Busting Emergency Stop Myths

This entry is part 3 of 13 in the series Emergency Stop

There are a number of myths that have grown up around emergency stops over the years. These myths can lead to injury or death, so it’s time for a little Myth Busting here on the MS101 blog!

What does ‘emergency’ mean?

Consider for a moment the roots of the word ‘emergency’. This word comes from the word ‘emergent’, meaning a situation that is developing or emerging in the moment. Emergency stop systems are intended to help the user deal with potentially hazardous conditions that are emerging in the moment. These conditions have probably arisen because the designers of the machinery failed to consider all the foreseeable uses of the equipment, or because someone has chosen to misuse the equipment in a way that was not intended by the designers. The key function of an Emergency Stop system is to provide the user with a backup to the primary safeguards. These systems are referred to as “Complementary Protective Measures” and are intended to give the user a chance to “avert or limit harm” in a hazardous situation. With that in mind, let’s look at four myths I hear about regularly.

Myth #1 – The Emergency Stop Is A Safety Device

A Fitz Water Wheel and Belt Drive. Credit: Harry Matthews & http://www.old-engine.com

Early in the Industrial Revolution machine builders realized that users of their machinery needed a way to quickly stop a machine when something went wrong. At that time, overhead line-shafts were driven by large central power sources like waterwheels, steam engines or large electric motors. Machinery was coupled to the central shafts with pulleys, clutches and belts which transmitted the power to the machinery.

See pictures of a line-shaft powered machine shop or click the image below.

Line Shaft in the Mt. Wilson Observatory Machine Shop
Photo: Larry Evans & www.oldengine.org

These central engines powered an entire factory, so they were much larger than an individual motor sized for a modern machine. In addition, they could not be easily stopped, since stopping the central power source would mean stopping the entire factory – not a welcome choice. Emergency stop devices were born in this environment.

Learn more about Line Shafts at Harry’s Old Engines.

See photos and video of a working line shaft machine shop.

Due to their early use as a safety device, some have incorrectly considered emergency stop systems safeguarding devices. Modern standards make the difference very clear. The easiest way to understand the current meaning of the term “EMERGENCY STOP” is to begin by looking at the international standards published by IEC [1] and ISO [2].

emergency stop [3]
emergency stop function

function that is intended to

— avert arising, or reduce existing, hazards to persons, damage to machinery or to work in progress,

— be initiated by a single human action

NOTE 1

Hazards, for the purposes of this International Standard, are those which can arise from

— functional irregularities (e.g. machinery malfunction, unacceptable properties of the material processed, human error),

— normal operation.

It is important to understand that an emergency stop function is “initiated by a single human action”. This means that it is not automatic, and therefore cannot be considered to be a risk control measure for operators or bystanders. Emergency stop may provide the ability to avoid or reduce harm, by providing a means to stop the equipment once something has already gone wrong. Your next actions will usually be to call 911 and administer first aid.

Safeguarding systems act automatically to prevent a person from becoming involved with the hazard in the first place. This is a reduction in the probability of a hazardous situation arising, and may also involve a reduction in the severity of injury by controlling the hazard (i.e., slowing or stopping rotating machinery before it can be reached). This constitutes a risk control measure and can be shown to reduce the risk of injury to an exposed person.

Emergency stop is reactive; safeguarding systems are proactive.

In Canada, CSA defines emergency stop as a ‘Complementary Protective Measure’ in CSA Z432-04 [5]:

6.2.2.1.1
Safeguards (guards, protective devices) shall be used to protect persons from the hazards that cannot reasonably be avoided or sufficiently limited by inherently safe design. Complementary protective measures involving additional equipment (e.g., emergency stop equipment) may have to be taken.

6.2.3.5.3 Complementary protective measures
Following the risk assessment, the measures in this clause either shall be applied to the machine or shall be dealt with in the information for use.
Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but not be limited to,

(a) emergency stop;
(b) means of rescue of trapped persons; and
(c) means of energy isolation and dissipation.

In the USA, three standards apply: ANSI B11-2008, ANSI B11.19-2003, and NFPA 79:

ANSI B11-2008

3.80 stop: Immediate or controlled cessation of machine motion or other hazardous situations. There are many terms used to describe the different kinds of stops, including user- or supplier-specific terms, the operation and function of which is determined by the individual design. Definitions of some of the more commonly used “stop” terminology include:

3.80.2 emergency stop: The stopping of a machine tool, manually initiated, for emergency purposes;

7.6 Emergency stop

Electrical, pneumatic and hydraulic emergency stops shall conform to requirements in the ANSI B11 machine-specific standard or NFPA 79.
Informative Note 1: An emergency stop is not a safeguarding device. See also, B11.19.
Informative Note 2: For additional information, see ISO 13850 and IEC 60204-1.

ANSI B11.19-2003

12.9 Stop and emergency stop devices

Stop and emergency stop devices are not safeguarding devices. They are complementary to the guards, safeguarding device, awareness barriers, signals and signs, safeguarding methods and safeguarding procedures in clauses 7 through 11.

Stop and emergency stop devices shall meet the requirements of ANSI / NFPA 79.

E12.9

Emergency stop devices include but are not limited to, buttons, rope-pulls, and cable-pulls.

A safeguarding device detects or prevents inadvertent access to a hazard, typically without overt action by the individual or others. Since an individual must actuate an emergency stop device to issue the stop command, usually in reaction to an event or hazardous situation, it neither detects nor prevents exposure to the hazard.

If an emergency stop device is to be interfaced into the control system, it should not reduce the level of performance of the safety function (see section 6.1 and Annex C).

NFPA 79 deals with the electrical requirements for the emergency stop function, which are not directly relevant to this article, so I have not quoted from that document here.

As you can clearly see, the essential definitions of these devices in the US and Canada match very closely, although the US does not specifically use the term ‘complementary protective measures’.

Myth #2 – Cycle Stop And Emergency Stop Are Equivalent

Emergency stop systems act primarily by removing power from the prime movers in a machine, ensuring that power is removed and the equipment brought to a standstill as quickly as possible, regardless of the portion of the operating cycle that the machine is in. After an emergency stop, the machine is inoperable until the emergency stop system is reset. In some cases, emergency stopping the machine may damage the equipment due to the forces involved in halting the process quickly.

Cycle stop is a control system command function that is used to bring the machine cycle to a graceful stop at the end of the current cycle. The machine is still fully operable and may still be in automatic mode at the completion of this stop.

Again, referring to ANSI B11-2008:

3.80.1 controlled stop: The stopping of machine motion while retaining power to the machine actuators during the stopping process. Also referred to as Category 1 or 2 stop (see also NFPA 79: 2007, 9.2.2);

3.80.2 emergency stop: The stopping of a machine tool, manually initiated, for emergency purposes;

Myth #3 – Emergency Stop Systems Can Be Used For Energy Isolation

Disconnect Switch with Lock and Tag

Fifteen to twenty years ago it was not uncommon to see emergency stop buttons fitted with locking devices. The locking device allowed a person to prevent the resetting of the emergency stop device. This was done as part of a “lockout procedure”. Lockout is one aspect of hazardous energy control procedures (HECP). HECPs recognize that live work needs to be done from time to time, and that normal safeguards may be bypassed or disconnected temporarily, to allow diagnostics and testing to be carried out. This process is detailed in two current standards, CSA Z460 and ANSI Z244.1. Note that these locking devices are still available for sale, and can be used as part of an HECP to prevent the emergency stop system or other controls from being reset until the machine is ready for testing. They cannot be used to isolate an energy source.

No current standard allows control devices such as push buttons or selector switches to be used as energy isolation devices.

CSA Z460-05 specifically prohibits this use in its definition of ‘energy isolation devices’:

Energy-isolating device — a mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors; a line valve; a block; and other devices used to block or isolate energy (push-button selector switches and other control-type devices are not energy-isolating devices). [4]

Similar requirements are found in ANSI Z244.1 [6] and in ISO 13850 [3].

Myth #4 – All Machines are Required to have an Emergency Stop

Some machine designers believe that all machines are required to have an emergency stop. This is simply not true. A reader pointed out to me that CSA Z432-04, clause 7.17.1.2, does make this requirement. To my knowledge this is the only general level (i.e., not machine specific) standard that makes this requirement. I stand corrected! Having said that, the rest of my comments on this topic still stand. Clause 7.17.1.2 limits the application of this requirement:

7.17.1.2

Each operator control station, including pendants, capable of initiating machine motion shall have a manually initiated emergency stop device.

Emergency stop systems may be useful where they can provide a back-up to other safeguarding systems. To understand where to use an emergency stop, a start-stop analysis must be carried out as part of the design process. This analysis will help the designer develop a clear understanding of the normal start and stop conditions for the machine. The analysis also needs to include failure modes for all of the stop functions. It is here that the emergency stop can be helpful. If removing power will cause the hazard to cease in a short time, or if the hazard can be quickly contained in some way, then emergency stop is a valid choice. If the hazard will remain for a considerable time following removal of power, then emergency stop will have no effect and is useless for avoiding or limiting harm.

For example, consider an oven. If the burner stop control failed, and assuming that the only hazard we are concerned with is the hot surfaces inside the oven, then using an emergency stop to turn the burners off only results in the start of the natural cooling cycle of the oven. In some cases that could take hours or days, so the emergency stop has no value. It might be useful for controlling other hazards, such as fire, that might be related to the same failure. Without a full analysis of the failure modes of the control system, a sound decision cannot be made.

Simple machines like drill presses and table saws are seldom fitted with emergency stop systems. These machines, which can be very dangerous, could definitely benefit from having an emergency stop. They are sometimes fitted with a disconnecting device with a red and yellow handle that can be used for ‘emergency switching off’. This differs from emergency stop because the machine, and the hazard, will typically re-start immediately when the emergency switching off device is turned back on. This is not permitted with emergency stop, where resetting the emergency stop device only permits the restarting of the machine through other controls. Reset of the emergency stop device is not permitted to reapply power to the machine on its own.

These requirements are detailed in ISO 13850 [3], CSA Z432 [5] and other standards.
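The contrast between cycle stop, emergency stop and emergency switching off (Myth #2 above, and the drill-press paragraph just before this) can be made concrete as control logic. The following Python model is an added example, not code from this article or from any of the standards quoted; the state names, the Machine class and the assumption that closing a disconnect simply re-energises the machine in whatever state it was left in are constructions for illustration.

```python
from enum import Enum, auto


class State(Enum):
    READY = auto()          # power on, at rest, operable; waiting for a start command
    RUNNING = auto()        # automatic cycle in progress
    ESTOP_LATCHED = auto()  # prime movers de-energised; inoperable until the e-stop is reset
    SWITCHED_OFF = auto()   # supply removed by a disconnect ("emergency switching off")


class Machine:
    """Illustrative control model (constructed for this example) contrasting
    cycle stop, emergency stop and emergency switching off."""

    def __init__(self):
        self.state = State.READY
        self.cycle_stop_requested = False
        self._state_before_switch_off = State.READY
        self.events = []  # transition log, handy when reviewing the logic

    def _go(self, new_state, why):
        self.events.append(f"{self.state.name} -> {new_state.name}: {why}")
        self.state = new_state
        return self.state

    def start(self):
        # A start command is honoured only from READY, never while an e-stop is latched.
        if self.state is State.READY:
            self.cycle_stop_requested = False
            return self._go(State.RUNNING, "start command accepted")
        self.events.append(f"start refused in {self.state.name}")
        return self.state

    def cycle_stop(self):
        # Cycle stop: finish the current cycle gracefully; motion continues until then.
        if self.state is State.RUNNING:
            self.cycle_stop_requested = True
            self.events.append("cycle stop requested; completing the current cycle")
        return self.state

    def cycle_complete(self):
        # End of cycle: come to rest if a cycle stop was requested, otherwise keep
        # cycling in automatic mode. Either way the machine stays fully operable.
        if self.state is State.RUNNING and self.cycle_stop_requested:
            self.cycle_stop_requested = False
            return self._go(State.READY, "cycle finished; machine remains operable")
        return self.state

    def emergency_stop(self):
        # Emergency stop: remove power from the prime movers at once, whatever the
        # cycle position, and latch so the machine is inoperable until reset.
        if self.state in (State.READY, State.RUNNING):
            self.cycle_stop_requested = False
            return self._go(State.ESTOP_LATCHED, "e-stop actuated; power removed mid-cycle")
        return self.state

    def reset_estop(self):
        # Resetting the e-stop device only permits a restart through other controls;
        # it must never re-apply power or restart motion on its own.
        if self.state is State.ESTOP_LATCHED:
            return self._go(State.READY, "e-stop reset; a separate start command is required")
        return self.state

    def switch_off(self):
        # Emergency switching off with a disconnect: removes the supply but does not
        # latch anything in the control system.
        if self.state is not State.SWITCHED_OFF:
            self._state_before_switch_off = self.state
            return self._go(State.SWITCHED_OFF, "disconnect opened; supply removed")
        return self.state

    def switch_on(self):
        # Assumption for this model: closing the disconnect re-energises the machine in
        # the state it was left in, so a machine that was RUNNING restarts immediately.
        if self.state is State.SWITCHED_OFF:
            return self._go(self._state_before_switch_off, "disconnect closed; supply restored")
        return self.state


def estop_scenario():
    """Run the e-stop sequence the article describes and return the state after
    reset, which must be READY rather than RUNNING."""
    m = Machine()
    m.start()
    m.emergency_stop()
    m.start()          # refused: the machine is inoperable while latched
    return m.reset_estop()


if __name__ == "__main__":
    m = Machine()
    for step in (m.start, m.cycle_stop, m.cycle_complete, m.start, m.emergency_stop,
                 m.reset_estop, m.start, m.switch_off, m.switch_on):
        step()
    print("\n".join(m.events))
```

The path to check in any real implementation is reset_estop: it must land in READY, never in RUNNING, and start must be refused while the e-stop is latched. The switch_on path shows the behaviour the article warns about with a plain disconnect, which is why emergency switching off is not an emergency stop.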

Design Considerations

Emergency Stop is a control that is often designed in with little thought and used for a variety of things that it was never intended to accomplish. The four myths discussed in this article are the tip of the iceberg.

Consider these questions when thinking about the design and use of emergency stop systems:

  1. Have all the intended uses and foreseeable misuses of the equipment been considered?
  2. What do I expect the emergency stop system to do for the user of the machine? (The answer to this should be in the risk assessment.)
  3. How much risk reduction am I expecting to achieve with the emergency stop?
  4. How reliable does the emergency stop system need to be?
  5. Am I expecting the emergency stop to be used for other purposes, like ‘Power Off’, energy isolation, or regular stopping of the machine? (The answer to this should be ‘NO’.)

Taking the time to assess the design requirements before designing the system can help ensure that the machine controls are designed to provide the functionality that the user needs, and the risk reduction that is required. The answers lie in the five questions above.

Have any of these myths affected you?

Got any more myths about e-stops you’d like to share?

I really appreciate hearing from my readers! Leave a comment or email it to us and we’ll consider adding it to this article, with credit of course!

References

  1. IEC – International Electrotechnical Commission.
  2. ISO – International Organization for Standardization.
  3. Safety of machinery — Emergency stop — Principles for design, ISO 13850, 2006, ISO, Geneva, Switzerland.
  4. Control of Hazardous Energy – Lockout and Other Methods, CSA Z460, 2005, Canadian Standards Association, Toronto, Canada.
  5. Safeguarding of Machinery, CSA Z432-04, Canadian Standards Association, Toronto, Canada.
  6. Control of Hazardous Energy – Lockout/Tagout and Alternative Methods, ANSI/ASSE Z244.1, 2003, American National Standards Institute / American Society of Safety Engineers, Des Plaines, IL, USA.
  7. American National Standard for Machine Tools – Performance Criteria for Safeguarding, ANSI B11.19-2003, American National Standards Institute, Des Plaines, IL, USA.
  8. General Safety Requirements Common to ANSI B11 Machines, ANSI B11-2008, American National Standards Institute, Des Plaines, IL, USA.
  9. Electrical Standard for Industrial Machinery, NFPA 79-2007, NFPA, 1 Batterymarch Park, Quincy, MA 02169-7471, USA.

Interlock Architectures – Pt. 2: Category 1

This entry is part 2 of 8 in the series Circuit Architectures Explored

This article expands on the first in the series “Interlock Architectures – Pt. 1: What do those categories really mean?”. Learn about the basic circuit architectures that underlie all safety interlock systems under ISO 13849-1, and CSA Z432 and ANSI RIA R15.06.

In Part 1 of this series we explored Category B, the Basic Category that underpins all the other Categories. This post builds on Part 1 by taking a look at Category 1. Let’s start by exploring the difference as defined in ISO 13849-1. When you are reading, remember that “SRP/CS” stands for “Safety Related Parts of Control Systems”.

SRP/CS of Category 1 shall be designed and constructed using well-tried components and well-tried safety principles (see ISO 13849-2).

Well-Tried Components

So what, exactly, is a “Well-Tried Component”? Let’s go back to the standard for that:

A “well-tried component” for a safety-related application is a component which has been either

a) widely used in the past with successful results in similar applications, or
b) made and verified using principles which demonstrate its suitability and reliability for safety-related applications.

Newly developed components and safety principles may be considered as equivalent to “well-tried” if they fulfil the conditions of b).

The decision to accept a particular component as being “well-tried” depends on the application.

NOTE 1 Complex electronic components (e.g. PLC, microprocessor, application-specific integrated circuit) cannot be considered as equivalent to “well tried”.

[1, 6.2.4]

Let’s look at what this all means by referring to ISO 13849-2:

Table 1 — Well-Tried Components [2]

Screw
  Conditions for “well-tried”: All factors influencing the screw connection and the application are to be considered. See Table A.2 “List of well-tried safety principles”.
  Standard or specification: Mechanical jointing such as screws, nuts, washers, rivets, pins, bolts etc. are standardised.

Spring
  Conditions for “well-tried”: See Table A.2 “Use of a well-tried spring”.
  Standard or specification: Technical specifications for spring steels and other special applications are given in ISO 4960.

Cam
  Conditions for “well-tried”: All factors influencing the cam arrangement (e.g. part of an interlocking device) are to be considered. See Table A.2 “List of well-tried safety principles”.
  Standard or specification: See EN 1088 (ISO 14119) (Interlocking devices).

Break-pin
  Conditions for “well-tried”: All factors influencing the application are to be considered. See Table A.2 “List of well-tried safety principles”.

Now we have a few ideas about what might constitute a ‘well-tried component’. Unfortunately, you will notice that ‘contactor’ or ‘relay’ or ‘limit switch’ appear nowhere on the list. This is a challenge, but one that can be overcome. The key to dealing with this is to look at how the components that you are choosing to use are constructed. If they use these components and techniques, you are on your way to considering them to be well-tried.

Another approach is to let the component manufacturer worry about the details of the construction of the device, and simply ensure that components selected for use in the SRP/CS are ‘safety rated’ by the manufacturer. This can work in 80–90% of cases, with a small percentage of components, such as large motor starters, some servo and stepper drives and other similar components unavailable with a safety rating. It’s worth noting that many drive manufacturers are starting to produce drives with built-in safety components that are intended to be integrated into your SRP/CS.

Exclusion of Complex Electronics

Note 1 from the first part of the definition is very important. So important that I’m going to repeat it here:

NOTE 1 Complex electronic components (e.g. PLC, microprocessor, application-specific integrated circuit) cannot be considered as equivalent to “well tried”.

I added the bold text to emphasize the importance of this statement. While this is included in a Note and is therefore considered to be explanatory text and not part of the normative body of the standard, it illuminates a key concept. This little note is what prevents a standard PLC from being used in Category 1 systems. It’s also important to realize that this definition is only considering the hardware – no mention of software is made here, and software is not dealt with until later in the standard.

Well-Tried Safety Principles

Let’s have a look at what ‘Well-Tried Safety Principles’ might be.

Table 2 — Well-Tried Safety Principles [2, A.2]

Use of carefully selected materials and manufacturing
  Remarks: Selection of suitable material, adequate manufacturing methods and treatments related to the application.

Use of components with oriented failure mode
  Remarks: The predominant failure mode of a component is known in advance and always the same, see EN 292-2:1991 (ISO/TR 12100-2:1992), 3.7.4.

Over-dimensioning/safety factor
  Remarks: The safety factors are given in standards or by good experience in safety-related applications.

Safe position
  Remarks: The moving part of the component is held in one of the possible positions by mechanical means (friction only is not enough). Force is needed for changing the position.

Increased OFF force
  Remarks: A safe position/state is obtained by an increased OFF force in relation to ON force.

Careful selection, combination, arrangement, assembly and installation of components/system related to the application

Careful selection of fastening related to the application
  Remarks: Avoid relying only on friction.

Positive mechanical action
  Remarks: Dependent operation (e.g. parallel operation) between parts is obtained by positive mechanical link(s). Springs and similar “flexible” elements should not be part of the link(s) [see EN 292-2:1991 (ISO/TR 12100-2:1992), 3.5].

Multiple parts
  Remarks: Reducing the effect of faults by multiplying parts, e.g. where a fault of one spring (of many springs) does not lead to a dangerous condition.

Use of well-tried spring (see also Table A.3)
  Remarks: A well-tried spring requires:
  • use of carefully selected materials, manufacturing methods (e.g. presetting and cycling before use) and treatments (e.g. rolling and shot-peening),
  • sufficient guidance of the spring, and
  • sufficient safety factor for fatigue stress (i.e. with high probability a fracture will not occur).
  Well-tried pressure coil springs may also be designed by:
  • use of carefully selected materials, manufacturing methods (e.g. presetting and cycling before use) and treatments (e.g. rolling and shot-peening),
  • sufficient guidance of the spring, and
  • clearance between the turns less than the wire diameter when unloaded, and
  • sufficient force after a fracture(s) is maintained (i.e. a fracture(s) will not lead to a dangerous condition).

Limited range of force and similar parameters
  Remarks: Decide the necessary limitation in relation to the experience and application. Examples for limitations are break pin, break plate, torque limiting clutch.

Limited range of speed and similar parameters
  Remarks: Decide the necessary limitation in relation to the experience and application. Examples for limitations are centrifugal governor; safe monitoring of speed or limited displacement.

Limited range of environmental parameters
  Remarks: Decide the necessary limitations. Examples on parameters are temperature, humidity, pollution at the installation. See clause 8 and consider manufacturer’s application notes.

Limited range of reaction time, limited hysteresis
  Remarks: Decide the necessary limitations. Consider e.g. spring tiredness, friction, lubrication, temperature, inertia during acceleration and deceleration, combination of tolerances.

Use of Positive-​Mode Operation

The use of these principles in the components, as well as in the overall design of the safeguards, is important. In developing a system that uses ‘positive mode operation’, the mechanical linkage that operates the electrical contacts or the fluid-power valve that controls the prime-mover(s) (i.e. motors, cylinders, etc.) must act to directly drive the control element (contacts or valve spool) to the safe state. Springs can be used to return the system to the run state or dangerous state, since a failure of the spring will result in the interlock device staying in the safe state (fail-safe or fail-to-safety).

CSA Z432 [3] provides us with a nice diagram that illustrates the idea of “positive-action” or “positive-mode” operation:

Figure 1 – Positive Mode Operation [3, B.10]

In Fig. 1, opening the guard door forces the roller to follow the cam attached to the door, driving the switch contacts apart and opening the interlock. Even if the contacts were to weld, they would still be driven apart since the mechanical advantage provided by the width of the door and the cam are more than enough to force the contacts apart.

Here’s an example of a ‘negative mode’ operation:

Figure 2 – Negative Mode Operation [3, B.11]

In Fig. 2, the interlock switch relies on a spring to enter the safe state when the door is opened. If the spring in the interlock device fails, the system fails-to-danger. Also note that this design is very easy to defeat. A ‘zip-tie’ or some tape is all that would be required to keep the interlock in the ‘RUN’ condition.

You should have a better idea of what is meant when you read about positive and negative modes of operation now. We’ll talk about defeat resistance in another article.

Reliability

Combining what you’ve learned so far, you can see that correctly specified components, combined with over-dimensioning and implementation of design limits along with the use of well-tried safety principles, will go a long way to improving the reliability of the control system. The next part of the definition of Category 1 speaks to some additional requirements:

The MTTFd of each channel shall be high.

The maximum PL achievable with category 1 is PL = c.

NOTE 2 There is no diagnostic coverage (DCavg = none) within category 1 systems. In such structures (single-channel systems) the consideration of CCF is not relevant.

NOTE 3 When a fault occurs it can lead to the loss of the safety function. However, the MTTFd of each channel in category 1 is higher than in category B. Consequently, the loss of the safety function is less likely.

We now know that the integrity of a Category 1 system is greater than a Category B system, since the channel MTTFd of the system has gone from “Low-to-Medium” in systems exhibiting PLa or PLb performance to “High” in systems exhibiting PLb or PLc performance. [1, Table 5] shows this difference in terms of predicted years to failure. As you can see, MTTFd “High” corresponds to a predicted mean time to dangerous failure between 30 and 100 years. This is a pretty good result for simply improving the components used in the system!

Table 3 – Mean time to dangerous failure [1, Table 5]

The other benefit is the increase in the overall PL. Where Category B architecture can provide PLb performance at best, Category 1 takes this up a notch to PLc. To get a handle on what PLc means, let’s look at our single and three shift examples again. If we take a Canadian operation with a single shift per day, and a 50 week working year we get:

7.5 h/shift x 5 d/w x 50 w/a = 1875 h/a

Where

h = hours
d = days
w = weeks
a = years

In this case, PLc is equivalent to one failure in 533.3 years of operation to 1600 years of operation.

Looking at three shifts per day in the same operation gives us:

7.5 h/shift x 3 shifts/d x 5 d/w x 50 w/a = 5625 h/a

In this case, PLc is equivalent to one failure in 177.8 years of operation to 533.3 years of operation.

When completing the analysis of a system, [1] limits the system MTTFd to 100 years regardless of what the individual channel MTTFd may be. The actual MTTFd matters when deciding whether components need to be replaced during the lifetime of the product. If a component or a sub-system has an MTTFd that is less than the mission time of the system, then the component or subsystem must be replaced by the time the product reaches its MTTFd. 20 years is the default mission time, but you can choose a shorter or longer time span if it makes sense.

Remember that these are probabilities, not guarantees. A failure could happen in the first hour of operation, the last hour of operation or never. These figures simply provide a way for you as the designer to gauge the relative reliability of the system.
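To make the arithmetic in this section reusable, here is an added Python example (not the article’s code and not taken from the standard) that computes operating hours from a shift pattern, converts an assumed probability of dangerous failure per hour into years to failure, combines component MTTFd values into a channel MTTFd with the parts-count formula of ISO 13849-1 Annex D (1/MTTFd = Σ 1/MTTFd,i), applies the [1, Table 5] bands and the 100-year cap, and flags components that would need replacing within the mission time. The PFHd value of 1e-6 per hour used in the demo is an assumption chosen so the conversion reproduces the 533.3- and 177.8-year figures quoted above; the component MTTFd values are constructed for the demo.

```python
# MTTFd bands from ISO 13849-1 Table 5, in years: lower bound inclusive, upper bound
# exclusive, except that "High" is capped at 100 years inclusive.
MTTFD_BANDS = (("Low", 3.0, 10.0), ("Medium", 10.0, 30.0), ("High", 30.0, 100.0))
MTTFD_CAP_YEARS = 100.0
DEFAULT_MISSION_TIME_YEARS = 20.0


def operating_hours_per_year(hours_per_shift, shifts_per_day, days_per_week, weeks_per_year):
    """Annual operating hours for a shift pattern (the article's 1875 h/a and 5625 h/a)."""
    return hours_per_shift * shifts_per_day * days_per_week * weeks_per_year


def years_to_failure(pfh_d, hours_per_year):
    """Convert a probability of dangerous failure per hour into mean years to failure."""
    if pfh_d <= 0 or hours_per_year <= 0:
        raise ValueError("pfh_d and hours_per_year must be positive")
    return 1.0 / (pfh_d * hours_per_year)


def channel_mttfd(component_mttfds):
    """Parts-count combination from ISO 13849-1 Annex D: 1/MTTFd = sum(1/MTTFd,i)."""
    if not component_mttfds or any(m <= 0 for m in component_mttfds):
        raise ValueError("need one or more positive component MTTFd values")
    return 1.0 / sum(1.0 / m for m in component_mttfds)


def capped_mttfd(mttfd_years):
    """The standard does not credit a channel with more than 100 years."""
    return min(mttfd_years, MTTFD_CAP_YEARS)


def mttfd_band(mttfd_years):
    """Classify a channel MTTFd per Table 5; values below 3 years are not acceptable."""
    value = capped_mttfd(mttfd_years)
    for name, low, high in MTTFD_BANDS:
        if low <= value < high or (name == "High" and value == high):
            return name
    return None


def needs_replacement(component_mttfd, mission_time=DEFAULT_MISSION_TIME_YEARS):
    """A component whose MTTFd is shorter than the mission time must be replaced in service."""
    return component_mttfd < mission_time


def category1_check(component_mttfds, mission_time=DEFAULT_MISSION_TIME_YEARS):
    """Summarise one channel: combined MTTFd, its band, whether it meets the Category 1
    requirement of "High", and which components need a replacement interval."""
    combined = channel_mttfd(component_mttfds)
    band = mttfd_band(combined)
    return {
        "channel_mttfd_years": round(capped_mttfd(combined), 1),
        "band": band,
        "meets_category_1": band == "High",
        "replace_within_mission": [m for m in component_mttfds if needs_replacement(m, mission_time)],
    }


if __name__ == "__main__":
    single = operating_hours_per_year(7.5, 1, 5, 50)   # 1875 h/a
    triple = operating_hours_per_year(7.5, 3, 5, 50)   # 5625 h/a
    assumed_pfh_d = 1e-6  # assumption for the demo, not a value taken from the article
    print(f"{single:.0f} h/a -> {years_to_failure(assumed_pfh_d, single):.1f} years to failure")
    print(f"{triple:.0f} h/a -> {years_to_failure(assumed_pfh_d, triple):.1f} years to failure")
    # Constructed component MTTFd values (years): e.g. a contactor, a position switch, an e-stop device.
    print(category1_check([150.0, 100.0, 300.0]))
    print(category1_check([15.0, 100.0, 300.0]))
```

The second demo channel shows the point the article makes about replacement: one 15-year component pulls the combined channel MTTFd down into “Medium”, so the channel no longer qualifies for Category 1 and that component would also need a scheduled replacement inside a 20-year mission time.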

Well-​Tried Components versus Fault Exclusions

The standard goes on to outline some key distinctions between ‘well-tried component’ and ‘fault exclusion’. We’ll talk more about fault exclusions later in the series.

It is important that a clear distinction between “well-tried component” and “fault exclusion” (see Clause 7) be made. The qualification of a component as being well-tried depends on its application. For example, a position switch with positive opening contacts could be considered as being well-tried for a machine tool, while at the same time as being inappropriate for application in a food industry — in the milk industry, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclusion can lead to a very high PL, but the appropriate measures to allow this fault exclusion should be applied during the whole lifetime of the device. In order to ensure this, additional measures outside the control system may be necessary. In the case of a position switch, some examples of these kinds of measures are

  • means to secure the fixing of the switch after its adjustment,
  • means to secure the fixing of the cam,
  • means to ensure the transverse stability of the cam,
  • means to avoid over travel of the position switch, e.g. adequate mounting strength of the shock absorber and any alignment devices, and
  • means to protect it against damage from outside.

[1, 6.2.4]

System Block Diagram

Finally, let’s look at the block diagram for Category 1. You will notice that it looks the same as the Category B block diagram, since only the components used in the system have changed, and not the architecture.

Figure 3 – Category 1 Block Diagram [1, Fig. 9]

References

[1] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. ISO Standard 13849-1, Ed. 2. 2006.

[2] Safety of machinery — Safety-related parts of control systems — Part 2: Validation. ISO Standard 13849-2, Ed. 2. 2012.

[3] Safeguarding of Machinery. CSA Standard Z432. 2004.

Add to your Library

If you are working on implementing these design standards in your products, you need to buy copies of the standards for your library.

  • ISO 13849-1:2006 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
  • ISO 13849-2:2003 Safety of machinery — Safety-related parts of control systems — Part 2: Validation

Download IEC standards, International Electrotechnical Commission standards.

If you are working in the EU, or are working on CE Marking your product, you should hold the harmonized version of this standard, available through the CEN resellers:

  • EN ISO 13849-1:2008 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
  • EN ISO 13849-2:2012 Safety of machinery — Safety-related parts of control systems — Part 2: Validation

Next Installment

Watch for the next part of this series, “Interlock Architectures – Pt. 3: Category 2”, where we expand on the first two categories by adding some diagnostic coverage to improve reliability.

Have questions? Email me!

Emergency Stop – What’s so confusing about that?

This entry is part 1 of 13 in the series Emergency Stop


Editor’s Note: Since we first published this article on emergency stop in March of 2009, it has become our most popular post of all time! We decided it was time for a little refresh. Enjoy, and please comment if you find the post helpful, or if you have any questions you’d like answered. DN-July, 2017.

The Emergency Stop function is one of those deceptively simple concepts that have managed to get very complicated over time. Not every machine needs or can benefit from an emergency stop. In some cases, it may lead to an unreasonable expectation of safety from the user. Some product-specific standards mandate the requirement for an emergency stop, such as CSA Z434-14 [1], where robot controllers are required to provide emergency stop functionality, and work cells integrating robots are also required to have emergency stop capability.

Defining Emergency Stop

Photo 1 – This OLD button is definitely non-compliant.

So what is the Emergency Stop function, or E-stop function, and when do you need to have one? Let’s look at a few definitions taken from CSA Z432-14 [2]:

Emergency situation
an immediately hazardous situation that needs to be ended or averted quickly in order to prevent injury or damage.
Emergency stop
a function that is intended to avert harm or to reduce existing hazards to persons, machinery, or work in progress.
Emergency stop button
a red mushroom-headed button that, when activated, will immediately start the emergency stop sequence.

One more [2, 6.3.5]:

Complementary protective measures
Protective measures which are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use, could have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine.

Photo 2 – This more modern button is non-compliant due to the RED background and spring-return button.

An e-stop is a function that is intended for use in Emergency conditions to try to limit or avert harm to someone or something. It isn’t a safeguard but is considered to be a Complementary Protective Measure. Looking at emergency stop functions from the perspective of the Hierarchy of Controls, emergency stop functions fall into the same level as Personal Protective Equipment like safety glasses, safety boots, and hearing protection.

So far so good.

Is an Emergency Stop Function Required?

Depending on the regulations and the standards you choose to read, machinery may or may not be required to have an Emergency Stop. Quoting from [2, 6.3.5.2]:

Components and elements to achieve the emergency stop function

If, following a risk assessment, a machine needs to be fitted with components and elements to achieve an emergency stop function for enabling actual or impending emergency situations to be averted, the following requirements apply:

  • the actuators shall be clearly identifiable, clearly visible and readily accessible;
  • the hazardous process shall be stopped as quickly as possible without creating additional hazards, but if this is not possible or the risk cannot be reduced, it should be questioned whether implementation of an emergency stop function is the best solution;
  • the emergency stop control shall trigger or permit the triggering of certain safeguard movements where necessary.

Note: For more detailed provisions, see ISO 13850.

Later in [2, 7.15.1.2]:

Each operator control station, including pendants, capable of initiating machine motion and/or automatic motion shall have an emergency stop function (see Clause 6.3.5.2), unless a risk assessment determines that the emergency stop function will not contribute to risk control.

Note: There could be situations where an e-stop does not contribute to risk control and alternatives could be considered in conjunction with a risk assessment.

The bold text in the preceding paragraph is mine. I wanted to be sure that you caught this important bit of text. Not every machine requires an E-stop function. The function is only required where there is a benefit to the user. In some cases, product family standards, often called “Type C” standards, include specific requirements for the provision of an emergency stop function. The requirement may include a minimum PLr or SILr, based on the opinion of the Technical Committee responsible for the standard and their knowledge of the particular type of machinery covered by their document.

Note: For more detailed provisions on the electrical design requirements, see CSA C22.2 #301, NFPA 79 or IEC 60204-1.

Download NFPA standards through ANSI

Photo 3 – This more modern button is non-compliant due to the RED background.

If you read Ontario’s Industrial Establishments Regulation (Regulation 851), you will find that proper identification of the emergency stop device(s) and location “within easy reach” of the operator are the only requirements. What does “properly identified” mean? In Canada, the USA and internationally, a RED operator device on a YELLOW background, with or without any text behind it, is recognized as EMERGENCY STOP or EMERGENCY OFF, in the case of disconnecting switches or control switches. I’ve scattered some examples of different compliant and non-compliant e-stop devices through this article.

The EU Machinery Directive, 2006/42/EC, and Emergency Stop

Interestingly, the European Union has taken what looks like an opposing view of the need for emergency stop systems. Quoting from the Machinery Directive [3, Annex I, 1.2.4.3]:

1.2.4.3. Emergency stop
Machinery must be fitted with one or more emergency stop devices to enable actual or impending danger to be averted.

Notice the words “…actual or impending danger…” This harmonises with the definition of Complementary Protective Measures, in that they are intended to allow a user to “avert or limit harm” from a hazard. Clearly, the direction from the European perspective is that ALL machines need to have an emergency stop. Or do they? The same clause goes on to say:

The following exceptions apply:

  • machinery in which an emergency stop device would not lessen the risk, either because it would not reduce the stopping time or because it would not enable the special measures required to deal with the risk to be taken,
  • portable hand-held and/or hand-guided machinery.

From these two bullets it becomes clear that, just as in the Canadian and US regulations, machines only need emergency stops WHEN THEY CAN REDUCE THE RISK. This is hugely important and often overlooked. If the risks cannot be controlled effectively with an emergency stop, or if the risk would be increased or new risks would be introduced by the action of an e-stop system, then it should not be included in the design.

Carrying on with [3, 1.2.4.3]:

The device must:

  • have clearly identifiable, clearly visible and quickly accessible control devices,
  • stop the hazardous process as quickly as possible, without creating additional risks,
  • where necessary, trigger or permit the triggering of certain safeguard movements.

Once again, this is consistent with the general requirements found in the Canadian and US regulations. [3] goes on to define the functionality of the system in more detail:

Once active operation of the emergency stop device has ceased following a stop command, that command must be sustained by engagement of the emergency stop device until that engagement is specifically overridden; it must not be possible to engage the device without triggering a stop command; it must be possible to disengage the device only by an appropriate operation, and disengaging the device must not restart the machinery but only permit restarting.

The emergency stop function must be available and operational at all times, regardless of the operating mode.

Emergency stop devices must be a back-up to other safeguarding measures and not a substitute for them.

The first sentence of the first paragraph above is the one that requires e-stop devices to latch in the activated position. The last part of that sentence is even more important: “…disengaging the device must not restart the machinery but only permit restarting.” That phrase requires that every emergency stop system has a second discrete action to reset the emergency stop system. Pulling out the e-stop button and having power come back immediately is not OK. Once that button has been reset, a second action, such as pushing a “POWER ON” or “RESET” button to restore control power, is needed.

Point of Clarification: I had a question come from a reader asking if combining the E-stop function and the reset function was acceptable. It can be, but only if:

  • The risk assessment for the machinery does not indicate any hazards that might preclude this approach; and
  • The device is designed with the following characteristics:
    • The device must latch in the activated position;
    • The device must have a “neutral” position where the machine’s emergency stop system can be reset, or where the machine can be enabled to run;
    • The reset position must be distinct from the previous two positions, and the device must spring-return to the neutral position.

The second sentence harmonizes with the requirements of the Canadian and US standards. The last sentence harmonizes with the idea of “Complementary Protective Measures” as described in [2].
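The latch-and-reset behaviour quoted above, and the three-position combined device from the clarification, as an added example in Python (not code from the original post or from any standard; the class and method names are hypothetical):

```python
"""Emergency-stop latch/reset model: an added example, not from the original post.

Hypothetical classes following the quoted clause: engaging always issues a
stop command, the command is held while the device is latched, and releasing
the device only permits a restart that a separate reset action completes.
"""
from enum import Enum


class Machine(Enum):
    RUNNING = "running"   # control power on
    STOPPED = "stopped"   # stop command sustained by the latched device
    READY = "ready"       # device released: restart permitted, not performed


class EStopSystem:
    """Separate e-stop button plus a discrete RESET / POWER ON action."""

    def __init__(self) -> None:
        self.latched = False
        self.state = Machine.READY

    def engage(self) -> Machine:
        # Engaging the device must always trigger a stop command.
        self.latched = True
        self.state = Machine.STOPPED
        return self.state

    def disengage(self) -> Machine:
        # Releasing the latch must not restart the machinery by itself.
        if self.latched:
            self.latched = False
            self.state = Machine.READY
        return self.state

    def reset(self) -> Machine:
        # Second discrete action restores control power; refused while latched.
        if not self.latched and self.state is Machine.READY:
            self.state = Machine.RUNNING
        return self.state


class Position(Enum):
    """Three-position combined device from the clarification above."""
    LATCHED = "latched"   # pushed in, stop sustained
    NEUTRAL = "neutral"   # released; machine may now be reset
    RESET = "reset"       # momentary; spring-returns to NEUTRAL


class CombinedDevice:
    """E-stop and reset on one operator (hypothetical, for illustration)."""

    def __init__(self) -> None:
        self.system = EStopSystem()
        self.position = Position.NEUTRAL

    def move_to(self, target: Position) -> Machine:
        if target is Position.LATCHED:
            self.position = target
            return self.system.engage()
        if target is Position.NEUTRAL:
            self.position = target
            return self.system.disengage()
        # RESET is distinct from LATCHED, so it is only reachable from NEUTRAL
        # (assumption: the operator must pass through neutral first).
        if self.position is not Position.NEUTRAL:
            return self.system.state
        state = self.system.reset()
        self.position = Position.NEUTRAL   # spring return
        return state
```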

How Many and Where?

Where? “Within easy reach”. Consider the locations where you EXPECT an operator to be. Besides the main control console, these could include feed hoppers, consumables feeders, finished goods exit points, etc. You get the idea. Anywhere you can reasonably expect an operator to be under normal circumstances is a reasonable place to put an e-stop device. “Easy Reach” I interpret as within the arm-span of an adult (presuming the equipment is not intended for use by children). The “easy reach” requirement translates to 500 – 600 mm either side of the centre line of most workstations.

How do you know if you need an emergency stop? Start with a stop/start analysis. Identify all the normal starting and stopping modes that you anticipate on the equipment. Consider all of the different operating modes that you are providing, such as Automatic, Manual, Teach, Setting, etc. Identify all of the matching stop conditions in the same modes, and ensure that all start functions have a matching stop function.

Do a risk assessment. Risk assessment is a basic requirement in most jurisdictions today.

As you determine your risk control measures (following the Hierarchy of Controls), look at what risks you might control with an Emergency Stop. Remember that e-stops fall below safeguards in the hierarchy, so you must use a safeguarding technique if possible; you can’t just default down to an emergency stop. IF the e-stop can provide you with the additional risk reduction then use it, but first, reduce the risks in other ways.

The Stop Function and Functional Safety Requirements

Finally, once you determine the need for an emergency stop system, you need to consider the system’s functionality and controls architecture. NFPA 79 [4] has been the reference standard for Canada and is the reference for the USA. In 2016, CSA introduced a new electrical standard for machinery, CSA C22.2 #301 [5]. This standard is intended for certification of industrial machines. My opinion is that this standard has some significant issues. If you are working in an international market, you can find electrical requirements very similar to those in [4] in IEC 60204-1 [6]. EN 60204-1 applies to the EU market for industrial machines and is technically identical to [6].


Functional Stop Categories

NFPA 79 calls out three basic categories of stop functions. Note that these categories are NOT functional safety architectural categories, but are categories describing stopping functions. Reliability is not addressed in these sections. Quoting from the standard:

9.2.2 Stop Functions

Stop functions shall override related start functions. The reset of the stop functions shall not initiate any hazardous conditions. The three categories of stop functions shall be as follows:

(1) Category 0 is an uncontrolled stop by immediately removing power to the machine actuators.

(2) Category 1 is a controlled stop with power to the machine actuators available to achieve the stop then power is removed when the stop is achieved.

(3) Category 2 is a controlled stop with power left available to the machine actuators.

Photo 4 – This E-Stop button is CORRECT. Note the Push-Pull-Twist operator and the YELLOW background.

A bit later in the standard, we find:

9.2.5.3 Stop.

9.2.5.3.1* Category 0, Category 1, and/or Category 2 stops shall be provided as determined by the risk assessment and the functional requirements of the machine. Category 0 and Category 1 stops shall be operational regardless of operating modes, and Category 0 shall take priority.

9.2.5.3.2 Where required, provisions to connect protective devices and interlocks shall be provided. Where applicable, the stop function shall signal the logic of the control system that such a condition exists.

You’ll also note that pesky “risk assessment” pops up again in 9.2.5.3.1. You just can’t get away from it…

The functional stop categories are aligned with similar terms used with motor drives. You may want to read this article if your machinery uses a motor drive.

Functional Safety

Photo 5 – Disconnect with E-Stop Colours indicates that this disconnecting device is intended to be used for EMERGENCY SWITCHING OFF.

Once you know what functional category of stop you need, and what degree of risk reduction you are expecting from the emergency stop system, you can determine the functional safety requirements. In Canada, [2, 8.2.1] requires that all new equipment be designed to comply with ISO 13849 [7], [8], or IEC 62061 [9]. This is a new requirement that was added to [2] to help bring Canadian machinery into harmonization with the International Standards.

Emergency stop functions are required to provide a minimum of ISO 13849-1, PLc, or IEC 62061 SIL1. If the risk assessment shows that greater reliability is required, the system can be designed to meet any higher reliability requirement that is suitable. Essentially, the greater the risk reduction required, the higher the degree of reliability required.

I’ve written extensively about the application of ISO 13849, so if you are not sure what any of that means, you may want to read the series on that topic.

Extra points go to any reader who noticed that the ‘electrical hazard’ warning label immediately above the disconnect handle in Photo 5 above is

a) upside down, and

b) using a non-standard lightning flash.

Cheap hazard warning labels, like this one, are often as good as none at all. I’ll be writing more on hazard warnings in future posts. In case you are interested, here is the correct ISO electrical hazard label:

Photo 6 – Electric Shock Hazard – IEC 60417-5036 (yellow triangular background with a black triangular border and a stylized black lightning-flash arrow travelling from top to bottom).

You can find these labels at Clarion Safety Systems.

Use of Emergency Stop as part of a Lockout Procedure or HECP

One last note: Emergency stop functions and the systems that implement the functions (with the exception of emergency switching off devices, such as disconnect switches used for e-stop) CANNOT be used for energy isolation in an HECP – Hazardous Energy Control Procedure (which includes Lockout). Devices for this purpose must physically separate the energy source from the downstream components. See CSA Z460 [11] for more on that subject.

Read our Article on Using E-Stops in Hazardous Energy Control Procedures (HECP) including lockout.

Photo 7 – Pneumatic E-Stop/Isolation device.

References

[1] Industrial robots and robot systems (Adopted ISO 10218-1:2011, second edition, 2011-07-01, with Canadian deviations and ISO 10218-2:2011, first edition, 2011-07-01, with Canadian deviations). Canadian National Standard CAN/CSA Z434. 2014.

[2] Safeguarding of Machinery. CSA Standard Z432. 2016.

[3] Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (recast). Brussels: European Commission, 2006.

[4] Electrical Standard for Industrial Machinery. ANSI/NFPA Standard 79. 2015.


[5] Industrial electrical machinery. CSA Standard C22.2 No. 301. 2016.

[6] Safety of machinery — Electrical equipment of machines — Part 1: General requirements. IEC Standard 60204-1. 2016.


[7] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. ISO Standard 13849-1. 2015.

[8] Safety of machinery — Safety-related parts of control systems — Part 2: Validation. ISO Standard 13849-2. 2012.

[9] Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061+AMD1+AMD2. 2015.

[10] Safety of machinery — Emergency stop — Principles for design. ISO Standard 13850. 2015.

Download ISO Standards 

[11] Control of hazardous energy — Lockout and other methods. CSA Standard Z460. 2013.