- Emergency Stop — What’s so confusing about that?
- Checking Emergency Stop Systems
- Busting Emergency Stop Myths
- Guarding Emergency Stop Devices
- Emergency Stop Categories
- Using E-Stops in Lockout Procedures
- Reader Question: Multiple E-Stops and Resets
- Updates to Popular Articles
- New contact block design for Emergency Stop devices from Siemens
- Emergency stop devices: the risks of installer liability
I’ve noticed a lot of people looking for information on Emergency Stop categories recently; this article is aimed at those readers who want to understand this topic in more depth. Stop categories are often confused with circuit or system architecture categories from EN 954–1 and ISO 13849–1 . The confusion between these two sets of Categories often leads to incorrect assumptions about the application of these requirements.
The first point to make is that these categories are not exclusive to STOP functions, and may be used for normal stopping as well as .functions. They are
Stop categories and control reliability categories are not the same, and there are significant differences that need to be understood by control system designers. I’m going to sling a number of standards at you in this post, and I will provide references at the end if you want to dig deeper.
Control reliability categories are defined and described in ISO 13849–1, and I’ve written quite a bit on these in the past. If you want to know more about Categories B, 1–4, check out this series of posts on ISO 13849–1 Categories.
OK, so let’s talk about stop function categories. There are two standards that define these categories, and thankfully they are harmonized, meaning that the definitions for the categories are essentially the same in each document. They are:
- IEC 60204–1, Safety of machinery — Electrical equipment of machines — Part 1: General requirements (aka EN 60204–1) 
- NFPA 79, Electrical Standard for Industrial Machinery 
Note that Canada does not have a standard at the moment that specifically describes these same categories, however CSA Z432  does make reference to NFPA 79, bringing the categories in that way, albeit indirectly.
- Category 0 — Equivalent to pulling the plug;
- Category 1 — Bring things to a graceful stop, then pull the plug; and
- Category 2 — Bring things to a stop and hold them there under power.
Let’s look at the definitions in more detail. For comparison, I’m going to show the definitions from the two standards side-by-side.
|Category||IEC 60204–1||NFPA 79|
|0||stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop – see 3.56);||is an uncontrolled stop by immediately removing power to the machine actuators.|
|1||a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;||is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.|
|2||a controlled stop with power left available to the machine actuators.||is a controlled stop with power left available to the machine actuators.|
Definitions from IEC 60204–1:
3.11 controlled stop
stopping of machine motion with electrical power to the machine actuators maintained during the stopping process
3.56 uncontrolled stop
stopping of machine motion by removing electrical power to the machine actuators
NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.
As you can see, the two sets of Category descriptions are virtually identical, with the primary difference being the use of the definitions in the IEC standard instead of including that information in the description as in the NFPA standard.
Both standards require that all machines have at least a Category 0 stop. This could be achieved by switching off (by using the disconnecting means for example), by physically “pulling the plug” from the power supply socket on the wall, through a ‘master-control relay’ circuit, or through an emergency stop circuit. Note that this does not require that all machines have an e-stop!!
To learn more about how to determine the need for emergency stop, see my earlier post Emergency Stop – What’s so confusing about that?
Selecting a Stop Function
How do you decide on what category to use? First, ais required. Second, a start/stop analysis should be conducted. This is quite simple, being a straightforward analysis of the starting and stopping conditions for the machinery. Next, ask these questions:
1) Will the machinery stop safely under an uncontrolled stop?
If the machinery does not have a significant amount of inertia, meaning it won’t coast more than a very short time, then a Category 0 stop may be all that is required.
2) If the machinery coasts, or if the machinery can be stopped more quickly under control than when power is simply removed, then a Category 1 stop is likely the best choice.
3) If the machinery includes devices that require power to keep them in a safe state, then a Category 2 stop is likely the best choice.
If you choose to use a Category 2 stop, be aware that leaving power on the machinery leaves the user open to hazards related to having power on the machinery. Careful risk assessment is required in these cases especially.
Risk Assessment and Stop/Start Analysis
Risk assessment is critical to the specification of all–related functions. While emergency stop is not a safeguard, it is considered to be a ‘complementary ’ [6, 184.108.40.206.3], [7, 3.19, 6.3]. Understanding the hazards that need to be controlled and the degree of risk related to the hazards is basic design information that will provide specific direction on the stop category required and the degree of control reliability necessary to provide the expected risk reduction.
Stop/Start Analysis is quite simple. It amounts to considering all of the intended stop/start conditions for the machinery, and then including conditions that may result from reasonably foreseeable failure modes of the machinery and foreseeable misuses of the machinery. Create a table with three columns as a starting point, similar to Table 2.
Example Start/Stop Analysis
|Description||Start Condition||Stop Condition|
|Lubricant Pump||Lubricant Pump Start Button Pressed||Lubricant Pump Stop Button Pressed|
|Low Lubricant Level in reservoir|
|High pressure drop across lubricant filter|
|Main Spindle Motor||Start enabled and Start Button Pressed||Low Lubricant Pressure|
|Stop button pressed|
|Feed Advance motor||Feed Advance button pressed||Feed Stop button pressed|
|Feed end of travel limit reached|
|Emergency Stop||All motions stop, lubricant pump remains running|
The above table is simply an example of what a start/stop analysis can look like. You can have as much detail as you like.
Control Reliability Requirements
Both ISO 13849–1 and IEC 62061  base the initial requirements for reliability on the outcome of the risk assessment (PLr or SILr). If the stopping condition is part of normal operation, then simple circuit requirements (i.e. PLa, Category 1) are all that may be required. If the stopping condition is intended to be an Emergency Stop, then additional analysis is needed to determine exactly what may be required.
How have you typically implemented your stops and emergency stop systems?
Have you ever used the START/STOP analysis method?
I care about what you think as a reader, so please leave me comments and questions! If you would prefer to discuss your question privately, contact me directly.
 Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. CEN Standard EN 954–1.1996.
 Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. ISO Standard 13849–1. 2006. Download ISO Standards
 Electrical Equipment of Industrial Machines. IEC Standard 60204–1. 2009. Download IEC standards
 Electrical Standard for Industrial Machinery, ANSI/NFPA Standard 79, 2007. Download standards from ANSI
 Safeguarding of Machinery. CSA Standard Z432, 2004. CSA Store
 Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.
 Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.