Reader Question: Multiple E-Stops and Resets

This entry is part 7 of 9 in the series Emergency Stop

I had an interesting question come in from a reader today that is relevant to many situations:

“When you have multiple E-Stop buttons I have often gotten into an argument that says you can have a reset beside each one. I was taught that you were required to have a single point of reset. Who is correct?”

— Michael Barb, Sr. Electrical Engineer

The Short Answer

There is nothing in the EU, US or Canadian regulations that would forbid having multiple reset buttons. However, you must understand the overlapping requirements for emergency stop and prevention of unexpected start-up.

The Long Answer

First I need to define two different types of reset for clarity:

  1. Emergency Stop Device Reset: Each e-stop device, i.e. button, pull cord, foot switch, etc., is required to latch in the activated state and must be individually reset. Resetting the e-stop device is NOT permitted to re-start the machinery, only to permit restarting. (NFPA 79, CSA Z432, ISO 14118).
  2. Machine Restart: Restarting the machine is a separate deliberate action from resetting the emergency stop device(s).

ANSI B11-2008 provides some direct guidance on this topic:

7.2.2 Zones

A machine or an assembly of machines may be divided into several control zones (e.g., for emergency stopping, stopping as a result of safeguarding devices, start-up, isolation or energy dissipation). The machine and controls in different zones shall be defined and identified. Controls for machines in zones can be local for each machine, across several machines in a zone, or globally for machines across zones. The control requirements shall be based on the operational requirements and on the risk assessment. The interfaces between zones, including synchronization and independent operation, shall be designed such that no function in one zone creates a hazard(s) / hazardous situation in another zone.

CSA Z432-04 has similar wording:

6.2.1.8.4

When zones can be determined, their delimitations shall be evident (including the effect of the associated emergency stop device). This shall also apply to the effect of isolation and energy dissipation.

Let’s take a case with a single e-stop button first. The same requirements apply for all e-stop devices. The requirements include:

  1. The button must be within ‘easy reach’ of the normal operator position. I consider ‘easy reach’ to be the range I can touch while sitting or standing at the normal operator position. This position is not necessarily in front of the control panel; it is the position where the operator is expected to be while carrying out the tasks expected of them when the machine is operating. This is the requirement that drives having multiple buttons in most cases.
  2. E-stop devices cannot be located so that the operator must reach over or past a hazard to activate them.
  3. The button must latch in the operated position.
  4. The button must be robust enough to handle the mechanical and electrical stresses that will be placed on it when used, i.e. rugged buttons are required.
  5. When the e-stop device is reset — i.e. returned to the ‘RUN’ position — the machine is NOT permitted to restart. It is only PERMITTED to restart. It must be restarted through another deliberate action, like pressing a ‘Power On’ button.

So what do you do with the ‘POWER ON’ or safety circuit reset button? The first question to ask is: ‘What happens when I reset this circuit, applying power to the control circuits?’

Case A: If it is impossible to see the entire machine from the location of the reset button, then I would recommend a single reset button located at the HMI or main console. The operator must check to make sure the machine is clear before re-applying power. Where the machine is too big to be completely visible from the main operator console, then I would also recommend:

  • a warning horn,
  • warning lights, and
  • a start-up delay that is long enough to allow a person to get clear of the machine before it starts moving.

Case B: If the machine is simply ‘enabled’ at this point, but no motion occurs, then multiple ‘reset’ or ‘power on’ buttons may be acceptable, depending on the outcome of the risk assessment and start/stop analysis. Having said that, the operator will likely have to return to a main console to reset the machine and restart operation, and chances are there is only one HMI screen on the machine, so there may not be any advantage to having multiple reset buttons.
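To make the reset-versus-restart distinction concrete, here is an added example (my own illustration, not code from this post or from any of the standards it cites) that models the rules above as a small state machine: every e-stop device latches and is reset individually, resetting the last latched device only permits a restart, and restarting is a separate ‘Power On’ action which, in the Case A layout, starts a horn-and-lights warning period before motion is enabled. The class names, the device names and the five-second delay are assumptions made for the example.

```python
"""Latching e-stop devices, individual reset, and a separate deliberate restart.

Added illustration, not code from the post. Encodes the three rules it cites
from NFPA 79 / CSA Z432 / ISO 14118:
  * each e-stop device latches when operated and must be reset individually;
  * resetting the last latched device only PERMITS a restart (no motion);
  * restarting is a separate deliberate action ('Power On'), which in the
    Case A layout runs a warning delay before motion is enabled.
All names and the delay value are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    RUNNING = "running"
    ESTOP_ACTIVE = "at least one e-stop device latched"
    STOPPED_SAFE = "stopped, restart permitted"
    STARTUP_WARNING = "horn and lights on, start-up delay running"


@dataclass
class EStopDevice:
    name: str
    latched: bool = False


@dataclass
class SafetyCircuit:
    devices: list
    startup_delay_s: float = 0.0   # Case A: long enough for a person to get clear
    state: State = State.STOPPED_SAFE
    elapsed_s: float = 0.0
    log: list = field(default_factory=list)

    def latched(self):
        """Names of devices still in the operated (latched) position."""
        return [d.name for d in self.devices if d.latched]

    def _device(self, name):
        for d in self.devices:
            if d.name == name:
                return d
        raise KeyError(name)

    def estop(self, name):
        """Operating any device latches it and removes power; a start-up in progress is aborted."""
        self._device(name).latched = True
        self.state = State.ESTOP_ACTIVE
        self.log.append(f"{name} operated: power removed")

    def reset_device(self, name):
        """Reset one device. Clearing the last latched device only permits a restart."""
        if self.state != State.ESTOP_ACTIVE:
            return                              # nothing latched, nothing to reset
        self._device(name).latched = False
        if self.latched():
            self.log.append(f"{name} reset: still latched {self.latched()}")
        else:
            self.state = State.STOPPED_SAFE     # permitted to restart, still stopped
            self.log.append(f"{name} reset: restart permitted, machine still stopped")

    def power_on(self):
        """The separate deliberate restart action. Returns True if accepted."""
        if self.state != State.STOPPED_SAFE:
            self.log.append(f"power on refused in state {self.state.name}")
            return False
        if self.startup_delay_s > 0:
            self.state = State.STARTUP_WARNING  # Case A: warn, then delay
            self.elapsed_s = 0.0
            self.log.append("horn and lights on, start-up delay running")
        else:
            self.state = State.RUNNING          # Case B: 'enabled' immediately
            self.log.append("running")
        return True

    def tick(self, dt_s):
        """Advance time; motion is only enabled once the warning period has elapsed."""
        if self.state == State.STARTUP_WARNING:
            self.elapsed_s += dt_s
            if self.elapsed_s >= self.startup_delay_s:
                self.state = State.RUNNING
                self.log.append("delay elapsed: running")
        return self.state


if __name__ == "__main__":
    # Constructed scenario: two buttons pressed, reset one at a time, then restart.
    c = SafetyCircuit([EStopDevice("operator station"), EStopDevice("rear access")],
                      startup_delay_s=5.0)
    c.power_on(); c.tick(5.0)
    c.estop("operator station"); c.estop("rear access")
    c.reset_device("operator station"); c.power_on()   # refused: one still latched
    c.reset_device("rear access"); c.power_on(); c.tick(5.0)
    print("\n".join(c.log))
```

Setting `startup_delay_s` to 0 gives the Case B behaviour, where ‘power on’ merely enables the machine; either way there is no path from `reset_device()` straight to `RUNNING`, which is the point the post makes.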

I would recommend doing two things to get a good handle on this: conduct a detailed risk assessment that includes all normal operations and all maintenance operations, then conduct a start/stop analysis to look at all of the starting and stopping conditions that you can reasonably foresee. Combine the results of these two analyses to find the starting and stopping conditions with the highest risk, and then determine whether having multiple reset buttons will contribute to the risk or not. You may also want to look at the control reliability requirements for the emergency stop system based on the outcome of the risk assessment and the start/stop analysis.

In a case where there are multiple emergency stop devices, locations are important. There must be one at each normal workstation, within ‘easy reach’, to meet the regulatory requirements in most jurisdictions. You may also want some inside the machine if it is possible to gain full-body access inside the machinery, e.g. inside a robot work cell. Make sure that the buttons or other devices are located so that a person exposed to the hazard(s) inside the machine is not required to reach over or past the hazard to get to the button.

Michael, I hope that settles the argument!

Using E-Stops in Lockout Procedures

This entry is part 6 of 9 in the series Emergency Stop

Control of hazardous energy is one of the key ways that maintenance and service workers are protected while maintaining industrial equipment. Not so long ago we only thought about ‘Lockout’ or ‘Lockout/Tagout’ procedures, but there is much more to protecting these workers than ‘just’ locking out energy sources. Inevitably conditions come up where safeguards may need to be removed or temporarily bypassed in order to diagnose problems or to make critical but infrequent adjustments to the equipment, and this is where Hazardous Energy Control Procedures, or HECP, come in.

One of the questions I often get when helping clients with developing HECPs for their equipment is, “Can we use the emergency stop circuit for lockout?” As usual, there is a short answer and a long answer to that simple question!

The Short Answer

The short answer to this question is NO. Lockout requires that sources of hazardous energy be physically isolated or blocked. Control systems may be able to meet parts, but not all, of this requirement. Read on if you’d like to know why.

The Long Answer

Lockout

Lockout procedures are now grouped with other adjustment, diagnostic and test procedures into what are called Hazardous Energy Control Procedures or HECP. In the USA, OSHA publishes a lockout standard in 29 CFR 1910.147, and ANSI publishes ANSI Z244.1.

In Canada we didn’t have a standard for HECP until 2005 when CSA Z460 was published, although all the Provinces and Territories have some language in their legislation that at least alludes to the need for control of hazardous energy. In the Province of Ontario where I live, this requirement shows up in Ontario Regulation 851, Sections 42, 75 and 76.

In the EU, control of hazardous energy is dealt with in ISO 14118:2000, Safety of machinery — Prevention of unexpected start-up.

If you have a look at the sections from the Ontario regulations, they don’t tell you how to perform lockout, and they make little mention of what to do with live work for troubleshooting purposes. The US OSHA regulations read more like a standard, but because they are in legislation they are prescriptive: you MUST meet this minimum requirement, and you may exceed it.

Let’s look at how lockout is defined in the standards.

Canada (Ontario)

Lockout — placement of a lock or tag on an energy-isolating device in accordance with an established procedure, thereby indicating that the energy-isolating device is not to be operated until removal of the lock or tag in accordance with an established procedure.

CSA Z460, 2005

USA (OSHA)

Lockout. The placement of a lockout device on an energy isolating device, in accordance with an established procedure, ensuring that the energy isolating device and the equipment being controlled cannot be operated until the lockout device is removed.

Tagout. The placement of a tagout device on an energy isolating device, in accordance with an established procedure, to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.

29 CFR 1910.147

2.14 lockout/tagout: The placement of a lock/tag on the energy isolating device in accordance with an established procedure, indicating that the energy isolating device shall not be operated until removal of the lock/tag in accordance with an established procedure. (The term “lockout/tagout” allows the use of a lockout device, a tagout device, or a combination of both.)

ANSI Z244.1-2003

European Union

3.3 isolation and energy dissipation

procedure which consists of all of the four following actions:

a) isolating (disconnecting, separating) the machine (or defined parts of the machine) from all power supplies;

b) locking (or otherwise securing), if necessary (for instance in large machines or in installations), all the isolating units in the “isolated” position;

c) dissipating or restraining [containing] any stored energy which may give rise to a hazard.

NOTE Energy considered in c) above may be stored in e.g.:

  • mechanical parts continuing to move through inertia;
  • mechanical parts liable to move by gravity;
  • capacitors, accumulators;
  • pressurized fluids;
  • springs.

d) verifying by using a safe working procedure that the actions taken according to a), b) and c) above have produced the desired effect.

ISO 14118:2000

As you can see, the definitions are fairly similar, although slightly different terms may be used. The ISO standard actually provides the best guidance overall in my opinion. Note that these excerpts are all taken from the definitions sections of the relevant documents.

One of the big differences between the US and Canada is the idea of ‘tagout’ (pronounced TAG-out for those not familiar with the term). Tagout is identical to lockout with the exception of the device that is attached to the energy isolating device. Under certain circumstances the US permits the use of a tag without a lock to secure the energy isolation device. This is not permitted in Canada under any circumstance, and the term ‘tagout’ is not officially recognized. In Canada the term is often taken to mean the addition of a tag to the locking device, a mandatory part of the procedure.

Use of Controls for Energy Isolation

This is where the ‘rubber meets the road’ — how is the source of hazardous energy isolated effectively? To understand the requirements, let’s look at the definition for an Energy Isolating Device.

Canada

Energy-isolating device — a mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors; a line valve; a block; and other devices used to block or isolate energy (push-button selector switches and other control-type devices are not energy-isolating devices).

CSA Z460, 2005

Note — Bold added for emphasis — DN

USA

Energy isolating device. A mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: A manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors, and, in addition, no pole can be operated independently; a line valve; a block; and any similar device used to block or isolate energy. Push buttons, selector switches and other control circuit type devices are not energy isolating devices.

Note — Bold added for emphasis — DN

Tagout device. A prominent warning device, such as a tag and a means of attachment, which can be securely fastened to an energy isolating device in accordance with an established procedure, to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.

29 CFR 1910.147

2.8 energy isolating device: A mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker, a disconnect switch, a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors and, in addition, no pole can be operated independently; a line valve; a block; and any similar device used to block or isolate energy.

2.20.1 tagout device: A prominent warning means such as a tag and a means of attachment, which can be securely fastened to an energy isolating device to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.

ANSI Z244.1-2003

EU

4.1 Isolation and energy dissipation

Machines shall be provided with means intended for isolation and energy dissipation (see clause 5), especially with a view to major maintenance, work on power circuits and decommissioning in accordance with the essential safety requirement expressed in ISO/TR 12100-2:1992, annex A, 1.6.3.

Note — ISO/TR 12100-2 was withdrawn in Oct-10 and replaced by ISO 12100-2010. — DN

5.1 Devices for isolation from power supplies

5.1.1 Isolation devices shall:

  • ensure a reliable isolation (disconnection, separation);
  • have a reliable mechanical link between the manual control and the isolating element(s);
  • be equipped with clear and unambiguous identification of the state of the isolation device which corresponds to each position of its manual control (actuator).

NOTE 1 For electrical equipment, a supply disconnecting device complying with IEC 60204-1:1997, 5.3 “Supply disconnecting (isolating) device” meets this requirement.

NOTE 2 Plug and socket systems (for electrical supplies), or their pneumatic, hydraulic or mechanical equivalents, are examples of isolating devices with which it is possible to achieve a visible and reliable discontinuity in the power supply circuits.

For electrical plug/socket combinations, see IEC 60204-1:1997, 5.3.2 d).

NOTE 3 For hydraulic and pneumatic equipment, see also EN 982:1996, 5.1.6 and EN 983:1996, 5.1.6.

ISO 14118:2000


BRADY Small Plug Lockout Device

As you can see from the above definitions, all the jurisdictions require that devices used for energy isolation are reliable, manually operable, mechanical devices. While electrical control systems that meet high levels of design reliability may meet the reliability requirements, they do not meet the requirements for physical, mechanical disconnection of the source of hazardous energy. Operator devices are specifically excluded from this use in Canada and the USA. Note that plug and socket combinations are permitted in all jurisdictions. Lockout devices such as ‘suitcase’ lockout devices like the Brady Small Plug Lockout Device shown here and similar devices can be used for this purpose. With some plugs it is possible to put a small lock through a hole in one of the contacts. In some jurisdictions, even the simple act of putting the plug in your back pocket while conducting the work is sufficient.

In addition, the energy isolation device is required to be able to be locked in the off, isolated, or blocked position. There are emergency stop button operators that can be purchased with an integrated lock cylinder, and there are some control operator accessories available that will allow control push buttons and selector switches to be locked in one position or another, but these do not meet the requirements of the above standards. They can be used in addition to an energy isolation device as part of the procedure, but not on their own as the sole means of preventing unexpected start-up.

BRADY Button Locking Device

Conclusions

Each machine or piece of equipment is required to have an HECP that is specific to that piece of equipment. ‘Global’ HECPs are seldom useful except as a template document. Development of HECPs takes some careful thought and a thorough understanding of the kinds of work that will need to be done to maintain and service the machinery. Individual jurisdictions have some differences in the details of their regulations, but ultimately the requirements come down to the same thing: protecting workers.

Control system devices such as stop buttons and emergency stop devices are not accepted as energy isolating devices and cannot be used for this purpose, although they may be used as part of the HECP shutdown procedure leading up to the physical isolation of the hazardous energy sources.

Excellent standards exist that cover development of these procedures and should be referenced as specific HECPs are developed.


References

Canada

Ontario Regulation 851, Sections 42, 75 and 76.

CSA Z460-05 (R2010) — Control of hazardous energy — Lockout and other methods

USA

29 CFR 1910.147, The control of hazardous energy (lockout/tagout).

ANSI Z244.1-2003 (R2008) — Control of Hazardous Energy — Lockout/Tagout and Alternative Methods

International

ISO 14118:2000, Safety of machinery — Prevention of unexpected start-up

Emergency Stop Categories

This entry is part 5 of 9 in the series Emergency Stop

I’ve noticed a lot of people looking for information on Emergency Stop categories recently, so this post is aimed at those readers who want to understand this topic in more depth.

Categories

The first point to make is that these categories are not exclusive to emergency stop functions. They are STOP functions, and may be used for normal stopping as well as e-stop.

Stop categories and control reliability categories are not the same, and there are significant differences that need to be understood by control system designers. I’m going to sling a number of standards at you in this post, and I will provide references at the end if you want to dig deeper.

Control reliability categories are defined and described in ISO 13849-1, and I’ve written quite a bit on these in the past. If you want to know more about Categories B, 1-4, check out this series of posts on ISO 13849-1 Categories.

Originating Standards

OK, so let’s talk about stop function categories. There are two standards that define these categories, and thankfully they are harmonized, meaning that the definitions for the categories are essentially the same in each document. They are:

  • IEC 60204-1, Safety of machinery — Electrical equipment of machines — Part 1: General requirements (aka EN 60204-1)
  • NFPA 79, Electrical Standard for Industrial Machinery

Note that Canada does not have a standard at the moment that specifically describes these same categories; however, CSA Z432 does make reference to NFPA 79, bringing the categories in that way, albeit indirectly.

Category Definitions

The categories are broken down into three general groups:

  • Category 0 — Equivalent to pulling the plug;
  • Category 1 — Bring things to a graceful stop, then pull the plug; and
  • Category 2 — Bring things to a stop and hold them there under power.

Let’s look at the definitions in more detail. For comparison, I’m going to show the definitions from the two standards side by side.

Table 1: Comparison of Stop Function Categories

Category 0
  IEC 60204-1: stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop – see 3.56);
  NFPA 79: is an uncontrolled stop by immediately removing power to the machine actuators.

Category 1
  IEC 60204-1: a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;
  NFPA 79: is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.

Category 2
  IEC 60204-1: a controlled stop with power left available to the machine actuators.
  NFPA 79: is a controlled stop with power left available to the machine actuators.

Definitions from IEC 60204-1:

3.11 controlled stop

stopping of machine motion with electrical power to the machine actuators maintained during the stopping process

3.56 uncontrolled stop

stopping of machine motion by removing electrical power to the machine actuators

NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.

As you can see, the two sets of Category descriptions are virtually identical, with the primary difference being the use of the definitions in the IEC standard instead of including that information in the description as in the NFPA standard.


Minimum Requirements

Both standards require that all machines have at least a Category 0 stop. This could be achieved by switching off (by using the disconnecting means, for example), by physically “pulling the plug” from the power supply socket on the wall, through a ‘master-control relay’ circuit, or through an emergency stop circuit. Note that this does not require that all machines have an e-stop!

To learn more about how to determine the need for emergency stop, see my earlier post Emergency Stop – What’s so confusing about that?

Selecting a Stop Function

How do you decide on what category to use? First, a risk assessment is required. Second, a start/stop analysis should be conducted. This is quite simple, being a straightforward analysis of the starting and stopping conditions for the machinery. Next, ask these questions:

1) Will the machinery stop safely under an uncontrolled stop?

If the machinery does not have a significant amount of inertia, meaning it won’t coast more than a very short time, then a Category 0 stop may be all that is required.

2) If the machinery coasts, or if the machinery can be stopped more quickly under control than when power is simply removed, then a Category 1 stop is likely the best choice.

3) If the machinery includes devices that require power to keep them in a safe state, then a Category 2 stop is likely the best choice.

If you choose to use a Category 2 stop, be aware that leaving power on the machinery leaves the user open to hazards related to having power on the machinery. Careful risk assessment is required in these cases especially.

Risk Assessment and Stop/Start Analysis

Risk assessment is critical to the specification of all safety-related functions. While emergency stop is not a safeguard, it is considered to be a ‘complementary protective measure’. Understanding the hazards that need to be controlled and the degree of risk related to the hazards is basic design information that will provide specific direction on the stop category required and the degree of control reliability necessary to provide the expected risk reduction.

Stop/Start Analysis is quite simple. It amounts to considering all of the intended stop/start conditions for the machinery, and then including conditions that may result from reasonably foreseeable failure modes of the machinery and foreseeable misuses of the machinery. Create a table with three columns as a starting point, similar to Table 2.

Table 2: Example Start/Stop Analysis

Lubricant Pump
  Start condition: Lubricant Pump Start Button Pressed
  Stop conditions: Lubricant Pump Stop Button Pressed; Low Lubricant Level in reservoir; High pressure drop across lubricant filter

Main Spindle Motor
  Start condition: Start enabled and Start Button Pressed
  Stop conditions: Low Lubricant Pressure; Stop button pressed

Feed Advance Motor
  Start condition: Feed Advance button pressed
  Stop conditions: Feed Stop button pressed; Feed end of travel limit reached

Emergency Stop
  Start condition: (none)
  Stop condition: All motions stop, lubricant pump remains running

The above table is simply an example of what a start/stop analysis can look like. You can have as much detail as you like.
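Here is an added example (my own, not from the post) that carries the three questions in ‘Selecting a Stop Function’ through to numbers for the kind of rows a start/stop analysis like Table 2 contains. For each constructed axis it computes stopping time and distance under a Category 0 stop (power removed, coasting on friction) and under a Category 1 or 2 stop (power kept to achieve the stop), following the Category definitions in Table 1, and then picks a category by the post’s rules: short coast, Category 0; coasts but the drive stops it faster, Category 1; power needed to hold a safe state, Category 2. The axis names, speeds and decelerations are made up, constant deceleration is assumed, and the 0.5 s ‘short coast’ threshold is a placeholder a risk assessment would set.

```python
"""Stop category selection worked through for constructed axes.

Added example, not from the post. Decision rules follow the three questions
in the post; stop behaviour follows the Category 0/1/2 definitions quoted
from IEC 60204-1 / NFPA 79. Constant deceleration is assumed; all numbers
and names are made up for illustration.
"""
from dataclasses import dataclass


@dataclass
class Axis:
    name: str
    speed_mps: float            # speed when the stop is commanded, m/s
    friction_decel: float       # deceleration with power removed (coasting), m/s^2
    brake_decel: float          # deceleration the drive can command, m/s^2
    needs_power_to_hold: bool = False   # e.g. a vertical axis held up by the drive


def stop_profile(axis, category):
    """Return (stop_time_s, stop_distance_m, power_on_after_stop) for a stop category."""
    if category == 0:
        decel = axis.friction_decel   # uncontrolled stop: immediate removal of power
    elif category in (1, 2):
        decel = axis.brake_decel      # controlled stop: power available to achieve the stop
    else:
        raise ValueError(f"unknown stop category {category}")
    stop_time = axis.speed_mps / decel
    stop_distance = axis.speed_mps ** 2 / (2 * decel)
    # Category 1 removes power once stopped; Category 2 leaves it available.
    return stop_time, stop_distance, category == 2


def select_stop_category(axis, short_coast_s=0.5):
    """Apply the post's three questions; returns (category, rationale)."""
    t_coast, d_coast, _ = stop_profile(axis, 0)
    t_ctrl, d_ctrl, _ = stop_profile(axis, 1)
    if axis.needs_power_to_hold:
        # Question 3: power is needed to keep a safe state. Residual hazard of a
        # live machine remains and must be covered by the risk assessment.
        return 2, "power needed to hold a safe state; live-machine hazards remain"
    if t_coast <= short_coast_s:
        # Question 1: no significant inertia, removing power is enough.
        return 0, f"coasts only {t_coast:.2f} s; removing power is enough"
    if t_ctrl < t_coast:
        # Question 2: it coasts, and the drive can stop it faster than friction.
        return 1, (f"coasts {t_coast:.1f} s / {d_coast:.2f} m; controlled stop "
                   f"{t_ctrl:.2f} s / {d_ctrl:.2f} m")
    return 0, "coasts but the drive cannot stop it faster; consider mechanical braking"


def stop_analysis(axes, short_coast_s=0.5):
    """One row per axis, in the spirit of a start/stop analysis table."""
    rows = []
    for axis in axes:
        category, rationale = select_stop_category(axis, short_coast_s)
        t, d, powered = stop_profile(axis, category)
        rows.append({"description": axis.name, "category": category,
                     "stop_time_s": round(t, 3), "stop_distance_m": round(d, 4),
                     "power_on_after_stop": powered, "rationale": rationale})
    return rows


# Constructed sample axes (not real machine data).
SAMPLE_AXES = [
    Axis("indexing table", speed_mps=0.2, friction_decel=2.0, brake_decel=4.0),
    Axis("outfeed conveyor", speed_mps=2.0, friction_decel=0.5, brake_decel=4.0),
    Axis("vertical lift axis", speed_mps=0.5, friction_decel=0.1, brake_decel=2.5,
         needs_power_to_hold=True),
]

if __name__ == "__main__":
    for row in stop_analysis(SAMPLE_AXES):
        print(row)
```

The conveyor row is the interesting one: under a Category 0 stop it coasts for 4 s and 4 m, while a Category 1 stop brings it to rest in 0.5 s and 0.5 m before removing power, which is exactly the situation where the post says Category 1 is the better choice.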

Control Reliability Requirements

Both ISO 13849-1 and IEC 62061 base the initial requirements for reliability on the outcome of the risk assessment (PLr or SILr). If the stopping condition is part of normal operation, then simple circuit requirements (i.e. PLa, Category 1) are all that may be required. If the stopping condition is intended to be an Emergency Stop, then additional analysis is needed to determine exactly what may be required.

More Information

How have you typically implemented your stops and emergency stop systems?

Have you ever used the START/STOP analysis method?

I care about what you think as a reader, so please leave me comments and questions! If you would prefer to discuss your question privately, contact me directly.

Referenced Standards

American National Standards Institute (ANSI)

ANSI/NFPA 79, 2007 — Electrical Standard for Industrial Machinery

Canadian Standards Association (CSA)

CSA Z432, 2004 — Safeguarding of Machinery

International Electrotechnical Commission (IEC)

IEC 60204-1, 2009 — Electrical Equipment of Industrial Machines

International Standardization Organization (ISO)

ISO 13849-1, 2006 — Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design

ISO 13849-2, 2006 — Safety of Machinery — Safety Related Parts of Control Systems — Part 2: Validation