the hoist system is that, if it becomes necessary to defeat safety features, those features should be recertified after the tests, repairs, or modifications are made and before the hoist is placed back in operation.


Design of control systems is very critical to the safety of the person riding the conveyance. Circuits should be designed so that a removal of power will stop the hoist. Also the initiation of an emergency stop, normal stop, or protective stop should not be dependent upon the energization of a relay. Critical areas of the control system should be made redundant. For example, a magnet valve in the brake control should be de-energized or energized from both sides of the coil instead of just one side of the coil. Critical circuits which leave the protected area of the hoist house should be isolated so that a short or an open in them will not defeat a safety feature in the hoist control.

After a hoist system has been designed, the design should be reviewed to make sure there are no sneak circuits that could occur which would defeat the safety features. Careful attention to the causes of emergency stops occurring must be made, keeping in mind that each time an emergency stop occurs the loop contact is opened. This could become critical if the mechanical braking system is not intact and will not stop the hoist. Under these conditions, it may be more desirable to bring the hoist to a controlled stop instead of an emergency stop. It should always be remembered that when an emergency stop is called for, there is an instant of time when the mechanical brakes are not set and the loop contactor is opened. During this period of time, the hoist has no braking system, electrical or mechanical, connected to it, and the potential for a severe hoist accident is very high.