Daily Archives: September 3, 2010

Busting Emergency Stop Myths

Posted by on September 3, 2010 3 comments
Emergency Stop on machine console
This entry is part 4 of 9 in the series Emergency Stop

There are a num­ber of myths that have grown up around emer­gency stops over the years. These myths can lead to injury or death, so it’s time for a lit­tle Myth Busting here on the MS101 blog!

What does ‘emer­gency’ mean?

Consider for a moment the roots of the word ‘emer­gency’. This word comes from the word ‘emer­gent’, mean­ing a sit­u­a­tion that is devel­op­ing or emerg­ing in the moment. Emergency stop sys­tems are intended to help the user deal with poten­tially haz­ardous con­di­tions that are emerg­ing in the moment. These con­di­tions have prob­a­bly arisen because the design­ers of the machin­ery failed to con­sider all the fore­see­able uses of the equip­ment, or because some­one has cho­sen to mis­use the equip­ment in a way that was not intended by the design­ers. The key func­tion of an Emergency Stop sys­tem is to pro­vide the user with a backup to the pri­mary safe­guards. These sys­tems are referred to as “Complementary Protective Measures” and are intended to give the user a chance to “avert or limit harm” in a haz­ardous sit­u­a­tion. With that in mind, let’s look at three myths I hear about regularly.

Myth #1 – The Emergency Stop Is A Safety Device

Waterwheel and belt. Credit: Harry Matthews & http://www.old-engine.com

A Fitz Water Wheel and Belt Drive, Credit: Harry Matthews & http://​www​.old​-engine​.com

Early in the Industrial Revolution machine builders real­ized that users of their machin­ery needed a way to quickly stop a machine when some­thing went wrong. At that time, over­head line-​​shafts were dri­ven by large cen­tral power sources like water­wheels, steam engines or large elec­tric motors. Machinery was cou­pled to the cen­tral shafts with pul­leys, clutches and belts which trans­mit­ted the power to the machinery.

See pic­tures of a line-​​shaft pow­ered machine shop or click the image below.

Line Shaft in the Mt. Wilson Observatory Machine Shop

Photo: Larry Evans & www​.old​engine​.org

These cen­tral engines pow­ered an entire fac­tory, so they were much larger than an indi­vid­ual motor sized for a mod­ern machine. In addi­tion, they could not be eas­ily stopped, since stop­ping the cen­tral power source would mean stop­ping the entire fac­tory – not a wel­come choice. Emergency stop devices were born in this environment.

Learn more about Line Shafts at Harry’s Old Engines.

Due to their early use as a safety device, some have incor­rectly con­sid­ered emer­gency stop sys­tems safe­guard­ing devices. Modern stan­dards make the dif­fer­ence very clear. The eas­i­est way to under­stand the cur­rent mean­ing of the term “EMERGENCY STOP” is to begin by look­ing at the inter­na­tional stan­dards pub­lished by IEC1 and ISO2.

emer­gency stop3
emer­gency stop function

func­tion that is intended to

—   avert aris­ing, or reduce exist­ing, haz­ards to per­sons, dam­age to machin­ery or to work in progress,

—   be ini­ti­ated by a sin­gle human action

NOTE 1

Hazards, for the pur­poses of this International Standard, are those which can arise from

—   func­tional irreg­u­lar­i­ties (e.g. machin­ery mal­func­tion, unac­cept­able prop­er­ties of the mate­r­ial processed, human error),

—   nor­mal operation.

It is impor­tant to under­stand that an emer­gency stop func­tion is “ini­ti­ated by a sin­gle human action”. This means that it is not auto­matic, and there­fore can­not be con­sid­ered to be a risk con­trol mea­sure for oper­a­tors or bystanders. Emergency stop may pro­vide the abil­ity to avoid or reduce harm, by pro­vid­ing a means to stop the equip­ment once some­thing has already gone wrong. Your next actions will usu­ally be to call 911 and admin­is­ter first aid.

Safeguarding sys­tems act auto­mat­i­cally to pre­vent a per­son from becom­ing involved with the haz­ard in the first place. This is a reduc­tion in the prob­a­bil­ity of a haz­ardous sit­u­a­tion aris­ing, and may also involve a reduc­tion in the sever­ity of injury by con­trol­ling the haz­ard (i.e., slow­ing or stop­ping rotat­ing machin­ery before it can be reached.) This con­sti­tutes a risk con­trol mea­sure and can be shown to reduce the risk of injury to an exposed person.

Emergency stop is reac­tive; safe­guard­ing sys­tems are proac­tive.

In Canada, CSA defines emer­gency stop as a ‘Complementary Protective Measure’ in CSA Z432-​​046:

6.2.2.1.1
Safeguards (guards, pro­tec­tive devices) shall be used to pro­tect per­sons from the haz­ards that can­not rea­son­ably be avoided or suf­fi­ciently lim­ited by inher­ently safe design. Complementary pro­tec­tive mea­sures involv­ing addi­tional equip­ment (e.g., emer­gency stop equip­ment) may have to be taken.

6.2.3.5.3 Complementary pro­tec­tive mea­sures
Following the risk assess­ment, the mea­sures in this clause either shall be applied to the machine or shall be dealt with in the infor­ma­tion for use.
Protective mea­sures that are nei­ther inher­ently safe design mea­sures, nor safe­guard­ing (imple­men­ta­tion of guards and/​or pro­tec­tive devices), nor infor­ma­tion for use may have to be imple­mented as required by the intended use and the rea­son­ably fore­see­able mis­use of the machine. Such mea­sures shall include, but not be lim­ited to,

(a) emer­gency stop;
(b) means of res­cue of trapped per­sons; and
© means of energy iso­la­tion and dissipation.

In the USA, three stan­dards apply: ANSI B11ANSI B11.19–2003, and NFPA 79:

ANSI B11-​​2008

3.80 stop: Immediate or con­trolled ces­sa­tion of machine motion or other haz­ardous sit­u­a­tions. There are many terms used to describe the dif­fer­ent kinds of stops, includ­ing user– or supplier-​​specific terms, the oper­a­tion and func­tion of which is deter­mined by the indi­vid­ual design. Definitions of some of the more com­monly used “stop” ter­mi­nol­ogy include:

3.80.2 emer­gency stop: The stop­ping of a machine tool, man­u­ally ini­ti­ated, for emer­gency purposes;

7.6 Emergency stop

Electrical, pneu­matic and hydraulic emer­gency stops shall con­form to require­ments in the ANSI B11 machine-​​specific stan­dard or NFPA 79.
Informative Note 1: An emer­gency stop is not a safe­guard­ing device. See also, B11.19.
Informative Note 2: For addi­tional infor­ma­tion, see ISO 13850 and IEC 60204–1.

ANSI B11.19–2003

12.9 Stop and emer­gency stop devices

Stop and emer­gency stop devices are not safe­guard­ing devices. They are com­ple­men­tary to the guards, safe­guard­ing device, aware­ness bar­ri­ers, sig­nals and signs, safe­guard­ing meth­ods and safe­guard­ing pro­ce­dures in clauses 7 through 11.

Stop and emer­gency stop devices shall meet the require­ments of ANSI /​ NFPA 79.

E12.9

Emergency stop devices include but are not lim­ited to, but­tons, rope-​​pulls, and cable-​​pulls.

A safe­guard­ing device detects or pre­vents inad­ver­tent access to a haz­ard, typ­i­cally with­out overt action by the indi­vid­ual or oth­ers. Since an indi­vid­ual must actu­ate an emer­gency stop device to issue the stop com­mand, usu­ally in reac­tion to an event or haz­ardous sit­u­a­tion, it nei­ther detects nor pre­vents expo­sure to the hazard.

If an emer­gency stop device is to be inter­faced into the con­trol sys­tem, it should not reduce the level of per­for­mance of the safety func­tion (see sec­tion 6.1 and Annex C).

NFPA 79 deals with the elec­tri­cal func­tions of the emer­gency stop func­tion which is not directly rel­e­vant to this arti­cle, so that is why I haven’t quoted directly from that doc­u­ment here.

As you can clearly see, the essen­tial def­i­n­i­tions of these devices in the US and Canada match very closely, although the US does not specif­i­cally use the term ‘com­ple­men­tary pro­tec­tive measures’.

Myth #2 – Cycle Stop And Emergency Stop Are Equivalent

Emergency stop sys­tems act pri­mar­ily by remov­ing power from the prime movers in a machine, ensur­ing that power is removed and the equip­ment brought to a stand­still as quickly as pos­si­ble, regard­less of the por­tion of the oper­at­ing cycle that the machine is in. After an emer­gency stop, the machine is inop­er­a­ble until the emer­gency stop sys­tem is reset. In some cases, emer­gency stop­ping the machine may dam­age the equip­ment due to the forces involved in halt­ing the process quickly.

Cycle stop is a con­trol sys­tem com­mand func­tion that is used to bring the machine cycle to a grace­ful stop at the end of the cur­rent cycle. The machine is still fully oper­a­ble and may still be in auto­matic mode at the com­ple­tion of this stop.

Again, refer­ring to ANSI B11-​​2008:

3.80.1 con­trolled stop: The stop­ping of machine motion while retain­ing power to the machine actu­a­tors dur­ing the stop­ping process. Also referred to as Category 1 or 2 stop (see also NFPA 79: 2007, 9.2.2);

3.80.2 emer­gency stop: The stop­ping of a machine tool, man­u­ally ini­ti­ated, for emer­gency purposes;

Myth #3 – Emergency Stop Systems Can Be Used For Energy Isolation

Disconnect Switch with Lock and TagFifteen to twenty years ago it was not uncom­mon to see emer­gency stop but­tons fit­ted with lock­ing devices.  The lock­ing device allowed a per­son to pre­vent the reset­ting of the emer­gency stop device. This was done as part of a “lock­out pro­ce­dure”. Lockout is one aspect of haz­ardous energy con­trol pro­ce­dures (HECP).  HECPs rec­og­nize that live work needs to be done from time to time, and that nor­mal safe­guards may be bypassed or dis­con­nected tem­porar­ily, to allow diag­nos­tics and test­ing to be car­ried out. This process is detailed in two cur­rent stan­dards, CSA Z460 and ANSI Z244.1. Note that these lock­ing devices are still avail­able for sale, and can be used as part of an HECP to pre­vent the emer­gency stop sys­tem or other con­trols from being reset until the machine is ready for test­ing. They can­not be used to iso­late an energy source.

No cur­rent stan­dard allows for the use of con­trol devices such as push but­tons or selec­tor switches to be used as energy iso­la­tion devices.

CSA Z460-​​05 specif­i­cally pro­hibits this use in their def­i­n­i­tion of ‘energy iso­la­tion devices’:

Energy-​​isolating device — a mechan­i­cal device that phys­i­cally pre­vents the trans­mis­sion or release of energy, includ­ing but not lim­ited to the fol­low­ing: a man­u­ally oper­ated elec­tri­cal cir­cuit breaker; a dis­con­nect switch; a man­u­ally oper­ated switch by which the con­duc­tors of a cir­cuit can be dis­con­nected from all ungrounded sup­ply con­duc­tors; a line valve; a block; and other devices used to block or iso­late energy (push-​​button selec­tor switches and other control-​​type devices are not energy-​​isolating devices).4

Similar require­ments are found in ANSI Z244.15 and in ISO 138503.

Myth #4 — All Machines are Required to have an Emergency Stop

Some machine design­ers believe that all machines are required to have an emer­gency stop. This is sim­ply not true.

Emergency stop sys­tems may be use­ful where they can pro­vide a back-​​up to other safe­guard­ing sys­tems. To under­stand where to use an emer­gency stop, a start-​​stop analy­sis must be car­ried out as part of the design process. This analy­sis will help the designer develop a clear under­stand­ing of the nor­mal start and stop con­di­tions for the machine. The analy­sis also needs to include fail­ure modes for all of the stop func­tions. It is here that the emer­gency stop can be help­ful. If remov­ing power will cause the haz­ard to cease in a short time, or if the haz­ard can be quickly con­tained in some way, then emer­gency stop is a valid choice. If the haz­ard will remain for a con­sid­er­able time fol­low­ing removal of power, then emer­gency stop will have no effect and is use­less for avoid­ing or lim­it­ing harm.

For exam­ple, con­sider an oven. If the burner stop con­trol failed, and assum­ing that the only haz­ard we are con­cerned with is the hot sur­faces inside the oven, then using an emer­gency stop to turn the burn­ers off only results in the start of the nat­ural cool­ing cycle of the oven. In some cases that could take hours or days, so the emer­gency stop has no value. It might be use­ful for con­trol­ling other haz­ards, such as fire, that might be related to the same fail­ure. Without a full analy­sis of the fail­ure modes of the con­trol sys­tem, a sound deci­sion can­not be made.

Simple machines like drill presses and table saws are sel­dom fit­ted with emer­gency stop sys­tems. These machines, which can be very dan­ger­ous, could def­i­nitely ben­e­fit from hav­ing an emer­gency stop. They are some­times fit­ted with a dis­con­nect­ing device with a red and yel­low han­dle that can be used for ‘emer­gency switch­ing off’. This dif­fers from emer­gency stop because the machine, and the haz­ard, will typ­i­cally re-​​start imme­di­ately when the emer­gency switch­ing off device is turned back on. This is not per­mit­ted with emer­gency stop, where reset­ting the emer­gency stop device only per­mits the restart­ing of the machine through other con­trols. Reset of the emer­gency stop device is not per­mit­ted to reap­ply power to the machine on its own.

These require­ments are detailed in ISO 138503, CSA Z4326 and other standards.

Design Considerations

Emergency Stop is a con­trol that is often designed in with lit­tle thought and used for a vari­ety of things that it was never intended to be used to accom­plish. The three myths dis­cussed in this arti­cle are the tip of the iceberg.

Consider these ques­tions when think­ing about the design and use of emer­gency stop systems:

  1. Have all the intended uses and fore­see­able mis­uses of the equip­ment been considered?
  2. What do I expect the emer­gency stop sys­tem to do for the user of the machine? (The answer to this should be in the risk assessment.)
  3. How much risk reduc­tion am I expect­ing to achieve with the emer­gency stop?
  4. How reli­able does the emer­gency stop sys­tem need to be?
  5. Am I expect­ing the emer­gency stop to be used for other pur­poses, like ‘Power Off’, energy iso­la­tion, or reg­u­lar stop­ping of the machine? (The answer to this should be ‘NO’.)

Taking the time to assess the design require­ments before design­ing the sys­tem can help ensure that the machine con­trols are designed to pro­vide the func­tion­al­ity that the user needs, and the risk reduc­tion that is required. The answers lie in the five ques­tions above.

Have any of these myths affected you?

Got any more myths about e-​​stops you’d like to share?

I really appre­ci­ate hear­ing from my read­ers! Leave a com­ment or email it to us and we’ll con­sider adding it to this arti­cle, with credit of course!

References

5% Discount on All Standards with code: CC2011

  1. IEC – International Electrotechnical Commission. Download IEC stan­dards, International Electrotechnical Commission standards.
  2. ISO – International Organization for Standardization Download ISO Standards
  3. Safety of machin­ery — Emergency stop — Principles for design, ISO 13850, 2006, ISO, Geneva, Switzerland.
  4. Control of Hazardous Energy ­– Lockout and Other Methods, CSA Z460, 2005, Canadian Standards Association, Toronto, Canada.
    Buy CSA Standards online at CSA​.ca
  5. Safeguarding of Machinery, CSA Z432-​​04, Canadian Standards Association, Toronto, Canada.
  6. Control of Hazardous Energy – Lockout/​Tagout and Alternative Methods, ANSI/​ASSE Z244.1, 2003, American National Standards Institute /​ American Society of Safety Engineers, Des Plaines, IL, USA.
    Download ANSI standards
  7. American National Standard for Machine Tools – Performance Criteria for Safeguarding, ANSI B11.19–2003, American National Standards Institute, Des Plaines, ILUSA.
  8. General Safety Requirements Common to ANSI B11 Machines, ANSI B11-​​2008, American National Standards Institute, Des Plaines, ILUSA.
  9. Electrical Standard for Industrial Machinery, NFPA 79–2007, NFPA, 1 Batterymarch Park, Quincy, MA 02169–7471, USA.
    Buy NFPA Standards online.

5% Discount on All Standards with code: CC2011

Copyright secured by Digiprove © 2011
Acknowledgements: See cita­tions in the article.
Some Rights Reserved

Guarding Emergency Stop Devices

Posted by on September 3, 2010 6 comments
This entry is part 3 of 9 in the series Emergency Stop

A lot of con­fu­sion exists when it comes to Emergency Stop sys­tems, and clients often ask me if it is ‘OK’ to guard emer­gency stop devices like e-​​stop but­tons, foot ped­als, pull-​​cords, etc. Without get­ting into a ton of reg­u­la­tory details, this arti­cle will look at the require­ments in for emer­gency stop devices in three key juris­dic­tions: Canada, the USA and the European Union.

If you need infor­ma­tion on the func­tional aspects of emer­gency stop sys­tems, see “Emergency Stop — What’s so con­fus­ing about that?

Why Guard an Emergency Stop?

Generally, emer­gency stop devices, or e-​​stop devices as they’re often called, need to be pro­tected from unin­ten­tional use. This prob­lem occurs because e-​​stop devices have to be located close to where peo­ple work in order to be use­ful. An e-​​stop you can’t reach when you need it may as well not be there in the first place. So emer­gency stops are located at ‘nor­mal oper­a­tor sta­tions’. This often means they are located under the edge of a machine table, or on an oper­a­tor con­trol bar like that used on power presses, putting the e-​​stop within reach, but also in the ‘line-​​of-​​fire’ when it comes to the operator’s nor­mal movements.

To pre­vent unin­tended oper­a­tion, peo­ple often want to put rings, col­lars, or worse — cov­ers — on or around the e-​​stop device to keep peo­ple from bump­ing the device. Some of these can be done and should be done, and oth­ers are never per­mit­ted for good reason.

Regulatory Requirements

Let’s take a look at the key require­ments from the reg­u­la­tions world wide:

  1. Emergency Stop devices must be clearly iden­ti­fied. The tech­ni­cal stan­dards require that emer­gency stop devices be coloured RED with a YELLOW background.
  2. They must be located within easy reach of the oper­a­tor. This applies to all nor­mal work­sta­tions where oper­a­tors inter­act with the machine. For main­te­nance and ser­vice activ­i­ties where work­ers may be in loca­tions other than nor­mal work­sta­tions, a pen­dant or other portable con­trol must be used to cause machine motion. This device must include an emer­gency stop con­trol along with other com­ple­men­tary safe­guard­ing devices such as enabling devices and hold-​​to-​​run con­trols. Where access is only allowed under lock­out con­di­tions, this is not required.
  3. Buttons must be palm or mushroom-​​shaped devices.
  4. Devices must require man­ual reset­ting. This means that the device must latch in the oper­ated posi­tion and require a delib­er­ate action to reset the device. This includes actions such as: pulling put a pressed but­ton, twist­ing a but­ton to release the latched con­di­tion, press­ing a reset but­ton on a pull-​​cord to reset the tripped con­di­tion, etc.
  5. Unguarded. This means that easy access to the device may not be impeded, con­sid­er­ing the per­sonal pro­tec­tive equip­ment (PPE) that work­ers are required to wear. Devices that would be con­sid­ered to be guards would include:
  • Close fit­ting rings or col­lars that require a worker to insert a fin­ger inside the ring or col­lar to reach the device and acti­vate it,
  • cov­ers that close over the device to pre­vent access,
  • lock­ing device that pre­vent access to the device, etc.

So, con­sid­er­ing point 5 above, isn’t this the end of the dis­cus­sion? Not at all! There are a few fac­tors to con­sider first.

An impor­tant con­sid­er­a­tion is the poten­tial for acci­den­tal oper­a­tion. Depending on the machine or process, acci­den­tal oper­a­tion of emer­gency stop devices may result in sig­nif­i­cant lost pro­duc­tion and/​or dam­age to equip­ment. In cases like this, it is rea­son­able to pro­tect the device from acci­den­tal oper­a­tion as long as the mea­sures taken to pro­tect the device do not impede the oper­a­tion of the device in emer­gency conditions.

ISO 13850 2006 sup­ports this idea in Clause 4.4 Emergency stop device:

4.4.2 An emer­gency stop device shall be located at each oper­a­tor con­trol sta­tion, except where the risk assess­ment indi­cates that this is not nec­es­sary, as well as at other loca­tions, as deter­mined by the risk assess­ment. It shall be posi­tioned such that it is read­ily acces­si­ble and capa­ble of non-​​hazardous actu­a­tion by the oper­a­tor and oth­ers who could need to actu­ate it. Measures against inad­ver­tent actu­a­tion should not impair its acces­si­bil­ity. (Author’s Note: Bold text added for emphasis.)

Summing Up

The key dif­fer­ence between North American think­ing and International/​EU think­ing is in the term “unguarded” as used in the North American stan­dards, ver­sus ISO 13850, § 4.2.2, where the designer is reminded, “Measures against inad­ver­tent actu­a­tion should not impair its accessibility.”

In my opin­ion it is rea­son­able to pro­tect an emer­gency stop device from inad­ver­tent oper­a­tion by plac­ing a ring or other sim­i­lar struc­ture around an emer­gency stop device as long as the struc­ture does not impair easy access to the device by the operator.

I know this opin­ion appears ini­tially to go against the estab­lished North American stan­dards, how­ever it can be log­i­cally argued, based on the def­i­n­i­tion of the word “guard”.

A guard is a device that pre­vents access to some­thing, usu­ally a haz­ard. Considering that we are talk­ing about a con­trol that is designed to reduce or limit harm, any struc­ture that does not pre­vent access to the emer­gency stop device asso­ci­ated with the struc­ture should be con­sid­ered to be acceptable.

That said, devices like:

  • hinged cov­ers;
  • doors;
  • lock­ing devices;
  • nar­row col­lars; and
  • any other device or structure

that unduly lim­its access to the emer­gency stop device can­not be con­sid­ered acceptable.

Effects of PPE

The phrase ‘unduly lim­its access’ has spe­cific mean­ing here. If work­ers are expected to be wear­ing PPE on the body part used to acti­vate the emer­gency stop device, such as gloves or boots for exam­ple, then the struc­ture placed around the emer­gency stop device must take the added dimen­sions of the PPE and the reduc­tion in tac­tile capa­bil­ity that may occur (e.g. heavy work gloves make it hard to feel things eas­ily), and must com­pen­sate for the effects of the PPE. Big gloves/​boots = Big open­ing in the structure.

Lighting and pro­tec­tive eye­wear can also play a part. You may need to use reflec­tive or lumi­nes­cent paint to high­light the loca­tion of the device in low light envi­ron­ments or where very dark eye­wear is required, like that needed by welders or used by work­ers around some infrared lasers with open beam paths.

Effects of State-​​of-​​Mind

It’s also impor­tant to con­sider the likely state-​​of-​​mind of a worker need­ing to use an emer­gency stop device. They are either urgently try­ing to stop the machine because,

  1. another safe­guard has failed an some­one is involved with a haz­ard, includ­ing them­selves, or
  2. the machine is dam­ag­ing itself or the prod­uct and they need to limit the damage.

Both sce­nar­ios have a high level of urgency attached to them. The human mind tends to miss obvi­ous things includ­ing train­ing, when placed under high lev­els of stress. Structures placed around emer­gency stop devices, such as cov­ers, that com­pletely block access, even though they may be eas­ily opened, may be enough to pre­vent access in an emergency.

The answer you’ve all been wait­ing for!

So in the end, can you put a struc­ture around an emer­gency stop to reduce inad­ver­tent oper­a­tion of the device:

YES!

Just make sure that you con­sider all the fac­tors that may affect it’s use, doc­u­ment your analy­sis, and don’t unduly restrict access to the device.

Need more help? Feel free to email me!

References

IEC – International Electrotechnical Commission

ISO – International Organization for Standardization

Safety of machin­ery — Emergency stop — Principles for design, ISO 13850, 2006, ISO, Geneva, Switzerland.

Control of Hazardous Energy ­– Lockout and Other Methods, CSA Z460, 2005, Canadian Standards Association, Toronto, Canada.

Control of Hazardous Energy – Lockout/​Tagout and Alternative Methods, ANSI ASSE Z244.1, 2003, American National Standards Institute /​ American Society of Safety Engineers, Des Plaines, ILUSA.

All original content on these pages is fingerprinted and certified by Digiprove
Performance Optimization WordPress Plugins by W3 EDGE