Category Archives: International Robotics

Five things most machine builders do incorrectly

Posted by on August 6, 2010 10 comments

The Top Five errors I see machine builders make on a depress­ingly reg­u­lar basis:

1) Poor or Absent Risk Assessment

Risk assess­ments are fun­da­men­tal to safe machine design and lia­bil­ity lim­i­ta­tion, and are required by law in the EU. They are a included in all of the mod­ern North American machin­ery safety stan­dards as well.

Machine builders fre­quently have trou­ble with the risk assess­ment process, usu­ally because they fail to under­stand the process or because they fail to devote enough resources to get­ting it done.

If risk assess­ment is built into your design process, it becomes the norm for how you do busi­ness. Time and resources will auto­mat­i­cally be devoted to the process, and since it’s part of how you do things it will become rel­a­tively pain­less. Where peo­ple go wrong is in mak­ing it a ‘big deal’ one-​​time event. Also get­ting it done early in the design process and iter­ated as the design pro­gresses means that you have time to react to the find­ings, and you can com­plete any nec­es­sary changes at more cost-​​effective points in the design and build process. The worst time to do risk assess­ment is at the point where the machine is on the shop floor ready to start pro­duc­tion. Costs for mod­i­fi­ca­tion are then expo­nen­tially higher than dur­ing design and construction.

Poorly done, risk assess­ments become a lia­bil­ity defense lawyer’s worst night­mare and a plaintiff’s lawyer’s dream. Shortchanging the risk assess­ment process ensures that you will lose, either now or later.

Fight this prob­lem by: learn­ing how to con­duct a risk assess­ment, using qual­ity risk assess­ment soft­ware tools, and build­ing risk assess­ment into your stan­dard design process/​practice in your organization.

2) Failure to be Aware of Regulations & Use Design Standards

This one is a mys­tery to me.

Every mar­ket has prod­uct safety leg­is­la­tion, sup­ported by reg­u­la­tions. Granted, the scope and qual­ity of these reg­u­la­tions varies widely, but if you want to sell a prod­uct in a mar­ket, it doesn’t take a lot of effort to find out what reg­u­la­tions may apply.

Design stan­dards have been in exis­tence for a long time. Most pur­chase orders, at least for cus­tom machin­ery, con­tain lists of stan­dards that the equip­ment is required to meet at Factory Acceptance Testing (FAT).

Why machine builders fail to grasp that using these stan­dards can actu­ally give them a com­pet­i­tive edge, as well as help­ing them to meet reg­u­la­tory require­ments, I don’t know. If you do, please either com­ment on this story or send me an email  (dnixatcom­pli­an­cein­sightdotca)  . I’d love to hear your thoughts on this!

Fight this prob­lem by: Doing some research. Understand the mar­ket envi­ron­ment in which you sell your prod­ucts. If you aren’t sure how to do this, use a con­sul­tant to assist you. Buy the stan­dards, espe­cially if your client calls them out in their spec­i­fi­ca­tions. Read and apply them to your designs.

One great resource for infor­ma­tion on reg­u­la­tory envi­ron­ments and stan­dards appli­ca­tions is the IEEE Product Safety Engineering Society and the EMC-​​PSTC Listserv that they maintain.

3) Fixed Guard Design

Fixed guard­ing design is dri­ven by at least two fac­tors, a) pre­vent­ing peo­ple from access­ing haz­ards, and b) allow­ing raw mate­ri­als and prod­ucts into and out of the machinery.

Designers fre­quently go wrong by select­ing a fixed guard where a mov­able guard is nec­es­sary to per­mit fre­quent access (say more than once per shift). This is some­times done in an effort to avoid hav­ing to add inter­locks to the con­trol sys­tems. Frequently the guard will be removed and replaced a cou­ple of times, and then the screws will be left off, and even­tu­ally the guard itself will be left off, leav­ing the user with an unguarded haz­ard.

The other com­mon fault with fixed guards relates to the sec­ond fac­tor I men­tioned — get­ting raw mate­ri­als and prod­ucts in an out of the machine. There are lim­its on the size of open­ings that can be left in guards, depen­dent on the dis­tance from the open­ing to the haz­ards behind the guard and the size of the open­ing itself. Often the only fac­tor con­sid­ered is the size of the item that needs to enter or exit the machinery.

Both of these faults often occur because the guard­ing is not designed, but is allowed to hap­pen dur­ing machine build. The size and shape of the guards is then often dri­ven by con­ve­nience in fab­ri­ca­tion rather than by thought­ful design and appli­ca­tion of the min­i­mum code requirements.

Fight this prob­lem by: Designing the guards on your prod­uct rather than allow­ing them to hap­pen, based on the out­come of the risk assess­ment and the lim­its defined in the stan­dards. Tables for guard open­ings and safety dis­tances are avail­able in North American, EU and International standards.

4) Movable Guard Interlocking

Movable guards them­selves are usu­ally rea­son­ably well done. Note that I am not talk­ing about self adjust­ing guards like those found on a table saw for instance. I am talk­ing about guard doors, gates, and covers.

The prob­lem usu­ally comes with the design of the inter­lock that is required to go with the mov­able guard. The first part of the prob­lem goes back to my #1 mis­take: Risk Assessment. No risk assess­ment means that you can­not rea­son­ably hope to get the reli­a­bil­ity require­ments right for the inter­lock­ing sys­tem. Next, there are small but sig­nif­i­cant dif­fer­ences in how the Canadian, US, EU and International stan­dards han­dle con­trol reli­a­bil­ity, and the biggest dif­fer­ences occur in the higher reli­a­bil­ity classifications.

In the USA, the stan­dards speak of con­trol reli­able cir­cuits (see ANSI RIA R15.06–1999, 4.5.5). This require­ment is writ­ten in such a way that a sin­gle inter­lock­ing device, installed with dual chan­nel elec­tri­cal cir­cuits and suit­ably selected com­po­nents will meet the require­ments. No sin­gle ELECTRICAL com­po­nent fail­ure will lead to the loss of the safety func­tion, but a sin­gle mechan­i­cal fault could.

In Canada, the machin­ery and robot­ics stan­dards speak of con­trol reli­able sys­tems (see CSA Z432, 8.2.5), not cir­cuits as in the US stan­dards. This require­ment is writ­ten in such a way that TWO electro­mechan­i­cal inter­lock­ing devices are required, one in each elec­tri­cal chan­nel of the inter­lock­ing sys­tem. This per­mits the sys­tem to detect mechan­i­cal fail­ures such as bro­ken or miss­ing keys, and if dif­fer­ent types of inter­lock­ing devices are cho­sen, may also per­mit detec­tion of efforts to bypass the inter­lock. Most sin­gle mechan­i­cal faults and elec­tri­cal faults will be detected.

In the EU and Internationally, con­trol reli­a­bil­ity is much more highly devel­oped. Here, the appli­ca­tion of ISO 13849, IEC 62061 or IEC 61508 have taken con­trol reli­a­bil­ity to higher lev­els than any­thing seen to date in North America. Under these stan­dards, the required Performance Level (PLr) or Safety Integrity Level (SIL) must be known. This is based on the out­come of, you guessed it, the Risk Assessment. No risk assess­ment, or a poor risk assess­ment, dooms the designer to likely fail­ure. Significant skill is required to han­dle the analy­sis and design of safety related parts of con­trol sys­tems under these standards.

Fight this prob­lem by: Getting the train­ing you need to prop­erly apply these stan­dards and then using them in your designs.

5) Safety Distances

Safety dis­tances crop up any­where you don’t have a phys­i­cal bar­rier keep­ing the user away from the haz­ard. Whether its an open­ing in a fixed guard, a mov­able guard like a guard door or gate, or a presence-​​sensing safe­guard­ing device like a light cur­tain, safety dis­tances have to be con­sid­ered in the machine design. The eas­ier it is for the user to come in con­tact with the haz­ard, the more safety dis­tance matters.

Stopping per­for­mance of the machin­ery must be tested to val­i­date the safety dis­tances used. Failure to get the safety dis­tance right means that your guards will give your users a false sense of secu­rity, and will expose them to injury. This will also expose your com­pany to sig­nif­i­cant lia­bil­ity when some­one gets hurt, because they will. Its only a mat­ter of time.

Fight this prob­lem by: Testing safe­guard­ing devices.

6) Validation

OK, so this list should really be SIX things. Just con­sider this to be a bonus for read­ing this far!

Designs, and par­tic­u­larly safety crit­i­cal designs, must be tested. Let me say it again:

Safety Critical Designs MUST Be Tested.

Whatever the­ory you are work­ing under, whether it’s North American, European, International or some­thing else, you can­not afford miss­ing the val­i­da­tion step. Without val­i­da­tion you have no evi­dence that your sys­tem worked at all, let alone if it worked correctly.

Fight this prob­lem by: TESTING YOUR DESIGNS.

A wise man once said: “If you think safety is expen­sive, try hav­ing an acci­dent.” The gen­tle­man was involved in inves­ti­gat­ing the crash of a Sikorsky S-​​92 heli­copter off the coast of Newfoundland. 17 peo­ple died as a result of the fail­ure of two tita­nium studs that held an oil fil­ter onto the main gear­box, and the fact that the heli­copter failed the ‘1/​2-​​hour gear­box run-​​dry test’ that is required for all new heli­copter designs. This was a clear case of fail­ure in the risk assess­ment process com­pli­cated by fail­ure in the test process.

Watch the CBC doc­u­men­tary “Cougar 491″. This is def­i­nitely worth the time. If you are located out­side Canada, you will have a prob­lem with this link. Unfortunately, CBC does not stream it’s video out­side Canada. Sorry.

Do you use industrial robots? ANSI adopts ISO 10218–1 and changes the game

Posted by on December 11, 2009 2 comments

Material Handling Robot at workIf you are an indus­trial robot user or inte­gra­tor work­ing in North America, you know RIA’s ven­er­a­ble robot stan­dard, RIA R15.06. This stan­dard was a ground breaker in it’s day, advanc­ing the safe use of robotic tech­nol­ogy in thou­sands of work­places in the US and Canada. CSA adopted R15.06 and pub­lished it, with a few changes, as CSA Z434, pro­vid­ing near-​​harmonization in the US and Canadian markets.

These two stan­dards brought the first inklings of risk assess­ment and con­trol reli­a­bil­ity require­ments to North American equip­ment design­ers and inte­gra­tors and broke new ground.

The last revi­sion of R15.06 was pub­lished in 1999, and the last edi­tion of Z434 was in 2003. In 2007, RIA made the bold move to begin har­mo­niza­tion with the inter­na­tional world by adopt­ing ISO 10218–1, Robots for Industrial Environment – Safety Requirements Part 1 – Robot. This stan­dard effec­tively replaces Section 4 of R15.06, cov­er­ing the design require­ments for the robot itself, leav­ing the safety require­ments for the rest of the work cell to the exist­ing R15.06–1999. This stan­dard brings some truly excit­ing capa­bil­i­ties to robot users, including:

  • Wireless Teach Pendants
  • Synchronized mul­ti­ple robots
  • Collaborative robotic appli­ca­tions and
  • Programmable safety con­trollers for enve­lope limitation.

When ISO pub­lishes ISO 10218–2 in 2010 the rest of the cell safety require­ments should be cov­ered in that document.

CSA is cur­rently review­ing CSA Z434 — they may choose to adopt ISO 10218–1 and (even­tu­ally) ISO 10218–2 once it is pub­lished, or they may choose to sim­ply reaf­firm the exist­ing stan­dard and con­sider adopt­ing the ISO stan­dards in another 5 years.

Need to know more? I pre­sented a webi­nar on this stan­dard on 19-​​Nov-​​09 through my friends at Pilgrim Software. The recorded webi­nar can be down­loaded here. A copy of the pre­sen­ta­tion slides is also available.

[display_​podcast]

Emergency Stop — What’s so confusing about that?

Posted by on March 6, 2009 1 comment
Emergency Stop on machine console
This entry is part 1 of 9 in the series Emergency Stop

I get a lot of calls and emails ask­ing about emer­gency stops. This is one of those decep­tively sim­ple con­cepts that has man­aged to get very com­pli­cated over time. Not every machine needs or can ben­e­fit from an emer­gency stop. In some cases, it may lead to an unrea­son­able expec­ta­tion of safety from the user, which can lead to injury if they don’t under­stand the haz­ards involved. Some product-​​specific stan­dards man­date the require­ment for emer­gency stop, such as CSA Z434-​​03, where robot con­trollers are required to pro­vide emer­gency stop func­tion­al­ity and work cells inte­grat­ing robots are also required to have emer­gency stop capability.

Defining Emergency Stop

Old, non-compliant, E-Stop Button

This OLD but­ton is def­i­nitely non-​​compliant.

So what is an Emergency Stop, or e-​​stop, and when do you need to have one? Let’s look at a few def­i­n­i­tions taken from CSA Z432-​​04:

Emergency sit­u­a­tion — an imme­di­ately haz­ardous sit­u­a­tion that needs to be ended or averted quickly in order to pre­vent injury or damage.

Emergency stop — a func­tion that is intended to avert harm or to reduce exist­ing haz­ards to per­sons, machin­ery, or work in progress.

Emergency stop but­ton — a red mushroom-​​headed but­ton that, when acti­vated, will imme­di­ately start the emer­gency stop sequence.

and one more:

6.2.3.5.3 Complementary pro­tec­tive mea­sures
Following the risk assess­ment, the mea­sures in this clause either shall be applied to the machine or shall be dealt with in the infor­ma­tion for use.

Protective mea­sures that are nei­ther inher­ently safe design mea­sures, nor safe­guard­ing (imple­men­ta­tion of guards and/​or pro­tec­tive devices), nor infor­ma­tion for use may have to be imple­mented as required by the intended use and the rea­son­ably fore­see­able mis­use of the machine. Such mea­sures shall include, but not be lim­ited to,

a) emer­gency stop;

b) means of res­cue of trapped per­sons; and

c) means of energy iso­la­tion and dissipation.

Modern, non-compliant e-stop button.

This more mod­ern but­ton is non-​​compliant due to the RED back­ground and spring-​​return button.

So, an e-​​stop is a sys­tem that is intended for use in Emergency con­di­tions to try to limit or avert harm to some­one or some­thing. It isn’t a safe­guard, but is con­sid­ered to be a Complementary Protective Measure. So far so, good.

Is an Emergency Stop Required?

Depending on the reg­u­la­tions and the stan­dards you choose to read, machin­ery is not required to have  an Emergency Stop. Quoting from CSA Z432-​​04:

6.2.5.2.1 Components and ele­ments to achieve the emer­gency stop func­tion
If, fol­low­ing a risk assess­ment, it is deter­mined that in order to achieve ade­quate risk reduc­tion under emer­gency cir­cum­stances a machine must be fit­ted with com­po­nents and ele­ments nec­es­sary to achieve an emer­gency stop func­tion so that actual or impend­ing emer­gency sit­u­a­tions can be con­trolled, the fol­low­ing require­ments shall apply:

a) The actu­a­tors shall be clearly iden­ti­fi­able, clearly vis­i­ble, and read­ily accessible.

b) The haz­ardous process shall be stopped as quickly as pos­si­ble with­out cre­at­ing addi­tional haz­ards.
If this is not pos­si­ble or the risk can­not be ade­quately reduced, this may indi­cate that an emer­gency stop func­tion may not be the best solu­tion (i.e., other solu­tions should be sought). (Bolding added for empha­sis — DN)

c) The emer­gency stop con­trol shall trig­ger or per­mit the trig­ger­ing of cer­tain safe­guard move­ments where necessary.

Note: For more detailed pro­vi­sions, see NFPA 79.

Download NFPA stan­dards through ANSI

This more modern button is still wrong due to the RED background.

This more mod­ern but­ton is non-​​compliant due to the RED background.

In fact, if you read Ontario’s Industrial Establishments reg­u­la­tion (Regulation 851), you will find that the only require­ment for an emer­gency stop is that it is prop­erly iden­ti­fied and located “within easy reach” of the oper­a­tor. What does “prop­erly iden­ti­fied” mean? In Canada, the USA and Internationally, a RED oper­a­tor device on a YELLOW back­ground, with or with­out any text behind it, is rec­og­nized as EMERGENCY STOP or EMERGENCY OFF, in the case of dis­con­nect­ing switches or con­trol switches. I’ve scat­tered some exam­ples of dif­fer­ent com­pli­ant and non-​​compliant e-​​stop devices through this article.

The EU Machinery Directive, 2006/​42/​EC, and Emergency Stop

Interestingly, the European Union has taken what looks like an oppos­ing view of the need for emer­gency stop sys­tems. Quoting from Annex I of the Machinery Directive:

1.2.4.3. Emergency stop
Machinery must be fit­ted with one or more emer­gency stop devices to enable actual or impend­ing dan­ger to be averted.

Notice the words “…actual or impend­ing dan­ger…” This har­mo­nizes with the def­i­n­i­tion of Complementary Protective Measures, in that they are intended to allow a user to “avert or limit harm” from a haz­ard. Clearly, the direc­tion from the European per­spec­tive is that ALL machines need to have an emer­gency stop. Or do they? The same clause goes on to say:

The fol­low­ing excep­tions apply:

  • machin­ery in which an emer­gency stop device would not lessen the risk, either because it would not reduce the stop­ping time or because it would not enable the spe­cial mea­sures required to deal with the risk to be taken,
  • portable hand-​​held and/​or hand-​​guided machinery.

From these two bul­lets it becomes clear that, just as in the Canadian and US reg­u­la­tions, machines only need emer­gency stops WHEN THEY CAN REDUCE THE RISK. This is hugely impor­tant, and often over­looked. If the risks can­not be con­trolled effec­tively with an emer­gency stop, or if the risk would be increased or new risks would be intro­duced by the action of an e-​​stop sys­tem, then it should not be included in the design.

Carrying on with the same clause:

The device must:

  • have clearly iden­ti­fi­able, clearly vis­i­ble and quickly acces­si­ble con­trol devices,
  • stop the haz­ardous process as quickly as pos­si­ble, with­out cre­at­ing addi­tional risks,
  • where nec­es­sary, trig­ger or per­mit the trig­ger­ing of cer­tain safe­guard movements.

Once again, this is con­sis­tent with the gen­eral require­ments found in the Canadian and US reg­u­la­tions. The direc­tive goes on to define the func­tion­al­ity of the sys­tem in more detail:

Once active oper­a­tion of the emer­gency stop device has ceased fol­low­ing a stop com­mand, that com­mand must be sus­tained by engage­ment of the emer­gency stop device until that engage­ment is specif­i­cally over­rid­den; it must not be pos­si­ble to engage the device with­out trig­ger­ing a stop com­mand; it must be pos­si­ble to dis­en­gage the device only by an appro­pri­ate oper­a­tion, and dis­en­gag­ing the device must not restart the machin­ery but only per­mit restarting.

The emer­gency stop func­tion must be avail­able and oper­a­tional at all times, regard­less of the oper­at­ing mode.

Emergency stop devices must be a back-​​up to other safe­guard­ing mea­sures and not a sub­sti­tute for them.

The first sen­tence of the first para­graph above is the one that requires e-​​stop devices to latch in the acti­vated posi­tion. The last part of that sen­tence is even more impor­tant: “…dis­en­gag­ing the device must not restart the machin­ery but only per­mit restart­ing.” That phrase requires that every emer­gency stop sys­tem have a sec­ond dis­crete action to reset the emer­gency stop sys­tem. Pulling out the e-​​stop but­ton and hav­ing power come back imme­di­ately is not OK. Once that but­ton has been reset, a sec­ond action, such as push­ing a “POWER ON” or “RESET” but­ton to restore con­trol power is needed. Point of Clarification: I had a ques­tion come from a reader ask­ing if com­bin­ing the e-​​stop func­tion and the reset func­tion was accept­able. It can be, but only if:

  • The risk assess­ment for the machin­ery does not indi­cate any haz­ards that might pre­clude this approach; and
  • The device is designed with the fol­low­ing characteristics:
  • The device must latch in the acti­vated position;
  • The device must have a “neu­tral” posi­tion where the machine’s emer­gency stop sys­tem can be reset, or where the machine can be enabled to run;
  • The reset posi­tion must be dis­tinct from the pre­vi­ous two posi­tions, and the device must spring-​​return to the neu­tral position.

The sec­ond sen­tence har­mo­nizes with the require­ments of the Canadian and US standards.

Finally, the last sen­tence har­mo­nizes with the idea of “Complementary Protective Measures” as described in CSA Z432.

How Many and Where?

Where? “Within easy reach”. Consider the loca­tions where you EXPECT an oper­a­tor to be. Besides the main con­trol con­sole, these could include feed hop­pers, con­sum­ables feed­ers, fin­ished goods exit points… you get the idea. Anywhere you can rea­son­ably expect an oper­a­tor to be under nor­mal cir­cum­stances is a rea­son­able place to put an e-​​stop device. “Easy Reach” I inter­pret as within the arm-​​span of an adult (pre­sum­ing the equip­ment is not intended for use by chil­dren). This trans­lates to 500–600 mm either side of the cen­ter line of most work stations.

How do you know if you need an emer­gency stop? Start with a stop/​start analy­sis. Identify all the nor­mal start­ing and stop­ping modes that you antic­i­pate on the equip­ment. Consider all of the dif­fer­ent oper­at­ing modes that you are pro­vid­ing, such as Automatic, Manual, Teach, Setting, etc. Identify all of the match­ing stop con­di­tions in the same modes, and ensure that all start func­tions have a match­ing stop function.

Do a risk assess­ment. This is a basic require­ment in most juris­dic­tions today.

As you deter­mine your risk con­trol mea­sures (fol­low­ing the hier­ar­chy of con­trols), look at what risks you might con­trol with an Emergency Stop. Remember that e-​​stops fall below safe­guards in the hier­ar­chy, so you must use a safe­guard­ing tech­nique if pos­si­ble, you can’t just default down to an emer­gency stop. IF the e-​​stop can pro­vide you with the addi­tional risk reduc­tion, then use it but first,  reduce the risks in other ways.

The Stop Function and Control Reliability Requirements

Finally, once you deter­mine the need for an emer­gency stop sys­tem, you need to con­sider the system’s func­tion­al­ity and con­trols archi­tec­ture. NFPA 79 is the ref­er­ence stan­dard for Canada, although you can find very sim­i­lar require­ments in IEC 60204–1 if you are work­ing in an inter­na­tional market.

Download NFPA stan­dards through ANSI
Download IEC stan­dards, International Electrotechnical Commission standards.

Functional Stop Categories

NFPA 79 calls out three basic cat­e­gories of stop. Note that these are NOT reli­a­bil­ity cat­e­gories, but are func­tional cat­e­gories. Reliability is not addressed in these sec­tions. Quoting from the standard:

9.2.2 Stop Functions. The three cat­e­gories of stop func­tions shall be as follows:

(1) Category 0 is an uncon­trolled stop by imme­di­ately remov­ing power to the machine actuators.

(2) Category 1 is a con­trolled stop with power to the machine actu­a­tors avail­able to achieve the stop then remove power when the stop is achieved.

(3) Category 2 is a con­trolled stop with power left avail­able to the machine actuators.

This E-Stop Button is correct.

This E-​​Stop but­ton is CORRECT. Note the Push-​​Pull-​​Twist oper­a­tor and the YELLOW background.

A bit later, the stan­dards says:

9.2.5.3 Stop.
9.2.5.3.1 Each machine shall be equipped with a Category 0 stop.

9.2.5.3.2 Category 0, Category 1, and/​or Category 2 stops shall be pro­vided where indi­cated by an analy­sis of the risk assess­ment and the func­tional require­ments of the machine. Category 0 and Category 1 stops shall be oper­a­tional regard­less of oper­at­ing modes, and Category 0 shall take pri­or­ity. Stop func­tion shall oper­ate by de-​​energizing that rel­e­vant cir­cuit and shall over­ride related start functions.

Note that 9.2.5.3.1 does NOT mean that every machine must have an e-​​stop. It sim­ply says that every machine must have a way to stop the machine that is equiv­a­lent to “pulling the plug”. The main dis­con­nect on the con­trol panel can be used for this func­tion if sized and rated appro­pri­ately. The ques­tion of HOW to effect the Category 0 stop depends on WHEN it will be used — i.e. what risks must be reduced, or what haz­ards must be con­trolled by the e-​​stop.

You’ll also note that that pesky “risk assess­ment” pops up again in 9.2.5.3.2. You just can’t get away from it…

Control Reliability

Disconnect with E-Stop Colours indicates that this device is intended to be used for EMERGENCY SWITCHING OFF.

Disconnect with E-​​Stop Colours indi­cates that this device is intended to be used for EMERGENCY SWITCHING OFF.

Once you know what func­tional cat­e­gory of stop you need, and what degree of risk reduc­tion you are expect­ing from the emer­gency stop sys­tem, you can deter­mine the degree of reli­a­bil­ity required. In Canada, CSA Z432 gives us these cat­e­gories: SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL MONITORED and CONTROL RELIABLE. These cat­e­gories are being replaced slowly by Performance Levels (PL) as defined in ISO 13849–1 2007.

The short answer is that the greater the risk reduc­tion required, the higher the degree of reli­a­bil­ity required. In many cases, a SINGLE CHANNEL or SINGLE CHANNEL MONITORED solu­tion may be accept­able, par­tic­u­larly when there are more reli­able safe­guards in place. On the other hand, you may require CONTROL RELIABLE designs if the e-​​stop is the pri­mary risk reduc­tion for some risks or spe­cific tasks.

Extra points go to any reader who noticed that the ‘elec­tri­cal haz­ard’ warn­ing label imme­di­ately above the dis­con­nect han­dle in the above photo is a) upside down, and b) using a non-​​standard light­ing flash. Cheap haz­ard warn­ing labels, like this one, are often as good as none at all. I’ll be writ­ing more on haz­ard warn­ings in future posts.

Use of Emergency Stop as part of a Lockout Procedure or HECP.

One last note: Emergency stop sys­tems (with the excep­tion of emer­gency switch­ing off devices, such as dis­con­nect switches used for e-​​stop) CANNOT be used for energy iso­la­tion in a Hazardous Energy Control Procedure (a.k.a. Lockout). Devices for this pur­pose must phys­i­cally sep­a­rate the energy source from the down-​​stream com­po­nents. See CSA Z460-​​05 for more on that subject.

Read our Article on Using E-​​Stops in HECP.

Pneumatic E-Stop Device

Pneumatic E-​​Stop/​Isolation device.

Standards Referenced in this post:

CSA Z432-​​04, Safeguarding of Machinery

NFPA 79–07, Electrical Standard for Industrial Machinery
Download NFPA stan­dards at ANSI

IEC 60204–1:09,  SAFETY OF MACHINERYELECTRICAL EQUIPMENT OF MACHINESPART 1: GENERAL REQUIREMENTS

Download IEC stan­dards, International Electrotechnical Commission standards.

ISO 13849−1−2007, Safety of machin­ery — Safety-​​related parts of con­trol sys­tems — Part 1: General prin­ci­ples for design

See also

ISO 13850:06, SAFETY OF MACHINERYEMERGENCY STOPPRINCIPLES FOR DESIGN

Download IEC stan­dards, International Electrotechnical Commission stan­dards.
Download ISO Standards

All original content on these pages is fingerprinted and certified by Digiprove
Performance Optimization WordPress Plugins by W3 EDGE