
Understanding Risk Assessment

When people discuss ‘Risk’ there are a lot of different assumptions made about what that means. For me, the study of risk and risk assessment techniques started in 1995. As a technologist and controls designer, I had to somehow wrap my head around the whole concept in ways I’d never considered. If you’re trying to figure out risk and risk assessment this is a good place to get started!

What is risk?

From a machinery perspective, ISO 12100:2010 defines risk as:

“combination of the probability of occurrence of harm and the severity of that harm”

Risk can have positive or negative outcomes, but when considering safety, we only consider negative risk, or events that result in negative health effects for the people exposed.

The risk relationship is illustrated in ISO 12100:2010 Figure 3:


[Figure: ISO 12100:2010 Figure 3, the risk relationship]

Where

R = Risk

S = Severity of Harm

P = Probability of Occurrence of Harm

The Probability of Occurrence of Harm factor is often further broken down into three sub-factors:

  • Probability of Exposure to the hazard
  • Probability of Occurrence of the Hazardous Event
  • Probability of Limiting or Avoiding the Harm

How is risk measured?

In order to estimate risk a scoring tool is needed. There is no one ‘correct’ scoring tool, and there are flaws in most scales that can result in blind spots where risks may be over- or under-estimated.

At the simplest level are ‘screening’ tools. These tools use very simple scales like ‘High, Medium, Low’, or ‘A, B, C’. These tools are often used when doing a shop-floor inspection and are intended to provide a quick method of capturing observations and giving a gut-feel assessment of the risk involved. These tools should be used as a way to identify risks that need additional, detailed assessment. To get an idea of what a good screening tool can look like, have a look at the SOBANE Déparis system.

Every scoring tool requires a scale for each risk parameter included in the tool. For instance, consider the CSA tool described in CSA Z434:

[Figure: CSA Z434-03 Table 1]

As you can see, each parameter (Severity, Exposure and Avoidance) has a scale, with two possible selections for each parameter.

When considering selection of a scoring tool, it’s important to take some time to really examine the scales for each factor. The scale shown above has a glaring hole in one scale. See if you can spot it and I’ll tell you what I think a bit later in this post.

There are more than 350 different scales and methodologies available for assessing risk. You can find a good review of some of them in Bruce Main’s textbook “Risk Assessment: Basics and Benchmarks” available from DSE online.

A similar, although different, tool is found in Annex 1 of ISO 13849-1. Note that this tool is provided in an Informative Annex. This means that it is not part of the body of the standard and is NOT mandatory. In fact, this tool was provided as an example of how a user could link the output of a risk assessment tool to the Performance Levels described in the normative text (the mandatory part) of the standard.

Consider creating your own scales. There is nothing wrong with determining what characteristics (parameters) you want to include in your risk assessment, and then assigning each parameter a numeric scale that you think is suitable: 1–10, 0–5, etc. Some scales may be inverted relative to others; for example, if the Severity scale runs from 0–10, the Avoidability scale might run from 10–0 (Unavoidable to Entirely Avoidable).

Once the scales in your tool have been defined, document the definitions as part of your assessment.

Who should conduct risk assessments?

In many organizations, I find that risk assessment has been delegated to one person. This is a major mistake for a number of reasons. Risk assessment is not a solo activity for a ‘guru’ in a lonely office somewhere!

Risk assessment is not a lot of fun to do, and since risk assessments can get to be quite involved, it represents a significant amount of work to put on one person. Also, leaving it to one person means that the assessment will necessarily be biased to what that person knows, and may miss significant hazards because the assessor doesn’t know enough about that hazard to spot it and assess it properly.

Risk assessment requires multiple viewpoints from participants with varied expertise. This includes users, designers, engineers, lawyers and those who may have specialized knowledge of a particular hazard, like a Laser Safety Officer or a Radiation Safety Officer. The varied expertise of the people involved will allow the committee to balance the opinions on each hazard, and develop a more reasoned assessment of the risk.

I recommend that risk assessment committees never be less than three members. Five is frequently a good number. Once you get beyond five, it becomes increasingly difficult to obtain consensus on each hazard. Also, consider the cost. As each committee member is added to the team, the cost of the assessment can escalate exponentially.

Training in risk assessment is crucial to success. Ensure that the individuals involved are trained, and that at least one has some previous experience in the practice so that they may guide the committee as needed.

When should a risk assessment be conducted?

[Figure: Risk Assessment in the Lifetime of a Product (flow chart)]

Risk assessment should begin at the beginning of a project, whether it’s the design of a product, the development of a process or service, or the design of a new building. Understanding risk is critical to the design process. Costs for changes made at the beginning of a project are minimal compared to those that will be incurred to correct problems that might have been foreseen at the start. Risk assessment should start at the concept stage and be included at each subsequent stage in the development process. The accompanying graphic illustrates this idea.

Essentially, risk assessment is never finished until the product, process or service ceases to exist.

What tools are available?

As mentioned earlier in this post, the book “Risk Assessment: Basics and Benchmarks” provides an overview of roughly 350 different scoring tools. You can search the Internet and turn up quite a few as well. The key thing with all of these systems is that you will need to develop any software-based tools yourself. Depending on your comfort with software, this might be a spreadsheet format, a word processing document, a database, or some other format that works for your application.

There are a number of risk assessment software tools available as well, including ISI’s CIRSMA and DSE’s DesignSafe. As with the scoring tools, you need to be careful when evaluating tools. Some have significant blind spots that may trip you up if you are not aware of their limitations.

Remember too that the output from the software can only be as good as the input data. The old saw “Garbage In, Garbage Out” holds true with risk assessment.

Where can you get training?

There are a few places to get training. Compliance InSight Consulting provides training to corporate clients and will be launching a series of web-based training services in 2011 that will allow individual learners to get training too.

The IEEE PSES operates a Risk Assessment Technical Committee that is open to the public as well. See the RATC web site.

The Answer to the Scale Question

The Exposure Scale in the CSA tool has a gap between E1 and E2. Looking at the definitions for each choice, notice that E1 is less than once per day or shift, while E2 is more than once per hour. Exposures that occur once per hour or less, but more than once per day, cannot be scored effectively using this scale.

Also, notice the Severity scale: S1 encompasses injuries requiring not more than basic first aid. One common question I get is “Does that include CPR*?”. This question comes up because most basic first aid courses taught in Canada include CPR as part of the course. There is no clear answer for this in the standard. The S2 factor extends from injuries requiring more than basic first aid, like a broken finger for instance, all the way to a fatality. Does it make sense to group this broad range of injuries together? This definition doesn’t quite match with the Province of Ontario’s definition of a Critical Injury found in Regulation 834 either.

All of this points to the need to carefully assess the scales that you choose before you start the process. Choosing the wrong tool can skew your results in ways that you may not be very happy about.

*Cardio-Pulmonary Resuscitation
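As an added example (not code from the original post), here is a small Python check for the scale problem described above and for the "create your own scales" advice earlier in the post: each selection on a parameter's scale is written as a numeric interval, and the tool reports any range of real-world values that no selection covers. The CSA Z434-03 exposure bands are entered as the post describes them (E1: less than once per day or shift, E2: more than once per hour); the 8-hour shift and the continuous replacement scale are assumptions.

```python
"""Coverage check for the scales of a risk-scoring tool.

Added example, not from the original post. Each selectable value of a
parameter (here the Exposure parameter of the CSA Z434-03 tool, as the
post describes it) is written as an interval over a measurable quantity,
and find_gaps() reports the ranges that no selection covers.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOURS_PER_SHIFT = 8.0  # assumption: "once per day or shift" read as once per 8 h
INF = float("inf")


@dataclass(frozen=True)
class Band:
    """One selectable value of a parameter, covering lo..hi events per hour.

    lo_incl / hi_incl say whether the boundary value itself belongs to the
    band, so "less than once per shift" and "more than once per hour" can be
    written exactly as the scale words them.
    """
    code: str
    lo: float
    hi: float
    lo_incl: bool = True
    hi_incl: bool = False

    def contains(self, x: float) -> bool:
        above_lo = x > self.lo or (self.lo_incl and x == self.lo)
        below_hi = x < self.hi or (self.hi_incl and x == self.hi)
        return above_lo and below_hi


# Exposure scale of the CSA Z434-03 tool, as described in the post:
#   E1: less than once per day or shift   -> [0, 1/8) per hour
#   E2: more than once per hour           -> (1, inf) per hour
CSA_Z434_EXPOSURE: List[Band] = [
    Band("E1", 0.0, 1.0 / HOURS_PER_SHIFT, lo_incl=True, hi_incl=False),
    Band("E2", 1.0, INF, lo_incl=False, hi_incl=False),
]

# A constructed replacement with no hole: E2 starts exactly where E1 ends.
CONTINUOUS_EXPOSURE: List[Band] = [
    Band("E1", 0.0, 1.0 / HOURS_PER_SHIFT, lo_incl=True, hi_incl=False),
    Band("E2", 1.0 / HOURS_PER_SHIFT, INF, lo_incl=True, hi_incl=False),
]


def find_gaps(bands: List[Band]) -> List[Tuple[float, float]]:
    """Return the (lo, hi) ranges of the quantity that no band covers.

    A tuple with lo == hi marks a single uncovered boundary value (both
    neighbouring bands exclude it). The scale is expected to start at 0.
    """
    gaps: List[Tuple[float, float]] = []
    reach, reach_incl = 0.0, False  # highest covered value so far; 0 not yet covered
    for band in sorted(bands, key=lambda b: b.lo):
        starts_above = band.lo > reach
        boundary_uncovered = band.lo == reach and not reach_incl and not band.lo_incl
        if starts_above or boundary_uncovered:
            gaps.append((reach, band.lo))
        if band.hi > reach or (band.hi == reach and band.hi_incl):
            reach, reach_incl = band.hi, band.hi_incl
    if reach != INF:  # the scale stops short of "as often as physically possible"
        gaps.append((reach, INF))
    return gaps


def score_band(bands: List[Band], events_per_hour: float) -> Optional[str]:
    """Map an observed exposure frequency to a selection, or None if it
    falls into a hole of the scale (the case the post describes)."""
    for band in bands:
        if band.contains(events_per_hour):
            return band.code
    return None


def describe(bands: List[Band]) -> str:
    """Human-readable verdict on a scale, for the assessment documentation."""
    gaps = find_gaps(bands)
    if not gaps:
        return "scale is continuous: no frequency falls outside every selection"
    parts = [f"{lo:g} to {hi:g} events/hour" for lo, hi in gaps]
    return "uncovered: " + "; ".join(parts)


if __name__ == "__main__":
    print("CSA Z434-03 exposure:", describe(CSA_Z434_EXPOSURE))
    print("once per 2 hours scores as:", score_band(CSA_Z434_EXPOSURE, 0.5))
    print("replacement scale:", describe(CONTINUOUS_EXPOSURE))
```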

Emergency Stop Categories

This entry is part 5 of 9 in the series Emergency Stop

I’ve noticed a lot of people looking for information on Emergency Stop categories recently, so this post is aimed at those readers who want to understand this topic in more depth.

Categories

The first point to make is that these categories are not exclusive to emergency stop functions. They are STOP functions, and may be used for normal stopping as well as e-stop.

Stop categories and control reliability categories are not the same, and there are significant differences that need to be understood by control system designers. I’m going to sling a number of standards at you in this post, and I will provide references at the end if you want to dig deeper.

Control reliability categories are defined and described in ISO 13849-1, and I’ve written quite a bit on these in the past. If you want to know more about Categories B, 1–4, check out this series of posts on ISO 13849-1 Categories.

Originating Standards

OK, so let’s talk about stop function categories. There are two standards that define these categories, and thankfully they are harmonized, meaning that the definitions for the categories are essentially the same in each document. They are:

  • IEC 60204-1, Safety of machinery — Electrical equipment of machines — Part 1: General requirements (aka EN 60204-1)
  • NFPA 79, Electrical Standard for Industrial Machinery

Note that Canada does not have a standard at the moment that specifically describes these same categories; however, CSA Z432 does make reference to NFPA 79, bringing the categories in that way, albeit indirectly.


Category Definitions

The categories are broken down into three general groups:

  • Category 0 — Equivalent to pulling the plug;
  • Category 1 — Bring things to a graceful stop, then pull the plug; and
  • Category 2 — Bring things to a stop and hold them there under power.

Let’s look at the definitions in more detail. For comparison, I’m going to show the definitions from the two standards side-by-side.

Table 1
Comparison of Stop Function Categories

Category 0
  IEC 60204-1: stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop, see 3.56);
  NFPA 79: is an uncontrolled stop by immediately removing power to the machine actuators.

Category 1
  IEC 60204-1: a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;
  NFPA 79: is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.

Category 2
  IEC 60204-1: a controlled stop with power left available to the machine actuators.
  NFPA 79: is a controlled stop with power left available to the machine actuators.

Definitions from IEC 60204-1:

3.11 controlled stop

stopping of machine motion with electrical power to the machine actuators maintained during the stopping process

3.56 uncontrolled stop

stopping of machine motion by removing electrical power to the machine actuators

NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.

As you can see, the two sets of Category descriptions are virtually identical, with the primary difference being the use of the definitions in the IEC standard instead of including that information in the description as in the NFPA standard.


Minimum Requirements

Both standards require that all machines have at least a Category 0 stop. This could be achieved by switching off (by using the disconnecting means for example), by physically “pulling the plug” from the power supply socket on the wall, through a ‘master-control relay’ circuit, or through an emergency stop circuit. Note that this does not require that all machines have an e-stop!!

To learn more about how to determine the need for emergency stop, see my earlier post Emergency Stop – What’s so confusing about that?

Selecting a Stop Function

How do you decide on what category to use? First, a risk assessment is required. Second, a start/stop analysis should be conducted. This is quite simple, being a straightforward analysis of the starting and stopping conditions for the machinery. Next, ask these questions:

1) Will the machinery stop safely under an uncontrolled stop?

If the machinery does not have a significant amount of inertia, meaning it won’t coast more than a very short time, then a Category 0 stop may be all that is required.

2) If the machinery coasts, or if the machinery can be stopped more quickly under control than when power is simply removed, then a Category 1 stop is likely the best choice.

3) If the machinery includes devices that require power to keep them in a safe state, then a Category 2 stop is likely the best choice.

If you choose to use a Category 2 stop, be aware that leaving power on the machinery leaves the user open to hazards related to having power on the machinery. Careful risk assessment is required in these cases especially.

Risk Assessment and Stop/Start Analysis

Risk assessment is critical to the specification of all safety-related functions. While emergency stop is not a safeguard, it is considered to be a ‘complementary protective measure’. Understanding the hazards that need to be controlled and the degree of risk related to the hazards is basic design information that will provide specific direction on the stop category required and the degree of control reliability necessary to provide the expected risk reduction.

Stop/Start Analysis is quite simple. It amounts to considering all of the intended stop/start conditions for the machinery, and then including conditions that may result from reasonably foreseeable failure modes of the machinery and foreseeable misuses of the machinery. Create a table with three columns as a starting point, similar to Table 2.

Table 2
Example Start/Stop Analysis

Description: Lubricant Pump
  Start Condition: Lubricant Pump Start Button Pressed
  Stop Condition: Lubricant Pump Stop Button Pressed; Low Lubricant Level in reservoir; High pressure drop across lubricant filter

Description: Main Spindle Motor
  Start Condition: Start enabled and Start Button Pressed
  Stop Condition: Low Lubricant Pressure; Stop button pressed

Description: Feed Advance motor
  Start Condition: Feed Advance button pressed
  Stop Condition: Feed Stop button pressed; Feed end of travel limit reached

Description: Emergency Stop
  Start Condition: (none)
  Stop Condition: All motions stop, lubricant pump remains running

The above table is simply an example of what a start/stop analysis can look like. You can have as much detail as you like.
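The following Python model is an added example (not code from the post) that ties the start/stop analysis of Table 2 to the three questions under "Selecting a Stop Function": each actuator carries its start and stop conditions and whether the Emergency Stop row applies to it, and the selector assigns Category 0, 1 or 2 from those questions. The coast and controlled-stop times, the 0.5 s threshold for "very short", and the extra "Workholding Clamp" actuator are constructed for illustration; evaluating the power-to-hold-safe question first is my reading of the post's guidance, since a Category 0 or 1 stop removes that power.

```python
"""Stop-category selection driven by a start/stop analysis.

Added example, not from the original post. Rows of the start/stop analysis
(Table 2 in the post) become Actuator records; select_stop_category() applies
the post's three questions to each one. Timing values are constructed.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List


class StopCategory(IntEnum):
    CAT0 = 0  # immediate removal of power to the actuator (uncontrolled stop)
    CAT1 = 1  # controlled stop, power removed once standstill is reached
    CAT2 = 2  # controlled stop, power left available to the actuator


@dataclass
class Actuator:
    name: str
    coast_time_s: float             # time to standstill after power is simply removed
    controlled_stop_time_s: float   # time to standstill with power kept on to brake it
    needs_power_to_stay_safe: bool  # the post's question 3
    in_estop_scope: bool            # does the Emergency Stop row of the analysis stop it?
    start_conditions: List[str] = field(default_factory=list)
    stop_conditions: List[str] = field(default_factory=list)


@dataclass
class Selection:
    actuator: str
    category: StopCategory
    reason: str
    residual_power_hazard: bool  # Category 2 leaves power on: flag it for the risk assessment


VERY_SHORT_COAST_S = 0.5  # assumption: what "won't coast more than a very short time" means


def select_stop_category(a: Actuator) -> Selection:
    """Apply the post's three questions to one actuator.

    Question 3 is evaluated first (my reading): if the device needs power to
    remain in a safe state, a Category 0 or 1 stop would remove that power.
    """
    if a.needs_power_to_stay_safe:
        return Selection(a.name, StopCategory.CAT2,
                         "power must stay available to hold a safe state", True)
    # Question 1: does it stop safely when power is simply removed?
    if a.coast_time_s <= VERY_SHORT_COAST_S:
        return Selection(a.name, StopCategory.CAT0,
                         "negligible coasting; removing power is sufficient", False)
    # Question 2: it coasts, and may stop sooner under control.
    if a.controlled_stop_time_s < a.coast_time_s:
        reason = (f"coasts {a.coast_time_s:g} s but stops in {a.controlled_stop_time_s:g} s "
                  "under control; remove power once stopped")
    else:
        reason = f"coasts {a.coast_time_s:g} s; controlled stop, then remove power"
    return Selection(a.name, StopCategory.CAT1, reason, False)


def emergency_stop_plan(actuators: List[Actuator]) -> List[Selection]:
    """Stop category for each actuator the Emergency Stop row actually stops.

    In Table 2 the lubricant pump keeps running on e-stop, so it is left out.
    """
    return [select_stop_category(a) for a in actuators if a.in_estop_scope]


def highest_category(plan: List[Selection]) -> StopCategory:
    """The most demanding category among the actuators in the plan."""
    return max(s.category for s in plan)


# Constructed machine based on Table 2 of the post; timings are illustrative.
MACHINE: List[Actuator] = [
    Actuator("Lubricant Pump", 0.2, 0.2, False, in_estop_scope=False,
             start_conditions=["Lubricant Pump Start Button Pressed"],
             stop_conditions=["Lubricant Pump Stop Button Pressed",
                              "Low Lubricant Level in reservoir",
                              "High pressure drop across lubricant filter"]),
    Actuator("Main Spindle Motor", 12.0, 1.5, False, in_estop_scope=True,
             start_conditions=["Start enabled and Start Button Pressed"],
             stop_conditions=["Low Lubricant Pressure", "Stop button pressed"]),
    Actuator("Feed Advance motor", 0.3, 0.3, False, in_estop_scope=True,
             start_conditions=["Feed Advance button pressed"],
             stop_conditions=["Feed Stop button pressed",
                              "Feed end of travel limit reached"]),
    # Hypothetical extra row, not in the post's table: a clamp that releases
    # its part when de-energised, so it needs power to stay in a safe state.
    Actuator("Workholding Clamp", 0.0, 0.0, True, in_estop_scope=True,
             start_conditions=["Clamp button pressed"],
             stop_conditions=["Unclamp button pressed"]),
]


if __name__ == "__main__":
    for sel in emergency_stop_plan(MACHINE):
        flag = "  <-- careful risk assessment: power stays on" if sel.residual_power_hazard else ""
        print(f"{sel.actuator}: Category {int(sel.category)} ({sel.reason}){flag}")
```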

Control Reliability Requirements

Both ISO 13849-1 and IEC 62061 base the initial requirements for reliability on the outcome of the risk assessment (PLr or SILr). If the stopping condition is part of normal operation, then simple circuit requirements (i.e. PLa, Category 1) are all that may be required. If the stopping condition is intended to be an Emergency Stop, then additional analysis is needed to determine exactly what may be required.

More Information

How have you typically implemented your stops and emergency stop systems?

Have you ever used the START/STOP analysis method?

I care about what you think as a reader, so please leave me comments and questions! If you would prefer to discuss your question privately, contact me directly.

Referenced Standards

American National Standards Institute (ANSI)

ANSI/NFPA 79, 2007 — Electrical Standard for Industrial Machinery

Canadian Standards Association (CSA)

CSA Z432, 2004 — Safeguarding of Machinery

International Electrotechnical Commission (IEC)

IEC 60204-1, 2009 — Electrical Equipment of Industrial Machines

International Organization for Standardization (ISO)

ISO 13849-1, 2006 — Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design

ISO 13849-2, 2006 — Safety of Machinery — Safety Related Parts of Control Systems — Part 2: Validation

Busting Emergency Stop Myths

This entry is part 4 of 9 in the series Emergency Stop

There are a number of myths that have grown up around emergency stops over the years. These myths can lead to injury or death, so it’s time for a little Myth Busting here on the MS101 blog!

What does ‘emergency’ mean?

Consider for a moment the roots of the word ‘emergency’. This word comes from the word ‘emergent’, meaning a situation that is developing or emerging in the moment. Emergency stop systems are intended to help the user deal with potentially hazardous conditions that are emerging in the moment. These conditions have probably arisen because the designers of the machinery failed to consider all the foreseeable uses of the equipment, or because someone has chosen to misuse the equipment in a way that was not intended by the designers. The key function of an Emergency Stop system is to provide the user with a backup to the primary safeguards. These systems are referred to as “Complementary Protective Measures” and are intended to give the user a chance to “avert or limit harm” in a hazardous situation. With that in mind, let’s look at three myths I hear about regularly.

Myth #1 – The Emergency Stop Is A Safety Device

[Figure: A Fitz Water Wheel and Belt Drive. Credit: Harry Matthews & http://www.old-engine.com]

Early in the Industrial Revolution machine builders realized that users of their machinery needed a way to quickly stop a machine when something went wrong. At that time, overhead line-shafts were driven by large central power sources like waterwheels, steam engines or large electric motors. Machinery was coupled to the central shafts with pulleys, clutches and belts which transmitted the power to the machinery.

See pictures of a line-shaft powered machine shop or click the image below.

[Figure: Line Shaft in the Mt. Wilson Observatory Machine Shop. Photo: Larry Evans & www.oldengine.org]

These central engines powered an entire factory, so they were much larger than an individual motor sized for a modern machine. In addition, they could not be easily stopped, since stopping the central power source would mean stopping the entire factory – not a welcome choice. Emergency stop devices were born in this environment.

Learn more about Line Shafts at Harry’s Old Engines.

Due to their early use as a safety device, some have incorrectly considered emergency stop systems safeguarding devices. Modern standards make the difference very clear. The easiest way to understand the current meaning of the term “EMERGENCY STOP” is to begin by looking at the international standards published by IEC [1] and ISO [2].

emergency stop [3]
emergency stop function

function that is intended to

—   avert arising, or reduce existing, hazards to persons, damage to machinery or to work in progress,

—   be initiated by a single human action

NOTE 1

Hazards, for the purposes of this International Standard, are those which can arise from

—   functional irregularities (e.g. machinery malfunction, unacceptable properties of the material processed, human error),

—   normal operation.

It is important to understand that an emergency stop function is “initiated by a single human action”. This means that it is not automatic, and therefore cannot be considered to be a risk control measure for operators or bystanders. Emergency stop may provide the ability to avoid or reduce harm, by providing a means to stop the equipment once something has already gone wrong. Your next actions will usually be to call 911 and administer first aid.

Safeguarding systems act automatically to prevent a person from becoming involved with the hazard in the first place. This is a reduction in the probability of a hazardous situation arising, and may also involve a reduction in the severity of injury by controlling the hazard (i.e., slowing or stopping rotating machinery before it can be reached). This constitutes a risk control measure and can be shown to reduce the risk of injury to an exposed person.

Emergency stop is reactive; safeguarding systems are proactive.

In Canada, CSA defines emergency stop as a ‘Complementary Protective Measure’ in CSA Z432-04 [5]:

6.2.2.1.1
Safeguards (guards, protective devices) shall be used to protect persons from the hazards that cannot reasonably be avoided or sufficiently limited by inherently safe design. Complementary protective measures involving additional equipment (e.g., emergency stop equipment) may have to be taken.

6.2.3.5.3 Complementary protective measures
Following the risk assessment, the measures in this clause either shall be applied to the machine or shall be dealt with in the information for use.
Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but not be limited to,

(a) emergency stop;
(b) means of rescue of trapped persons; and
(c) means of energy isolation and dissipation.

In the USA, three standards apply: ANSI B11, ANSI B11.19-2003, and NFPA 79:

ANSI B11-2008

3.80 stop: Immediate or controlled cessation of machine motion or other hazardous situations. There are many terms used to describe the different kinds of stops, including user- or supplier-specific terms, the operation and function of which is determined by the individual design. Definitions of some of the more commonly used “stop” terminology include:

3.80.2 emergency stop: The stopping of a machine tool, manually initiated, for emergency purposes;

7.6 Emergency stop

Electrical, pneumatic and hydraulic emergency stops shall conform to requirements in the ANSI B11 machine-specific standard or NFPA 79.
Informative Note 1: An emergency stop is not a safeguarding device. See also, B11.19.
Informative Note 2: For additional information, see ISO 13850 and IEC 60204-1.

ANSI B11.19-2003

12.9 Stop and emergency stop devices

Stop and emergency stop devices are not safeguarding devices. They are complementary to the guards, safeguarding device, awareness barriers, signals and signs, safeguarding methods and safeguarding procedures in clauses 7 through 11.

Stop and emergency stop devices shall meet the requirements of ANSI / NFPA 79.

E12.9

Emergency stop devices include but are not limited to, buttons, rope-pulls, and cable-pulls.

A safeguarding device detects or prevents inadvertent access to a hazard, typically without overt action by the individual or others. Since an individual must actuate an emergency stop device to issue the stop command, usually in reaction to an event or hazardous situation, it neither detects nor prevents exposure to the hazard.

If an emergency stop device is to be interfaced into the control system, it should not reduce the level of performance of the safety function (see section 6.1 and Annex C).

NFPA 79 deals with the electrical functions of the emergency stop function, which is not directly relevant to this article, so that is why I haven’t quoted directly from that document here.

As you can clearly see, the essential definitions of these devices in the US and Canada match very closely, although the US does not specifically use the term ‘complementary protective measures’.

Myth #2 – Cycle Stop And Emergency Stop Are Equivalent

Emergency stop systems act primarily by removing power from the prime movers in a machine, ensuring that power is removed and the equipment brought to a standstill as quickly as possible, regardless of the portion of the operating cycle that the machine is in. After an emergency stop, the machine is inoperable until the emergency stop system is reset. In some cases, emergency stopping the machine may damage the equipment due to the forces involved in halting the process quickly.

Cycle stop is a control system command function that is used to bring the machine cycle to a graceful stop at the end of the current cycle. The machine is still fully operable and may still be in automatic mode at the completion of this stop.

Again, referring to ANSI B11-2008:

3.80.1 controlled stop: The stopping of machine motion while retaining power to the machine actuators during the stopping process. Also referred to as Category 1 or 2 stop (see also NFPA 79: 2007, 9.2.2);

3.80.2 emergency stop: The stopping of a machine tool, manually initiated, for emergency purposes;

Myth #3 – Emergency Stop Systems Can Be Used For Energy Isolation

Fifteen to twenty years ago it was not uncommon to see emergency stop buttons fitted with locking devices. The locking device allowed a person to prevent the resetting of the emergency stop device. This was done as part of a “lockout procedure”. Lockout is one aspect of hazardous energy control procedures (HECP). HECPs recognize that live work needs to be done from time to time, and that normal safeguards may be bypassed or disconnected temporarily, to allow diagnostics and testing to be carried out. This process is detailed in two current standards, CSA Z460 and ANSI Z244.1. Note that these locking devices are still available for sale, and can be used as part of an HECP to prevent the emergency stop system or other controls from being reset until the machine is ready for testing. They cannot be used to isolate an energy source.

No current standard allows for the use of control devices such as push buttons or selector switches to be used as energy isolation devices.

CSA Z460-05 specifically prohibits this use in their definition of ‘energy isolation devices’:

Energy-isolating device — a mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors; a line valve; a block; and other devices used to block or isolate energy (push-button selector switches and other control-type devices are not energy-isolating devices). [4]

Similar requirements are found in ANSI Z244.1 [6] and in ISO 13850 [3].

Myth #4 — All Machines are Required to have an Emergency Stop

Some machine designers believe that all machines are required to have an emergency stop. This is simply not true.

Emergency stop systems may be useful where they can provide a back-up to other safeguarding systems. To understand where to use an emergency stop, a start-stop analysis must be carried out as part of the design process. This analysis will help the designer develop a clear understanding of the normal start and stop conditions for the machine. The analysis also needs to include failure modes for all of the stop functions. It is here that the emergency stop can be helpful. If removing power will cause the hazard to cease in a short time, or if the hazard can be quickly contained in some way, then emergency stop is a valid choice. If the hazard will remain for a considerable time following removal of power, then emergency stop will have no effect and is useless for avoiding or limiting harm.

For example, consider an oven. If the burner stop control failed, and assuming that the only hazard we are concerned with is the hot surfaces inside the oven, then using an emergency stop to turn the burners off only results in the start of the natural cooling cycle of the oven. In some cases that could take hours or days, so the emergency stop has no value. It might be useful for controlling other hazards, such as fire, that might be related to the same failure. Without a full analysis of the failure modes of the control system, a sound decision cannot be made.

Simple machines like drill presses and table saws are seldom fitted with emergency stop systems. These machines, which can be very dangerous, could definitely benefit from having an emergency stop. They are sometimes fitted with a disconnecting device with a red and yellow handle that can be used for ‘emergency switching off’. This differs from emergency stop because the machine, and the hazard, will typically re-start immediately when the emergency switching off device is turned back on. This is not permitted with emergency stop, where resetting the emergency stop device only permits the restarting of the machine through other controls. Reset of the emergency stop device is not permitted to reapply power to the machine on its own.

These requirements are detailed in ISO 13850 [3], CSA Z432 [5] and other standards.
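An added Python model (not code from the post, and not the text of any standard) that encodes the behaviours contrasted in Myth #2 and Myth #4 as checkable rules: a cycle stop leaves the machine operable, an emergency stop latches and removes actuator power until it is reset, the reset itself never restarts anything, and an ‘emergency switching off’ disconnect lets motion return as soon as it is closed again if a maintained run command is still present. The controller, its inputs and the maintained RUN selector are constructed for illustration.

```python
"""Behavioural rules for stop commands on a simple machine controller.

Added example, not from the original post. The controller is a constructed
model; it exists to make the post's distinctions between cycle stop,
emergency stop and emergency switching off explicit and testable.
"""
from dataclasses import dataclass


@dataclass
class ControllerState:
    supply_on: bool = True           # disconnecting device (emergency switching off) closed
    actuator_power: bool = False     # power available to the machine actuators
    running: bool = False            # hazardous motion present
    auto_mode: bool = True           # operating mode selected by the user
    estop_latched: bool = False      # e-stop device actuated and not yet reset
    cycle_stop_requested: bool = False
    maintained_run: bool = False     # constructed: a maintained RUN selector left in RUN


class MachineController:
    def __init__(self, maintained_run: bool = False) -> None:
        self.s = ControllerState(maintained_run=maintained_run)

    def operable(self) -> bool:
        """The machine can accept a start: supply present and no e-stop latched."""
        return self.s.supply_on and not self.s.estop_latched

    # normal control functions
    def start_cycle(self) -> bool:
        """Normal start through the ordinary controls; the only way to get running."""
        s = self.s
        if not self.operable() or not s.auto_mode:
            return False
        s.actuator_power, s.running, s.cycle_stop_requested = True, True, False
        return True

    def cycle_stop(self) -> None:
        """Cycle stop: finish the current cycle, then stop gracefully."""
        self.s.cycle_stop_requested = True

    def end_of_cycle(self) -> None:
        """Raised by the sequence when the current cycle completes."""
        s = self.s
        if s.cycle_stop_requested:
            s.running, s.cycle_stop_requested = False, False
            # The machine stays operable and in automatic mode (Myth #2).

    # emergency stop
    def emergency_stop(self) -> None:
        """Category 0 e-stop: remove actuator power immediately and latch."""
        s = self.s
        s.actuator_power, s.running, s.estop_latched = False, False, True

    def reset_emergency_stop(self) -> None:
        """Reset clears the latch only. It must not reapply power or restart
        the machine; that is permitted only through the other controls."""
        self.s.estop_latched = False

    # emergency switching off (disconnecting device)
    def open_disconnect(self) -> None:
        s = self.s
        s.supply_on, s.actuator_power, s.running = False, False, False

    def close_disconnect(self) -> None:
        """Turning the disconnect back on: if a maintained run command is still
        present, the hazard returns immediately, which is why this device is
        not an emergency stop (Myth #4)."""
        s = self.s
        s.supply_on = True
        if s.maintained_run and not s.estop_latched:
            s.actuator_power, s.running = True, True


def estop_reset_does_not_restart(ctrl: MachineController) -> bool:
    """Acceptance check: after e-stop and reset, nothing is energised or moving,
    and the machine is only operable again through a separate start."""
    ctrl.start_cycle()
    ctrl.emergency_stop()
    stopped_while_latched = (not ctrl.s.actuator_power and not ctrl.operable()
                             and not ctrl.start_cycle())
    ctrl.reset_emergency_stop()
    still_stopped = not ctrl.s.actuator_power and not ctrl.s.running
    return stopped_while_latched and still_stopped and ctrl.operable()


if __name__ == "__main__":
    print("e-stop reset leaves machine stopped:",
          estop_reset_does_not_restart(MachineController()))
    d = MachineController(maintained_run=True)
    d.start_cycle()
    d.open_disconnect()
    d.close_disconnect()
    print("disconnect re-closed with RUN still selected -> running:", d.s.running)
```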

Design Considerations

Emergency Stop is a control that is often designed in with little thought and used for a variety of things that it was never intended to be used to accomplish. The three myths discussed in this article are the tip of the iceberg.

Consider these questions when thinking about the design and use of emergency stop systems:

  1. Have all the intended uses and foreseeable misuses of the equipment been considered?
  2. What do I expect the emergency stop system to do for the user of the machine? (The answer to this should be in the risk assessment.)
  3. How much risk reduction am I expecting to achieve with the emergency stop?
  4. How reliable does the emergency stop system need to be?
  5. Am I expecting the emergency stop to be used for other purposes, like ‘Power Off’, energy isolation, or regular stopping of the machine? (The answer to this should be ‘NO’.)

Taking the time to assess the design requirements before designing the system can help ensure that the machine controls are designed to provide the functionality that the user needs, and the risk reduction that is required. The answers lie in the five questions above.

Have any of these myths affected you?

Got any more myths about e-stops you’d like to share?

I really appreciate hearing from my readers! Leave a comment or email it to us and we’ll consider adding it to this article, with credit of course!

References

  1. IEC – International Electrotechnical Commission.
  2. ISO – International Organization for Standardization.
  3. Safety of machinery — Emergency stop — Principles for design, ISO 13850, 2006, ISO, Geneva, Switzerland.
  4. Control of Hazardous Energy – Lockout and Other Methods, CSA Z460, 2005, Canadian Standards Association, Toronto, Canada.
  5. Safeguarding of Machinery, CSA Z432-04, Canadian Standards Association, Toronto, Canada.
  6. Control of Hazardous Energy – Lockout/Tagout and Alternative Methods, ANSI/ASSE Z244.1, 2003, American National Standards Institute / American Society of Safety Engineers, Des Plaines, IL, USA.
  7. American National Standard for Machine Tools – Performance Criteria for Safeguarding, ANSI B11.19-2003, American National Standards Institute, Des Plaines, IL, USA.
  8. General Safety Requirements Common to ANSI B11 Machines, ANSI B11-2008, American National Standards Institute, Des Plaines, IL, USA.
  9. Electrical Standard for Industrial Machinery, NFPA 79-2007, NFPA, 1 Batterymarch Park, Quincy, MA 02169-7471, USA.

Copyright secured by Digiprove © 2011
Acknowledgements: See citations in the article.