Emergency Stop Categories

This entry is part 5 of 13 in the series Emergency Stop

I’ve noticed a lot of people looking for information on Emergency Stop categories recently; this article is aimed at those readers who want to understand this topic in more depth. First, a clarification: Emergency stop categories DO NOT EXIST, but stop categories do. A stop category is a description of a control function — what the control does — and not the architecture of the system that provides the function. Stop categories are often confused with circuit or system architecture categories from EN 954-1 [1] and ISO 13849-1 [2]. The confusion between these two sets of Categories often leads to incorrect assumptions about the application of these requirements.

“Emergency stop” is a description of a control function, with the added “emergency” telling you WHEN this stop function is intended to be used — only during an emergency situation. A “cycle stop” is also a functional description that tells the user WHAT the stop function does. Both the emergency stop function and the cycle stop function use the SAME stop categories, with some limitations on the emergency stop function. More about that later in this article.

Stop Categories

The stop categories discussed here are not exclusive to emergency stop functions. They are STOP functions and may be used for normal stopping functions as well as the Emergency Stop function.

Stop categories and functional safety system architecture categories are not the same, and there are significant differences that need to be understood by control system designers. I’m going to sling a number of standards at you in this post, and I will provide references at the end if you want to dig deeper.

Functional safety architectural categories are defined and described in ISO 13849-1, and I’ve written quite a bit on these in the past. If you want to know more about Categories B, 1-4, check out this series of posts on ISO 13849-1 Categories.

Originating Standards

There are three standards that define the requirements for stop categories, and thankfully they are fairly closely harmonised, meaning that the definitions for the categories are essentially the same in each document. They are:

  • ISO 13850, Safety of machinery — Emergency stop function — Principles for design [3]
  • IEC 60204-1, Safety of machinery — Electrical equipment of machines — Part 1: General requirements (aka EN 60204-1) [4]
  • NFPA 79, Electrical Standard for Industrial Machinery [5]

A new Canadian standard was added in 2016, CSA C22.2 No. 301 [9]. This standard draws heavily on a number of standards for core material, including IEC 60204-1 and NFPA 79. No. 301 uses identical definitions for stop function categories.

Stop Category Definitions

The stop categories are broken down into three general groups in [4], [5], and [9]:

  • Category 0 — Equivalent to pulling the plug;
  • Category 1 — Bring things to a graceful stop, then pull the plug; and
  • Category 2 — Bring things to a stop and hold them there under power.

Let’s look at the definitions in more detail. For comparison, I’m going to show the definitions from the standards side-by-side.

Table 1
Comparison of Stop Categories

Category 0
IEC 60204-1: stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop – see 3.56);
NFPA 79: is an uncontrolled stop by immediately removing power to the machine actuators.
CSA C22.2 No. 301: stopping by immediate removal of power to the machine actuators (i.e., an uncontrolled stop);

Category 1
IEC 60204-1: a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;
NFPA 79: is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.
CSA C22.2 No. 301: a controlled stop with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;

Category 2
IEC 60204-1: a controlled stop with power left available to the machine actuators.
NFPA 79: is a controlled stop with power left available to the machine actuators.
CSA C22.2 No. 301: a controlled stop with power left available to the machine actuators.

Definitions from IEC 60204-1:

3.11 controlled stop
stopping of machine motion with electrical power to the machine actuators maintained during the stopping process

3.56 uncontrolled stop
stopping of machine motion by removing electrical power to the machine actuators
NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.

As you can see, the Stop Category descriptions are virtually identical, with the primary difference being the use of the definitions in the IEC standard instead of including that information in the description as in the NFPA standard.
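To make the three definitions concrete, here is an added simulation (not code from the original article or from any of the standards) that runs each stop category against the same single-axis model. The axis model itself, with its initial speed, friction-only coasting deceleration and drive-commanded deceleration, is a constructed assumption; what it shows is the behaviour the definitions describe: Category 0 removes power at once and coasts on friction, Category 1 decelerates under power and then removes it, and Category 2 decelerates under power and leaves power available.

```python
"""Simulation of IEC 60204-1 stop categories on a one-axis model.

Added illustration; not code from the original article or any standard.
The axis model (initial speed, friction-only coasting deceleration and
drive-commanded deceleration) is a constructed assumption used to show
how Category 0, 1 and 2 stops differ in stopping time and in whether
power is left available to the actuator once motion has ceased.
"""
from dataclasses import dataclass


@dataclass
class Axis:
    speed: float        # current speed, constructed units (e.g. rad/s)
    coast_decel: float  # deceleration from friction alone once power is removed
    ctrl_decel: float   # deceleration the drive can command while power is available
    powered: bool = True


@dataclass
class StopResult:
    category: int
    stop_time: float    # seconds until motion ceased (rounded to the step size)
    power_at_end: bool  # True if power is still available to the actuator


def simulate_stop(axis: Axis, category: int, dt: float = 0.01,
                  max_time: float = 600.0) -> StopResult:
    """Run one stop of the given category until the axis is at rest.

    Category 0: power removed immediately; the axis coasts on friction
                (uncontrolled stop, IEC 60204-1 3.56).
    Category 1: controlled deceleration with power available, then power
                removed once the stop is achieved.
    Category 2: controlled deceleration; power is left available.
    """
    if category not in (0, 1, 2):
        raise ValueError(f"unknown stop category {category}")
    if category == 0:
        axis.powered = False          # "pulling the plug": uncontrolled stop
    steps = 0
    while axis.speed > 1e-6:
        if steps * dt >= max_time:
            raise RuntimeError("axis did not come to rest within max_time")
        decel = axis.ctrl_decel if axis.powered else axis.coast_decel
        axis.speed = max(0.0, axis.speed - decel * dt)
        steps += 1
    if category == 1:
        axis.powered = False          # stop achieved, now remove power
    return StopResult(category, round(steps * dt, 2), axis.powered)


def compare_categories(speed: float, coast_decel: float, ctrl_decel: float) -> list:
    """Run all three categories from the same initial state and return the results."""
    return [simulate_stop(Axis(speed, coast_decel, ctrl_decel), c) for c in (0, 1, 2)]


if __name__ == "__main__":
    # Constructed example: a spindle that coasts for a long time on friction
    # but can be braked electrically at 25x the friction-only rate.
    for r in compare_categories(speed=100.0, coast_decel=2.0, ctrl_decel=50.0):
        state = "still available" if r.power_at_end else "removed"
        print(f"Category {r.category}: stopped after {r.stop_time:.2f} s, power {state}")
```

With these constructed numbers the Category 0 stop coasts for 50 s while Categories 1 and 2 both stop in 2 s; the only difference between the last two is whether power remains on the actuator afterwards, which is exactly the distinction the definitions draw.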

Minimum Requirements

[4], [5], and [9] require that all machines have at least a Category 0 stop. This could be achieved by switching off (i.e., by using the disconnecting means to switch off power, for example), by physically “pulling the plug” from the power supply socket on the wall, through a ‘master control relay’ circuit, or through an emergency stop circuit. Note that this does not require that all machines have an e-stop! The need for an emergency stop function is determined in two ways:

  1. Existence of a Type-C (i.e., machine specific) technical standard that requires that type of machinery to have an emergency stop function, or
  2. through the risk assessment, based on the potential to avoid or limit harm.

If these goals cannot be achieved through an emergency stop function, there is no requirement to have one. I have yet to read legislation (not standards) in any jurisdiction that states that all machines must have an e-stop. Certain classes of machines may have this requirement, normally defined in the relevant type-C machinery standard, e.g., ISO 10218-1 [10] for industrial robots.

ISO 13850 limits the selection of stop category to Category 0 or 1 and excludes Category 2. This exclusion can be found in NFPA 79, IEC 60204-1, and CSA C22.2 No. 301 as well. Category 2 may only be used for operational or “normal” stopping functions.

To learn more about how to determine the need for an emergency stop, see “Emergency Stop – What’s so confusing about that?”

Selecting a Stop Function

How do you decide on what stop category to use? First, a risk assessment is required. Second, a start/stop analysis should be conducted. More on this topic a bit later.

Once the risk assessment is complete, ask these questions:

1) Will the machinery stop safely using an uncontrolled stop?

If the machinery does not have a significant amount of inertia, meaning it won’t coast more than a very short time, then a Category 0 stop may be all that is required.

2) If the machinery can coast when power is removed, or if the machinery can be stopped more quickly under control than when power is simply removed, then a Category 1 stop is likely the best choice, even if the power-off coasting time is fairly short.

Vertical axes that may collapse when power is removed will likely need additional mechanical hardware to prevent the tooling from falling during an emergency stop condition. This could be a mechanical brake or other means that will prevent the tooling from falling unexpectedly.

3) If the machinery includes devices that require power to keep them in a safe state, then a Category 2 stop is likely the best choice.

If you choose to use a Category 2 stop, be aware that leaving power on the machinery leaves the user open to hazards related to having power on the machinery. Careful risk assessment is required in these cases especially.

Category 2 stops are not permitted for emergency stop functions, although you may use them for normal stop functions. ISO 13850, IEC 60204-1, and NFPA 79 explicitly limit emergency stop functions to Categories 0 and 1. CSA C22.2 No. 301 permits the use of Category 2 stop functions for emergency stopping.

Risk Assessment and Stop/Start Analysis

Risk assessment is critical to the specification of all safety-related functions. While emergency stop is not a safeguard, it is considered to be a ‘complementary protective measure’ [6, 6.2.3.5.3], [7, 3.19, 6.3]. Understanding the hazards that need to be controlled and the degree of risk related to the hazards is basic design information that will provide specific direction on the stop category required and the degree of control reliability necessary to provide the expected risk reduction.

Stop/Start Analysis is quite simple, originating in ISO 12100. It amounts to considering all of the intended stop/start conditions for the machinery and then including conditions that may result from reasonably foreseeable failure modes of the machinery and foreseeable misuses of the machinery. Create a table with three columns as a starting point, similar to Table 2.

Table 2
Example Start/Stop Analysis

Description: Lubricant Pump
Start Condition: Lubricant Pump Start Button Pressed
Stop Conditions: Lubricant Pump Stop Button Pressed; Low Lubricant Level in reservoir; High-pressure drop across lubricant filter

Description: Main Spindle Motor
Start Condition: Start enabled and Start Button Pressed
Stop Conditions: Low Lubricant Pressure; Stop button pressed

Description: Feed Advance motor
Start Condition: Feed Advance button pressed
Stop Conditions: Feed Stop button pressed; Feed end of travel limit reached

Description: Emergency Stop
Stop Condition: All motions stop, lubricant pump remains running

The above table is simply an example of what a start/stop analysis might look like. You can have as much detail as you like.
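The three selection questions above and the start/stop table lend themselves to a machine-checkable form. The following is an added example, not code from the original article or from any standard: it encodes the three questions as a selection function, applies the ISO 13850 / IEC 60204-1 / NFPA 79 rule that an emergency stop function may only be Category 0 or 1, and runs both over a start/stop table. The table rows are constructed sample data modelled on Table 2; the physical properties attached to each function (whether it coasts, whether it needs power to stay safe) and the added vertical axis row are assumptions made for the illustration.

```python
"""Stop category selection and start/stop analysis check.

Added illustration; not code from the original article or from any
standard. The selection order follows the article's three questions.
The machine functions, their start/stop conditions and their physical
properties are constructed sample data modelled on the article's Table 2.
"""
from dataclasses import dataclass, field


def select_stop_category(coasts: bool, faster_under_control: bool,
                         needs_power_for_safe_state: bool) -> int:
    """Apply the article's three questions, most demanding case first.

    3) devices need power to stay in a safe state      -> Category 2
    2) axis coasts, or stops faster under control       -> Category 1
    1) otherwise an uncontrolled stop is safe           -> Category 0
    """
    if needs_power_for_safe_state:
        return 2
    if coasts or faster_under_control:
        return 1
    return 0


def emergency_stop_category_permitted(category: int) -> bool:
    """True if `category` may be used for an EMERGENCY stop function.

    ISO 13850, IEC 60204-1 and NFPA 79 limit emergency stop to
    Categories 0 and 1; Category 2 is for normal stop functions only.
    """
    return category in (0, 1)


@dataclass
class MachineFunction:
    name: str
    start_conditions: list = field(default_factory=list)
    stop_conditions: list = field(default_factory=list)
    coasts: bool = False
    faster_under_control: bool = False
    needs_power_for_safe_state: bool = False
    stops_on_estop: bool = True   # False for functions kept running on e-stop


def analyse(functions: list) -> dict:
    """Assign a stop category to each function and flag analysis problems.

    Returns {name: {"category": int, "issues": [str, ...]}}.
    """
    report = {}
    for f in functions:
        issues = []
        if not f.start_conditions:
            issues.append("no start condition listed")
        if not f.stop_conditions:
            issues.append("no stop condition listed")
        cat = select_stop_category(f.coasts, f.faster_under_control,
                                   f.needs_power_for_safe_state)
        # A function that the emergency stop must bring to rest may not rely
        # on a Category 2 stop; the designer has to revisit the selection.
        if f.stops_on_estop and not emergency_stop_category_permitted(cat):
            issues.append(f"Category {cat} not permitted for an emergency stop "
                          "function (ISO 13850, IEC 60204-1, NFPA 79)")
        report[f.name] = {"category": cat, "issues": issues}
    return report


# Constructed sample modelled on Table 2; physical properties are assumed.
SAMPLE = [
    MachineFunction("Lubricant Pump",
                    ["Lubricant Pump Start Button Pressed"],
                    ["Lubricant Pump Stop Button Pressed",
                     "Low Lubricant Level in reservoir",
                     "High-pressure drop across lubricant filter"],
                    stops_on_estop=False),
    MachineFunction("Main Spindle Motor",
                    ["Start enabled and Start Button Pressed"],
                    ["Low Lubricant Pressure", "Stop button pressed"],
                    coasts=True, faster_under_control=True),
    MachineFunction("Feed Advance Motor",
                    ["Feed Advance button pressed"],
                    ["Feed Stop button pressed", "Feed end of travel limit reached"]),
    # Assumed extra row: a vertical axis whose holding brake is power-to-hold.
    MachineFunction("Vertical Tool Axis (assumed)",
                    ["Axis jog button pressed"], ["Axis stop button pressed"],
                    needs_power_for_safe_state=True),
]

if __name__ == "__main__":
    for name, entry in analyse(SAMPLE).items():
        flag = "; ".join(entry["issues"]) or "ok"
        print(f"{name}: Category {entry['category']} ({flag})")
```

The vertical axis row is the interesting case: the questions steer it to Category 2 because it needs power to hold position, but because it must also stop on e-stop the check flags it, which is the point at which the article's advice about additional mechanical hardware, such as a brake, comes in.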

Control Reliability Requirements

Both ISO 13849-1 and IEC 62061 [8] base the initial requirements for reliability on the outcome of the risk assessment (PLr or SILr). If the stopping condition is part of normal operation, then simple circuit requirements (i.e. PLa, Category 1) are all that may be required. If the stopping condition is intended to be an Emergency Stop, then additional analysis is needed to determine exactly what may be required.

More Information

How have you typically implemented your stops and emergency stop systems?

Have you ever used the START/STOP analysis method?

I care about what you think as a reader, so please leave me comments and questions! If you would prefer to discuss your question privately, contact me directly.

Ed. Note: This article was updated 15-Jan-2018.

References

[1] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. CEN Standard EN 954-1. 1996.

[2] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. ISO Standard 13849-1. 2015.

[3] Safety of machinery — Emergency stop function — Principles for design. ISO Standard 13850. 2015.

[4] Electrical Equipment of Industrial Machines. IEC Standard 60204-1. 2009.

[5] Electrical Standard for Industrial Machinery. ANSI/NFPA Standard 79. 2015.

[6] Safeguarding of Machinery. CSA Standard Z432. 2016.

[7] Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.

[8] Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

[9] Industrial electrical machinery. CSA Standard C22.2 No. 301. 2016.

[10] Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots. ISO Standard 10218-1. 2011.

Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.