ESA Manufacturer Registration in Ontario, Canada

Do you make electrical products sold in Ontario, Canada? Are you aware of the need to register your company with the Electrical Safety Authority (ESA) in order to sell your products legally? If not, spend some time and catch up on the new ESA Manufacturer’s Registry!

This story updated 4-Feb-2014.

Since February 17th, 2009, there has been an interesting discussion thread on the PSES’s EMC-PSTC list on the new Manufacturer’s Registry in the Province of Ontario, Canada. Since there was so much interest, I decided to try to summarize things here.

Background

Ontario is the second oldest and the most populous Province in Canada, with 12,160,282 people as of the 2006 census. Canada has 10 Provinces and three Territories. Ontario is Canada’s manufacturing heartland and is often a leader in new legislation.

ESA, or the Electrical Safety Authority as they are more properly known, is the Authority Having Jurisdiction (AHJ) in the Province of Ontario, Canada. This means that they are authorized by the Government of Ontario to regulate electrical safety in the Province. ESA was formerly the inspection arm of Ontario Hydro, a crown corporation dissolved in 1998. ESA provides building and equipment electrical inspection services to the public and industry in the Province, and publishes the Ontario Electrical Code. The Code is adapted directly from CSA’s Canadian Electrical Code – Part 1 (CSA C22.1), with Provincial deviations.

On 1-Aug-07, the Ministry of Small Business and Consumer Services filed Ontario Regulation 438/07, Product Safety. This new regulation enables the Electrical Safety Authority to regulate the safety of electrical products and equipment sold and used in Ontario.

The regulation was phased in to ensure that ESA and stakeholders had enough time to develop technical guidance to support the regulation.

  • On 1-Oct-07 the sections of the regulation that govern approval of electrical products (currently contained in the Ontario Electrical Safety Code) and that allow notice to be given to the public of unsafe electrical products came into effect.
  • On 1-Jan-08 other sections relating to ESA’s investigative and order-making powers came into effect.
  • On 1-Jul-08 sections of the regulation requiring organizations to report serious electrical incidents or defects came into effect.
  • On 1-Apr-09 the Registry will open and manufacturers can begin to register with ESA. For manufacturers currently selling products in Ontario, registrations must be completed by 30-Aug-09. This requirement is currently postponed. For more information, see this article. If your company wants to begin selling products in Ontario, the company must register before products can be sold.

What is the Registry?

Recent Changes in the Ontario Electricity Act have increased the requirements for reporting of “serious incidents” with electrical origins. These requirements are found in Ontario Regulation 438 on Product Safety. In the past, significant numbers of injuries caused by either unapproved equipment or fraudulently marked equipment have occurred. When ESA has investigated the equipment, they run into problems with finding the originator of the gear, and therefore the person or company who bears responsibility for the problem. The new additions to the regulation address this by requiring reporting of severe injuries caused by electrical equipment. In order to improve traceability of electrical products sold in Ontario, ESA introduced the Manufacturer’s Registry, and made it mandatory under their authority as the AHJ in Ontario. See the Ontario Regulation. Registration begins 1-Apr-09. Registration must be completed by 30-Aug-09. The mandatory Registration deadline has been indefinitely postponed. A fee of $350 Canadian dollars must be paid in the first year, with a reduced fee in each following year.

Manufacturers of electrical equipment for sale in Ontario are required to register with ESA, regardless of whether they are located in Ontario or elsewhere. Failure to register will mean that certified or labeled electrical products will be deemed to be unapproved and non-compliant with the Ontario Electrical Code. Under Regulation 438, it is illegal to sell, display or use unapproved electrical products [Section 5]. Under the Industrial Establishments regulations (part of the Ontario Occupational Health and Safety Act), it is illegal to use unapproved electrical products in the workplace [Section 40]. Similar requirements are also found in the Construction Regulations (Ontario Regulation 213, Section 185).

More information on the Registry can be found on the ESA web site in the Product Safety area. There are a number of FAQs available from this page as well. They include:

The registration is per manufacturer and NOT per product, so once you have registered your company you do not need to re-register for every product.

Recognized electrical safety marks

ESA provides a list of all of the Certification and Inspection marks that are recognized in the province. As long as your product or the products you are selling bear one of these marks, the product can be displayed, sold or used in the Province, presuming the manufacturer is registered.

View the list of Recognized Marks and Field Evaluation Labels.

What is a ‘serious incident’?

Regulation 438 defines a serious incident in Section 1:

“serious electrical incident or accident” means an electrical incident or accident that,

(a) results in death or serious injury to a person,

(b) has the potential to cause death or a risk of serious injury to a person, or

(c) causes or has the potential to cause substantial property damage.

Reporting Requirements

Once your company has registered with ESA, any serious incident occurring anywhere you market your products becomes reportable, but only for products sold in Ontario.

Quoting from Regulation 438:

8. (1)  A manufacturer, wholesaler, importer, product distributor or retailer that becomes aware of a serious electrical incident or accident or a defect in the design, construction or functioning of an electrical product or device that affects or is likely to affect the safety of any person or cause damage to property, shall report to the Authority as soon as practicable after becoming aware of the serious electrical incident or accident or defect.

(2)  A certification body or field evaluation agency that becomes aware of a serious electrical incident or accident or a defect in the design, construction or functioning of an electrical product or device that was the subject of a report given by the certification body or field evaluation agency that affects or is likely to affect the safety of any person or cause damage to property shall report to the Authority as soon as practicable after becoming aware of the serious electrical incident or accident or defect.

There is more to Section 8 of the regulation than quoted. Additional subsections include information on what needs to be in the report and who needs to be involved in the investigation. If you need to make a report, check the rest of Section 8 first.

For example, say that your company manufactures a widget, Model 1523. Model 1523 is sold in the USA, Ontario Canada, Mexico and India. The company also manufactures a different widget, Model 2000, sold in the USA and Mexico.

At some point, reports of electrical shock and fires caused by Model 2000 start to come into your Product Safety department. Do you need to report this to ESA? NO – Model 2000 is not sold in Ontario, so severe incidents caused by that model do not require reporting to ESA.

Model 1523 has a clean record, so no reporting is required there. After manufacturing Model 1523 for a few years, a key component is changed for a cost-reduced version from a different supplier. Six months after the change, reports come in from Mexico and India that users have been killed by electric shock received from units of Model 1523. After investigating the reports, your Product Safety department determines that the faulty units used the new component. Do you need to report this to ESA? YES – because Model 1523 is sold in Ontario.

Here’s another example. Your company imports electrical products from a number of countries and sells them wholesale to large retailers, some of whom have stores in Ontario. Do you need to register? NO – But you cannot legally sell products from manufacturers who are not registered in Ontario.

What if the products are imported into Ontario but are not sold to users in the Province, and are only warehoused and wholesaled to retailers or other distributors outside of Ontario? Do you need to register? NO – But you must comply with the requirements in the other jurisdictions where the product is sold. Check with the AHJ in each Province or Territory where your products are sold to determine the requirements.

What if I become aware of serious incidents that are occurring with products I sell in Ontario? You MUST report them to ESA, whether you make the product, import, distribute or retail it.

What Products are Covered by the Regulations?

  • Consumer electrical products;
  • Commercial electrical products;
  • Electrical Medical Devices;
  • Industrial electrical products;
  • Wiring devices and products;
  • Battery-operated devices used in Hazardous Locations;
  • Battery chargers used with battery-operated products;
  • Hardwired and plug-in life safety products like Smoke Detectors and CO Detectors;
  • Certified components used in any of the above.

Will this become a Canadian National System?

This is not yet known. There are discussions going on with the other Provinces and Territories; however, these are at very preliminary stages. ESA has stated that they are supportive of a National Program should it be developed, but at this time these requirements exist only in Ontario.

Tax Grab?

Some people have expressed the opinion that this is simply a way to mask a new tax, since registration fees are payable on an annual basis. In fact, a means is required to fund the registry, and the fees collected are to be used for that purpose. See the Funding Model Report. Since ESA’s mandate is to protect the people of Ontario from electrical hazards, and since there are increasing numbers of serious incidents occurring where the products turn out to be unapproved or fraudulently marked, this is a reasonable way for the Authority to gain control over the products entering the marketplace, and to hold everyone in the supply chain responsible for ensuring that only approved products are sold in the Province.

Since there is no new marking requirement, and since reputable manufacturers are already certifying or labeling their products for sale, and furthermore since the registration fee is quite small for any organization selling any quantity of product in the Province, this is not an onerous requirement. You are still free to have any SCC-accredited body whose mark is recognized in Ontario do the certification work.

Will it work?

This is the big unknown. Canadians are known for creating registries in response to a perceived need to control something. Notable failures include the National Do Not Call Registry, which was supposed to allow Canadians to register their phone numbers with the government, which would then require Canadian-based telemarketers to scrub those numbers from their calling databases. Unfortunately, this only provided numbers to off-shore telemarketers, who are using the DNC Registry lists as a way to get numbers to call.

It’s unfair to group this registry with the previous example for a number of reasons. The implementation of this registry is different from the previous example in intent and execution. Compliance is monitored by the entire supply chain. It probably stands a pretty good chance of working. Time will tell!

Update on this story

4-Feb-2014

Since this story was originally written in March of 2009, all mention of the Manufacturer’s Registry has disappeared from the ESA web site. When I have tried to contact people involved in the original roll-out of the Registry, they do not respond. I have asked for the opportunity to interview one person in particular and have yet to receive any kind of reply.

It would seem that this program has been allowed to quietly die; however, the legislation that permitted it to be created in the first place remains unchanged. Depending on the mood of those in charge, it could theoretically be brought back to life again.

Emergency Stop – What’s so confusing about that?

This entry is part 1 of 11 in the series Emergency Stop

I get a lot of calls and emails asking about emergency stops. This is one of those deceptively simple concepts that has managed to get very complicated over time. Not every machine needs or can benefit from an emergency stop. In some cases, it may lead to an unreasonable expectation of safety from the user, which can lead to injury if they don’t understand the hazards involved. Some product-specific standards mandate the requirement for emergency stop, such as CSA Z434-03, where robot controllers are required to provide emergency stop functionality and work cells integrating robots are also required to have emergency stop capability.

Defining Emergency Stop

Photo: This OLD button is definitely non-compliant.

So what is an Emergency Stop, or e-stop, and when do you need to have one? Let’s look at a few definitions taken from CSA Z432-04:

Emergency situation — an immediately hazardous situation that needs to be ended or averted quickly in order to prevent injury or damage.

Emergency stop — a function that is intended to avert harm or to reduce existing hazards to persons, machinery, or work in progress.

Emergency stop button — a red mushroom-headed button that, when activated, will immediately start the emergency stop sequence.

and one more:

6.2.3.5.3 Complementary protective measures
Following the risk assessment, the measures in this clause either shall be applied to the machine or shall be dealt with in the information for use.

Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but not be limited to,

a) emergency stop;

b) means of rescue of trapped persons; and

c) means of energy isolation and dissipation.

Photo: This more modern button is non-compliant due to the RED background and spring-return button.

So, an e-stop is a system that is intended for use in Emergency conditions to try to limit or avert harm to someone or something. It isn’t a safeguard, but is considered to be a Complementary Protective Measure. In terms of the Hierarchy of Controls, emergency stop systems fall into the same level as Personal Protective Equipment like safety glasses, safety boots and hearing protection. So far so good.

Is an Emergency Stop Required?

Depending on the regulations and the standards you choose to read, machinery may or may not be required to have an Emergency Stop. Quoting from CSA Z432-04:

6.2.5.2.1 Components and elements to achieve the emergency stop function
If, following a risk assessment, it is determined that in order to achieve adequate risk reduction under emergency circumstances a machine must be fitted with components and elements necessary to achieve an emergency stop function so that actual or impending emergency situations can be controlled, the following requirements shall apply:

a) The actuators shall be clearly identifiable, clearly visible, and readily accessible.

b) The hazardous process shall be stopped as quickly as possible without creating additional hazards.
If this is not possible or the risk cannot be adequately reduced, this may indicate that an emergency stop function may not be the best solution (i.e., other solutions should be sought). (Bolding added for emphasis – DN)

c) The emergency stop control shall trigger or permit the triggering of certain safeguard movements where necessary.

Later in CSA Z432-04 we find clause 7.17.1.2:

Each operator control station, including pendants, capable of initiating machine motion shall have a manually initiated emergency stop device.

To my knowledge, this is the only general-level machinery standard that makes this requirement. Product family standards often make specific requirements, based on the opinion of the Technical Committee responsible for the standard and their knowledge of the specific type of machinery covered by their document.

Note: For more detailed provisions on the electrical design requirements, see NFPA 79 or IEC 60204-1.

Download NFPA standards through ANSI

Photo: This more modern button is non-compliant due to the RED background.

If you read Ontario’s Industrial Establishments Regulation (Regulation 851), you will find that the only requirement for an emergency stop is that it is properly identified and located “within easy reach” of the operator. What does “properly identified” mean? In Canada, the USA and internationally, a RED operator device on a YELLOW background, with or without any text behind it, is recognised as EMERGENCY STOP or EMERGENCY OFF, in the case of disconnecting switches or control switches. I’ve scattered some examples of different compliant and non-compliant e-stop devices through this article.

The EU Machinery Directive, 2006/42/EC, and Emergency Stop

Interestingly, the European Union has taken what looks like an opposing view of the need for emergency stop systems. Quoting from Annex I of the Machinery Directive:

1.2.4.3. Emergency stop
Machinery must be fitted with one or more emergency stop devices to enable actual or impending danger to be averted.

Notice the words “…actual or impending danger…” This harmonises with the definition of Complementary Protective Measures, in that they are intended to allow a user to “avert or limit harm” from a hazard. Clearly, the direction from the European perspective is that ALL machines need to have an emergency stop. Or do they? The same clause goes on to say:

The following exceptions apply:

  • machinery in which an emergency stop device would not lessen the risk, either because it would not reduce the stopping time or because it would not enable the special measures required to deal with the risk to be taken,
  • portable hand-held and/or hand-guided machinery.

From these two bullets it becomes clear that, just as in the Canadian and US regulations, machines only need emergency stops WHEN THEY CAN REDUCE THE RISK. This is hugely important and often overlooked. If the risks cannot be controlled effectively with an emergency stop, or if the risk would be increased or new risks would be introduced by the action of an e-stop system, then it should not be included in the design.

Carrying on with the same clause:

The device must:

  • have clearly identifiable, clearly visible and quickly accessible control devices,
  • stop the hazardous process as quickly as possible, without creating additional risks,
  • where necessary, trigger or permit the triggering of certain safeguard movements.

Once again, this is consistent with the general requirements found in the Canadian and US regulations. The directive goes on to define the functionality of the system in more detail:

Once active operation of the emergency stop device has ceased following a stop command, that command must be sustained by engagement of the emergency stop device until that engagement is specifically overridden; it must not be possible to engage the device without triggering a stop command; it must be possible to disengage the device only by an appropriate operation, and disengaging the device must not restart the machinery but only permit restarting.

The emergency stop function must be available and operational at all times, regardless of the operating mode.

Emergency stop devices must be a back-up to other safeguarding measures and not a substitute for them.

The first sentence of the first paragraph above is the one that requires e-stop devices to latch in the activated position. The last part of that sentence is even more important: “…disengaging the device must not restart the machinery but only permit restarting.” That phrase requires that every emergency stop system has a second discrete action to reset the emergency stop system. Pulling out the e-stop button and having power come back immediately is not OK. Once that button has been reset, a second action, such as pushing a “POWER ON” or “RESET” button to restore control power, is needed.

Point of Clarification: I had a question come from a reader asking if combining the e-stop function and the reset function was acceptable. It can be, but only if:

  • The risk assessment for the machinery does not indicate any hazards that might preclude this approach; and
  • The device is designed with the following characteristics:
      • The device must latch in the activated position;
      • The device must have a “neutral” position where the machine’s emergency stop system can be reset, or where the machine can be enabled to run;
      • The reset position must be distinct from the previous two positions, and the device must spring-return to the neutral position.

The second sentence harmonises with the requirements of the Canadian and US standards.

Finally, the last sentence harmonises with the idea of “Complementary Protective Measures” as described in CSA Z432.
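The latch-and-reset behaviour required by the Directive paragraph quoted above, together with the three-position combined e-stop/reset device described in the Point of Clarification, is easy to get wrong in a PLC program, so here is a small software model of it. This is an added illustration, not code from the original post or from any standard; the class names, the state names and the device names ("console", "feed hopper") are my own assumptions. The model enforces three things: engaging any device always commands a stop, releasing a device never restores control power by itself, and the separate reset action is refused while any device on the machine is still latched.

```python
"""Model of emergency-stop latching and reset (illustration only, not from the post)."""
from enum import Enum, auto


class Circuit(Enum):
    RUN_PERMITTED = auto()    # control power on; the machine may be started
    STOPPED_LATCHED = auto()  # stop command sustained by at least one engaged device
    RESET_PENDING = auto()    # every device released; restart is only *permitted*


class EmergencyStopSystem:
    """Tracks every e-stop device on one machine plus the control-power state."""

    def __init__(self):
        self.state = Circuit.RUN_PERMITTED
        self.control_power = True
        self._engaged = set()  # names of devices currently latched in

    def engage(self, device):
        """Engaging a device must always trigger a stop command."""
        self._engaged.add(device)
        self.control_power = False
        self.state = Circuit.STOPPED_LATCHED

    def disengage(self, device):
        """Releasing a device must not restart the machine; it only permits a restart."""
        self._engaged.discard(device)
        if self.state is Circuit.STOPPED_LATCHED and not self._engaged:
            self.state = Circuit.RESET_PENDING
        # control_power deliberately stays False until a separate reset action

    def reset(self):
        """The second discrete action (a RESET / POWER ON button).

        Refused while any device is still latched, or when there is nothing to reset."""
        if self.state is Circuit.RESET_PENDING:
            self.control_power = True
            self.state = Circuit.RUN_PERMITTED
            return True
        return False


class Position(Enum):
    LATCHED = auto()
    NEUTRAL = auto()
    RESET = auto()  # momentary: the operator spring-returns to NEUTRAL


class CombinedEStopReset:
    """Three-position operator combining e-stop and reset (assumed device design)."""

    def __init__(self, system, name):
        self.system = system
        self.name = name
        self.position = Position.NEUTRAL

    def push(self):
        """Push in: latches and commands a stop."""
        self.position = Position.LATCHED
        self.system.engage(self.name)

    def pull(self):
        """Pull out to NEUTRAL: releases this device's latch; the machine stays stopped."""
        self.position = Position.NEUTRAL
        self.system.disengage(self.name)

    def twist(self):
        """Twist from NEUTRAL to the distinct RESET position, then spring back."""
        if self.position is not Position.NEUTRAL:
            return False  # cannot reset while this device is latched in
        self.position = Position.RESET
        ok = self.system.reset()
        self.position = Position.NEUTRAL  # spring return
        return ok


def demo():
    """Walk through a two-device scenario and return the observations."""
    system = EmergencyStopSystem()
    console = CombinedEStopReset(system, "console")       # constructed device name
    hopper = CombinedEStopReset(system, "feed hopper")    # constructed device name
    console.push()
    hopper.push()
    power_after_push = system.control_power               # False
    console.pull()
    reset_while_other_latched = console.twist()           # False: hopper still latched
    hopper.pull()
    power_after_release = system.control_power            # still False: only *permits* restart
    reset_ok = hopper.twist()                             # True: the second discrete action
    return {
        "power_after_push": power_after_push,
        "reset_while_other_latched": reset_while_other_latched,
        "power_after_release": power_after_release,
        "reset_ok": reset_ok,
        "final_power": system.control_power,
        "final_position": hopper.position,
    }


if __name__ == "__main__":
    print(demo())
```

The two checks worth copying into a real design are the ones in `reset()` and `twist()`: the reset is a distinct action that does nothing while any device is latched, and the combined operator can only reach its reset position from neutral, never straight from the latched position.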

How Many and Where?

Where? “Within easy reach”. Consider the locations where you EXPECT an operator to be. Besides the main control console, these could include feed hoppers, consumables feeders, finished goods exit points… you get the idea. Anywhere you can reasonably expect an operator to be under normal circumstances is a reasonable place to put an e-stop device. “Easy Reach” I interpret as within the arm-span of an adult (presuming the equipment is not intended for use by children). This translates to 500–600 mm either side of the centre line of most workstations.

How do you know if you need an emergency stop? Start with a stop/start analysis. Identify all the normal starting and stopping modes that you anticipate on the equipment. Consider all of the different operating modes that you are providing, such as Automatic, Manual, Teach, Setting, etc. Identify all of the matching stop conditions in the same modes, and ensure that all start functions have a matching stop function.

Do a risk assessment. This is a basic requirement in most jurisdictions today.

As you determine your risk control measures (following the Hierarchy of Controls), look at what risks you might control with an Emergency Stop. Remember that e-stops fall below safeguards in the hierarchy, so you must use a safeguarding technique if possible; you can’t just default down to an emergency stop. IF the e-stop can provide you with the additional risk reduction then use it, but first, reduce the risks in other ways.

The Stop Function and Control Reliability Requirements

Finally, once you determine the need for an emergency stop system, you need to consider the system’s functionality and controls architecture. NFPA 79 is the reference standard for Canada and the USA, and you can find very similar requirements in IEC 60204-1 if you are working in an international market. EN 60204-1 applies to the EU market for industrial machines.

Download NFPA standards through ANSI
Download IEC standards, International Electrotechnical Commission standards.

Functional Stop Categories

NFPA 79 calls out three basic categories of stop functions. Note that these categories are NOT functional safety architectural categories, but are categories describing stopping functions. Reliability is not addressed in these sections. Quoting from the standard:

9.2.2 Stop Functions. The three categories of stop functions shall be as follows:

(1) Category 0 is an uncontrolled stop by immediately removing power to the machine actuators.

(2) Category 1 is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.

(3) Category 2 is a controlled stop with power left available to the machine actuators.

Photo: This E-Stop button is CORRECT. Note the Push-Pull-Twist operator and the YELLOW background.

A bit later, the standard says:

9.2.5.3 Stop.
9.2.5.3.1 Each machine shall be equipped with a Category 0 stop.

9.2.5.3.2 Category 0, Category 1, and/or Category 2 stops shall be provided where indicated by an analysis of the risk assessment and the functional requirements of the machine. Category 0 and Category 1 stops shall be operational regardless of operating modes, and Category 0 shall take priority. Stop function shall operate by de-energizing that relevant circuit and shall override related start functions.

Note that 9.2.5.3.1 does NOT mean that every machine must have an e-stop. It simply says that every machine must have a way to stop the machine that is equivalent to “pulling the plug”. The main disconnect on the control panel can be used for this function if sized and rated appropriately. For cord-connected equipment, the plug and socket used to provide power to the equipment can also serve this function. The question of HOW to effect the Category 0 stop depends on WHEN it will be used – i.e. is it being used for a safety-related function? What risks must be reduced, or what hazards must be controlled by the stop function?

You’ll also note that that pesky “risk assessment” pops up again in 9.2.5.3.2. You just can’t get away from it…
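To make the difference between the three stop categories concrete, here is a discrete-time simulation of a single actuator under each category, including the 9.2.5.3.2 rule that a Category 0 stop takes priority over a Category 1 stop already in progress. This is an added illustration, not code from the original post or from NFPA 79; the speed, ramp and coast figures are constructed numbers chosen only to make the traces readable, and the `Actuator`/`run_stop` names are my own.

```python
"""Toy model of NFPA 79 stop categories 0, 1 and 2 (illustration only, not from the post)."""
from dataclasses import dataclass, field


@dataclass
class Actuator:
    speed: float = 100.0       # constructed starting speed, arbitrary units
    powered: bool = True
    ramp_rate: float = 20.0    # speed shed per step under a *controlled* stop (drive active)
    coast_rate: float = 5.0    # speed shed per step when power is simply removed (free coasting)
    trace: list = field(default_factory=list)  # (speed, powered) after each step

    def step(self, controlled: bool):
        """Advance one time step: ramp down if controlled, coast if unpowered, else hold."""
        if controlled and self.powered:
            self.speed = max(0.0, self.speed - self.ramp_rate)
        elif not self.powered:
            self.speed = max(0.0, self.speed - self.coast_rate)
        self.trace.append((self.speed, self.powered))


def run_stop(actuator, category, steps=30, category0_at=None):
    """Command a stop of the given category and return a summary of what happened.

    category0_at: optional step index at which a Category 0 stop is commanded on top
    of the running stop, modelling the 9.2.5.3.2 priority rule.
    """
    if category not in (0, 1, 2):
        raise ValueError("NFPA 79 9.2.2 defines only stop categories 0, 1 and 2")
    power_removed_at_speed = None  # speed at the instant power was cut (None = never)

    if category == 0:
        actuator.powered = False   # uncontrolled: power removed immediately
        power_removed_at_speed = actuator.speed

    for i in range(steps):
        if category0_at is not None and i == category0_at and actuator.powered:
            actuator.powered = False  # Category 0 overrides whatever is in progress
            power_removed_at_speed = actuator.speed
        # Categories 1 and 2 use the drive to stop; once power is gone the stop is uncontrolled
        actuator.step(controlled=(category in (1, 2) and actuator.powered))
        if category == 1 and actuator.powered and actuator.speed == 0.0:
            actuator.powered = False  # Category 1: remove power once the stop is achieved
            power_removed_at_speed = 0.0
        # Category 2 deliberately leaves power available after the stop

    return {
        "category": category,
        "final_speed": actuator.speed,
        "powered_at_end": actuator.powered,
        "power_removed_at_speed": power_removed_at_speed,
        "steps_to_zero": next((i + 1 for i, (s, _) in enumerate(actuator.trace) if s == 0.0), None),
    }


if __name__ == "__main__":
    for cat in (0, 1, 2):
        print(run_stop(Actuator(), cat))
    print(run_stop(Actuator(), 1, category0_at=2))  # Category 0 pre-empting a Category 1 stop
```

The summaries show the distinction the standard draws: Category 0 removes power at full speed and lets the load coast (the longest stopping distance here), Category 1 only removes power at zero speed, and Category 2 never removes it. The `category0_at` path shows why "Category 0 shall take priority" matters: once power is cut mid-ramp, the controlled deceleration is lost and the actuator finishes the stop uncontrolled.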

Control Reliability

Photo: Disconnect with E-Stop colours indicates that this device is intended to be used for EMERGENCY SWITCHING OFF.

Once you know what functional category of stop you need, and what degree of risk reduction you are expecting from the emergency stop system, you can determine the degree of reliability required. In Canada, CSA Z432 gives us these categories: SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL MONITORED and CONTROL RELIABLE. These categories are slowly being replaced by Performance Levels (PL) as defined in ISO 13849-1:2007.

The short answer is that the greater the risk reduction required, the higher the degree of reliability required. In many cases, a SINGLE CHANNEL or SINGLE CHANNEL MONITORED solution may be acceptable, particularly when there are more reliable safeguards in place. On the other hand, you may require CONTROL RELIABLE designs if the e-stop is the primary risk reduction for some risks or specific tasks.

To add to the confusion, ISO 13849-1 appears to exclude complementary protective measures from its scope in Table 8 — Some International Standards applicable to typical machine safety functions and certain of their characteristics. At the very bottom of this table, Complementary Protective Measures are listed, but they appear to be excluded from the standard. I can say that there is nothing wrong with applying the techniques in ISO 13849-1 to the reliability analysis of a complementary protective measure that uses the control system, so do this if it makes sense in your application.

Image: ISO 13849-1:2006 Table 8

Extra points go to any reader who noticed that the ‘electrical hazard’ warning label immediately above the disconnect handle in the above photo is a) upside down, and b) using a non-standard lightning flash. Cheap hazard warning labels, like this one, are often as good as none at all. I’ll be writing more on hazard warnings in future posts.

Use of Emergency Stop as part of a Lockout Procedure or HECP.

One last note: Emergency stop systems (with the exception of emergency switching off devices, such as disconnect switches used for e-stop) CANNOT be used for energy isolation in a Hazardous Energy Control Procedure (a.k.a. Lockout). Devices for this purpose must physically separate the energy source from the downstream components. See CSA Z460 for more on that subject.

Read our Article on Using E-Stops in Hazardous Energy Control Procedures (HECP) including lockout.

Photo: Pneumatic E-Stop/Isolation device.

Standards Referenced in this post:

CSA Z432-04, Safeguarding of Machinery

NFPA 79-07, Electrical Standard for Industrial Machinery
Download NFPA standards at ANSI

IEC 60204-1:09, Safety of machinery – Electrical equipment of machines – Part 1: General requirements

Download IEC standards, International Electrotechnical Commission standards.

ISO 13849-1:2006, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design

See also

ISO 13850:06, Safety of machinery – Emergency stop – Principles for design

Download IEC standards, International Electrotechnical Commission standards.
Download ISO Standards

Why Conventional EMC Testing is Insufficient for Functional Safety

At the recent PSES Symposium, I attended a couple of interesting workshops on EMC and Functional Safety. One was called “Workshop on EMC & Functional Safety” presented by Keith Armstrong, Bill Radasky and Jacques Delaballe. The other was a paper presentation called “Why Conventional EMC Testing is Insufficient for Functional Safety” presented by Keith Armstrong.

For readers who are new to the idea of Functional Safety, this field deals with the ability of a product or system to function in its intended use environment, or in any foreseeable use environments, while reliably providing the protection required by the users. Here’s the formal definition taken from IEC 61508-4:1998:


3.1.9
func­tion­al safety
part of the over­all safety relat­ing to the EUC and the EUC con­trol sys­tem which depends on the cor­rect func­tion­ing of the E/​E/​PE safety-​related sys­tems, oth­er tech­no­logy safety-​related sys­tems and extern­al risk reduc­tion facil­it­ies

3.2.3
equip­ment under con­trol (EUC)
equip­ment, machinery, appar­at­us or plant used for man­u­fac­tur­ing, pro­cess, trans­port­a­tion, med­ic­al or oth­er activ­it­ies

NOTE – The EUC con­trol sys­tem is sep­ar­ate and dis­tinct from the EUC.

Abbreviation: E/E/PE = electrical / electronic / programmable electronic

Reliability requirements are found in two key standards, ISO 13849 and IEC 61508. These two standards overlap to some degree, but they do not define reliability levels in the same way: ISO 13849-1 expresses it as a Performance Level (PL a to e) built on the architectural Categories B to 4, while IEC 61508 uses Safety Integrity Levels (SIL 1 to 4), and the two scales do not map one-to-one, which frequently leads to confusion. In addition there is a machinery-sector-specific standard based on IEC 61508, called IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. All three standards make reference to electromagnetic (EM) effects on systems but do not provide guidance on how to assess these phenomena. This is where IEC TS 61000-1-2 comes into play.

All three experts are members of IEC TC 77 and are directly engaged in writing the second edition of IEC TS 61000-1-2 (more info on this at the bottom of this post). This IEC Technical Specification deals with electromagnetic (EM) effects on equipment that result in functional safety problems, such as failures in guarding circuits or failures in some of the new programmable safety systems. This is becoming an increasingly important issue as programmable controls migrate into the traditionally hardwired safety world. In fact, Keith pointed out that EM effects are present even in many of our "tried and true" circuits, but the failures have been incorrectly attributed to other phenomena because most electrical engineers have not been used to thinking about these phenomena, especially in 24 Vdc relay-based control circuits.

In the work­shop, the presenters dis­cussed a typ­ic­al product life cycle, then went on to explore the typ­ic­al envir­on­ments that a product may be exposed to, includ­ing the EM and phys­ic­al envir­on­ments. They went on to dis­cuss the need for an EMC-​related Risk Assessment and then fin­ished up by look­ing at Electromagnetic Safety Planning. The whole work­shop took the entire second day of the Symposium.

A key point in the workshop is that conventional EMC testing cannot practically prove that systems are safe. This is due to the structure of the EMC tests that are normally undertaken: immunity tests apply one disturbance at a time with a fixed modulation frequency, they do not assess intermodulation between several simultaneous disturbances, and they ignore many other issues. In addition, EMC testing does not and cannot test for aging effects on performance, wear and tear, and other use-related conditions, and it takes no account of the reliability requirement placed on the tested product (for example, a SIL 3 or SIL 4 target under IEC 61508-1). The presenters discussed a number of ways that these problems could be addressed, and ways that testing could be extended selectively to attack predicted vulnerabilities.
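The intermodulation gap is easy to show numerically. The following Python simulation is an added example written for this page; it is not code from the workshop or from Mr. Armstrong's paper. Everything in it is a constructed assumption: the sensor input stage with a small square-law and cubic term (K2, K3), the 1 kHz passband of the safety function, the 0.05 V disturbance limit, and the tone frequencies. It runs a single-tone sweep of the kind a conventional immunity test performs, then applies two out-of-band tones at once and measures what lands inside the passband.

```python
import cmath
import math

# --- Constructed parameters (assumptions for this example, not from the workshop) ---
FS = 81920            # sample rate in Hz, chosen so that FS / N is exactly 10 Hz
N = 8192              # samples per capture (0.1 s); power of two for the FFT below
BIN_HZ = FS / N       # 10 Hz per FFT bin, so every tone used here sits exactly on a bin
PASSBAND_HZ = 1000    # the safety function only responds to disturbances below 1 kHz
LIMIT_V = 0.05        # in-band disturbance above this is taken to corrupt the safety signal
K2 = 0.1              # second-order (square-law) coefficient of the input stage
K3 = 0.02             # third-order coefficient of the input stage


def front_end(v):
    """Constructed model of a sensor input stage: unity gain plus a weak square-law
    and cubic term, the kind of curvature that protection diodes or an overdriven
    op-amp input give. A purely linear stage would produce no intermodulation."""
    return v + K2 * v * v + K3 * v ** 3


def synth(tones):
    """Sum of unmodulated CW tones, tones = [(freq_hz, amplitude_v), ...]."""
    return [sum(a * math.cos(2 * math.pi * f * n / FS) for f, a in tones)
            for n in range(N)]


def fft(x):
    """Plain recursive radix-2 FFT (len(x) must be a power of two)."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def inband_amplitude(samples):
    """Largest spectral amplitude (volts) between 10 Hz and PASSBAND_HZ.
    Bin 0 (DC) is excluded: a rectified DC shift is a separate failure mode
    and would show up for single tones as well."""
    spectrum = fft(samples)
    k_max = int(PASSBAND_HZ / BIN_HZ)
    return max(2 * abs(spectrum[k]) / N for k in range(1, k_max + 1))


def single_tone_sweep(freqs_hz, amplitude_v=1.0):
    """Conventional-style immunity sweep: one CW tone at a time, stepped in
    frequency. Returns {freq_hz: worst in-band amplitude}."""
    return {f: inband_amplitude([front_end(v) for v in synth([(f, amplitude_v)])])
            for f in freqs_hz}


def two_tone_test(f1_hz, f2_hz, amplitude_v=1.0):
    """Two simultaneous out-of-band tones, as two nearby transmitters would give."""
    return inband_amplitude([front_end(v) for v in
                             synth([(f1_hz, amplitude_v), (f2_hz, amplitude_v)])])


def compare():
    """Returns (worst single-tone in-band amplitude, two-tone in-band amplitude)."""
    sweep = single_tone_sweep(range(5000, 14000, 1000))
    return max(sweep.values()), two_tone_test(10000, 10100)


if __name__ == "__main__":
    single, pair = compare()
    print(f"single-tone sweep 5-13 kHz: worst in-band {single:.4f} V  pass={single < LIMIT_V}")
    print(f"two tones at 10.0/10.1 kHz: in-band {pair:.4f} V  pass={pair < LIMIT_V}")
    # Expected: the sweep passes (about 0 V); the two-tone case fails with about 0.100 V
    # at 100 Hz, the f2 - f1 difference product of the square-law term (K2 * 1 V * 1 V).
```

Each single tone only produces DC and its own harmonics, all far outside the 1 kHz passband, so the sweep passes at every step. Two tones 100 Hz apart, each individually harmless, produce a difference product at exactly 100 Hz with amplitude K2 × 1 V × 1 V = 0.1 V, twice the limit, inside the band where the safety function acts. A one-disturbance-at-a-time test cannot reveal this, and a real plant floor has many simultaneous emitters.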

On the fol­low­ing morn­ing, Keith Armstrong presen­ted his paper. In this paper, Mr. Armstrong went into con­sid­er­able detail on the short­com­ings of con­ven­tion­al EMC test­ing when it comes to Functional Safety. He sug­ges­ted some approaches that could be used by man­u­fac­tur­ers to address these issues in safety crit­ic­al applic­a­tions.

The workshop presentations and Mr. Armstrong's paper can be purchased through IEEE Xplore for those who did not attend the Symposium.

The IET has pub­lished a new book, avail­able for free from their web site, entitled Electromagnetic Compatibility for Functional Safety. This guide will be reviewed in a future post, so keep read­ing!

Keith Armstrong, Bill Radasky and Jacques Delaballe are members of IEC Technical Committee 77, writing IEC TS 61000-1-2 Ed 2.0, Electromagnetic compatibility (EMC) – Part 1-2: General – Methodology for the achievement of the functional safety of electrical and electronic equipment with regard to electromagnetic phenomena. Edition 2 of this Technical Specification should be published by Mar-2009 according to the IEC.

Keith Armstrong is Principal Consultant at Cherry Clough Consultants in Brocton, UK.

Bill Radasky works with Metatech Corporation from his office in Goleta, California.

Jacques Delaballe works for Schneider Electric Industries SAS in Grenoble, France.