
Emergency Stop Categories

2010 September 27
This entry is part 4 of 10 in the series Emergency Stop

I’ve noticed a lot of people looking for information on Emergency Stop categories recently; this article is aimed at those readers who want to understand this topic in more depth. Stop categories are often confused with circuit or system architecture categories from EN 954-1 [1] and ISO 13849-1 [2]. The confusion between these two sets of Categories often leads to incorrect assumptions about the application of these requirements.

Categories

The first point to make is that these categories are not exclusive to emergency stop functions. They are STOP functions, and may be used for normal stopping as well as e-stop.

Stop categories and control reliability categories are not the same, and there are significant differences that need to be understood by control system designers. I’m going to sling a number of standards at you in this post, and I will provide references at the end if you want to dig deeper.

Control reliability categories are defined and described in ISO 13849-1, and I’ve written quite a bit on these in the past. If you want to know more about Categories B, 1–4, check out this series of posts on ISO 13849-1 Categories.

Originating Standards

OK, so let’s talk about stop function categories. There are two standards that define these categories, and thankfully they are harmonized, meaning that the definitions for the categories are essentially the same in each document. They are:

  • IEC 60204-1, Safety of machinery — Electrical equipment of machines — Part 1: General requirements (aka EN 60204-1) [3]
  • NFPA 79, Electrical Standard for Industrial Machinery [4]

Note that Canada does not have a standard at the moment that specifically describes these same categories; however, CSA Z432 [6] does make reference to NFPA 79, bringing the categories in that way, albeit indirectly.


Category Definitions

The categories are broken down into three general groups:

  • Category 0 — Equivalent to pulling the plug;
  • Category 1 — Bring things to a graceful stop, then pull the plug; and
  • Category 2 — Bring things to a stop and hold them there under power.

Let’s look at the definitions in more detail. For comparison, I’m going to show the definitions from the two standards side-by-side.

Table 1
Comparison of Stop Function Categories

| Category | IEC 60204-1 | NFPA 79 |
|---|---|---|
| 0 | stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop – see 3.56); | is an uncontrolled stop by immediately removing power to the machine actuators. |
| 1 | a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved; | is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved. |
| 2 | a controlled stop with power left available to the machine actuators. | is a controlled stop with power left available to the machine actuators. |

Definitions from IEC 60204-1:

3.11 controlled stop

stopping of machine motion with electrical power to the machine actuators maintained during the stopping process

3.56 uncontrolled stop

stopping of machine motion by removing electrical power to the machine actuators

NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.

As you can see, the two sets of Category descriptions are virtually identical, with the primary difference being the use of the definitions in the IEC standard instead of including that information in the description as in the NFPA standard.


Minimum Requirements

Both standards require that all machines have at least a Category 0 stop. This could be achieved by switching off (by using the disconnecting means for example), by physically “pulling the plug” from the power supply socket on the wall, through a ‘master-control relay’ circuit, or through an emergency stop circuit. Note that this does not require that all machines have an e-stop!!

To learn more about how to determine the need for emergency stop, see my earlier post Emergency Stop – What’s so confusing about that?

Selecting a Stop Function

How do you decide on what category to use? First, a risk assessment is required. Second, a start/stop analysis should be conducted. This is quite simple, being a straightforward analysis of the starting and stopping conditions for the machinery. Next, ask these questions:

1) Will the machinery stop safely under an uncontrolled stop?

If the machinery does not have a significant amount of inertia, meaning it won’t coast more than a very short time, then a Category 0 stop may be all that is required.

2) If the machinery coasts, or if the machinery can be stopped more quickly under control than when power is simply removed, then a Category 1 stop is likely the best choice.

3) If the machinery includes devices that require power to keep them in a safe state, then a Category 2 stop is likely the best choice.

If you choose to use a Category 2 stop, be aware that leaving power on the machinery leaves the user open to hazards related to having power on the machinery. Careful risk assessment is required in these cases especially.
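
The three selection questions above can be screened numerically for a single rotating axis. The following is an added example, not code from the original article or from any standard: it assumes a constant-torque stopping model (t = J·ω/T), and the `Axis` fields, the `max_coast_s` limit and the sample machines are constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Axis:
    """Constructed description of one rotating axis (all fields are assumptions)."""
    name: str
    inertia_kgm2: float             # total inertia J seen at the motor shaft
    speed_rpm: float                # speed at the moment the stop is commanded
    friction_nm: float              # friction/load torque slowing a coasting axis
    drive_brake_nm: float           # braking torque available while power is kept on
    needs_power_when_stopped: bool  # a device needs power to stay in a safe state

def stop_time_s(axis: Axis, powered: bool) -> float:
    """Time to standstill under constant torque: t = J * omega / T."""
    omega = axis.speed_rpm * 2 * math.pi / 60
    torque = axis.friction_nm + (axis.drive_brake_nm if powered else 0.0)
    return math.inf if torque <= 0 else axis.inertia_kgm2 * omega / torque

def screen_stop_category(axis: Axis, max_coast_s: float):
    """Return (category, reason) following the article's three questions.

    Question 3 is checked first because a power-dependent safe state rules
    out removing power, whatever the stopping times are.
    """
    t_coast = stop_time_s(axis, powered=False)
    t_ctrl = stop_time_s(axis, powered=True)
    if axis.needs_power_when_stopped:
        return 2, "power must stay on to hold the safe state"
    if t_coast <= max_coast_s:
        return 0, f"coasts to rest in {t_coast:.2f} s"
    if t_ctrl < t_coast:
        return 1, f"controlled stop {t_ctrl:.2f} s vs coast {t_coast:.2f} s"
    # Assumption: long coast and no faster powered stop means removing power is
    # all the drive can do, so another stopping device (e.g. a brake) is needed.
    return 0, f"coast {t_coast:.2f} s exceeds limit; add a braking device"

# Constructed sample axes, not taken from the article.
SAMPLES = [
    Axis("small conveyor", 0.02, 1500, 5.0, 0.0, False),
    Axis("main spindle", 0.8, 3000, 2.0, 40.0, False),
    Axis("powered clamp axis", 0.1, 600, 3.0, 10.0, True),
]

if __name__ == "__main__":
    for ax in SAMPLES:
        cat, reason = screen_stop_category(ax, max_coast_s=1.0)
        print(f"{ax.name}: Category {cat} ({reason})")
```

The result is a screening input to the risk assessment and start/stop analysis, which still decide the category.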

Risk Assessment and Stop/Start Analysis

Risk assessment is critical to the specification of all safety-related functions. While emergency stop is not a safeguard, it is considered to be a ‘complementary protective measure’ [6, 6.2.3.5.3], [7, 3.19, 6.3]. Understanding the hazards that need to be controlled and the degree of risk related to the hazards is basic design information that will provide specific direction on the stop category required and the degree of control reliability necessary to provide the expected risk reduction.

Stop/Start Analysis is quite simple. It amounts to considering all of the intended stop/start conditions for the machinery, and then including conditions that may result from reasonably foreseeable failure modes of the machinery and foreseeable misuses of the machinery. Create a table with three columns as a starting point, similar to Table 2.

Table 2
Example Start/Stop Analysis

| Description | Start Condition | Stop Condition |
|---|---|---|
| Lubricant Pump | Lubricant Pump Start Button Pressed | Lubricant Pump Stop Button Pressed; Low Lubricant Level in reservoir; High pressure drop across lubricant filter |
| Main Spindle Motor | Start enabled and Start Button Pressed | Low Lubricant Pressure; Stop button pressed |
| Feed Advance motor | Feed Advance button pressed | Feed Stop button pressed; Feed end of travel limit reached |
| Emergency Stop | | All motions stop, lubricant pump remains running |

The above table is simply an example of what a start/stop analysis can look like. You can have as much detail as you like.

Control Reliability Requirements

Both ISO 13849-1 and IEC 62061 [8] base the initial requirements for reliability on the outcome of the risk assessment (PLr or SILr). If the stopping condition is part of normal operation, then simple circuit requirements (i.e. PLa, Category 1) are all that may be required. If the stopping condition is intended to be an Emergency Stop, then additional analysis is needed to determine exactly what may be required.

More Information

How have you typically implemented your stops and emergency stop systems?

Have you ever used the START/STOP analysis method?

I care about what you think as a reader, so please leave me comments and questions! If you would prefer to discuss your question privately, contact me directly.

References


[1] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. CEN Standard EN 954-1. 1996.

[2] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. ISO Standard 13849-1. 2006.

[3] Electrical Equipment of Industrial Machines. IEC Standard 60204-1. 2009.

[4] Electrical Standard for Industrial Machinery. ANSI/NFPA Standard 79. 2007.

[6] Safeguarding of Machinery. CSA Standard Z432. 2004.

[7] Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.

[8] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

Post By Doug Nix (95 Posts)

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog.

Doug’s work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity.

Website: → Compliance inSight Consulting Inc.


  • http://www.boschrexroth.nl Wouter

    Hi Doug,

    Again a great read!
    Although I am normally involved in designing “incomplete Machines” according to the European Machine Directive (2006/42), this topic is also important for me to understand fully. More and more I see that knowledge of these kinds of topics greatly adds to the value you can supply your customers with. There is a fine balance between designing an “incomplete machine” and delivering a solution the customer can actually use to build a safe complete machine and understands what the limitations and benefits are. Thanks again.

    • http://www.complianceinsight.ca/ Doug Nix

      Wouter,

      Thanks for the kind words. As I’m sure you know, the only real difference between complete machines and incomplete machines are installation instructions that detail the residual risks that the user must safeguard once the product is integrated into the final machinery or installation. The need for emergency stop is determined in exactly the same way. One major myth that I run into here in Canada is “All machines must have an emergency stop”. This is incorrect. If an emergency stop will not improve the likelihood of avoiding harm or reduce the severity of injury, then there is no benefit to having one. Selection of the right category of stop is equally important, since many motor driven loads that use a VFD, servo or stepper drive can be stopped more quickly under control than by simply dropping power.

      Thanks again for your comments!
