Emergency Stop – What’s so confusing about that?

Emergency Stop on machine console
This entry is part 1 of 11 in the series Emergency Stop

I get a lot of calls and emails asking about emergency stops. This is one of those deceptively simple concepts that has managed to get very complicated over time. Not every machine needs or can benefit from an emergency stop. In some cases, it may lead to an unreasonable expectation of safety from the user, which can lead to injury if they don’t understand the hazards involved. Some product-specific standards mandate the requirement for emergency stop, such as CSA Z434-03, where robot controllers are required to provide emergency stop functionality and work cells integrating robots are also required to have emergency stop capability.

Defining Emergency Stop

Old, non-compliant, E-Stop Button
This OLD button is definitely non-compliant.

So what is an Emergency Stop, or e-stop, and when do you need to have one? Let’s look at a few definitions taken from CSA Z432-04:

Emergency situation — an immediately hazardous situation that needs to be ended or averted quickly in order to prevent injury or damage.

Emergency stop — a function that is intended to avert harm or to reduce existing hazards to persons, machinery, or work in progress.

Emergency stop button — a red mushroom-headed button that, when activated, will immediately start the emergency stop sequence.

and one more: Complementary protective measures
Following the risk assessment, the measures in this clause either shall be applied to the machine or shall be dealt with in the information for use.

Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but not be limited to,

a) emergency stop;

b) means of rescue of trapped persons; and

c) means of energy isolation and dissipation.

Modern, non-compliant e-stop button.
This more modern button is non-compliant due to the RED background and spring-return button.

So, an e-stop is a system that is intended for use in Emergency conditions to try to limit or avert harm to someone or something. It isn’t a safeguard, but is considered to be a Complementary Protective Measure. In terms of the Hierarchy of Controls, emergency stop systems fall into the same level as Personal Protective Equipment like safety glasses, safety boots and hearing protection. So far so good.

Is an Emergency Stop Required?

Depending on the regulations and the standards you choose to read, machinery may not be required to have an Emergency Stop. Quoting from CSA Z432-04: Components and elements to achieve the emergency stop function
If, following a risk assessment, it is determined that in order to achieve adequate risk reduction under emergency circumstances a machine must be fitted with components and elements necessary to achieve an emergency stop function so that actual or impending emergency situations can be controlled, the following requirements shall apply:

a) The actuators shall be clearly identifiable, clearly visible, and readily accessible.

b) The hazardous process shall be stopped as quickly as possible without creating additional hazards.
If this is not possible or the risk cannot be adequately reduced, this may indicate that an emergency stop function may not be the best solution (i.e., other solutions should be sought). (Bolding added for emphasis – DN)

c) The emergency stop control shall trigger or permit the triggering of certain safeguard movements where necessary.

Later in CSA Z432-04 we find clause

Each operator control station, including pendants, capable of initiating machine motion shall have a manually initiated emergency stop device.

To my knowledge, this is the only general level machinery standard that makes this requirement. Product family standards often make specific requirements, based on the opinion of the Technical Committee responsible for the standard and their knowledge of the specific type of machinery covered by their document.

Note: For more detailed provisions on the electrical design requirements, see NFPA 79 or IEC 60204-1.

This more modern button is still wrong due to the RED background.
This more modern button is non-compliant due to the RED background.

If you read Ontario’s Industrial Establishments regulation (Regulation 851), you will find that the only requirement for an emergency stop is that it is properly identified and located “within easy reach” of the operator. What does “properly identified” mean? In Canada, the USA and Internationally, a RED operator device on a YELLOW background, with or without any text behind it, is recognized as EMERGENCY STOP or EMERGENCY OFF, in the case of disconnecting switches or control switches. I’ve scattered some examples of different compliant and non-compliant e-stop devices through this article.

The EU Machinery Directive, 2006/42/EC, and Emergency Stop

Interestingly, the European Union has taken what looks like an opposing view of the need for emergency stop systems. Quoting from Annex I of the Machinery Directive: Emergency stop
Machinery must be fitted with one or more emergency stop devices to enable actual or impending danger to be averted.

Notice the words “…actual or impending danger…” This harmonizes with the definition of Complementary Protective Measures, in that they are intended to allow a user to “avert or limit harm” from a hazard. Clearly, the direction from the European perspective is that ALL machines need to have an emergency stop. Or do they? The same clause goes on to say:

The following exceptions apply:

  • machinery in which an emergency stop device would not lessen the risk, either because it would not reduce the stopping time or because it would not enable the special measures required to deal with the risk to be taken,
  • portable hand-held and/or hand-guided machinery.

From these two bullets it becomes clear that, just as in the Canadian and US regulations, machines only need emergency stops WHEN THEY CAN REDUCE THE RISK. This is hugely important, and often overlooked. If the risks cannot be controlled effectively with an emergency stop, or if the risk would be increased or new risks would be introduced by the action of an e-stop system, then it should not be included in the design.

Carrying on with the same clause:

The device must:

  • have clearly identifiable, clearly visible and quickly accessible control devices,
  • stop the hazardous process as quickly as possible, without creating additional risks,
  • where necessary, trigger or permit the triggering of certain safeguard movements.

Once again, this is consistent with the general requirements found in the Canadian and US regulations. The directive goes on to define the functionality of the system in more detail:

Once active operation of the emergency stop device has ceased following a stop command, that command must be sustained by engagement of the emergency stop device until that engagement is specifically overridden; it must not be possible to engage the device without triggering a stop command; it must be possible to disengage the device only by an appropriate operation, and disengaging the device must not restart the machinery but only permit restarting.

The emergency stop function must be available and operational at all times, regardless of the operating mode.

Emergency stop devices must be a back-up to other safeguarding measures and not a substitute for them.

The first sentence of the first paragraph above is the one that requires e-stop devices to latch in the activated position. The last part of that sentence is even more important: “…disengaging the device must not restart the machinery but only permit restarting.” That phrase requires that every emergency stop system have a second discrete action to reset the emergency stop system. Pulling out the e-stop button and having power come back immediately is not OK. Once that button has been reset, a second action, such as pushing a “POWER ON” or “RESET” button to restore control power is needed.

Point of Clarification: I had a question come from a reader asking if combining the e-stop function and the reset function was acceptable. It can be, but only if:

  • The risk assessment for the machinery does not indicate any hazards that might preclude this approach; and
  • The device is designed with the following characteristics:
      • The device must latch in the activated position;
      • The device must have a “neutral” position where the machine’s emergency stop system can be reset, or where the machine can be enabled to run;
      • The reset position must be distinct from the previous two positions, and the device must spring-return to the neutral position.

The second sentence harmonizes with the requirements of the Canadian and US standards.

Finally, the last sentence harmonizes with the idea of “Complementary Protective Measures” as described in CSA Z432.
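
The latch, reset and restart behaviour discussed above, as an added simulation model that is not part of the original article or of any standard. The class names, the device names and the two counter-example circuits are constructed for illustration, and the model assumes a stop that removes control power immediately.

```python
# Illustrative simulation model (constructed); not safety-rated control code.
MODES = ("AUTOMATIC", "MANUAL", "TEACH", "SETTING")  # modes the article lists


class LatchingEStop:
    """Latching devices, a separate reset, then a start command."""

    def __init__(self, devices, mode="AUTOMATIC"):
        self.engaged = {d: False for d in devices}  # latch state per device
        self.mode = mode
        self.control_power = False
        self.running = False

    def press(self, device):
        # Engaging any device issues the stop command, whatever the mode.
        self.engaged[device] = True
        self.control_power = False
        self.running = False

    def release(self, device):
        # Disengaging only permits restarting; nothing is re-energised here.
        self.engaged[device] = False

    def reset(self):
        # Second discrete action; refused while any device is still latched.
        if any(self.engaged.values()):
            return False
        self.control_power = True
        return True

    def start(self):
        # A start command is honoured only once control power is restored.
        if self.control_power:
            self.running = True
        return self.running


class AutoRestartEStop(LatchingEStop):
    """Constructed counter-example: pulling the button out restores power."""

    def release(self, device):
        super().release(device)
        if not any(self.engaged.values()):
            self.control_power = True
            self.running = True


class ModeBypassEStop(LatchingEStop):
    """Constructed counter-example: the e-stop is ignored in SETTING mode."""

    def press(self, device):
        if self.mode != "SETTING":
            super().press(device)


def check(circuit_cls):
    """Drive one stop/release/reset/start cycle per mode; list violations."""
    found = set()
    for mode in MODES:
        c = circuit_cls(["console", "feed_hopper"], mode)
        c.reset()
        c.start()
        c.press("console")
        c.press("feed_hopper")
        if c.running or c.start():
            found.add(f"stop command not issued or not sustained in {mode}")
            continue  # later checks assume the machine actually stopped
        c.release("console")
        if c.reset():
            found.add("reset accepted while a device is still engaged")
        c.release("feed_hopper")
        if c.running or c.control_power:
            found.add("disengaging the device restarted the machinery")
        if not c.reset():
            found.add("reset refused after all devices were released")
        if not c.start():
            found.add("machine cannot be restarted after reset")
    return sorted(found)
```

Calling `check()` on each class returns an empty list for the latching design and one named violation for each counter-example.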

How Many and Where?

Where? “Within easy reach”. Consider the locations where you EXPECT an operator to be. Besides the main control console, these could include feed hoppers, consumables feeders, finished goods exit points… you get the idea. Anywhere you can reasonably expect an operator to be under normal circumstances is a reasonable place to put an e-stop device. “Easy Reach” I interpret as within the arm-span of an adult (presuming the equipment is not intended for use by children). This translates to 500-600 mm either side of the center line of most work stations.

How do you know if you need an emergency stop? Start with a stop/start analysis. Identify all the normal starting and stopping modes that you anticipate on the equipment. Consider all of the different operating modes that you are providing, such as Automatic, Manual, Teach, Setting, etc. Identify all of the matching stop conditions in the same modes, and ensure that all start functions have a matching stop function.

Do a risk assessment. This is a basic requirement in most jurisdictions today.

As you determine your risk control measures (following the hierarchy of controls), look at what risks you might control with an Emergency Stop. Remember that e-stops fall below safeguards in the hierarchy, so you must use a safeguarding technique if possible; you can’t just default down to an emergency stop. IF the e-stop can provide you with the additional risk reduction, then use it, but first reduce the risks in other ways.

The Stop Function and Control Reliability Requirements

Finally, once you determine the need for an emergency stop system, you need to consider the system’s functionality and controls architecture. NFPA 79 is the reference standard for Canada and the USA, and you can find very similar requirements in IEC 60204-1 if you are working in an international market. EN 60204-1 applies in the EU market for industrial machines.

Functional Stop Categories

NFPA 79 calls out three basic categories of stop. Note that these are NOT reliability categories, but are functional categories. Reliability is not addressed in these sections. Quoting from the standard:

9.2.2 Stop Functions. The three categories of stop functions shall be as follows:

(1) Category 0 is an uncontrolled stop by immediately removing power to the machine actuators.

(2) Category 1 is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.

(3) Category 2 is a controlled stop with power left available to the machine actuators.

This E-Stop Button is correct.
This E-Stop button is CORRECT. Note the Push-Pull-Twist operator and the YELLOW background.

A bit later, the standard says: Stop. Each machine shall be equipped with a Category 0 stop. Category 0, Category 1, and/or Category 2 stops shall be provided where indicated by an analysis of the risk assessment and the functional requirements of the machine. Category 0 and Category 1 stops shall be operational regardless of operating modes, and Category 0 shall take priority. Stop function shall operate by de-energizing that relevant circuit and shall override related start functions.

Note that this does NOT mean that every machine must have an e-stop. It simply says that every machine must have a way to stop the machine that is equivalent to “pulling the plug”. The main disconnect on the control panel can be used for this function if sized and rated appropriately. For cord-connected equipment, the plug and socket used to provide power to the equipment can also serve this function. The question of HOW to effect the Category 0 stop depends on WHEN it will be used, i.e., is it being used for a safety-related function? What risks must be reduced, or what hazards must be controlled by the stop function?

You’ll also note that that pesky “risk assessment” pops up again in You just can’t get away from it…

Control Reliability

Disconnect with E-Stop Colours indicates that this device is intended to be used for EMERGENCY SWITCHING OFF.

Once you know what functional category of stop you need, and what degree of risk reduction you are expecting from the emergency stop system, you can determine the degree of reliability required. In Canada, CSA Z432 gives us these categories: SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL MONITORED and CONTROL RELIABLE. These categories are being replaced slowly by Performance Levels (PL) as defined in ISO 13849-1 2007.

The short answer is that the greater the risk reduction required, the higher the degree of reliability required. In many cases, a SINGLE CHANNEL or SINGLE CHANNEL MONITORED solution may be acceptable, particularly when there are more reliable safeguards in place. On the other hand, you may require CONTROL RELIABLE designs if the e-stop is the primary risk reduction for some risks or specific tasks.

To add to the confusion, ISO 13849-1 appears to exclude complementary protective measures from its scope in Table 8 — Some International Standards applicable to typical machine safety functions and certain of their characteristics. At the very bottom of this table, Complementary Protective Measures are listed, but they appear to be excluded from the standard. I can say that there is nothing wrong with applying the techniques in ISO 13849-1 to the reliability analysis of a complementary protective measure that uses the control system, so do this if it makes sense in your application.

ISO 13849-1:2006 Table 8

Extra points go to any reader who noticed that the ‘electrical hazard’ warning label immediately above the disconnect handle in the above photo is a) upside down, and b) using a non-standard lightning flash. Cheap hazard warning labels, like this one, are often as good as none at all. I’ll be writing more on hazard warnings in future posts.

Use of Emergency Stop as part of a Lockout Procedure or HECP.

One last note: Emergency stop systems (with the exception of emergency switching off devices, such as disconnect switches used for e-stop) CANNOT be used for energy isolation in a Hazardous Energy Control Procedure (a.k.a. Lockout). Devices for this purpose must physically separate the energy source from the down-stream components. See CSA Z460 for more on that subject.

Read our Article on Using E-Stops in HECP.

Pneumatic E-Stop Device
Pneumatic E-Stop/Isolation device.

Standards Referenced in this post:

CSA Z432-04, Safeguarding of Machinery

NFPA 79-07, Electrical Standard for Industrial Machinery

ISO 13849-1-2006, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design


Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog.

Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity.

  • Herman Tesseur

    Hello Mister Nix,

    In CSA Z432-04 we find clause
    Each operator control station, including pendants, capable of initiating machine motion shall have a manually initiated emergency stop device.
    Can we find the same rule somewhere in the EU regulation?

    • Herman,

      1) That version of the standard is withdrawn and has been replaced by CSA Z432-16.
      2) Have a look at EN 60204-1, 9.2.4,, and 10.7.1. This standard is harmonised under both the Machinery Directive 2006/42/EC and the Low Voltage Directive, 2014/35/EU.

  • Kaleemullah Memon

    Hello. I have one question regarding the emergency stop push buttons for the machines. Can we use a Normal Open Contact push button with lead break detection in the circuit? Is there any reference standard which permits use of an NO contact e-stop button with lead break detection?

    • None of the standards make explicit requirements for the contact functionality for any estop device, including buttons, however, ISO 13849-1 requires that all categories of architecture except Category B use “well-tried safety principles” which include opening a circuit in order to turn something off. The lists covering the requirements for well-tried safety principles can be found in ISO 13849-2, Annexes A-D, Tables A.2, B.2, C.2 and D.2.

      Based on this, use of a normally open contact for initiation of emergency stop would not meet the criteria for any architecture Category except B. Since ISO 13850 requires that emergency stop systems provide at least ISO 13849-1 PLc, and since PLc requires Category 1, 2 or 3 architecture, the use of a normally open contact would not be acceptable.

  • Adam Johnson

    Hello Mr. Nix. Can you tell me if the EU directive shows any requirements for E-Stop devices on Engine Driven machines such as Pressure Washers? I know on most industrial electric industrial equipment it is required but I am having a hard time believing that it may be required for an engine driven pressure washer. The pressure washer uses a key switch to start the engine and enables other devices to operate. When the key switch is off it disables the entire system.

    • Adam, great question!

      To understand the requirements, the first stop is the Machinery Directive, 2006/42/EC, Annex I. In Annex I, you will find clause Emergency stop:

      Machinery must be fitted with one or more emergency stop devices to enable actual or impending danger to be averted.

      The following exceptions apply:
      — machinery in which an emergency stop device would not lessen the risk, either because it would not reduce the stopping time or because it would not enable the special measures required to deal with the risk to be taken,
      — portable hand-held and/or hand-guided machinery.

      The device must:
      — have clearly identifiable, clearly visible and quickly accessible control devices,
      — stop the hazardous process as quickly as possible, without creating additional risks,
      — where necessary, trigger or permit the triggering of certain safeguard movements.

      Since a pressure washer is covered by the second bullet in the third paragraph, “portable hand-held and/or hand-guided machinery”, there is no requirement for an e-stop system on any hand-guided pressure washing system, regardless of energy source.

  • Pedro F Fernández

    Hello Mr. Nix,

    Is it legally possible to install an emergency stop push button in a machine for a different purpose than emergency stopping it? Obviously, without the ‘emergency stop’ marking.

    Thank you.

    • I’m confused as to why you would want to do what you are suggesting, and here’s why: There is a fundamental functional difference between the way an emergency stop function works, and how a normal stop function works. Let me explain a bit more.

      In a normal stopping condition, there is no urgency as to how quickly the stop occurs. The stop may have constraints placed on it for repeatability, i.e., you always want a power press ram to stop at top-dead-centre in normal operation, but with regard to the stopping time involved, normally the time it takes is the time it takes. Also, you don’t want to inadvertently damage the machinery by forcing an unduly quick stop. Power remains on the system and no recovery mode is required because the machine has never gone outside the normal control envelope. Normal stopping is usually done via the process PLC or controller, and no functional safety requirements apply because normal stopping is not usually considered to be a safety function. There are exceptions of course, like the service brake on mobile machinery which is both a normal process function and a safety function.

      In an emergency stopping condition, the primary goal is to bring the machinery to a stop as quickly as possible, and damaging the machinery to do this is permitted. To do this the function may include high-friction mechanical braking systems, and may use the maximum available deceleration possible with variable frequency drives, servo or stepper systems. Complete removal of power at the end of the stopping cycle is the final step. The machine will normally need some kind of recovery mode because the system may be partially or completely out of control during the emergency stopping time. In fact, this may be WHY an emergency stop was invoked. Emergency stop is classified as a Complementary Protective Measure (see ISO 12100:2010), and is always considered to be a safety function. ISO 13850 requires PLc / SIL1 as a minimum performance level for emergency stopping functions.

      As you can see, the two functions are completely different. From a legality standpoint, to my knowledge there are no laws or regulations in any jurisdiction that regulate which type of stop function you choose – that is strictly a design decision. Once taken, that decision then drives the rest of the requirements regarding the details of the way the function is realized.

      • Pedro F Fernández

        Hello, Mr Nix.

        Thank you for your extensive answer. It must be I didn’t explain my question very well. I meant if I could install an emergency stop button, which for example has a particular mechanism for rearming it, for any other purpose than emergency stopping or stopping a machine at all. I was just wondering, if an engineer or technician thinks of a function for which the hardware of an emergency button is just right, whether it would be acceptable or not to use it for it.

        • If you are wondering if you can use an e-stop device, like a latching pushbutton for example, for other purposes, the answer is technically YES, and practically NO. The relevant standards (IEC 60204-1, ISO 13850, NFPA 79, CSA C22.2 #301, etc.) limit the use of the colour RED for emergency stop device actuators – that is, the head of the pushbutton. Also, mushroom head operators on pushbuttons are normally only used for e-stop devices. To my knowledge, none of the component manufacturers make latching pushbuttons with anything other than a red, mushroom head operator. So, based on that I cannot see how you could use a device intended for e-stop in anything other than an e-stop system without violating the requirements of one or more standards. IF you can find a latching pushbutton with a BLACK, WHITE, GRAY, or BLUE operator device, you could certainly use it for other purposes, consistent with the coding requirements given in the standards.

          • Pedro F Fernández

            Ok, that was exactly what I was looking for. Thank you.

          • 🙂 Glad I could help!

  • Enrique Jimenez

    Is it possible to connect several emergency stops for different motors located in the same area, connect them to a junction box, wire a multicore cable towards the substation to another junction box, and then segregate towards the MCC drive for each of the motors? or is it mandatory a single cable for each of the emergency stops. Motors are not related to each other.

    • Enrique,

      From a purely functional perspective, this would work, however, you are creating a single point of failure for multiple emergency stop systems (I’m assuming that each e-stop affects different machinery).

      If you read ISO 13850, you will find that the minimum Performance Level is ISO 13849-1 PLc. PLc can be achieved using Category 1, 2 or 3 architecture. If you do this using Category 1 or 2, no channel separation is possible, since these are both single-channel architectures. If you use Category 3, then channel separation is one of the basic Common Cause Failure mitigation methods, so grouping the channels in a single cable would eliminate the possibility of separating the channels.

      So the short answer is: It depends on the architecture of the control system, but no matter what, it creates a single point of failure for all the systems grouped in that cable.

  • Mark Dalton

    Hi all, just wanted to query: is it possible to put a clear plastic cover over an E-stop for accidental activations? This cover would just be a lift panel with the e-stop as normal under it.

  • Jonathan Siglos

    Educational information posted about emergency stop (e-stop) is very interesting; keep up your good work. By the way, I understand most of the new generations of engines, machinery and equipment are manufactured with built-in safety and protection devices. In any case, when they are in operation, any problems may arise, such as pressure, temperature and mechanical problems; it will give an alarm, and if not rectified, the system will subsequently stop it to avert further damage. Please bear with me, it's only my own opinion.
