Monthly Archives: March 2009

ESA Manufacturer Registration in Ontario, Canada

Posted by on March 16, 2009 5 comments

Electrical Safety Authority LogoSince February 17th, 2009, there has been an inter­est­ing dis­cus­sion thread on the PSES’s EMC-​​PSTC list on the new Manufacturer’s Registry in the Province of Ontario, Canada. Since there was so much inter­est, I decided to try to sum­ma­rize things here.

Background

Ontario is the sec­ond old­est and the most pop­u­lous Province in Canada, with 12,160,282 peo­ple as of the 2006 cen­sus. Canada has 10 Provinces and three Territories. Ontario is Canada’s man­u­fac­tur­ing heart­land and is often a leader in new legislation.

ESA, or the Electrical Safety Authority as they are more prop­erly known, is the Authority Having Jurisdiction (AHJ) in the Province of Ontario, Canada. This means that they are autho­rized by the Government of Ontario to reg­u­late elec­tri­cal safety in the Province. ESA was for­merly the inspec­tion arm of Ontario Hydro, a crown cor­po­ra­tion dis­solved in 1998. ESA pro­vides build­ing and equip­ment elec­tri­cal inspec­tion ser­vices to the pub­lic and indus­try in the Province, and pub­lishes the Ontario Electrical Code. The Code is adapted directly from CSA’s Canadian Electrical Code — Part 1 (CSA C22.1), with Provincial deviations.

On 1-​​Aug-​​07, the Ministry of Small Business and Consumer Services filed Ontario Regulation 438/​07, Product Safety. This new reg­u­la­tion enables the Electrical Safety Authority to reg­u­late the safety of elec­tri­cal prod­ucts and equip­ment sold and used in Ontario.

The reg­u­la­tion was phased in to ensure that ESA and stake­hold­ers had enough time to develop tech­ni­cal guid­ance to sup­port the regulation.

  • On 1-​​Oct-​​07 the sec­tions of the reg­u­la­tion that gov­ern approval of elec­tri­cal prod­ucts (cur­rently con­tained in the Ontario Electrical Safety Code) and that allow notice be given to the pub­lic of unsafe elec­tri­cal prod­ucts came into effect.
  • On 1-​​Jan-​​08 other sec­tions relat­ing to ESA’s inves­tiga­tive and order-​​making pow­ers came into effect.
  • On 1-​​Jul-​​08 sec­tions of the reg­u­la­tion requir­ing orga­ni­za­tions to report seri­ous elec­tri­cal inci­dents or defects came into effect.
  • On 1-​​Apr-​​09 the Registry will open and man­u­fac­tur­ers can begin to reg­is­ter with ESA. For man­u­fac­tur­ers cur­rently sell­ing prod­ucts in Ontario, reg­is­tra­tions must be com­pleted by 30-​​Aug-​​09. This require­ment is cur­rently post­poned. For more infor­ma­tion, see this arti­cle. If your com­pany wants to begin sell­ing prod­ucts in Ontario, the com­pany must reg­is­ter before prod­ucts can be sold.

What is the Registry?

Recent Changes in the Ontario Electricity Act have increased the require­ments for report­ing of “seri­ous inci­dents” with elec­tri­cal ori­gins. These require­ments are found in Ontario Regulation 438 on Product Safety. In the past, sig­nif­i­cant num­bers of injuries caused by either unap­proved equip­ment, or fraud­u­lently marked equip­ment have occurred. When ESA has inves­ti­gated the equip­ment, they run into prob­lems with find­ing the orig­i­na­tor of the gear, and there­fore the per­son or com­pany who bears respon­si­bil­ity for the prob­lem. The new addi­tions to the reg­u­la­tion address this by requir­ing report­ing of severe injuries caused by elec­tri­cal equip­ment. In order to improve trace­abil­ity of elec­tri­cal prod­ucts sold in Ontario, ESA intro­duced the Manufacturer’s Registry, and made it manda­tory under their author­ity as the AHJ in Ontario. See the Ontario Regulation. Registration begins 1-​​Apr-​​09. Registration must be com­pleted by 30-​​Aug-​​09. The manda­tory Registration dead­line has been indef­i­nitely post­poned. A fee of $350 Canadian dol­lars must be paid in the first year, with a reduced fee in each fol­low­ing year.

Manufacturers of elec­tri­cal equip­ment for sale in Ontario are required to reg­is­ter with ESA, regard­less of whether they are located in Ontario or else­where. Failure to reg­is­ter will mean that cer­ti­fied or labeled elec­tri­cal prod­ucts will be deemed to be unap­proved and non-​​compliant with the Ontario Electrical Code. Under Regulation 438, it is ille­gal to sell, dis­play or use unap­proved elec­tri­cal prod­ucts [Section 5]. Under the Industrial Establishments reg­u­la­tions (part of the Ontario Occupational Health and Safety Act), it is ille­gal to use unap­proved elec­tri­cal prod­ucts in the work­place [Section 40]. Similar require­ments are also found in the Construction Regulations (Ontario Regulation 213, Section 185).

More infor­ma­tion on the Registry can be found on the ESA web site in the Product Safety area. There are a num­ber of FAQ’s avail­able from this page as well. They include:

The reg­is­tra­tion is per man­u­fac­turer and NOT per prod­uct, so once you have reg­is­tered your com­pany you do not need to re-​​register for every product.

Recognized elec­tri­cal safety marks

ESA pro­vides a list of all of the Certification and Inspection marks that are rec­og­nized in the province. As long as your prod­uct or the prod­ucts you are sell­ing bear one of these marks, the prod­uct can be dis­played, sold or used in the Province, pre­sum­ing the man­u­fac­turer is registered.

View the list of Recognized Marks and Field Evaluation Labels.

What is a ‘seri­ous incident’?

Regulation 438 defines a seri­ous inci­dent in Section 1:

seri­ous elec­tri­cal inci­dent or acci­dent” means an elec­tri­cal inci­dent or acci­dent that,

(a) results in death or seri­ous injury to a person,

(b) has the poten­tial to cause death or a risk of seri­ous injury to a per­son, or

© causes or has the poten­tial to cause sub­stan­tial prop­erty damage.

Reporting Requirements

Once your com­pany has reg­is­tered with ESA, any seri­ous inci­dents occur­ring any­where you mar­ket your prod­ucts becomes reportable, but only for prod­ucts sold in Ontario.

Quoting from Regulation 438:

8. (1)  A man­u­fac­turer, whole­saler, importer, prod­uct dis­trib­u­tor or retailer that becomes aware of a seri­ous elec­tri­cal inci­dent or acci­dent or a defect in the design, con­struc­tion or func­tion­ing of an elec­tri­cal prod­uct or device that affects or is likely to affect the safety of any per­son or cause dam­age to prop­erty, shall report to the Authority as soon as prac­ti­ca­ble after becom­ing aware of the seri­ous elec­tri­cal inci­dent or acci­dent or defect.

(2)  A cer­ti­fi­ca­tion body or field eval­u­a­tion agency that becomes aware of a seri­ous elec­tri­cal inci­dent or acci­dent or a defect in the design, con­struc­tion or func­tion­ing of an elec­tri­cal prod­uct or device that was the sub­ject of a report given by the cer­ti­fi­ca­tion body or field eval­u­a­tion agency that affects or is likely to affect the safety of any per­son or cause dam­age to prop­erty shall report to the Authority as soon as prac­ti­ca­ble after becom­ing aware of the seri­ous elec­tri­cal inci­dent or acci­dent or defect.

There is more to Section 8 of the reg­u­la­tion than quoted. Additional sub­sec­tions include infor­ma­tion on what needs to be in the report and who needs to be involved in the inves­ti­ga­tion. If you need to make a report, check the rest of Section 8 first.

For exam­ple, say that your com­pany man­u­fac­tures a wid­get, Model 1523. Model 1523 is sold in the USA, Ontario Canada, Mexico and India. The com­pany also man­u­fac­tures a dif­fer­ent wid­get, Model 2000, sold in the USA and Mexico.

At some point, reports of elec­tri­cal shock and fires caused by Model 2000 start to come into your Product Safety depart­ment. Do you need to report this to ESA? NO — Model 2000 is not sold in Ontario, so severe inci­dents caused by that model do not require report­ing to ESA.

Model 1523 has a clean record, so no report­ing is required there. After man­u­fac­tur­ing Model 1523 for a few years, a key com­po­nent is changed for a cost reduced ver­sion from a dif­fer­ent sup­plier. Six months after the change, reports come in from Mexico and India that users have been killed by elec­tric shock received from units of Model 1523. After inves­ti­gat­ing the reports, your Product Safety depart­ment deter­mines that the faulty units used the new com­po­nent. Do you need to report this to ESA? YES — because Model 1523 is sold in Ontario.

Here’s another exam­ple. Your com­pany imports elec­tri­cal prod­ucts from a num­ber of coun­tries and sells them whole­sale to large retail­ers, some of whom have stores in Ontario. Do you need to reg­is­ter? NO — But you can­not legally sell prod­ucts from man­u­fac­tur­ers who are not reg­is­tered in Ontario.

What if the prod­ucts are imported into Ontario but are not sold to users in the Province, and are only ware­housed and whole­saled to retail­ers or other dis­trib­u­tors out­side of Ontario? Do you need to reg­is­ter? NO — But you must com­ply with the require­ments in the other juris­dic­tions where the prod­uct is sold. Check with the AHJ in each Province or Territory where your prod­ucts are sold to deter­mine the requirements.

What if I become aware of seri­ous inci­dents that are occur­ring with prod­ucts I sell in Ontario? You MUST report them to ESA, whether you make the prod­uct, import, dis­trib­ute or retail it.

What Products are Covered by the Regulations?

  • Consumer elec­tri­cal products;
  • Commercial elec­tri­cal products;
  • Electrical Medical Devices;
  • Industrial elec­tri­cal products;
  • Wiring devices and products;
  • Battery-​​operated devices used in Hazardous Locations;
  • Battery charg­ers used with bat­tery oper­ated products;
  • Hardwired and plug-​​in life safety prod­ucts like Smoke Detectors and CO Detectors;
  • Certified com­po­nents used in any of the above.

Will this become a Canadian National System?

This is not yet known. There are dis­cus­sions going on with the other Provinces and Territories, how­ever these are very pre­lim­i­nary stages. ESA has stated that they are sup­port­ive of a National Program should it be devel­oped, but at this time these require­ments exist only in Ontario.

Tax Grab?

Some peo­ple have expressed the opin­ion that this is sim­ply a way to mask a new tax, since reg­is­tra­tion fees are payable on an annual basis. In fact, a means is required to fund the reg­istry, and the fees col­lected are to be used for that pur­pose. See the Funding Model Report. Since ESA’s man­date is to pro­tect the peo­ple of Ontario from elec­tri­cal haz­ards, and since there are increas­ing num­bers of seri­ous inci­dents occur­ring where the prod­ucts turn out be be unap­proved or fraud­u­lently marked, this is a rea­son­able way for the Authority to gain con­trol over the prod­ucts enter­ing the mar­ket­place, and to hold every­one in the sup­ply chain respon­si­ble for ensur­ing that only approved prod­ucts are sold in the Province.

Since there is no new mark­ing require­ment, and since rep­utable man­u­fac­tur­ers are already cer­ti­fy­ing or label­ing their prod­ucts for sale, and fur­ther­more since the reg­is­tra­tion fee is quite small for any orga­ni­za­tion sell­ing any quan­tity of prod­uct in the Province, this is not an oner­ous require­ment. You are still free to have any SCC accred­ited body whose mark is rec­og­nized in Ontario do the cer­ti­fi­ca­tion work.

Will it work?

This is the big unknown. Canadians are known for cre­at­ing reg­istries in response to a per­ceived need to con­trol some­thing. Notable fail­ures include the National Do Not Call reg­istry was sup­posed to allow Canadians to reg­is­ter their phone num­bers with the gov­ern­ment, who was then requir­ing Canadian based tele­mar­keters to scrub those num­bers from their call­ing data­bases. Unfortunately this only pro­vided num­bers to off-​​shore tele­mar­keters who are using the DNC Registry lists as a way to get num­bers to call.

It’s unfair to group this reg­istry with the pre­vi­ous exam­ple for a num­ber of rea­sons. The imple­men­ta­tion of this reg­istry is dif­fer­ent from the pre­vi­ous exam­ple in intent and exe­cu­tion. Compliance is mon­i­tored by the entire sup­ply chain. It prob­a­bly stands a pretty good chance of work­ing. Time will tell!

Emergency Stop — What’s so confusing about that?

Posted by on March 6, 2009 1 comment
Emergency Stop on machine console
This entry is part 1 of 9 in the series Emergency Stop

I get a lot of calls and emails ask­ing about emer­gency stops. This is one of those decep­tively sim­ple con­cepts that has man­aged to get very com­pli­cated over time. Not every machine needs or can ben­e­fit from an emer­gency stop. In some cases, it may lead to an unrea­son­able expec­ta­tion of safety from the user, which can lead to injury if they don’t under­stand the haz­ards involved. Some product-​​specific stan­dards man­date the require­ment for emer­gency stop, such as CSA Z434-​​03, where robot con­trollers are required to pro­vide emer­gency stop func­tion­al­ity and work cells inte­grat­ing robots are also required to have emer­gency stop capability.

Defining Emergency Stop

Old, non-compliant, E-Stop Button

This OLD but­ton is def­i­nitely non-​​compliant.

So what is an Emergency Stop, or e-​​stop, and when do you need to have one? Let’s look at a few def­i­n­i­tions taken from CSA Z432-​​04:

Emergency sit­u­a­tion — an imme­di­ately haz­ardous sit­u­a­tion that needs to be ended or averted quickly in order to pre­vent injury or damage.

Emergency stop — a func­tion that is intended to avert harm or to reduce exist­ing haz­ards to per­sons, machin­ery, or work in progress.

Emergency stop but­ton — a red mushroom-​​headed but­ton that, when acti­vated, will imme­di­ately start the emer­gency stop sequence.

and one more:

6.2.3.5.3 Complementary pro­tec­tive mea­sures
Following the risk assess­ment, the mea­sures in this clause either shall be applied to the machine or shall be dealt with in the infor­ma­tion for use.

Protective mea­sures that are nei­ther inher­ently safe design mea­sures, nor safe­guard­ing (imple­men­ta­tion of guards and/​or pro­tec­tive devices), nor infor­ma­tion for use may have to be imple­mented as required by the intended use and the rea­son­ably fore­see­able mis­use of the machine. Such mea­sures shall include, but not be lim­ited to,

a) emer­gency stop;

b) means of res­cue of trapped per­sons; and

c) means of energy iso­la­tion and dissipation.

Modern, non-compliant e-stop button.

This more mod­ern but­ton is non-​​compliant due to the RED back­ground and spring-​​return button.

So, an e-​​stop is a sys­tem that is intended for use in Emergency con­di­tions to try to limit or avert harm to some­one or some­thing. It isn’t a safe­guard, but is con­sid­ered to be a Complementary Protective Measure. So far so, good.

Is an Emergency Stop Required?

Depending on the reg­u­la­tions and the stan­dards you choose to read, machin­ery is not required to have  an Emergency Stop. Quoting from CSA Z432-​​04:

6.2.5.2.1 Components and ele­ments to achieve the emer­gency stop func­tion
If, fol­low­ing a risk assess­ment, it is deter­mined that in order to achieve ade­quate risk reduc­tion under emer­gency cir­cum­stances a machine must be fit­ted with com­po­nents and ele­ments nec­es­sary to achieve an emer­gency stop func­tion so that actual or impend­ing emer­gency sit­u­a­tions can be con­trolled, the fol­low­ing require­ments shall apply:

a) The actu­a­tors shall be clearly iden­ti­fi­able, clearly vis­i­ble, and read­ily accessible.

b) The haz­ardous process shall be stopped as quickly as pos­si­ble with­out cre­at­ing addi­tional haz­ards.
If this is not pos­si­ble or the risk can­not be ade­quately reduced, this may indi­cate that an emer­gency stop func­tion may not be the best solu­tion (i.e., other solu­tions should be sought). (Bolding added for empha­sis — DN)

c) The emer­gency stop con­trol shall trig­ger or per­mit the trig­ger­ing of cer­tain safe­guard move­ments where necessary.

Note: For more detailed pro­vi­sions, see NFPA 79.

Download NFPA stan­dards through ANSI

This more modern button is still wrong due to the RED background.

This more mod­ern but­ton is non-​​compliant due to the RED background.

In fact, if you read Ontario’s Industrial Establishments reg­u­la­tion (Regulation 851), you will find that the only require­ment for an emer­gency stop is that it is prop­erly iden­ti­fied and located “within easy reach” of the oper­a­tor. What does “prop­erly iden­ti­fied” mean? In Canada, the USA and Internationally, a RED oper­a­tor device on a YELLOW back­ground, with or with­out any text behind it, is rec­og­nized as EMERGENCY STOP or EMERGENCY OFF, in the case of dis­con­nect­ing switches or con­trol switches. I’ve scat­tered some exam­ples of dif­fer­ent com­pli­ant and non-​​compliant e-​​stop devices through this article.

The EU Machinery Directive, 2006/​42/​EC, and Emergency Stop

Interestingly, the European Union has taken what looks like an oppos­ing view of the need for emer­gency stop sys­tems. Quoting from Annex I of the Machinery Directive:

1.2.4.3. Emergency stop
Machinery must be fit­ted with one or more emer­gency stop devices to enable actual or impend­ing dan­ger to be averted.

Notice the words “…actual or impend­ing dan­ger…” This har­mo­nizes with the def­i­n­i­tion of Complementary Protective Measures, in that they are intended to allow a user to “avert or limit harm” from a haz­ard. Clearly, the direc­tion from the European per­spec­tive is that ALL machines need to have an emer­gency stop. Or do they? The same clause goes on to say:

The fol­low­ing excep­tions apply:

  • machin­ery in which an emer­gency stop device would not lessen the risk, either because it would not reduce the stop­ping time or because it would not enable the spe­cial mea­sures required to deal with the risk to be taken,
  • portable hand-​​held and/​or hand-​​guided machinery.

From these two bul­lets it becomes clear that, just as in the Canadian and US reg­u­la­tions, machines only need emer­gency stops WHEN THEY CAN REDUCE THE RISK. This is hugely impor­tant, and often over­looked. If the risks can­not be con­trolled effec­tively with an emer­gency stop, or if the risk would be increased or new risks would be intro­duced by the action of an e-​​stop sys­tem, then it should not be included in the design.

Carrying on with the same clause:

The device must:

  • have clearly iden­ti­fi­able, clearly vis­i­ble and quickly acces­si­ble con­trol devices,
  • stop the haz­ardous process as quickly as pos­si­ble, with­out cre­at­ing addi­tional risks,
  • where nec­es­sary, trig­ger or per­mit the trig­ger­ing of cer­tain safe­guard movements.

Once again, this is con­sis­tent with the gen­eral require­ments found in the Canadian and US reg­u­la­tions. The direc­tive goes on to define the func­tion­al­ity of the sys­tem in more detail:

Once active oper­a­tion of the emer­gency stop device has ceased fol­low­ing a stop com­mand, that com­mand must be sus­tained by engage­ment of the emer­gency stop device until that engage­ment is specif­i­cally over­rid­den; it must not be pos­si­ble to engage the device with­out trig­ger­ing a stop com­mand; it must be pos­si­ble to dis­en­gage the device only by an appro­pri­ate oper­a­tion, and dis­en­gag­ing the device must not restart the machin­ery but only per­mit restarting.

The emer­gency stop func­tion must be avail­able and oper­a­tional at all times, regard­less of the oper­at­ing mode.

Emergency stop devices must be a back-​​up to other safe­guard­ing mea­sures and not a sub­sti­tute for them.

The first sen­tence of the first para­graph above is the one that requires e-​​stop devices to latch in the acti­vated posi­tion. The last part of that sen­tence is even more impor­tant: “…dis­en­gag­ing the device must not restart the machin­ery but only per­mit restart­ing.” That phrase requires that every emer­gency stop sys­tem have a sec­ond dis­crete action to reset the emer­gency stop sys­tem. Pulling out the e-​​stop but­ton and hav­ing power come back imme­di­ately is not OK. Once that but­ton has been reset, a sec­ond action, such as push­ing a “POWER ON” or “RESET” but­ton to restore con­trol power is needed. Point of Clarification: I had a ques­tion come from a reader ask­ing if com­bin­ing the e-​​stop func­tion and the reset func­tion was accept­able. It can be, but only if:

  • The risk assess­ment for the machin­ery does not indi­cate any haz­ards that might pre­clude this approach; and
  • The device is designed with the fol­low­ing characteristics:
  • The device must latch in the acti­vated position;
  • The device must have a “neu­tral” posi­tion where the machine’s emer­gency stop sys­tem can be reset, or where the machine can be enabled to run;
  • The reset posi­tion must be dis­tinct from the pre­vi­ous two posi­tions, and the device must spring-​​return to the neu­tral position.

The sec­ond sen­tence har­mo­nizes with the require­ments of the Canadian and US standards.

Finally, the last sen­tence har­mo­nizes with the idea of “Complementary Protective Measures” as described in CSA Z432.

How Many and Where?

Where? “Within easy reach”. Consider the loca­tions where you EXPECT an oper­a­tor to be. Besides the main con­trol con­sole, these could include feed hop­pers, con­sum­ables feed­ers, fin­ished goods exit points… you get the idea. Anywhere you can rea­son­ably expect an oper­a­tor to be under nor­mal cir­cum­stances is a rea­son­able place to put an e-​​stop device. “Easy Reach” I inter­pret as within the arm-​​span of an adult (pre­sum­ing the equip­ment is not intended for use by chil­dren). This trans­lates to 500–600 mm either side of the cen­ter line of most work stations.

How do you know if you need an emer­gency stop? Start with a stop/​start analy­sis. Identify all the nor­mal start­ing and stop­ping modes that you antic­i­pate on the equip­ment. Consider all of the dif­fer­ent oper­at­ing modes that you are pro­vid­ing, such as Automatic, Manual, Teach, Setting, etc. Identify all of the match­ing stop con­di­tions in the same modes, and ensure that all start func­tions have a match­ing stop function.

Do a risk assess­ment. This is a basic require­ment in most juris­dic­tions today.

As you deter­mine your risk con­trol mea­sures (fol­low­ing the hier­ar­chy of con­trols), look at what risks you might con­trol with an Emergency Stop. Remember that e-​​stops fall below safe­guards in the hier­ar­chy, so you must use a safe­guard­ing tech­nique if pos­si­ble, you can’t just default down to an emer­gency stop. IF the e-​​stop can pro­vide you with the addi­tional risk reduc­tion, then use it but first,  reduce the risks in other ways.

The Stop Function and Control Reliability Requirements

Finally, once you deter­mine the need for an emer­gency stop sys­tem, you need to con­sider the system’s func­tion­al­ity and con­trols archi­tec­ture. NFPA 79 is the ref­er­ence stan­dard for Canada, although you can find very sim­i­lar require­ments in IEC 60204–1 if you are work­ing in an inter­na­tional market.

Download NFPA stan­dards through ANSI
Download IEC stan­dards, International Electrotechnical Commission standards.

Functional Stop Categories

NFPA 79 calls out three basic cat­e­gories of stop. Note that these are NOT reli­a­bil­ity cat­e­gories, but are func­tional cat­e­gories. Reliability is not addressed in these sec­tions. Quoting from the standard:

9.2.2 Stop Functions. The three cat­e­gories of stop func­tions shall be as follows:

(1) Category 0 is an uncon­trolled stop by imme­di­ately remov­ing power to the machine actuators.

(2) Category 1 is a con­trolled stop with power to the machine actu­a­tors avail­able to achieve the stop then remove power when the stop is achieved.

(3) Category 2 is a con­trolled stop with power left avail­able to the machine actuators.

This E-Stop Button is correct.

This E-​​Stop but­ton is CORRECT. Note the Push-​​Pull-​​Twist oper­a­tor and the YELLOW background.

A bit later, the stan­dards says:

9.2.5.3 Stop.
9.2.5.3.1 Each machine shall be equipped with a Category 0 stop.

9.2.5.3.2 Category 0, Category 1, and/​or Category 2 stops shall be pro­vided where indi­cated by an analy­sis of the risk assess­ment and the func­tional require­ments of the machine. Category 0 and Category 1 stops shall be oper­a­tional regard­less of oper­at­ing modes, and Category 0 shall take pri­or­ity. Stop func­tion shall oper­ate by de-​​energizing that rel­e­vant cir­cuit and shall over­ride related start functions.

Note that 9.2.5.3.1 does NOT mean that every machine must have an e-​​stop. It sim­ply says that every machine must have a way to stop the machine that is equiv­a­lent to “pulling the plug”. The main dis­con­nect on the con­trol panel can be used for this func­tion if sized and rated appro­pri­ately. The ques­tion of HOW to effect the Category 0 stop depends on WHEN it will be used — i.e. what risks must be reduced, or what haz­ards must be con­trolled by the e-​​stop.

You’ll also note that that pesky “risk assess­ment” pops up again in 9.2.5.3.2. You just can’t get away from it…

Control Reliability

Disconnect with E-Stop Colours indicates that this device is intended to be used for EMERGENCY SWITCHING OFF.

Disconnect with E-​​Stop Colours indi­cates that this device is intended to be used for EMERGENCY SWITCHING OFF.

Once you know what func­tional cat­e­gory of stop you need, and what degree of risk reduc­tion you are expect­ing from the emer­gency stop sys­tem, you can deter­mine the degree of reli­a­bil­ity required. In Canada, CSA Z432 gives us these cat­e­gories: SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL MONITORED and CONTROL RELIABLE. These cat­e­gories are being replaced slowly by Performance Levels (PL) as defined in ISO 13849–1 2007.

The short answer is that the greater the risk reduc­tion required, the higher the degree of reli­a­bil­ity required. In many cases, a SINGLE CHANNEL or SINGLE CHANNEL MONITORED solu­tion may be accept­able, par­tic­u­larly when there are more reli­able safe­guards in place. On the other hand, you may require CONTROL RELIABLE designs if the e-​​stop is the pri­mary risk reduc­tion for some risks or spe­cific tasks.

Extra points go to any reader who noticed that the ‘elec­tri­cal haz­ard’ warn­ing label imme­di­ately above the dis­con­nect han­dle in the above photo is a) upside down, and b) using a non-​​standard light­ing flash. Cheap haz­ard warn­ing labels, like this one, are often as good as none at all. I’ll be writ­ing more on haz­ard warn­ings in future posts.

Use of Emergency Stop as part of a Lockout Procedure or HECP.

One last note: Emergency stop sys­tems (with the excep­tion of emer­gency switch­ing off devices, such as dis­con­nect switches used for e-​​stop) CANNOT be used for energy iso­la­tion in a Hazardous Energy Control Procedure (a.k.a. Lockout). Devices for this pur­pose must phys­i­cally sep­a­rate the energy source from the down-​​stream com­po­nents. See CSA Z460-​​05 for more on that subject.

Read our Article on Using E-​​Stops in HECP.

Pneumatic E-Stop Device

Pneumatic E-​​Stop/​Isolation device.

Standards Referenced in this post:

CSA Z432-​​04, Safeguarding of Machinery

NFPA 79–07, Electrical Standard for Industrial Machinery
Download NFPA stan­dards at ANSI

IEC 60204–1:09,  SAFETY OF MACHINERYELECTRICAL EQUIPMENT OF MACHINESPART 1: GENERAL REQUIREMENTS

Download IEC stan­dards, International Electrotechnical Commission standards.

ISO 13849−1−2007, Safety of machin­ery — Safety-​​related parts of con­trol sys­tems — Part 1: General prin­ci­ples for design

See also

ISO 13850:06, SAFETY OF MACHINERYEMERGENCY STOPPRINCIPLES FOR DESIGN

Download IEC stan­dards, International Electrotechnical Commission stan­dards.
Download ISO Standards

All original content on these pages is fingerprinted and certified by Digiprove
Performance Optimization WordPress Plugins by W3 EDGE