Busting Emergency Stop Myths

Posted by Doug Nix on September 3, 2010

Hello there! If you are new here, you might want to subscribe to the RSS feed for updates on this topic.

This entry is part 4 of 9 in the series Emergency Stop

There are a number of myths that have grown up around emergency stops over the years. These myths can lead to injury or death, so it’s time for a little Myth Busting here on the MS101 blog!

What does ‘emergency’ mean?

Consider for a moment the roots of the word ‘emergency’. This word comes from the word ‘emergent’, meaning a situation that is developing or emerging in the moment. Emergency stop systems are intended to help the user deal with potentially hazardous conditions that are emerging in the moment. These conditions have probably arisen because the designers of the machinery failed to consider all the foreseeable uses of the equipment, or because someone has chosen to misuse the equipment in a way that was not intended by the designers. The key function of an Emergency Stop system is to provide the user with a backup to the primary safeguards. These systems are referred to as “Complementary Protective Measures” and are intended to give the user a chance to “avert or limit harm” in a hazardous situation. With that in mind, let’s look at three myths I hear about regularly.

Myth #1 – The Emergency Stop Is A Safety Device

Waterwheel and belt. Credit: Harry Matthews & http://www.old-engine.com

A Fitz Water Wheel and Belt Drive, Credit: Harry Matthews & http://www.old-engine.com

Early in the Industrial Revolution machine builders realized that users of their machinery needed a way to quickly stop a machine when something went wrong. At that time, overhead line-shafts were driven by large central power sources like waterwheels, steam engines or large electric motors. Machinery was coupled to the central shafts with pulleys, clutches and belts which transmitted the power to the machinery.

See pictures of a line-shaft powered machine shop or click the image below.

Line Shaft in the Mt. Wilson Observatory Machine Shop

Photo: Larry Evans & www.oldengine.org

These central engines powered an entire factory, so they were much larger than an individual motor sized for a modern machine. In addition, they could not be easily stopped, since stopping the central power source would mean stopping the entire factory – not a welcome choice. Emergency stop devices were born in this environment.

Learn more about Line Shafts at Harry’s Old Engines.

Due to their early use as a safety device, some have incorrectly considered emergency stop systems safeguarding devices. Modern standards make the difference very clear. The easiest way to understand the current meaning of the term “EMERGENCY STOP” is to begin by looking at the international standards published by IEC¹ and ISO².

emergency stop³
emergency stop function
function that is intended to
—   avert arising, or reduce existing, hazards to persons, damage to machinery or to work in progress,
—   be initiated by a single human action

NOTE 1
Hazards, for the purposes of this International Standard, are those which can arise from
—   functional irregularities (e.g. machinery malfunction, unacceptable properties of the material processed, human error),
—   normal operation.

It is important to understand that an emergency stop function is “initiated by a single human action”. This means that it is not automatic, and therefore cannot be considered to be a risk control measure for operators or bystanders. Emergency stop may provide the ability to avoid or reduce harm, by providing a means to stop the equipment once something has already gone wrong. Your next actions will usually be to call 911 and administer first aid.

Safeguarding systems act automatically to prevent a person from becoming involved with the hazard in the first place. This is a reduction in the probability of a hazardous situation arising, and may also involve a reduction in the severity of injury by controlling the hazard (i.e., slowing or stopping rotating machinery before it can be reached.) This constitutes a risk control measure and can be shown to reduce the risk of injury to an exposed person.

Emergency stop is reactive; safeguarding systems are proactive.

In Canada, CSA defines emergency stop as a ‘Complementary Protective Measure’ in CSA Z432-04⁶:

6.2.2.1.1
Safeguards (guards, protective devices) shall be used to protect persons from the hazards that cannot reasonably be avoided or sufficiently limited by inherently safe design. Complementary protective measures involving additional equipment (e.g., emergency stop equipment) may have to be taken.

6.2.3.5.3 Complementary protective measures
Following the risk assessment, the measures in this clause either shall be applied to the machine or shall be dealt with in the information for use.
Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but not be limited to,
(a) emergency stop;
(b) means of rescue of trapped persons; and
© means of energy isolation and dissipation.

In the USA, three standards apply: ANSI B11, ANSI B11.19–2003, and NFPA 79:

ANSI B11-2008
3.80 stop: Immediate or controlled cessation of machine motion or other hazardous situations. There are many terms used to describe the different kinds of stops, including user– or supplier-specific terms, the operation and function of which is determined by the individual design. Definitions of some of the more commonly used “stop” terminology include:
3.80.2 emergency stop: The stopping of a machine tool, manually initiated, for emergency purposes;
7.6 Emergency stop
Electrical, pneumatic and hydraulic emergency stops shall conform to requirements in the ANSI B11 machine-specific standard or NFPA 79.
Informative Note 1: An emergency stop is not a safeguarding device. See also, B11.19.
Informative Note 2: For additional information, see ISO 13850 and IEC 60204–1.
ANSI B11.19–2003
12.9 Stop and emergency stop devices
Stop and emergency stop devices are not safeguarding devices. They are complementary to the guards, safeguarding device, awareness barriers, signals and signs, safeguarding methods and safeguarding procedures in clauses 7 through 11.
Stop and emergency stop devices shall meet the requirements of ANSI / NFPA 79.
E12.9
Emergency stop devices include but are not limited to, buttons, rope-pulls, and cable-pulls.
A safeguarding device detects or prevents inadvertent access to a hazard, typically without overt action by the individual or others. Since an individual must actuate an emergency stop device to issue the stop command, usually in reaction to an event or hazardous situation, it neither detects nor prevents exposure to the hazard.
If an emergency stop device is to be interfaced into the control system, it should not reduce the level of performance of the safety function (see section 6.1 and Annex C).

NFPA 79 deals with the electrical functions of the emergency stop function which is not directly relevant to this article, so that is why I haven’t quoted directly from that document here.

As you can clearly see, the essential definitions of these devices in the US and Canada match very closely, although the US does not specifically use the term ‘complementary protective measures’.

Myth #2 – Cycle Stop And Emergency Stop Are Equivalent

Emergency stop systems act primarily by removing power from the prime movers in a machine, ensuring that power is removed and the equipment brought to a standstill as quickly as possible, regardless of the portion of the operating cycle that the machine is in. After an emergency stop, the machine is inoperable until the emergency stop system is reset. In some cases, emergency stopping the machine may damage the equipment due to the forces involved in halting the process quickly.

Cycle stop is a control system command function that is used to bring the machine cycle to a graceful stop at the end of the current cycle. The machine is still fully operable and may still be in automatic mode at the completion of this stop.

Again, referring to ANSI B11-2008:

3.80.1 controlled stop: The stopping of machine motion while retaining power to the machine actuators during the stopping process. Also referred to as Category 1 or 2 stop (see also NFPA 79: 2007, 9.2.2);
3.80.2 emergency stop: The stopping of a machine tool, manually initiated, for emergency purposes;

Myth #3 – Emergency Stop Systems Can Be Used For Energy Isolation

Fifteen to twenty years ago it was not uncommon to see emergency stop buttons fitted with locking devices. The locking device allowed a person to prevent the resetting of the emergency stop device. This was done as part of a “lockout procedure”. Lockout is one aspect of hazardous energy control procedures (HECP). HECPs recognize that live work needs to be done from time to time, and that normal safeguards may be bypassed or disconnected temporarily, to allow diagnostics and testing to be carried out. This process is detailed in two current standards, CSA Z460 and ANSI Z244.1. Note that these locking devices are still available for sale, and can be used as part of an HECP to prevent the emergency stop system or other controls from being reset until the machine is ready for testing. They cannot be used to isolate an energy source.

No current standard allows for the use of control devices such as push buttons or selector switches to be used as energy isolation devices.

CSA Z460-05 specifically prohibits this use in their definition of ‘energy isolation devices’:

Energy-isolating device — a mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors; a line valve; a block; and other devices used to block or isolate energy (push-button selector switches and other control-type devices are not energy-isolating devices).⁴

Similar requirements are found in ANSI Z244.1⁵ and in ISO 13850³.

Myth #4 — All Machines are Required to have an Emergency Stop

Some machine designers believe that all machines are required to have an emergency stop. This is simply not true.

Emergency stop systems may be useful where they can provide a back-up to other safeguarding systems. To understand where to use an emergency stop, a start-stop analysis must be carried out as part of the design process. This analysis will help the designer develop a clear understanding of the normal start and stop conditions for the machine. The analysis also needs to include failure modes for all of the stop functions. It is here that the emergency stop can be helpful. If removing power will cause the hazard to cease in a short time, or if the hazard can be quickly contained in some way, then emergency stop is a valid choice. If the hazard will remain for a considerable time following removal of power, then emergency stop will have no effect and is useless for avoiding or limiting harm.

For example, consider an oven. If the burner stop control failed, and assuming that the only hazard we are concerned with is the hot surfaces inside the oven, then using an emergency stop to turn the burners off only results in the start of the natural cooling cycle of the oven. In some cases that could take hours or days, so the emergency stop has no value. It might be useful for controlling other hazards, such as fire, that might be related to the same failure. Without a full analysis of the failure modes of the control system, a sound decision cannot be made.

Simple machines like drill presses and table saws are seldom fitted with emergency stop systems. These machines, which can be very dangerous, could definitely benefit from having an emergency stop. They are sometimes fitted with a disconnecting device with a red and yellow handle that can be used for ‘emergency switching off’. This differs from emergency stop because the machine, and the hazard, will typically re-start immediately when the emergency switching off device is turned back on. This is not permitted with emergency stop, where resetting the emergency stop device only permits the restarting of the machine through other controls. Reset of the emergency stop device is not permitted to reapply power to the machine on its own.

These requirements are detailed in ISO 13850³, CSA Z432⁶ and other standards.

Design Considerations

Emergency Stop is a control that is often designed in with little thought and used for a variety of things that it was never intended to be used to accomplish. The three myths discussed in this article are the tip of the iceberg.

Consider these questions when thinking about the design and use of emergency stop systems:

Have all the intended uses and foreseeable misuses of the equipment been considered?
What do I expect the emergency stop system to do for the user of the machine? (The answer to this should be in the risk assessment.)
How much risk reduction am I expecting to achieve with the emergency stop?
How reliable does the emergency stop system need to be?
Am I expecting the emergency stop to be used for other purposes, like ‘Power Off’, energy isolation, or regular stopping of the machine? (The answer to this should be ‘NO’.)

Taking the time to assess the design requirements before designing the system can help ensure that the machine controls are designed to provide the functionality that the user needs, and the risk reduction that is required. The answers lie in the five questions above.

Have any of these myths affected you?

Got any more myths about e-stops you’d like to share?

I really appreciate hearing from my readers! Leave a comment or email it to us and we’ll consider adding it to this article, with credit of course!

References

5% Discount on All Standards with code: CC2011

IEC – International Electrotechnical Commission. Download IEC standards, International Electrotechnical Commission standards.
ISO – International Organization for Standardization Download ISO Standards
Safety of machinery — Emergency stop — Principles for design, ISO 13850, 2006, ISO, Geneva, Switzerland.
Control of Hazardous Energy – Lockout and Other Methods, CSA Z460, 2005, Canadian Standards Association, Toronto, Canada.
Buy CSA Standards online at CSA.ca
Safeguarding of Machinery, CSA Z432-04, Canadian Standards Association, Toronto, Canada.
Control of Hazardous Energy – Lockout/Tagout and Alternative Methods, ANSI/ASSE Z244.1, 2003, American National Standards Institute / American Society of Safety Engineers, Des Plaines, IL, USA.
Download ANSI standards
American National Standard for Machine Tools – Performance Criteria for Safeguarding, ANSI B11.19–2003, American National Standards Institute, Des Plaines, IL, USA.
General Safety Requirements Common to ANSI B11 Machines, ANSI B11-2008, American National Standards Institute, Des Plaines, IL, USA.
Electrical Standard for Industrial Machinery, NFPA 79–2007, NFPA, 1 Batterymarch Park, Quincy, MA 02169–7471, USA.
Buy NFPA Standards online.

5% Discount on All Standards with code: CC2011

+DougNix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog.

Doug’s work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity.

Connect me on Facebook | Twitter | Google + | LinkedIn | Website

Acknowledgements: See citations in the article.

Some Rights Reserved

Series NavigationGuarding Emergency Stop DevicesEmergency Stop Categories

Canada, Control Functions, Emergency Stop, EU European Union, Guards and Guarding, Hazardous Energy Control Procedures, International, Lockout, Robotics, USAe-stop, Emergency Stop, ISO 13850

← Guarding Emergency Stop Devices

IEC/TR 62061–1 Reviewed →

3 Comments.

MachinerySafety - trackback on September 3, 2010 at 15:21
Doug Nix September 3, 2010 at 15:05
Roberta Nelson Shea,
Thanks for the comment. I decided after reading your thoughts that I would add the quotation from CSA Z460 back into the post. I took it out earlier for brevity, but I think it adds.
If you’ve got any other Myths you’d like to add to this post from your own experience, email them to me and I’ll add them in!
Roberta Nelson Shea September 3, 2010 at 13:06
Doug,
Well stated! The topic of Emergency Stops/ Stopping is all to frequently mis-understood. It is not meant for safeguarding, but meant as a means of preventing FURTHER damage. Safeguarding is used to PREVENT injury.
Also locking an emergency stop device is NOT an energy isolation means and would not comply with the requirements of the Control of Hazardous Energy.
Roberta

Trackbacks and Pingbacks:

MachinerySafety - Trackback on 2010/09/03/ 15:21

Original content here is published under these license terms:		X

License Type:	Non-commercial, Attribution, Share Alike

License Summary:	You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.

License URL:	http://creativecommons.org/licenses/by-nc-sa/3.0/

Machinery Safety 101

Safe designs for safe workplaces