Reader Question: Multiple E-​Stops and Resets

This entry is part 7 of 13 in the series Emergency Stop

Control Panel with Emergency Stop Button.I had an inter­est­ing ques­tion come in from a read­er today that is rel­ev­ant to many situations:

When you have mul­tiple E-​Stop but­tons I have often got­ten into an argu­ment that says you can have a reset beside each one. I was taught that you were required to have a single point of reset. Who is correct?”

— Michael Barb, Sr. Electrical Engineer

The Short Answer

There is noth­ing in the EU, US or Canadian reg­u­la­tions that would for­bid hav­ing mul­tiple reset but­tons. However, you must under­stand the over­lap­ping require­ments for emer­gency stop and pre­ven­tion of unex­pec­ted start-up.

The Long Answer:

First I need to define two dif­fer­ent types of reset for clarity:

  1. Emergency Stop Device Reset: Each e-​stop device, i.e. but­ton, pull cord, foot switch, etc., is required to latch in the activ­ated state and must be indi­vidu­ally reset. Resetting the e-​stop device is NOT per­mit­ted to re-​start the machinery, only to per­mit restart­ing. (NFPA 79, CSA Z432, ISO 14118).
  2. Restarting the machine is a sep­ar­ate delib­er­ate action from reset­ting the emer­gency stop device(s).

ANSI B11-​2008 provides some dir­ect guid­ance on this topic:

7.2.2 Zones

A machine or an assembly of machines may be divided into sev­er­al con­trol zones (e.g., for emer­gency stop­ping, stop­ping as a res­ult of safe­guard­ing devices, start-​up, isol­a­tion or energy dis­sip­a­tion). The machine and con­trols in dif­fer­ent zones shall be defined and iden­ti­fied. Controls for machines in zones can be loc­al for each machine, across sev­er­al machines in a zone, or glob­ally for machines across zones. The con­trol require­ments shall be based on the oper­a­tion­al require­ments and on the risk assessment.The inter­faces between zones, includ­ing syn­chron­iz­a­tion and inde­pend­ent oper­a­tion, shall be designed such that no func­tion in one zone cre­ates a hazard(s) /​ haz­ard­ous situ­ation in anoth­er zone.

CSA Z432-​04 has sim­il­ar wording:

6.2.1.8.4

When zones can be determ­ined, their delim­it­a­tions shall be evid­ent (includ­ing the effect of the asso­ci­ated emer­gency stop device). This shall also apply to the effect of isol­a­tion and energy dissipation.

Let’s take a case with a single e-​stop but­ton first. The same require­ments apply for all e-​stop devices. The require­ments include:

  1. Button must be in ‘easy-​reach’ of the nor­mal oper­at­or pos­i­tion. I con­sider ‘easy-​reach’ to be the range I can touch while sit­ting or stand­ing at the nor­mal oper­at­or pos­i­tion. This pos­i­tion is not neces­sar­ily in front of the con­trol pan­el. This is the pos­i­tion where the oper­at­or is expec­ted to be while car­ry­ing out the tasks expec­ted of them when the machine is oper­at­ing. This is the require­ment that drives hav­ing mul­tiple but­tons in most cases.
  2. E-​stop devices can­not be loc­ated so that the oper­at­or must reach over or past a haz­ard to activ­ate them.
  3. The but­ton must latch in the oper­ated position.
  4. The but­ton must be robust enough to handle the mech­an­ic­al and elec­tric­al stresses that will be placed on it when used. i.e. rugged but­tons are required.
  5. When the e-​stop device is reset – i.e returned to the ‘RUN’ pos­i­tion – the machine is NOT per­mit­ted to restart. It is only PERMITTED to restart. It must be restar­ted through anoth­er delib­er­ate action, like press­ing a ‘Power On’ button.

So what do you do with the ‘POWER ON’ or safety cir­cuit reset but­ton? The first ques­tion to ask is: ‘What hap­pens when I reset this cir­cuit, apply­ing power to the con­trol circuits?”

Case A: If it is impossible to see the entire machine from the loc­a­tion of the reset but­ton, then I would recom­mend a single reset but­ton loc­ated at the HMI or main con­sole. The oper­at­or must check to make sure the machine is clear before re-​applying power. Where the machine is too big to be com­pletely vis­ible from the main oper­at­or con­sole, then I would also recommend:

  • warn­ing horn, 
  • warn­ing lights, and 
  • a start-​up delay that is long enough to allow a per­son to get clear of the machine before it starts moving.

Case B: If the machine is simply ‘enabled’ at this point, but no motion occurs, then mul­tiple ‘reset’ or ‘power on’ but­tons may be accept­able, depend­ing on the out­come of the risk assess­ment and start/​stop ana­lys­is. Having said that, the oper­at­or will likely have to return to a main con­sole to reset the machine and restart oper­a­tion, and chances are there is only one HMI screen on the machine, so there may not be any advant­age to hav­ing mul­tiple reset buttons.

I would recom­mend doing two things to get a good handle on this: Conduct a detailed risk assess­ment and include all nor­mal oper­a­tions and all main­ten­ance oper­a­tions. Then con­duct a start/​stop ana­lys­is to look at all of the start­ing and stop­ping con­di­tions that you can reas­on­ably fore­see. Combine the res­ults of these two ana­lyses to find the start­ing and stop­ping con­di­tions with the highest risk, and then determ­ine if hav­ing mul­tiple reset but­tons will con­trib­ute to the risk or not. You may also want to look at the con­trol reli­ab­il­ity require­ments for the emer­gency stop sys­tem based on the out­come of the risk assess­ment and the start/​stop analysis.

In a case where there are mul­tiple emer­gency stop devices, loc­a­tions are import­ant. There must be one at each nor­mal work­sta­tion to meet the reg­u­lat­ory require­ments in most jur­is­dic­tions, and with­in ‘easy reach’. You may also want some inside the machine if it is pos­sible to gain full body access inside the machinery. i.e. inside a robot work cell. Make sure that the but­tons or oth­er devices are loc­ated so that a per­son exposed to the hazard(s) inside the machine is not required to reach over or past the haz­ard to get to the button.

Michael, I hope that settles the argument!

Series NavigationUsing E-​​Stops in Lockout ProceduresUpdates to Popular Articles

Author: Doug Nix

+DougNix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. Follow me on Academia.edu//a.academia-assets.com/javascripts/social.js

  • Anthony,
    I decided to revise Case A after I read your com­ment because I real­ized that it was a bad example, and spe­cific­ally non-​compliant with the require­ments. I hope you can agree with the new version! 🙂

  • As far as Canadian reg’s go, case ‘A’ should not hap­pen. An e-​stop reset shall not ini­ti­ate motion. If I were to per­form a PHSR on a machine that fell into Case ‘A’, I would have to report a non-compliance.

    Any con­trol sys­tem I have designed myself only re-​homed it’s ser­vos on the press of the machine start but­ton, or sep­ar­ate manu­al mode con­trols on the HMI.

    Regarding mul­tiple e-​stops, what the CSA Z432 7.17.1.2 actu­ally says is any con­trol sta­tion that can cause motion must have a manu­ally ini­ti­ate e-​stop device.

    • Anthony,
      Thanks for your com­ment! I really appre­ci­ate hear­ing from my readers!

      I agree with you, and I would report a non-​compliance with Reg 851 and CSA Z432 as well. Unfortunately, I have seen machines where this was the case, and since the read­er did not tell me where he was loc­ated geo­graph­ic­ally or give me any spe­cif­ic machinery details to work with I could not be more spe­cif­ic. I did spe­cific­ally state that reset­ting of the e-​stop sys­tem may only PERMIT restart of the machine and is not allowed to actu­ally cause restarting.

      I agree with your ref­er­ence to Z432 and Clause 7.17, how­ever I don’t think it goes far enough, par­tic­u­larly in light of Reg 851 Clause 27(b), that requires that an e-​stop device be with­in easy reach of the oper­at­or. Limiting install­a­tion to work­sta­tions with con­trols that can start motion MAY not be enough. Consider a con­vey­or sys­tem that may have the start/​stop con­trols loc­ated at one end and a manu­al unload­ing sta­tion at the oppos­ite end. There are no con­trols at the unload sta­tion that can cause motion, but loc­at­ing an e-​stop there is sens­ible and required by Clause 27(b), as well as Z432 and ASME B20.1.

      My con­trol sys­tem designs have had sim­il­ar func­tion­al­ity to yours. I nor­mally require a) the e-​stop device to be reset, b) the emer­gency stop sys­tem to be reset (this usu­ally re-​applies power to the con­trol sys­tem), and then c) the pro­cess can be reset /​ homed /​ whatever in order to pre­pare for restart­ing the oper­a­tion of the machine.