Emergency Stop - Machinery Safety 101

Machinery Safety 101

Emergency Stop — What’s so confusing about that?

Defining Emergency Stop

Is an Emergency Stop Required?

How Many and Where?

The Stop Function and Control Reliability Requirements

Checking Emergency Stop Systems

Tests

Guarding Emergency Stop Devices

References

Safe designs for safe workplaces

Emergency Stop — What’s so confusing about that?

Defining Emergency Stop

Is an Emergency Stop Required?

How Many and Where?

The EU Machinery Directive, 2006/42/EC, and Emergency Stop

Functional Stop Categories

Control Reliability

Why Guard an Emergency Stop?

Regulatory Requirements

Summing Up

Effects of PPE

Effects of State-of-Mind

The answer you’ve all been waiting for!

The EU Machinery Directive, 2006/42/EC, and Emergency Stop

Posted by Doug Nix on March 6, 2009 1 comment

This entry is part 1 of 9 in the series Emergency Stop

I get a lot of calls and emails asking about emergency stops. This is one of those deceptively simple concepts that has managed to get very complicated over time. Not every machine needs or can benefit from an emergency stop. In some cases, it may lead to an unreasonable expectation of safety from the user, which can lead to injury if they don’t understand the hazards involved. Some product-specific standards mandate the requirement for emergency stop, such as CSA Z434-03, where robot controllers are required to provide emergency stop functionality and work cells integrating robots are also required to have emergency stop capability.

This OLD button is definitely non-compliant.

So what is an Emergency Stop, or e-stop, and when do you need to have one? Let’s look at a few definitions taken from CSA Z432-04:

Emergency situation — an immediately hazardous situation that needs to be ended or averted quickly in order to prevent injury or damage.
Emergency stop — a function that is intended to avert harm or to reduce existing hazards to persons, machinery, or work in progress.
Emergency stop button — a red mushroom-headed button that, when activated, will immediately start the emergency stop sequence.

and one more:

6.2.3.5.3 Complementary protective measures
Following the risk assessment, the measures in this clause either shall be applied to the machine or shall be dealt with in the information for use.
Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but not be limited to,
a) emergency stop;
b) means of rescue of trapped persons; and
c) means of energy isolation and dissipation.

This more modern button is non-compliant due to the RED background and spring-return button.

So, an e-stop is a system that is intended for use in Emergency conditions to try to limit or avert harm to someone or something. It isn’t a safeguard, but is considered to be a Complementary Protective Measure. So far so, good.

Depending on the regulations and the standards you choose to read, machinery is not required to have an Emergency Stop. Quoting from CSA Z432-04:

6.2.5.2.1 Components and elements to achieve the emergency stop function
If, following a risk assessment, it is determined that in order to achieve adequate risk reduction under emergency circumstances a machine must be fitted with components and elements necessary to achieve an emergency stop function so that actual or impending emergency situations can be controlled, the following requirements shall apply:
a) The actuators shall be clearly identifiable, clearly visible, and readily accessible.
b) The hazardous process shall be stopped as quickly as possible without creating additional hazards.
If this is not possible or the risk cannot be adequately reduced, this may indicate that an emergency stop function may not be the best solution (i.e., other solutions should be sought). (Bolding added for emphasis — DN)

c) The emergency stop control shall trigger or permit the triggering of certain safeguard movements where necessary.
Note: For more detailed provisions, see NFPA 79.

Download NFPA standards through ANSI

This more modern button is still wrong due to the RED background.

This more modern button is non-compliant due to the RED background.

In fact, if you read Ontario’s Industrial Establishments regulation (Regulation 851), you will find that the only requirement for an emergency stop is that it is properly identified and located “within easy reach” of the operator. What does “properly identified” mean? In Canada, the USA and Internationally, a RED operator device on a YELLOW background, with or without any text behind it, is recognized as EMERGENCY STOP or EMERGENCY OFF, in the case of disconnecting switches or control switches. I’ve scattered some examples of different compliant and non-compliant e-stop devices through this article.

Interestingly, the European Union has taken what looks like an opposing view of the need for emergency stop systems. Quoting from Annex I of the Machinery Directive:

1.2.4.3. Emergency stop
Machinery must be fitted with one or more emergency stop devices to enable actual or impending danger to be averted.

Notice the words “…actual or impending danger…” This harmonizes with the definition of Complementary Protective Measures, in that they are intended to allow a user to “avert or limit harm” from a hazard. Clearly, the direction from the European perspective is that ALL machines need to have an emergency stop. Or do they? The same clause goes on to say:

The following exceptions apply:
machinery in which an emergency stop device would not lessen the risk, either because it would not reduce the stopping time or because it would not enable the special measures required to deal with the risk to be taken,
portable hand-held and/or hand-guided machinery.

From these two bullets it becomes clear that, just as in the Canadian and US regulations, machines only need emergency stops WHEN THEY CAN REDUCE THE RISK. This is hugely important, and often overlooked. If the risks cannot be controlled effectively with an emergency stop, or if the risk would be increased or new risks would be introduced by the action of an e-stop system, then it should not be included in the design.

Carrying on with the same clause:

The device must:
have clearly identifiable, clearly visible and quickly accessible control devices,
stop the hazardous process as quickly as possible, without creating additional risks,
where necessary, trigger or permit the triggering of certain safeguard movements.

Once again, this is consistent with the general requirements found in the Canadian and US regulations. The directive goes on to define the functionality of the system in more detail:

Once active operation of the emergency stop device has ceased following a stop command, that command must be sustained by engagement of the emergency stop device until that engagement is specifically overridden; it must not be possible to engage the device without triggering a stop command; it must be possible to disengage the device only by an appropriate operation, and disengaging the device must not restart the machinery but only permit restarting.
The emergency stop function must be available and operational at all times, regardless of the operating mode.
Emergency stop devices must be a back-up to other safeguarding measures and not a substitute for them.

The first sentence of the first paragraph above is the one that requires e-stop devices to latch in the activated position. The last part of that sentence is even more important: “…disengaging the device must not restart the machinery but only permit restarting.” That phrase requires that every emergency stop system have a second discrete action to reset the emergency stop system. Pulling out the e-stop button and having power come back immediately is not OK. Once that button has been reset, a second action, such as pushing a “POWER ON” or “RESET” button to restore control power is needed. Point of Clarification: I had a question come from a reader asking if combining the e-stop function and the reset function was acceptable. It can be, but only if:

The risk assessment for the machinery does not indicate any hazards that might preclude this approach; and
The device is designed with the following characteristics:

The device must latch in the activated position;
The device must have a “neutral” position where the machine’s emergency stop system can be reset, or where the machine can be enabled to run;
The reset position must be distinct from the previous two positions, and the device must spring-return to the neutral position.

The second sentence harmonizes with the requirements of the Canadian and US standards.

Finally, the last sentence harmonizes with the idea of “Complementary Protective Measures” as described in CSA Z432.

Where? “Within easy reach”. Consider the locations where you EXPECT an operator to be. Besides the main control console, these could include feed hoppers, consumables feeders, finished goods exit points… you get the idea. Anywhere you can reasonably expect an operator to be under normal circumstances is a reasonable place to put an e-stop device. “Easy Reach” I interpret as within the arm-span of an adult (presuming the equipment is not intended for use by children). This translates to 500–600 mm either side of the center line of most work stations.

How do you know if you need an emergency stop? Start with a stop/start analysis. Identify all the normal starting and stopping modes that you anticipate on the equipment. Consider all of the different operating modes that you are providing, such as Automatic, Manual, Teach, Setting, etc. Identify all of the matching stop conditions in the same modes, and ensure that all start functions have a matching stop function.

Do a risk assessment. This is a basic requirement in most jurisdictions today.

As you determine your risk control measures (following the hierarchy of controls), look at what risks you might control with an Emergency Stop. Remember that e-stops fall below safeguards in the hierarchy, so you must use a safeguarding technique if possible, you can’t just default down to an emergency stop. IF the e-stop can provide you with the additional risk reduction, then use it but first, reduce the risks in other ways.

Finally, once you determine the need for an emergency stop system, you need to consider the system’s functionality and controls architecture. NFPA 79 is the reference standard for Canada, although you can find very similar requirements in IEC 60204–1 if you are working in an international market.

Download NFPA standards through ANSI
Download IEC standards, International Electrotechnical Commission standards.

NFPA 79 calls out three basic categories of stop. Note that these are NOT reliability categories, but are functional categories. Reliability is not addressed in these sections. Quoting from the standard:

9.2.2 Stop Functions. The three categories of stop functions shall be as follows:
(1) Category 0 is an uncontrolled stop by immediately removing power to the machine actuators.
(2) Category 1 is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.
(3) Category 2 is a controlled stop with power left available to the machine actuators.

This E-Stop button is CORRECT. Note the Push-Pull-Twist operator and the YELLOW background.

A bit later, the standards says:

9.2.5.3 Stop.
9.2.5.3.1 Each machine shall be equipped with a Category 0 stop.
9.2.5.3.2 Category 0, Category 1, and/or Category 2 stops shall be provided where indicated by an analysis of the risk assessment and the functional requirements of the machine. Category 0 and Category 1 stops shall be operational regardless of operating modes, and Category 0 shall take priority. Stop function shall operate by de-energizing that relevant circuit and shall override related start functions.

Note that 9.2.5.3.1 does NOT mean that every machine must have an e-stop. It simply says that every machine must have a way to stop the machine that is equivalent to “pulling the plug”. The main disconnect on the control panel can be used for this function if sized and rated appropriately. The question of HOW to effect the Category 0 stop depends on WHEN it will be used — i.e. what risks must be reduced, or what hazards must be controlled by the e-stop.

You’ll also note that that pesky “risk assessment” pops up again in 9.2.5.3.2. You just can’t get away from it…

Disconnect with E-Stop Colours indicates that this device is intended to be used for EMERGENCY SWITCHING OFF.

Once you know what functional category of stop you need, and what degree of risk reduction you are expecting from the emergency stop system, you can determine the degree of reliability required. In Canada, CSA Z432 gives us these categories: SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL MONITORED and CONTROL RELIABLE. These categories are being replaced slowly by Performance Levels (PL) as defined in ISO 13849–1 2007.

The short answer is that the greater the risk reduction required, the higher the degree of reliability required. In many cases, a SINGLE CHANNEL or SINGLE CHANNEL MONITORED solution may be acceptable, particularly when there are more reliable safeguards in place. On the other hand, you may require CONTROL RELIABLE designs if the e-stop is the primary risk reduction for some risks or specific tasks.

Extra points go to any reader who noticed that the ‘electrical hazard’ warning label immediately above the disconnect handle in the above photo is a) upside down, and b) using a non-standard lighting flash. Cheap hazard warning labels, like this one, are often as good as none at all. I’ll be writing more on hazard warnings in future posts.

Use of Emergency Stop as part of a Lockout Procedure or HECP.

One last note: Emergency stop systems (with the exception of emergency switching off devices, such as disconnect switches used for e-stop) CANNOT be used for energy isolation in a Hazardous Energy Control Procedure (a.k.a. Lockout). Devices for this purpose must physically separate the energy source from the down-stream components. See CSA Z460-05 for more on that subject.

Read our Article on Using E-Stops in HECP.

Pneumatic E-Stop/Isolation device.

Standards Referenced in this post:

CSA Z432-04, Safeguarding of Machinery

NFPA 79–07, Electrical Standard for Industrial Machinery
Download NFPA standards at ANSI

IEC 60204–1:09, SAFETY OF MACHINERY — ELECTRICAL EQUIPMENT OF MACHINES — PART 1: GENERAL REQUIREMENTS

Download IEC standards, International Electrotechnical Commission standards.

ISO 13849−1−2007, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design

Posted by Doug Nix on July 15, 2010 7 comments

This entry is part 2 of 9 in the series Emergency Stop

A while back I wrote about the basic design requirements for Emergency Stop systems. I’ve had several people contact me wanting to know about checking and testing emergency stops, so here are my thoughts on this process.

Figure 1 below, excerpted from the 1996 edition of ISO 13850, Safety of machinery — Emergency stop — Principles for design, shows the emergency stop function graphically. As you can see, the initiating factor in this function is a person becoming aware of the need for an emergency stop. This is NOT an automatic function and is NOT a safety or safeguarding function.

Download ISO Standards

ISO 13850 1996 Figure 1 — Emergency Stop Function

Download ISO Standards

I mention this because many people are confused about this point. Emergency stop systems are considered to be ‘complimentary protective measures’, meaning that their functions complement the safeguarding systems, but cannot be considered to be safeguards in and of themselves. This is significant. Safeguarding systems are required to act automatically to protect an exposed person. Think about how an interlocked gate or a light curtain acts to stop hazardous motion BEFORE the person can reach it. Emergency stop is normally used AFTER the person is already involved with the hazard, and the next step is normally to call 911.

All of that is important from the perspective of control reliability. The control reliability requirements for emergency stop systems are often different from those for the safeguarding systems because they are a backup system. Determination of the reliability requirements is based on the risk assessment and on an analysis of the circumstances where you, as the designer, anticipate that emergency stop may be helpful in reducing or avoiding injury or machinery damage. Frequently, these systems have lower control reliability requirements than do safeguarding systems.

Before you begin any testing, understand what effects the testing will have on the machinery. Emergency stops can be partially tested with the machinery at rest. Depending on the function of the machinery and the difficulty in recovering from an emergency stop condition, you may need to adjust your approach to these tests. Start by reviewing the emergency stop functional description in the manual. Here’s an example taken from a real machine manual:

Emergency Stop (E-Stop) Button

Figure 2.1 Emergency Stop (E-Stop) Button

A red emergency stop (E-Stop) button is a safety device which allows the operator to stop the machine in an emergency. At any time during operation, press the E-Stop button to disconnect actuator power and stop all connected machines in the production line. Figure 2.1 shows the emergency stop button.
There is one E-Stop button on the pneumatic panel.
NOTE: After pressing the E-Stop button, the entire production line from spreader-feeder to stacker shuts down. When the E-Stop button is reset, all machines in the production line will need to be restarted.
DANGER: These devices do not disconnect main electrical power from the machine. See “Electrical Disconnect” on page 21.

As you can see, the general function of the button is described, and some warnings are given about what does and doesn’t happen when the button is pressed.

Now, if the emergency stop system has been designed properly and the machine is operating normally, pressing the emergency stop button while the machine is in mid-cycle should result in the machinery coming to a fast and graceful stop. Here is what ISO 13850 has to say about this condition:

4.1.3 The emergency stop function shall be so designed that, after actuation of the emergency stop actuator, hazardous movements and operations of the machine are stopped in an appropriate manner, without creating additional hazards and without any further intervention by any person, according to the risk assessment.
An “appropriate manner” can include
choice of an optimal deceleration rate,
selection of the stop category (see 4.1.4), and
employment of a predetermined shutdown sequence.
The emergency stop function shall be so designed that a decision to use the emergency stop device does not
require the machine operator to consider the resultant effects.

The intention of this function is to bring the machinery to a halt as quickly as possible without breaking it. However, if the braking systems fail, e.g. the servo drive fails to decelerate the tooling as it should, then dropping power and potentially breaking the machinery is acceptable.

In many systems, pressing the e-stop button or otherwise activating the emergency stop system will result in a fault or an error being displayed on the machine’s operator display. This can be used as an indication that the control system ‘knows’ that the system has been activated.

ISO 13850 requires that emergency stop systems exhibit the following key behaviours:

It must override all other control functions, and no start functions are permitted (intended, unintended or unexpected) until the emergency stop has been reset;
Use of the emergency stop cannot impair the operation of any functions of the machine intended for the release of trapped persons;
It is not permitted to affect the function of any other safety critical systems or devices.

Once the emergency stop device has been activated, control power is normally lost. Pressing any START function on the control panel, except POWER ON or RESET should have no effect. If any aspect of the machine starts, count this as a FAILED test.

If resetting the emergency stop device results in control power being re-applied, count this as a FAILED test.

Pressing POWER ON or RESET before the activated emergency stop device has been reset (i.e. the e-stop button has been pulled out to the ‘operate’ position), should have no effect. If you can turn the power back on before you reset the emergency stop device, count this as a FAILED test.

Once the emergency stop device has been reset, pressing POWER ON or RESET should result in the control power being restored. This is acceptable. The machine should not restart. If the machine restarts normal operation, count this as a FAILED test.

Once control power is back on, you may have a number of faults to clear. When all the faults have been cleared, pressing the START button should result in the machine restarting. This is acceptable behaviour.

If you break the machine while testing the emergency stop system, count this as a FAILED test.

Test all emergency stop devices. A wiring error or other problems may not be apparent until the emergency stop device is tested. Push all buttons, pull all pull cords, activate all emergency stop devices. If any fail to create the emergency stop condition, count this as a FAILED test.

If, having conducted all of these tests, no failures have been detected, consider the system to have passed basic functional testing. Depending on the complexity of the system and the criticality of the emergency stop function, additional testing may be required. It may be necessary to develop some functional tests that are conducted while various EMI signals are present, for example.

If you have any questions regarding testing of emergency stop devices, please email me (dnixcomplianceinsight dot ca) !

Download ISO Standards

Posted by Doug Nix on September 3, 2010 6 comments

This entry is part 3 of 9 in the series Emergency Stop

A lot of confusion exists when it comes to Emergency Stop systems, and clients often ask me if it is ‘OK’ to guard emergency stop devices like e-stop buttons, foot pedals, pull-cords, etc. Without getting into a ton of regulatory details, this article will look at the requirements in for emergency stop devices in three key jurisdictions: Canada, the USA and the European Union.

If you need information on the functional aspects of emergency stop systems, see “Emergency Stop — What’s so confusing about that?”

Generally, emergency stop devices, or e-stop devices as they’re often called, need to be protected from unintentional use. This problem occurs because e-stop devices have to be located close to where people work in order to be useful. An e-stop you can’t reach when you need it may as well not be there in the first place. So emergency stops are located at ‘normal operator stations’. This often means they are located under the edge of a machine table, or on an operator control bar like that used on power presses, putting the e-stop within reach, but also in the ‘line-of-fire’ when it comes to the operator’s normal movements.

To prevent unintended operation, people often want to put rings, collars, or worse — covers — on or around the e-stop device to keep people from bumping the device. Some of these can be done and should be done, and others are never permitted for good reason.

Let’s take a look at the key requirements from the regulations world wide:

Emergency Stop devices must be clearly identified. The technical standards require that emergency stop devices be coloured RED with a YELLOW background.
They must be located within easy reach of the operator. This applies to all normal workstations where operators interact with the machine. For maintenance and service activities where workers may be in locations other than normal workstations, a pendant or other portable control must be used to cause machine motion. This device must include an emergency stop control along with other complementary safeguarding devices such as enabling devices and hold-to-run controls. Where access is only allowed under lockout conditions, this is not required.
Buttons must be palm or mushroom-shaped devices.
Devices must require manual resetting. This means that the device must latch in the operated position and require a deliberate action to reset the device. This includes actions such as: pulling put a pressed button, twisting a button to release the latched condition, pressing a reset button on a pull-cord to reset the tripped condition, etc.
Unguarded. This means that easy access to the device may not be impeded, considering the personal protective equipment (PPE) that workers are required to wear. Devices that would be considered to be guards would include:

Close fitting rings or collars that require a worker to insert a finger inside the ring or collar to reach the device and activate it,
covers that close over the device to prevent access,
locking device that prevent access to the device, etc.

So, considering point 5 above, isn’t this the end of the discussion? Not at all! There are a few factors to consider first.

An important consideration is the potential for accidental operation. Depending on the machine or process, accidental operation of emergency stop devices may result in significant lost production and/or damage to equipment. In cases like this, it is reasonable to protect the device from accidental operation as long as the measures taken to protect the device do not impede the operation of the device in emergency conditions.

ISO 13850 2006 supports this idea in Clause 4.4 Emergency stop device:

4.4.2 An emergency stop device shall be located at each operator control station, except where the risk assessment indicates that this is not necessary, as well as at other locations, as determined by the risk assessment. It shall be positioned such that it is readily accessible and capable of non-hazardous actuation by the operator and others who could need to actuate it. Measures against inadvertent actuation should not impair its accessibility. (Author’s Note: Bold text added for emphasis.)

The key difference between North American thinking and International/EU thinking is in the term “unguarded” as used in the North American standards, versus ISO 13850, § 4.2.2, where the designer is reminded, “Measures against inadvertent actuation should not impair its accessibility.”

In my opinion it is reasonable to protect an emergency stop device from inadvertent operation by placing a ring or other similar structure around an emergency stop device as long as the structure does not impair easy access to the device by the operator.

I know this opinion appears initially to go against the established North American standards, however it can be logically argued, based on the definition of the word “guard”.

A guard is a device that prevents access to something, usually a hazard. Considering that we are talking about a control that is designed to reduce or limit harm, any structure that does not prevent access to the emergency stop device associated with the structure should be considered to be acceptable.

That said, devices like:

hinged covers;
doors;
locking devices;
narrow collars; and
any other device or structure

that unduly limits access to the emergency stop device cannot be considered acceptable.

The phrase ‘unduly limits access’ has specific meaning here. If workers are expected to be wearing PPE on the body part used to activate the emergency stop device, such as gloves or boots for example, then the structure placed around the emergency stop device must take the added dimensions of the PPE and the reduction in tactile capability that may occur (e.g. heavy work gloves make it hard to feel things easily), and must compensate for the effects of the PPE. Big gloves/boots = Big opening in the structure.

Lighting and protective eyewear can also play a part. You may need to use reflective or luminescent paint to highlight the location of the device in low light environments or where very dark eyewear is required, like that needed by welders or used by workers around some infrared lasers with open beam paths.

It’s also important to consider the likely state-of-mind of a worker needing to use an emergency stop device. They are either urgently trying to stop the machine because,

another safeguard has failed an someone is involved with a hazard, including themselves, or
the machine is damaging itself or the product and they need to limit the damage.

Both scenarios have a high level of urgency attached to them. The human mind tends to miss obvious things including training, when placed under high levels of stress. Structures placed around emergency stop devices, such as covers, that completely block access, even though they may be easily opened, may be enough to prevent access in an emergency.

So in the end, can you put a structure around an emergency stop to reduce inadvertent operation of the device:

YES!

Just make sure that you consider all the factors that may affect it’s use, document your analysis, and don’t unduly restrict access to the device.

Need more help? Feel free to email me!

IEC – International Electrotechnical Commission

ISO – International Organization for Standardization

Safety of machinery — Emergency stop — Principles for design, ISO 13850, 2006, ISO, Geneva, Switzerland.

Control of Hazardous Energy – Lockout and Other Methods, CSA Z460, 2005, Canadian Standards Association, Toronto, Canada.

Control of Hazardous Energy – Lockout/Tagout and Alternative Methods, ANSI ASSE Z244.1, 2003, American National Standards Institute / American Society of Safety Engineers, Des Plaines, IL, USA.

Original content here is published under these license terms:		X

License Type:	Non-commercial, Attribution, Share Alike

License Summary:	You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.

License URL:	http://creativecommons.org/licenses/by-nc-sa/3.0/

17 Events on February 17, 2012 Toronto Engineering & Human Environment ExCom More details