Emergency Stop Categories

Emergency Stop on machine console
This entry is part 5 of 13 in the series Emergency Stop

I’ve noticed a lot of people looking for information on Emergency Stop categories recently; this article is aimed at those readers who want to understand this topic in more depth. Stop categories are often confused with circuit or system architecture categories from EN 954-1 [1] and ISO 13849-1 [2]. The confusion between these two sets of Categories often leads to incorrect assumptions about the application of these requirements.

Categories

The categories discussed here are not exclusive to emergency stop functions. They are STOP functions and may be used for the normal stop functions as well as the E-stop function.

Stop categories and functional safety system architecture categories are not the same, and there are significant differences that need to be understood by control system designers. I’m going to sling a number of standards at you in this post, and I will provide references at the end if you want to dig deeper.

Functional safety architectural categories are defined and described in ISO 13849-1, and I’ve written quite a bit on these in the past. If you want to know more about Categories B, 1-4, check out this series of posts on ISO 13849-1 Categories.

Originating Standards

There are three standards that define the requirements for emergency stop categories, and thankfully they are fairly closely harmonised, meaning that the definitions for the categories are essentially the same in each document. They are:

  • ISO 13850, Safety of machinery — Emergency stop function — Principles for design [3]
  • IEC 60204-1, Safety of machinery – Electrical equipment of machines – Part 1: General requirements (aka EN 60204-1) [4]
  • NFPA 79, Electrical Standard for Industrial Machinery [5]

A new Canadian standard was added in 2016, CSA C22.2 No. 301 [9]. This standard draws heavily on a number of standards for core material, including IEC 60204-1 and NFPA 79. No. 301 uses identical definitions for stop function categories.


Stop Category Definitions

The categories are broken down into three general groups in [4], [5], and [9]:

  • Category 0 – Equivalent to pulling the plug;
  • Category 1 – Bring things to a graceful stop, then pull the plug; and
  • Category 2 – Bring things to a stop and hold them there under power.

Let’s look at the definitions in more detail. For comparison, I’m going to show the definitions from the two standards side-by-side.

Table 1
Comparison of Stop Function Categories

Category 0
  IEC 60204-1: stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop – see 3.56);
  NFPA 79: is an uncontrolled stop by immediately removing power to the machine actuators.
  CSA C22.2 No. 301: stopping by immediate removal of power to the machine actuators (i.e., an uncontrolled stop);

Category 1
  IEC 60204-1: a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;
  NFPA 79: is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.
  CSA C22.2 No. 301: a controlled stop with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;

Category 2
  IEC 60204-1: a controlled stop with power left available to the machine actuators.
  NFPA 79: is a controlled stop with power left available to the machine actuators.
  CSA C22.2 No. 301: a controlled stop with power left available to the machine actuators.

Definitions from IEC 60204-1:

3.11 controlled stop
stopping of machine motion with electrical power to the machine actuators maintained during the stopping process

3.56 uncontrolled stop
stopping of machine motion by removing electrical power to the machine actuators
NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.

As you can see, the Category descriptions are virtually identical, with the primary difference being the use of the definitions in the IEC standard instead of including that information in the description as in the NFPA standard.


Minimum Requirements

[4], [5], and [9] require that all machines have at least a Category 0 stop. This could be achieved by switching off (i.e., by using the disconnecting means to switch off power, for example), by physically “pulling the plug” from the power supply socket on the wall, or through a ‘master control relay’ circuit, or through an emergency stop circuit. Note that this does not require that all machines have an e-stop!! The need for an emergency stop function is determined through the risk assessment, based on the potential to avoid or limit harm. If these goals cannot be achieved through an emergency stop function, there is no requirement to have one. I have yet to read legislation in any jurisdiction that states that all machines must have an e-stop. Certain classes of machines may have this requirement, normally defined in the relevant machinery standard, e.g., ISO 10218-1 [10] for industrial robots.

ISO 13850 limits the selection of stop category to Category 0 or 1 and excludes Category 2. This exclusion can be found in NFPA 79, IEC 60204-1, and CSA C22.2 No. 301 as well. Category 2 may only be used for operational or “normal” stopping functions.

To learn more about how to determine the need for an emergency stop, see “Emergency Stop – What’s so confusing about that?”

Selecting a Stop Function

How do you decide on what category to use? First, a risk assessment is required. Second, a start/stop analysis should be conducted. More on this topic a bit later.

Once the risk assessment is complete, ask these questions:

1) Will the machinery stop safely under an uncontrolled stop?

If the machinery does not have a significant amount of inertia, meaning it won’t coast more than a very short time, then a Category 0 stop may be all that is required.

2) If the machinery can coast when power is removed, or if the machinery can be stopped more quickly under control than when power is simply removed, then a Category 1 stop is likely the best choice, even if the power-off coasting time is fairly short.

Vertical axes that may collapse when power is removed will likely need additional mechanical hardware to prevent the tooling from falling during an emergency stop condition. This could be a mechanical brake or other means that will prevent the tooling from falling unexpectedly.

3) If the machinery includes devices that require power to keep them in a safe state, then a Category 2 stop is likely the best choice.

If you choose to use a Category 2 stop, be aware that leaving power on the machinery leaves the user open to hazards related to having power on the machinery. Careful risk assessment is required in these cases especially.

Category 2 stops are not permitted for emergency stopping, although you may use them for normal stop functions. ISO 13850, IEC 60204-1, and NFPA 79 explicitly limit emergency stop functions to Categories 0 and 1. CSA C22.2 No. 301 permits the use of Category 2 stop functions for emergency stopping.

Risk Assessment and Stop/Start Analysis

Risk assessment is critical to the specification of all safety-related functions. While emergency stop is not a safeguard, it is considered to be a ‘complementary protective measure’ [6, 6.2.3.5.3], [7, 3.19, 6.3]. Understanding the hazards that need to be controlled and the degree of risk related to the hazards is basic design information that will provide specific direction on the stop category required and the degree of control reliability necessary to provide the expected risk reduction.

Stop/Start Analysis is quite simple, originating in ISO 12100. It amounts to considering all of the intended stop/start conditions for the machinery and then including conditions that may result from reasonably foreseeable failure modes of the machinery and foreseeable misuses of the machinery. Create a table with three columns as a starting point, similar to Table 2.

Table 2
Example Start/Stop Analysis

Lubricant Pump
  Start Condition: Lubricant Pump Start Button Pressed
  Stop Conditions: Lubricant Pump Stop Button Pressed; Low Lubricant Level in reservoir; High-pressure drop across lubricant filter

Main Spindle Motor
  Start Condition: Start enabled and Start Button Pressed
  Stop Conditions: Low Lubricant Pressure; Stop button pressed

Feed Advance motor
  Start Condition: Feed Advance button pressed
  Stop Conditions: Feed Stop button pressed; Feed end of travel limit reached

Emergency Stop
  Stop Condition: All motions stop, lubricant pump remains running

The above table is simply an example of what a start/stop analysis might look like. You can have as much detail as you like.
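The three selection questions from “Selecting a Stop Function” and the start/stop analysis in Table 2 can be run together as a small design check. This is an added example, not code from the article; the machine attributes (inertia, a vertical axis, a powered clamp), the two hypothetical rows and the `cat2_estop_permitted` flag are assumptions made for illustration.

```python
"""Stop-category selection applied to a start/stop analysis (added example).

Encodes the three questions from "Selecting a Stop Function" and runs them
over the Table 2 analysis. Machine attributes and the hypothetical rows are
constructed for illustration; they are not from the article.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class StopCategory(IntEnum):
    """Stop function categories per IEC 60204-1 / NFPA 79 / CSA C22.2 No. 301."""
    CAT_0 = 0  # immediate removal of power: uncontrolled stop ("pull the plug")
    CAT_1 = 1  # controlled stop, then removal of power
    CAT_2 = 2  # controlled stop, power left available to the actuators


@dataclass
class StopFunction:
    """One row of a start/stop analysis plus the risk-assessment facts needed to pick a category."""
    name: str
    start_conditions: List[str]
    stop_conditions: List[str]
    coasts_when_unpowered: bool = False      # significant inertia: would coast on power removal
    faster_stop_under_control: bool = False  # drive can brake faster than simply dropping power
    needs_power_to_hold_safe: bool = False   # device must stay energised to remain in a safe state
    vertical_axis: bool = False              # tooling could fall when power is removed
    mechanical_holding: bool = False         # brake or other hardware fitted to hold the axis
    emergency_stop: bool = False             # this stop function is the emergency stop


def select_stop_category(fn: StopFunction) -> StopCategory:
    """Answer the article's three questions, most restrictive condition first."""
    if fn.needs_power_to_hold_safe:                                 # question 3
        return StopCategory.CAT_2
    if fn.coasts_when_unpowered or fn.faster_stop_under_control:    # question 2
        return StopCategory.CAT_1
    return StopCategory.CAT_0                                       # question 1


def review_stop_function(fn: StopFunction, cat2_estop_permitted: bool = False
                         ) -> Tuple[StopCategory, List[str]]:
    """Select a category and list the findings the risk assessment must resolve.

    cat2_estop_permitted stays False for ISO 13850, IEC 60204-1 and NFPA 79; the
    article's selection section says CSA C22.2 No. 301 permits Category 2 e-stops.
    """
    cat = select_stop_category(fn)
    findings: List[str] = []
    if fn.emergency_stop and cat == StopCategory.CAT_2 and not cat2_estop_permitted:
        findings.append("Category 2 not permitted for emergency stop; device must be safe without power")
    if fn.vertical_axis and cat != StopCategory.CAT_2 and not fn.mechanical_holding:
        findings.append("vertical axis loses power at end of stop; add a brake or other holding means")
    if cat == StopCategory.CAT_2:
        findings.append("power remains on the actuators; risk assessment must cover powered hazards")
    return cat, findings


def review_analysis(functions: List[StopFunction], cat2_estop_permitted: bool = False
                    ) -> Dict[str, Tuple[StopCategory, List[str]]]:
    """Run the review over a whole start/stop analysis table."""
    return {fn.name: review_stop_function(fn, cat2_estop_permitted) for fn in functions}


# Constructed sample: Table 2 from the article, with machine attributes assumed for illustration.
SAMPLE_ANALYSIS = [
    StopFunction("Lubricant Pump", ["Lubricant Pump Start Button Pressed"],
                 ["Lubricant Pump Stop Button Pressed", "Low Lubricant Level in reservoir",
                  "High-pressure drop across lubricant filter"]),
    StopFunction("Main Spindle Motor", ["Start enabled and Start Button Pressed"],
                 ["Low Lubricant Pressure", "Stop button pressed"],
                 coasts_when_unpowered=True, faster_stop_under_control=True),
    StopFunction("Feed Advance motor", ["Feed Advance button pressed"],
                 ["Feed Stop button pressed", "Feed end of travel limit reached"]),
    # The e-stop covers all motions; the spindle coasts, so question 2 applies (assumed).
    StopFunction("Emergency Stop", [], ["All motions stop, lubricant pump remains running"],
                 coasts_when_unpowered=True, emergency_stop=True),
    # Hypothetical rows, not in the article: a powered clamp and an unbraked vertical axis.
    StopFunction("Tool clamp (hypothetical)", ["Clamp button pressed"], ["Emergency stop actuated"],
                 needs_power_to_hold_safe=True, emergency_stop=True),
    StopFunction("Z axis (hypothetical)", ["Jog up/down pressed"], ["Emergency stop actuated"],
                 coasts_when_unpowered=True, vertical_axis=True, emergency_stop=True),
]

if __name__ == "__main__":
    for name, (cat, findings) in review_analysis(SAMPLE_ANALYSIS).items():
        print(f"{name}: Category {int(cat)}" + "".join(f"\n  - {f}" for f in findings))
```

Running the same table with `cat2_estop_permitted=True` drops only the Category 2 e-stop finding; the powered-hazard finding stays, which is the point of the article’s warning about Category 2 stops.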

Control Reliability Requirements

Both ISO 13849-1 and IEC 62061 [8] base the initial requirements for reliability on the outcome of the risk assessment (PLr or SILr). If the stopping condition is part of normal operation, then simple circuit requirements (i.e. PLa, Category 1) are all that may be required. If the stopping condition is intended to be an Emergency Stop, then additional analysis is needed to determine exactly what may be required.

More Information

How have you typically implemented your stops and emergency stop systems?

Have you ever used the START/STOP analysis method?

I care about what you think as a reader, so please leave me comments and questions! If you would prefer to discuss your question privately, contact me directly.

Ed. Note: This article was updated 25-Aug-2017.

References

[1] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. CEN Standard EN 954-1. 1996.

[2] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. ISO Standard 13849-1. 2015.

[3] Safety of machinery — Emergency stop function — Principles for design. ISO Standard 13850. 2015.

[4] Electrical Equipment of Industrial Machines. IEC Standard 60204-1. 2009.

[5] Electrical Standard for Industrial Machinery. ANSI/NFPA Standard 79. 2015.

[6] Safeguarding of Machinery. CSA Standard Z432. 2016.

[7] Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.

[8] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

[9] Industrial electrical machinery. CSA Standard C22.2 No. 301. 2016.

[10] Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots. ISO Standard 10218-1. 2011.

Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity.

  • controlsgirl

    Another great discussion! I stumbled upon this because many servos include the STO function. I looked in the manual of the product that I am working with on this particular product and the manual claims the STO function to be compliant with a safe stop 0. However, every time I see a servo with STO capability implemented, there is still a contactor killing the line feed into the servo that is driven by the same conditions as the STO signals. It seems as if STO would replace the need to use a contactor to break the feed coming into the servo. Am I incorrect? Are there still advantages to opening up the line connection with a contactor in addition to using STO? If it is redundant, are you aware of any manufacturing plants that still require both?

    • Interesting question. I’m actually planning an article on this topic right now, but I’ve got a couple of additional pieces to finish out the 13849 series first.

      If the drive has STO, it will already have the capability to provide a reliable zero-torque condition to the motor. If you look at the specs for the drive you will find that the STO function will normally have a PL or SIL rating, or a PFHd given. If the STO function is rated as PLe, for example, there is no need for an additional line contactor upstream of the drive unless the drive installation calls for one.

      “Safe-off”, “safe-stop” and similar terms are used by drive manufacturers but are not reflected in the technical standards for these products, and so don’t have a standardised technical definition.

      This question is complex enough that I can’t fully address it here, but I will try to hit the whole topic in the article when I publish it.

      Thanks for your continued interest!

      • Further to this comment, watch the blog on 3-Jul-17 for the article on STO, SS1, SS2 and SOS functions for motor drives!

  • T-mac

    Am I allowed to wire coded magnetic switches or keyed interlock switches in series with an E-stop or will I need to use 2 separate safety relays?
    Just found your site, thanks for taking the time to inform us, greatly appreciated.

    • T-mac,

      It’s not so much a case of “allowed to” wire them in series or not. Let me explain.

      Best practice is to separate the e-stop function and the safeguarding functions. This is done for a few reasons:

      1) Emergency Stop controls are considered to be “complementary protective measures”, not safeguards. They are manually activated, and should normally be infrequently used. This is because they are used to back up the primary safeguards, like interlocked guards, or safeguarding devices. As backup devices, they typically require a lower level of reliability than the primary safeguards. ISO 13850, which defines emergency stop functions, requires a minimum performance level of PLc for these systems; however, higher performance levels may be required based on the risk assessment.

      2) Safeguards are required to act automatically, without the user being aware of the operation of the function. The reliability of the safety function is driven directly by the risk assessment. On most industrial machinery, these systems require PLc, PLd, or PLe.

      3) Recovery from an emergency stop condition, and recovery from a safeguarding condition are often quite different. Depending on what kind of emergency stop function is selected (IEC 60204-1/NFPA 79 Category 0 or 1), the effects on the machine can be quite severe, and recovery can be complex. Safeguarding conditions commonly use Category 1 or 2 stop functions, which are more controlled and generally don’t leave the machine badly disordered. Recovery is normally simpler. Since safeguarding conditions are more common as operators open doors/gates or break light curtain fields, the machine reactions usually need to be different from what happens in an emergency situation.

      Daisy-chaining devices, whether it’s e-stop buttons, interlock switches, or something else, can create fault-masking conditions, where a failure can occur in one device in the chain, but the fault is masked by the operation of another device in the chain. This can be a serious problem, since ISO 13849-1 requires that systems with Category 3 or 4 architectures detect faults either as they occur, or on the next demand on the safety function. Masked faults may be detected, and this leads to failure modes that are not permitted, nor are they what you want in your control system.

      Where you have e-stop devices or interlocks that are infrequently used, they may not be tested frequently enough to meet the testing requirements of the architecture you’ve selected, and this may lead to masked faults as well.

      So, in general, combining emergency stop functions with safeguarding functions is considered bad practice, even though it is still often done. I would recommend separating the functions for all of the reasons given, and I would also recommend against daisy chaining input devices to a single safety relay.

      • T-mac

        I would generally separate them as I have always done in the past.
        This application is installing coded mag switches on new guarding. There is a PILZ safety PLC installed on the machine and my request to purchase the PLC software (along with the new PSR after modifying the program) was declined.
        The switches are rated to be used cat 4 and there is a monthly procedure where the operators test the E-stops, and interlocks on the equipment.
        The existing guarding is done by light curtains that bring the machine to a “cycle stop” so as not to destroy the product and make for a longer restart/set up.
        The new guarding is at a much closer proximity to the actual hazard and I need the machine to stop immediately.
        Although not ideal, wiring in series would still be accepted in this scenario?

        • T-mac,

          If the new guarding is close to the tooling, the first thing I would suggest is a stop time test. You need to know if the guarding is within the minimum safety distance. You use the same calculation as used for a light curtain, Ds=KxT, K=1600 mm/s or 63 in/s. T is the stopping time in seconds. Since you mention that the machine is already using stop category 1, the stopping time may be quite long.

          If the guards are too close to the hazards to meet this safety distance, then you will need to implement guard locking. This can be combined with a “request to enter” function, or can simply be held locked until the machine is stopped, either at the end of a cycle, or until the machine is switched out of automatic mode and into manual mode. There are tons of options in how to do this.

          WRT your comments about the interlock switches being Category 4, all this tells you is that the switch/controller combination uses Category 4 architecture. There will be a PL associated with this – have a look at the data sheet. This information is used in assessing the safety system PL. The two pieces of information are important. You may also find an MTTFd spec, and this is also important, but less so than the PL initially.

          • T-mac

            Machine stopping via the current estop is instant, no coasting, no reversing by tension upon the material.
            This “new” pinch point is a roller that was previously missed and now being addressed.
            The hinged guards that are now on that roller(s) are roughly 3.5″ away. The door has to be swung out when opened which adds a little more distance when accessing.
            I should have given more info about the application in my first question, sorry.

          • T-mac,

            Thanks for the additional information. Unfortunately, no machinery stops instantaneously, since that would require infinite negative acceleration. Even if the stopping time is very short, let’s say 100 ms for argument’s sake, the safety distance is Ds=63″/s * 0.100 s = 6.3″. To make the 3.5″ distance work the stopping time would have to be 3.5/63=0.055 s. So, thing 1: Stop Time Test. Without this you cannot say that the interlocked door will provide the protection required. If you can’t do the test for any reason, then go to interlocked doors with guard locking. You will need a zero-speed detection system so that the lock cannot be released until the web/roller speed = zero.

            WRT the opening of the guard and the additional distance that you would like to claim, unless the interlock is activated before a gap appears between the door and the frame, you really can’t make this claim. You need to measure the gap between the edge of the door and the frame at the point where the interlock activates, and then apply the openings table in ANSI B11.19, or ISO 13857, or CSA Z432 to determine the safety distance related to the gap.

            So, there are TWO distance requirements: 1) the gap between door and frame when the interlock is activated, and 2) based on the stopping time.

            Guard locking eliminates both of these considerations, since the guard cannot be opened when the hazard exists.

            Hope that helps!

          • T-mac

            Helps a lot.
            I always install my switches as close to tripping as possible without nuisance tripping.
            It might take a little trial and error during installation but I think it’s worth it later.

          • controlsgirl

            Great question and great answers so far. I had to dig to answer this question myself some years ago. Correct me if I am wrong. If I remember right, by daisy chaining you only get to cat3, or perhaps pl d. Doug mentions fault masking. I believe that when daisy chained you lose your exclusive diagnostics for each device. One device could be jumpered or shorted and the circuit would not diagnose this when another estop is pressed, released, and the system is reset. I believe this is an example of the defining difference between the last two levels. I also believe this example is an example that Doug mentions in one of his posts about how a device can be advertised as cat4 and misleading because the circuit is not designed to cat 4. The manufacturers are simply stating that the device has what is needed to be designed into a cat 4 circuit.

          • Hey, controlsgirl! You are essentially correct about fault masking. There is an ISO Technical Report that discusses this issue, ISO/TR 24119, https://www.iso.org/standard/63160.html, which is relevant to this discussion. Schmersal also publishes a free white paper on this topic, http://www.schmersalusa.com/cms17/opencms/html/en/service/contributions.html?id=28, which you may find interesting.

            In ISO/TR 24119 there is a table that shows the reduction in PL that occurs depending on the number of daisy-chained devices and the frequency of use of the devices. Loss of Diagnostic Coverage due to fault masking results in a reduction of PL. It’s possible to go from PLe to PLc if you have enough devices daisy-chained. Hmmmm, I think I feel another article coming on… 😉

            BTW, this is not a case of manufacturers misleading users, but rather one of misapplication of a device. Keep in mind that a “safety relay” or other similar devices can be assessed under ISO 13849 or IEC 62061 and provided with a PL or SIL. That allows the designer to treat that device as a black-box with defined reliability characteristics. The problem comes when someone wants to assume that they will achieve a certain degree of reliability simply because they used a certain component. It just doesn’t work that way.

  • gina

    For roll forming machines, our company determined with a risk assessment, that the rollers need to retract upon hitting the e-stop button. Unfortunately, that does not meet the NFPA79 E-stop categories. Do you know of a code provision for this scenario?

    • Gina,

      Good question. NFPA 79 offers two options for e-stop functions: Category 0, which immediately removes power from the hazardous motions (similar to “pulling the plug”), and Category 1, which allows for a graceful stop under control, followed by removal of power.

      If the best way to minimize the risk is to lift the forming rollers, then this is the necessary approach. In my opinion, this falls under Category 1 stop functions, since motion is permitted for a brief time after the e-stop device is activated. The key to this is the pneumatics appropriately so that the rollers won’t fall or drift when the Category 0 stop occurs. The other key part of this is selecting and setting up the motor drive so that the drive stops as quickly as possible before going to a zero energy state. You will need a drive with Safe Torque Off, or equivalent.

      If you need additional help with this, I would be happy to discuss it with you offline. 🙂

      • gina

        Thank you for the reply, that is what I was thinking as well. Additionally, we found ANSI B11.12 E6.5 that allows for the rolls to raise/open on pressing e-stop. They are calling it a category 1 e-stop also. Thanks again!

        • You’re welcome! Sorry I didn’t think about B11.12 – I guess I assumed you were already using that in your design.

          Let me know if there is anything else I can help you with!

  • Andrew, you need to have a look at a safety relay catalog from any of the big manufacturers, Rockwell/Allen-Bradley, ABB/Jokab, Pilz, Telemecanique/Square-D, Schmersal, OMRON/STI, Pizzato, etc. All of them have suggested schematic diagrams in the catalogs. All modern safety relay products provide the required test frequency for automatic testing if they are correctly implemented in the system design. That does not remove your responsibility as a designer to mitigate the undetectable dangerous faults to those with an MTTFd < 30 a (for PLc applications, lower for lower Performance Levels).

    There is more to this than just a schematic.

  • andrew

    of how to go about doing it?

  • andrew

    i need a diagram

  • Hi Doug,

    Again a great read!
    Although I am normally involved in designing “incomplete Machines” according to the European Machine Directive (2006/42), this topic is also important for me to understand fully. More and more I see that knowledge of these kinds of topics greatly adds to the value you can supply your customers with. There is a fine balance between designing an “incomplete machine” and delivering a solution the customer can actually use to build a safe complete machine and understands what the limitations and benefits are. Thanks again.

    • Wouter,

      Thanks for the kind words. As I’m sure you know, the only real difference between complete machines and incomplete machines is installation instructions that detail the residual risks that the user must safeguard once the product is integrated into the final machinery or installation. The need for emergency stop is determined in exactly the same way. One major myth that I run into here in Canada is “All machines must have an emergency stop”. This is incorrect. If an emergency stop will not improve the likelihood of avoiding harm or reduce the severity of injury, then there is no benefit to having one. Selection of the right category of stop is equally important, since many motor driven loads that use a VFD, servo or stepper drive can be stopped more quickly under control than by simply dropping power.

      Thanks again for your comments!