Emergency Stop Categories

Emergency Stop on machine console
This entry is part 5 of 11 in the series Emergency Stop

I’ve noticed a lot of people looking for information on Emergency Stop categories recently; this article is aimed at those readers who want to understand this topic in more depth. Stop categories are often confused with circuit or system architecture categories from EN 954-1 [1] and ISO 13849-1 [2]. The confusion between these two sets of Categories often leads to incorrect assumptions about the application of these requirements.

Categories

The first point to make is that these categories are not exclusive to emergency stop functions. They are STOP functions, and may be used for normal stopping as well as e-stop.

Stop categories and control reliability categories are not the same, and there are significant differences that need to be understood by control system designers. I’m going to sling a number of standards at you in this post, and I will provide references at the end if you want to dig deeper.

Control reliability categories are defined and described in ISO 13849-1, and I’ve written quite a bit on these in the past. If you want to know more about Categories B, 1-4, check out this series of posts on ISO 13849-1 Categories.

Originating Standards

OK, so let’s talk about stop function categories. There are three standards that define the requirements for emergency stop categories, and thankfully they are fairly closely harmonized, meaning that the definitions for the categories are essentially the same in each document. They are:

  • ISO 13850, Safety of machinery — Emergency stop function — Principles for design [3]
  • IEC 60204-1, Safety of machinery – Electrical equipment of machines – Part 1: General requirements (aka EN 60204-1) [4]
  • NFPA 79, Electrical Standard for Industrial Machinery [5]

Note that Canada does not have a standard at the moment that specifically describes these same categories; however, CSA Z432 [6] does make reference to NFPA 79, bringing the categories in that way, albeit indirectly.

Category Definitions

The categories are broken down into three general groups in [4] and [5]:

  • Category 0 – Equivalent to pulling the plug;
  • Category 1 – Bring things to a graceful stop, then pull the plug; and
  • Category 2 – Bring things to a stop and hold them there under power.

Let’s look at the definitions in more detail. For comparison, I’m going to show the definitions from the two standards side-by-side.

Table 1
Comparison of Stop Function Categories

Category 0
  IEC 60204-1: stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop – see 3.56);
  NFPA 79: is an uncontrolled stop by immediately removing power to the machine actuators.

Category 1
  IEC 60204-1: a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;
  NFPA 79: is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.

Category 2
  IEC 60204-1: a controlled stop with power left available to the machine actuators.
  NFPA 79: is a controlled stop with power left available to the machine actuators.


Definitions from IEC 60204-1:

3.11 controlled stop

stopping of machine motion with electrical power to the machine actuators maintained during the stopping process

3.56 uncontrolled stop

stopping of machine motion by removing electrical power to the machine actuators

NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.

As you can see, the two sets of Category descriptions are virtually identical, with the primary difference being the use of the definitions in the IEC standard instead of including that information in the description as in the NFPA standard.

Minimum Requirements

Both standards require that all machines have at least a Category 0 stop. This could be achieved by switching off (by using the disconnecting means for example), by physically “pulling the plug” from the power supply socket on the wall, through a ‘master-control relay’ circuit, or through an emergency stop circuit. Note that this does not require that all machines have an e-stop!!

ISO 13850 limits the selection of stop category to Category 0 or 1, and excludes Category 2. Category 2 may only be used for operational or “normal” stopping functions.

To learn more about how to determine the need for emergency stop, see my earlier post Emergency Stop – What’s so confusing about that?

Selecting a Stop Function

How do you decide on what category to use? First, a risk assessment is required. Second, a start/stop analysis should be conducted. This is quite simple, being a straightforward analysis of the starting and stopping conditions for the machinery. Next, ask these questions:

1) Will the machinery stop safely under an uncontrolled stop? If the machinery does not have a significant amount of inertia, meaning it won’t coast more than a very short time, then a Category 0 stop may be all that is required.

2) Does the machinery coast, or can it be stopped more quickly under control than when power is simply removed? If so, a Category 1 stop is likely the best choice.

3) Does the machinery include devices that require power to keep them in a safe state? If so, a Category 2 stop is likely the best choice.

If you choose to use a Category 2 stop, be aware that leaving power on the machinery leaves the user exposed to the hazards that powered machinery presents. Careful risk assessment is especially required in these cases.

Category 2 stops are not permitted for emergency stopping, although you may use them for normal stop functions. ISO 13850, IEC 60204-1, and NFPA 79 explicitly limit emergency stop functions to Categories 0 and 1.
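To make the three questions and the e-stop restriction concrete, here is an added Python sketch that is not from the article: it applies the questions in order and refuses a Category 2 selection for an emergency stop. The inputs (coast time, controlled stop time, a 0.2 s threshold for “won’t coast more than a very short time”, and a power-to-hold flag) are assumptions for illustration; in practice they come from the risk assessment and start/stop analysis.

```python
from dataclasses import dataclass
from enum import IntEnum


class StopCategory(IntEnum):
    """Stop function categories as described in IEC 60204-1 and NFPA 79."""
    CAT_0 = 0  # uncontrolled stop: power removed from the actuators immediately
    CAT_1 = 1  # controlled stop, then power removed once stopped
    CAT_2 = 2  # controlled stop, power left available to the actuators


# ISO 13850, IEC 60204-1 and NFPA 79 limit emergency stop to Categories 0 and 1.
E_STOP_CATEGORIES = (StopCategory.CAT_0, StopCategory.CAT_1)


@dataclass
class StopCondition:
    """One stop condition from the start/stop analysis (constructed example data)."""
    description: str
    is_emergency_stop: bool
    coast_time_s: float              # time motion continues after power is simply removed
    controlled_stop_time_s: float    # stopping time with power available to the drive
    needs_power_to_hold_safe: bool   # e.g. a load held in a safe state only while powered
    # Assumed threshold for "won't coast more than a very short time"; set it per machine.
    negligible_coast_s: float = 0.2


def select_stop_category(cond: StopCondition) -> StopCategory:
    """Apply the three questions and enforce the emergency stop restriction."""
    if cond.needs_power_to_hold_safe:
        # Question 3: devices that need power to stay safe point to Category 2.
        category = StopCategory.CAT_2
    elif (cond.coast_time_s > cond.negligible_coast_s
          or cond.controlled_stop_time_s < cond.coast_time_s):
        # Question 2: coasting, or stopping faster under control, points to Category 1.
        category = StopCategory.CAT_1
    else:
        # Question 1: no significant inertia, so an uncontrolled stop is safe.
        category = StopCategory.CAT_0

    if cond.is_emergency_stop and category not in E_STOP_CATEGORIES:
        # Category 2 is only for operational stops: the design has to change and be
        # re-assessed, so refuse loudly rather than silently downgrading the category.
        raise ValueError(
            f"{cond.description}: Category {int(category)} is not permitted for emergency stop")
    return category


if __name__ == "__main__":
    # Constructed rows, loosely following Table 2 of the article.
    for row in (
        StopCondition("feed advance stop", False, 0.05, 0.05, False),
        StopCondition("main spindle e-stop", True, 2.0, 0.5, False),
    ):
        print(row.description, "->", select_stop_category(row).name)
```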

Risk Assessment and Stop/Start Analysis

Risk assessment is critical to the specification of all safety-related functions. While emergency stop is not a safeguard, it is considered to be a ‘complementary protective measure’ [6, 6.2.3.5.3], [7, 3.19, 6.3]. Understanding the hazards that need to be controlled and the degree of risk related to the hazards is basic design information that will provide specific direction on the stop category required and the degree of control reliability necessary to provide the expected risk reduction.

Stop/Start Analysis is quite simple. It amounts to considering all of the intended stop/start conditions for the machinery, and then including conditions that may result from reasonably foreseeable failure modes of the machinery and foreseeable misuses of the machinery. Create a table with three columns as a starting point, similar to Table 2.

Table 2
Example Start/Stop Analysis

Lubricant Pump
  Start Condition: Lubricant Pump Start Button Pressed
  Stop Conditions: Lubricant Pump Stop Button Pressed; Low Lubricant Level in reservoir; High pressure drop across lubricant filter

Main Spindle Motor
  Start Condition: Start enabled and Start Button Pressed
  Stop Conditions: Low Lubricant Pressure; Stop button pressed

Feed Advance motor
  Start Condition: Feed Advance button pressed
  Stop Conditions: Feed Stop button pressed; Feed end of travel limit reached

Emergency Stop
  Start Condition: none listed
  Stop Condition: All motions stop, lubricant pump remains running

The above table is simply an example of what a start/stop analysis can look like. You can have as much detail as you like.

Control Reliability Requirements

Both ISO 13849-1 and IEC 62061 [8] base the initial requirements for reliability on the outcome of the risk assessment (PLr or SILr). If the stopping condition is part of normal operation, then simple circuit requirements (i.e. PLa, Category 1) are all that may be required. If the stopping condition is intended to be an Emergency Stop, then additional analysis is needed to determine exactly what may be required.

More Information

How have you typically implemented your stops and emergency stop systems?

Have you ever used the START/STOP analysis method?

I care about what you think as a reader, so please leave me comments and questions! If you would prefer to discuss your question privately, contact me directly.

References

[1] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. CEN Standard EN 954-1. 1996.

[2] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. ISO Standard 13849-1. 2006.

[3] Safety of machinery — Emergency stop function — Principles for design. ISO Standard 13850. 2006.

[4] Electrical Equipment of Industrial Machines. IEC Standard 60204-1. 2009.

[5] Electrical Standard for Industrial Machinery. ANSI/NFPA Standard 79. 2007.

[6] Safeguarding of Machinery. CSA Standard Z432. 2004.

[7] Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.

[8] Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog.

Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity.

  • controlsgirl

    Another great discussion! I stumbled upon this because many servos include the STO function. I looked in the manual of the product that I am working with on this particular product and the manual claims the STO function to be compliant with a safe stop 0. However, every time I see a servo with STO capability implemented, there is still a contactor killing the line feed into the servo that is driven by the same conditions as the STO signals. It seems as if STO would replace the need to use a contactor to break the feed coming into the servo. Am I incorrect? Are there still advantages to opening up the line connection with a contactor in addition to using STO? If it is redundant, are you aware of any manufacturing plants that still require both?

    • Interesting question. I’m actually planning an article on this topic right now, but I’ve got a couple of additional pieces to finish out the 13849 series first.

      If the drive has STO, it will already have the capability to provide a reliable zero-torque condition to the motor. If you look at the specs for the drive you will find that the STO function will normally have a PL or SIL rating, or a PFHd given. If the STO function is rated as PLe, for example, there is no need for an additional line contactor upstream of the drive unless the drive installation calls for one.

      “Safe-off”, “safe-stop” and similar terms are used by drive manufacturers but are not reflected in the technical standards for these products, and so don’t have a standardised technical definition.

      This question is complex enough that I can’t fully address it here, but I will try to hit the whole topic in the article when I publish it.

      Thanks for your continued interest!

  • T-mac

    Am I allowed to wire coded magnetic switches or keyed interlock switches in series with an E-stop or will I need to use 2 separate safety relays?
    Just found your site, thanks for taking the time to inform us, greatly appreciated.

    • T-mac,

      It’s not so much a case of “allowed to” wire them in series or not. Let me explain.

      Best practice is to separate the e-stop function and the safeguarding functions. This is done for a few reasons:

      1) Emergency Stop controls are considered to be “complementary protective measures”, not safeguards. They are manually activated, and should normally be infrequently used. This is because they are used to back up the primary safeguards, like interlocked guards, or safeguarding devices. As backup devices, they typically require a lower level of reliability than the primary safeguards. ISO 13850, which defines emergency stop functions, requires a minimum performance level of PLc for these systems, however, higher performance levels may be required based on the risk assessment.

      2) Safeguards are required to act automatically, without the user being aware of the operation of the function. The reliability of the safety function is driven directly by the risk assessment. On most industrial machinery, these systems require PLc, PLd, or PLe.

      3) Recovery from an emergency stop condition, and recovery from a safeguarding condition are often quite different. Depending on what kind of emergency stop function is selected (IEC 60204-1/NFPA 79 Category 0 or 1), the effects on the machine can be quite severe, and recovery can be complex. Safeguarding conditions commonly use Category 1 or 2 stop functions, which are more controlled and generally don’t leave the machine badly disordered. Recovery is normally simpler. Since safeguarding conditions are more common as operators open doors/gates or break light curtain fields, the machine reactions usually need to be different from what happens in an emergency situation.

      Daisy-chaining devices, whether it’s e-stop buttons, interlock switches, or something else, can create fault-masking conditions, where a failure can occur in one device in the chain, but the fault is masked by the operation of another device in the chain. This can be a serious problem, since ISO 13849-1 requires that systems with Category 3 or 4 architectures detect faults either as they occur, or on the next demand on the safety function. Masked faults may be detected, and this leads to failure modes that are not permitted, nor are they what you want in your control system.

      Where you have e-stop devices or interlocks that are infrequently used, they may not be tested frequently enough to meet the testing requirements of the architecture you’ve selected, and this may lead to masked faults as well.

      So, in general, combining emergency stop functions with safeguarding functions is considered bad practice, even though it is still often done. I would recommend separating the functions for all of the reasons given, and I would also recommend against daisy chaining input devices to a single safety relay.

      • T-mac

        I would generally separate them as I have always done in the past.
        This application is installing coded mag switches on new guarding. There is a PILZ safety PLC installed on the machine and my request to purchase the PLC software (along with the new PSR after modifying the program) was declined.
        The switches are rated to be used cat 4 and there is a monthly procedure where the operators test the E-stops, and interlocks on the equipment.
        The existing guarding is done by light curtains that bring the machine to a “cycle stop” as not to destroy the product and make for a longer restart/set up.
        The new guarding is at a much closer proximity to the actual hazard and I need the machine to stop immediately.
        Although not ideal, wiring in series would still be accepted in this scenario?

        • T-mac,

          If the new guarding is close to the tooling, the first thing I would suggest is a stop time test. You need to know if the guarding is within the minimum safety distance. You use the same calculation as used for a light curtain, Ds=KxT, K=1600 mm/s or 63 in/s. T is the stopping time in seconds. Since you mention that the machine is already using stop category 1, the stopping time may be quite long.

          If the guards are too close to the hazards to meet this safety distance, then you will need to implement guard locking. This can be combined with a “request to enter” function, or can simply be held locked until the machine is stopped, either at the end of a cycle, or until the machine is switched out of automatic mode and into manual mode. There are tons of options in how to do this.

          WRT your comments about the interlock switches being Category 4, all this tells you is that the switch/controller combination uses Category 4 architecture. There will be a PL associated with this – have a look at the data sheet. This information is used in assessing the safety system PL. The two pieces of information are important. You may also find an MTTFd spec, and this is also important, but less so than the PL initially.

          • T-mac

            Machine stopping via the current estop is instant, no coasting, no reversing by tension upon the material.
            This “new” pinch point is a roller that was previously missed and now being addressed.
            The hinged guards that are now on that roller(s) are roughly 3.5″ away. The door has to be swung out when opened which adds a little more distance when accessing.
            I should have given more info about the application in my first question, sorry.

          • T-mac,

            Thanks for the additional information. Unfortunately, no machinery stops instantaneously, since that would require infinite negative acceleration. Even if the stopping time is very short, let’s say 100 ms for argument’s sake, the safety distance is Ds=63″/s * 0.100 s = 6.3″. To make the 3.5″ distance work the stopping time would have to be 3.5/63=0.055 s. So, thing 1: Stop Time Test. Without this you cannot say that the interlocked door will provide the protection required. If you can’t do the test for any reason, then go to interlocked doors with guard locking. You will need a zero-speed detection system so that the lock cannot be released until the web/roller speed = zero.

            WRT the opening of the guard and the additional distance that you would like to claim, unless the interlock is activated before a gap appears between the door and the frame, you really can’t make this claim. You need to measure the gap between the edge of the door and the frame at the point where the interlock activates, and then apply the openings table in ANSI B11.19, or ISO 13857, or CSA Z432 to determine the safety distance related to the gap.

            So, there are TWO distance requirements: 1) the gap between door and frame when the interlock is activated, and 2) based on the stopping time.

            Guard locking eliminates both of these considerations, since the guard cannot be opened when the hazard exists.

            Hope that helps!
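The arithmetic in the reply above, as an added Python example that is not part of the original comments: it turns a stop time test into the required safety distance with Ds = K × T (K = 1600 mm/s or 63 in/s), gives the longest stopping time a given guard distance can tolerate, and checks a guard against both distance requirements. Taking the longest of several stop-time readings as the worst case, and passing in the gap-based distance read from the ANSI B11.19 / ISO 13857 / CSA Z432 openings table rather than computing it, are assumptions made here.

```python
# Hand-speed constant K used in Ds = K x T (values quoted in the comment thread).
K_IN_PER_S = 63.0     # in/s
K_MM_PER_S = 1600.0   # mm/s


def worst_case_stop_time(readings_s):
    """Stop time to design against: the longest reading from the stop time test.
    Assumption: the worst case governs; a real test report may also add a margin."""
    if not readings_s:
        raise ValueError("no stop time readings")
    return max(readings_s)


def safety_distance(stop_time_s, k=K_IN_PER_S):
    """Ds = K x T: minimum distance from the hazard for the measured stop time."""
    return k * stop_time_s


def max_stop_time(available_distance, k=K_IN_PER_S):
    """Longest stop time that still satisfies Ds <= available distance (T = Ds / K)."""
    return available_distance / k


def assess_guard(available_distance, stop_time_s, gap_based_distance=0.0, k=K_IN_PER_S):
    """Check an interlocked guard against both distance requirements.

    available_distance: measured distance from the hazard to the guard (same units as k).
    gap_based_distance: distance required by the opening between door and frame at the
        point where the interlock trips; taken from the openings table (assumed input).
    Returns the numbers plus a plain verdict.
    """
    time_based = safety_distance(stop_time_s, k)
    required = max(time_based, gap_based_distance)
    acceptable = available_distance >= required
    return {
        "time_based_distance": time_based,
        "gap_based_distance": gap_based_distance,
        "required_distance": required,
        "max_stop_time_s": max_stop_time(available_distance, k),
        "acceptable": acceptable,
        "recommendation": (
            "interlocked guard is acceptable" if acceptable
            else "guard too close: use guard locking with zero-speed detection"),
    }


if __name__ == "__main__":
    # Constructed data: 3.5 in door, three stop test readings around 100 ms.
    t = worst_case_stop_time([0.092, 0.100, 0.097])
    print(assess_guard(3.5, t))
```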

          • T-mac

            Helps a lot.
            I always install my switches as close to tripping as possible without nuisance tripping.
            It might take a little trial and error during installation but I think it’s worth it later.

          • controlsgirl

            Great question and great answers so far. I had to dig to answer this question myself some years ago. Correct me if I am wrong. If I remember right, by daisy chaining you only get to cat 3, or perhaps PL d. Doug mentions fault masking. I believe that when daisy chained you lose your exclusive diagnostics for each device. One device could be jumpered or shorted and the circuit would not diagnose this when another estop is pressed, released, and the system is reset. I believe this is an example of the defining difference between the last two levels. I also believe this example is an example that Doug mentions in one of his posts about how a device can be advertised as cat 4 and misleading because the circuit is not designed to cat 4. The manufacturers are simply stating that the device has what is needed to be designed into a cat 4 circuit.

          • Hey, controlsgirl! You are essentially correct about fault masking. There is an ISO Technical Report that discusses this issue, ISO/TR 24119, https://www.iso.org/standard/63160.html, which is relevant to this discussion. Schmersal also publishes a free white paper on this topic, http://www.schmersalusa.com/cms17/opencms/html/en/service/contributions.html?id=28, which you may find interesting.

            In ISO/TR 24119 there is a table that shows the reduction in PL that occurs depending on the number of daisy-chained devices and the frequency of use of the devices. Loss of Diagnostic Coverage due to fault masking results in a reduction of PL. It’s possible to go from PLe to PLc if you have enough devices daisy-chained. Hmmmm, I think I feel another article coming on… 😉

            BTW, this is not a case of manufacturers misleading users, but rather one of misapplication of a device. Keep in mind that a “safety relay” or other similar devices can be assessed under ISO 13849 or IEC 62061 and provided with a PL or SIL. That allows the designer to treat that device as a black-box with defined reliability characteristics. The problem comes when someone wants to assume that they will achieve a certain degree of reliability simply because they used a certain component. It just doesn’t work that way.

  • gina

    For roll forming machines, our company determined with a risk assessment, that the rollers need to retract upon hitting the e-stop button. Unfortunately, that does not meet the NFPA 79 E-stop categories. Do you know of a code provision for this scenario?

    • Gina,

      Good question. NFPA 79 offers two options for e-stop functions: Category 0, which immediately removes power from the hazardous motions (similar to “pulling the plug”), and Category 1, which allows for a graceful stop under control, followed by removal of power.

      If the best way to minimize the risk is to lift the forming rollers, then this is the necessary approach. In my opinion, this falls under Category 1 stop functions, since motion is permitted for a brief time after the e-stop device is activated. The key to this is setting up the pneumatics appropriately so that the rollers won’t fall or drift when the Category 0 stop occurs. The other key part of this is selecting and setting up the motor drive so that the drive stops as quickly as possible before going to a zero energy state. You will need a drive with Safe Torque Off, or equivalent.

      If you need additional help with this, I would be happy to discuss it with you offline. 🙂

      • gina

        Thank you for the reply, that is what I was thinking as well. Additionally, we found ANSI B11.12 E6.5 that allows for the rolls to raise/open on pressing e-stop. They are calling it a category 1 e-stop also. Thanks again!

        • You’re welcome! Sorry I didn’t think about B11.12 – I guess I assumed you were already using that in your design.

          Let me know if there is anything else I can help you with!

  • Andrew, you need to have a look at a safety relay catalog from any of the big manufacturers, Rockwell/Allen-Bradley, ABB/Jokab, Pilz, Telemecanique/Square-D, Schmersal, OMRON/STI, Pizzato, etc. All of them have suggested schematic diagrams in the catalogs. All modern safety relay products provide the required test frequency for automatic testing if they are correctly implemented in the system design. That does not remove your responsibility as a designer to mitigate the undetectable dangerous faults to those with an MTTFd < 30 a (for PLc applications, lower for lower Performance Levels).

    There is more to this than just a schematic.

  • andrew

    of how to go about doing it?

  • andrew

    i need a diagram

  • Hi Doug,

    Again a great read!
    Although I am normally involved in designing “incomplete Machines” according to the European Machine Directive (2006/42), this topic is also important for me to understand fully. More and more I see that knowledge of these kinds of topics greatly adds to the value you can supply your customers with. There is a fine balance between designing an “incomplete machine” and delivering a solution the customer can actually use to build a safe complete machine and understands what the limitations and benefits are. Thanks again.

    • Wouter,

      Thanks for the kind words. As I’m sure you know, the only real difference between complete machines and incomplete machines is the installation instructions that detail the residual risks that the user must safeguard once the product is integrated into the final machinery or installation. The need for emergency stop is determined in exactly the same way. One major myth that I run into here in Canada is “All machines must have an emergency stop”. This is incorrect. If an emergency stop will not improve the likelihood of avoiding harm or reduce the severity of injury, then there is no benefit to having one. Selection of the right category of stop is equally important, since many motor driven loads that use a VFD, servo or stepper drive can be stopped more quickly under control than by simply dropping power.

      Thanks again for your comments!