Busting Emergency Stop Myths

September 3rd, 2010
This entry is part 4 of 4 in the series Emergency Stop

There are a number of myths that have grown up around emergency stops over the years. These myths can lead to injury or death, so it’s time for a little Myth Busting here on the MS101 blog!

Myth #1 – The Emergency Stop Is A Safety Device

Early in the Industrial Revolution machine builders realized that users of their machinery needed a way to quickly stop a machine when something went wrong. At that time, overhead line shafts were driven by large central power sources like waterwheels, steam engines or large electric motors. Machinery was coupled to the central shafts with pulleys, clutches and long leather or fabric belts which transmitted the power to the machinery.

See pictures of a lineshaft powered machine shop.

These central engines were sized to power the entire load of the factory, so they were much larger than a motor sized for an individual modern machine would be. In addition, they could not be easily stopped, and stopping the central power source for the factory would mean stopping the entire factory – not a welcome choice. Emergency stop devices were born in this environment.

Due to their early use as a safety device, emergency stop systems have incorrectly come to be looked upon as safeguarding devices by some. Modern standards make the differentiation very clear. The easiest way to understand the current meaning of the term “EMERGENCY STOP” is to begin by looking at the international standards published by IEC and ISO.

emergency stop
emergency stop function

function that is intended to

—   avert arising, or reduce existing, hazards to persons, damage to machinery or to work in progress,

—   be initiated by a single human action

NOTE 1

Hazards, for the purposes of this International Standard, are those which can arise from

—   functional irregularities (e.g. machinery malfunction, unacceptable properties of the material processed, human error),

—   normal operation.

Safety of machinery – Emergency stop – Principles for design, ISO 13850, Geneva, 2006

Reading this definition, it is important to understand first that the function is “initiated by a single human action”. This means that it is not an automatic function, and therefore cannot be considered to be a factor in risk reduction to operators or bystanders from the machinery. It does provide the ability to avert or reduce hazards by providing a means to stop the equipment once something has already gone wrong.

Safeguarding systems, on the other hand, act automatically to prevent a person from becoming involved with the hazard in the first place. This is a reduction in the probability of a hazardous situation arising, and it may also involve a reduction in the severity of injury by controlling the hazard, i.e. stopping rotating machinery before it can be reached. This constitutes a risk control measure and can be shown to reduce the risk of injury to an exposed person.

In Canada, CSA defines emergency stop as a ‘Complementary Protective Measure’ in CSA Z432-04, §6.2.2.1.1 and 6.2.3.5.3:

6.2.2.1.1
Safeguards (guards, protective devices) shall be used to protect persons from the hazards that cannot reasonably be avoided or sufficiently limited by inherently safe design. Complementary protective measures involving additional equipment (e.g., emergency stop equipment) may have to be taken.

6.2.3.5.3 Complementary protective measures
Following the risk assessment, the measures in this clause either shall be applied to the machine or shall be dealt with in the information for use.
Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but not be limited to,
(a) emergency stop;
(b) means of rescue of trapped persons; and
(c) means of energy isolation and dissipation.

Myth #2 – Cycle Stop And Emergency Stop Are Equivalent

Emergency stop systems act primarily by removing power from the prime movers in a machine. This can be done in a variety of ways that are outside the scope of this article, but the intent is to ensure that power can be removed and the equipment brought to a standstill as quickly as possible, regardless of the portion of the operating cycle that the machine is in. At the end of an emergency stop, the machine is inoperable until the emergency stop is reset. In some cases, emergency stopping the machine may damage the equipment due to the forces involved in halting the process quickly.

Cycle stop is a control system command function that is used to bring the machine cycle to a graceful stop at the end of the current cycle. The machine is still fully operable and may still be in automatic mode at the completion of this stop.

Myth #3 – Emergency Stop Systems Can Be Used For Control Of Hazardous Energy Procedures

Fifteen to twenty years ago it was not uncommon to see emergency stop buttons fitted with locking devices that would allow a person to depress the button and then fit a lock or tag to prevent the resetting of the emergency stop device. This was done as part of a “lockout procedure”. The term “lockout” has been expanded recently to include additional means of hazardous energy control in recognition of the fact that live work does need to be done from time to time, and that normal safeguards may be bypassed or disconnected temporarily to allow diagnostics and testing to be carried out. This process is more correctly called “control of hazardous energy” and is detailed in two current standards, CSA Z460 and ANSI Z244.1.

No current standard allows control devices such as push buttons or selector switches to be used as energy isolation devices for hazardous energy control, regardless of the type of control circuit they are connected into, or the reliability of that circuit.

Got any more myths about e-stops you’d like to share? Leave a comment or email it to us and we’ll consider adding it to this article!

References

  1. IEC – International Electrotechnical Commission.
  2. ISO – International Organization for Standardization
  3. Safety of machinery — Emergency stop — Principles for design, ISO 13850, 2006, ISO, Geneva, Switzerland.
  4. Control of Hazardous Energy – Lockout and Other Methods, CSA Z460, 2005, Canadian Standards Association, Toronto, Canada.
  5. Control of Hazardous Energy – Lockout/Tagout and Alternative Methods, ANSI ASSE Z244.1, 2003, American National Standards Institute / American Society of Safety Engineers, Des Plaines, IL, USA.

Guarding Emergency Stop Devices

September 3rd, 2010
This entry is part 3 of 4 in the series Emergency Stop

A lot of confusion exists when it comes to Emergency Stop systems, and clients often ask me if it is ‘OK’ to guard emergency stop devices like e-stop buttons, foot pedals, pull-cords, etc. Without getting into a ton of regulatory details, this article will look at the requirements for emergency stop devices in three key jurisdictions: Canada, the USA and the European Union.

If you need information on the functional aspects of emergency stop systems, see “Emergency Stop – What’s so confusing about that?”

Why Guard an Emergency Stop?

Generally, emergency stop devices, or e-stop devices as they’re often called, need to be protected from unintentional use. This problem occurs because e-stop devices have to be located close to where people work in order to be useful. An e-stop you can’t reach when you need it may as well not be there in the first place. So emergency stops are located at ‘normal operator stations’. This often means they are located under the edge of a machine table, or on an operator control bar like that used on power presses, putting the e-stop within reach, but also in the ‘line-of-fire’ when it comes to the operator’s normal movements.

To prevent unintended operation, people often want to put rings, collars, or worse – covers – on or around the e-stop device to keep people from bumping the device. Some of these can be done and should be done, and others are never permitted for good reason.

Regulatory Requirements

Let’s take a look at the key requirements from the regulations worldwide:

  1. Emergency Stop devices must be clearly identified. The technical standards require that emergency stop devices be coloured RED with a YELLOW background.
  2. They must be located within easy reach of the operator. This applies to all normal workstations where operators interact with the machine. For maintenance and service activities where workers may be in locations other than normal workstations, a pendant or other portable control must be used to cause machine motion. This device must include an emergency stop control along with other complementary safeguarding devices such as enabling devices and hold-to-run controls. Where access is only allowed under lockout conditions, this is not required.
  3. Buttons must be palm or mushroom-shaped devices.
  4. Devices must require manual resetting. This means that the device must latch in the operated position and require a deliberate action to reset the device. This includes actions such as: pulling out a pressed button, twisting a button to release the latched condition, pressing a reset button on a pull-cord to reset the tripped condition, etc.
  5. Unguarded. This means that easy access to the device may not be impeded, considering the personal protective equipment (PPE) that workers are required to wear. Devices that would be considered to be guards would include:
  • Close fitting rings or collars that require a worker to insert a finger inside the ring or collar to reach the device and activate it,
  • covers that close over the device to prevent access,
  • locking devices that prevent access to the device, etc.

So, considering point 5 above, isn’t this the end of the discussion? Not at all! There are a few factors to consider first.

An important consideration is the potential for accidental operation. Depending on the machine or process, accidental operation of emergency stop devices may result in significant lost production and/or damage to equipment. In cases like this, it is reasonable to protect the device from accidental operation as long as the measures taken to protect the device do not impede the operation of the device in emergency conditions.

ISO 13850:2006 supports this idea in Clause 4.4 Emergency stop device:

4.4.2 An emergency stop device shall be located at each operator control station, except where the risk assessment indicates that this is not necessary, as well as at other locations, as determined by the risk assessment. It shall be positioned such that it is readily accessible and capable of non-hazardous actuation by the operator and others who could need to actuate it. Measures against inadvertent actuation should not impair its accessibility. (Author’s Note: Bold text added for emphasis.)

Summing Up

The key difference between North American thinking and International/EU thinking is in the term “unguarded” as used in the North American standards, versus ISO 13850, § 4.4.2, where the designer is reminded, “Measures against inadvertent actuation should not impair its accessibility.”

In my opinion it is reasonable to protect an emergency stop device from inadvertent operation by placing a ring or other similar structure around an emergency stop device as long as the structure does not impair easy access to the device by the operator.

I know this opinion appears initially to go against the established North American standards; however, it can be logically argued, based on the definition of the word “guard”.

A guard is a device that prevents access to something, usually a hazard. Considering that we are talking about a control that is designed to reduce or limit harm, any structure that does not prevent access to the emergency stop device associated with the structure should be considered to be acceptable.

That said, devices like:

  • hinged covers;
  • doors;
  • locking devices;
  • narrow collars; and
  • any other device or structure

that unduly limits access to the emergency stop device cannot be considered acceptable.

Effects of PPE

The phrase ‘unduly limits access’ has specific meaning here. If workers are expected to be wearing PPE on the body part used to activate the emergency stop device, such as gloves or boots for example, then the structure placed around the emergency stop device must take into account the added dimensions of the PPE and the reduction in tactile capability that may occur (e.g. heavy work gloves make it hard to feel things easily), and must compensate for the effects of the PPE. Big gloves/boots = Big opening in the structure.

Lighting and protective eyewear can also play a part. You may need to use reflective or luminescent paint to highlight the location of the device in low light environments or where very dark eyewear is required, like that needed by welders or used by workers around some infrared lasers with open beam paths.

Effects of State-of-Mind

It’s also important to consider the likely state-of-mind of a worker needing to use an emergency stop device. They are either urgently trying to stop the machine because,

  1. another safeguard has failed and someone is involved with a hazard, including themselves, or
  2. the machine is damaging itself or the product and they need to limit the damage.

Both scenarios have a high level of urgency attached to them. The human mind tends to miss obvious things, including training, when placed under high levels of stress. Structures placed around emergency stop devices, such as covers, that completely block access, even though they may be easily opened, may be enough to prevent access in an emergency.

The answer you’ve all been waiting for!

So in the end, can you put a structure around an emergency stop to reduce inadvertent operation of the device?

YES!

Just make sure that you consider all the factors that may affect its use, document your analysis, and don’t unduly restrict access to the device.

Need more help? Feel free to email me!


References

IEC – International Electrotechnical Commission

ISO – International Organization for Standardization

Safety of machinery — Emergency stop — Principles for design, ISO 13850, 2006, ISO, Geneva, Switzerland.

Control of Hazardous Energy – Lockout and Other Methods, CSA Z460, 2005, Canadian Standards Association, Toronto, Canada.

Control of Hazardous Energy – Lockout/Tagout and Alternative Methods, ANSI ASSE Z244.1, 2003, American National Standards Institute / American Society of Safety Engineers, Des Plaines, IL, USA.