Tag Archives: ISO 13850

Busting Emergency Stop Myths

Posted by on September 3, 2010 3 comments
Emergency Stop on machine console
This entry is part 4 of 9 in the series Emergency Stop

There are a num­ber of myths that have grown up around emer­gency stops over the years. These myths can lead to injury or death, so it’s time for a lit­tle Myth Busting here on the MS101 blog!

What does ‘emer­gency’ mean?

Consider for a moment the roots of the word ‘emer­gency’. This word comes from the word ‘emer­gent’, mean­ing a sit­u­a­tion that is devel­op­ing or emerg­ing in the moment. Emergency stop sys­tems are intended to help the user deal with poten­tially haz­ardous con­di­tions that are emerg­ing in the moment. These con­di­tions have prob­a­bly arisen because the design­ers of the machin­ery failed to con­sider all the fore­see­able uses of the equip­ment, or because some­one has cho­sen to mis­use the equip­ment in a way that was not intended by the design­ers. The key func­tion of an Emergency Stop sys­tem is to pro­vide the user with a backup to the pri­mary safe­guards. These sys­tems are referred to as “Complementary Protective Measures” and are intended to give the user a chance to “avert or limit harm” in a haz­ardous sit­u­a­tion. With that in mind, let’s look at three myths I hear about regularly.

Myth #1 – The Emergency Stop Is A Safety Device

Waterwheel and belt. Credit: Harry Matthews & http://www.old-engine.com

A Fitz Water Wheel and Belt Drive, Credit: Harry Matthews & http://​www​.old​-engine​.com

Early in the Industrial Revolution machine builders real­ized that users of their machin­ery needed a way to quickly stop a machine when some­thing went wrong. At that time, over­head line-​​shafts were dri­ven by large cen­tral power sources like water­wheels, steam engines or large elec­tric motors. Machinery was cou­pled to the cen­tral shafts with pul­leys, clutches and belts which trans­mit­ted the power to the machinery.

See pic­tures of a line-​​shaft pow­ered machine shop or click the image below.

Line Shaft in the Mt. Wilson Observatory Machine Shop

Photo: Larry Evans & www​.old​engine​.org

These cen­tral engines pow­ered an entire fac­tory, so they were much larger than an indi­vid­ual motor sized for a mod­ern machine. In addi­tion, they could not be eas­ily stopped, since stop­ping the cen­tral power source would mean stop­ping the entire fac­tory – not a wel­come choice. Emergency stop devices were born in this environment.

Learn more about Line Shafts at Harry’s Old Engines.

Due to their early use as a safety device, some have incor­rectly con­sid­ered emer­gency stop sys­tems safe­guard­ing devices. Modern stan­dards make the dif­fer­ence very clear. The eas­i­est way to under­stand the cur­rent mean­ing of the term “EMERGENCY STOP” is to begin by look­ing at the inter­na­tional stan­dards pub­lished by IEC1 and ISO2.

emer­gency stop3
emer­gency stop function

func­tion that is intended to

—   avert aris­ing, or reduce exist­ing, haz­ards to per­sons, dam­age to machin­ery or to work in progress,

—   be ini­ti­ated by a sin­gle human action

NOTE 1

Hazards, for the pur­poses of this International Standard, are those which can arise from

—   func­tional irreg­u­lar­i­ties (e.g. machin­ery mal­func­tion, unac­cept­able prop­er­ties of the mate­r­ial processed, human error),

—   nor­mal operation.

It is impor­tant to under­stand that an emer­gency stop func­tion is “ini­ti­ated by a sin­gle human action”. This means that it is not auto­matic, and there­fore can­not be con­sid­ered to be a risk con­trol mea­sure for oper­a­tors or bystanders. Emergency stop may pro­vide the abil­ity to avoid or reduce harm, by pro­vid­ing a means to stop the equip­ment once some­thing has already gone wrong. Your next actions will usu­ally be to call 911 and admin­is­ter first aid.

Safeguarding sys­tems act auto­mat­i­cally to pre­vent a per­son from becom­ing involved with the haz­ard in the first place. This is a reduc­tion in the prob­a­bil­ity of a haz­ardous sit­u­a­tion aris­ing, and may also involve a reduc­tion in the sever­ity of injury by con­trol­ling the haz­ard (i.e., slow­ing or stop­ping rotat­ing machin­ery before it can be reached.) This con­sti­tutes a risk con­trol mea­sure and can be shown to reduce the risk of injury to an exposed person.

Emergency stop is reac­tive; safe­guard­ing sys­tems are proac­tive.

In Canada, CSA defines emer­gency stop as a ‘Complementary Protective Measure’ in CSA Z432-​​046:

6.2.2.1.1
Safeguards (guards, pro­tec­tive devices) shall be used to pro­tect per­sons from the haz­ards that can­not rea­son­ably be avoided or suf­fi­ciently lim­ited by inher­ently safe design. Complementary pro­tec­tive mea­sures involv­ing addi­tional equip­ment (e.g., emer­gency stop equip­ment) may have to be taken.

6.2.3.5.3 Complementary pro­tec­tive mea­sures
Following the risk assess­ment, the mea­sures in this clause either shall be applied to the machine or shall be dealt with in the infor­ma­tion for use.
Protective mea­sures that are nei­ther inher­ently safe design mea­sures, nor safe­guard­ing (imple­men­ta­tion of guards and/​or pro­tec­tive devices), nor infor­ma­tion for use may have to be imple­mented as required by the intended use and the rea­son­ably fore­see­able mis­use of the machine. Such mea­sures shall include, but not be lim­ited to,

(a) emer­gency stop;
(b) means of res­cue of trapped per­sons; and
© means of energy iso­la­tion and dissipation.

In the USA, three stan­dards apply: ANSI B11ANSI B11.19–2003, and NFPA 79:

ANSI B11-​​2008

3.80 stop: Immediate or con­trolled ces­sa­tion of machine motion or other haz­ardous sit­u­a­tions. There are many terms used to describe the dif­fer­ent kinds of stops, includ­ing user– or supplier-​​specific terms, the oper­a­tion and func­tion of which is deter­mined by the indi­vid­ual design. Definitions of some of the more com­monly used “stop” ter­mi­nol­ogy include:

3.80.2 emer­gency stop: The stop­ping of a machine tool, man­u­ally ini­ti­ated, for emer­gency purposes;

7.6 Emergency stop

Electrical, pneu­matic and hydraulic emer­gency stops shall con­form to require­ments in the ANSI B11 machine-​​specific stan­dard or NFPA 79.
Informative Note 1: An emer­gency stop is not a safe­guard­ing device. See also, B11.19.
Informative Note 2: For addi­tional infor­ma­tion, see ISO 13850 and IEC 60204–1.

ANSI B11.19–2003

12.9 Stop and emer­gency stop devices

Stop and emer­gency stop devices are not safe­guard­ing devices. They are com­ple­men­tary to the guards, safe­guard­ing device, aware­ness bar­ri­ers, sig­nals and signs, safe­guard­ing meth­ods and safe­guard­ing pro­ce­dures in clauses 7 through 11.

Stop and emer­gency stop devices shall meet the require­ments of ANSI /​ NFPA 79.

E12.9

Emergency stop devices include but are not lim­ited to, but­tons, rope-​​pulls, and cable-​​pulls.

A safe­guard­ing device detects or pre­vents inad­ver­tent access to a haz­ard, typ­i­cally with­out overt action by the indi­vid­ual or oth­ers. Since an indi­vid­ual must actu­ate an emer­gency stop device to issue the stop com­mand, usu­ally in reac­tion to an event or haz­ardous sit­u­a­tion, it nei­ther detects nor pre­vents expo­sure to the hazard.

If an emer­gency stop device is to be inter­faced into the con­trol sys­tem, it should not reduce the level of per­for­mance of the safety func­tion (see sec­tion 6.1 and Annex C).

NFPA 79 deals with the elec­tri­cal func­tions of the emer­gency stop func­tion which is not directly rel­e­vant to this arti­cle, so that is why I haven’t quoted directly from that doc­u­ment here.

As you can clearly see, the essen­tial def­i­n­i­tions of these devices in the US and Canada match very closely, although the US does not specif­i­cally use the term ‘com­ple­men­tary pro­tec­tive measures’.

Myth #2 – Cycle Stop And Emergency Stop Are Equivalent

Emergency stop sys­tems act pri­mar­ily by remov­ing power from the prime movers in a machine, ensur­ing that power is removed and the equip­ment brought to a stand­still as quickly as pos­si­ble, regard­less of the por­tion of the oper­at­ing cycle that the machine is in. After an emer­gency stop, the machine is inop­er­a­ble until the emer­gency stop sys­tem is reset. In some cases, emer­gency stop­ping the machine may dam­age the equip­ment due to the forces involved in halt­ing the process quickly.

Cycle stop is a con­trol sys­tem com­mand func­tion that is used to bring the machine cycle to a grace­ful stop at the end of the cur­rent cycle. The machine is still fully oper­a­ble and may still be in auto­matic mode at the com­ple­tion of this stop.

Again, refer­ring to ANSI B11-​​2008:

3.80.1 con­trolled stop: The stop­ping of machine motion while retain­ing power to the machine actu­a­tors dur­ing the stop­ping process. Also referred to as Category 1 or 2 stop (see also NFPA 79: 2007, 9.2.2);

3.80.2 emer­gency stop: The stop­ping of a machine tool, man­u­ally ini­ti­ated, for emer­gency purposes;

Myth #3 – Emergency Stop Systems Can Be Used For Energy Isolation

Disconnect Switch with Lock and TagFifteen to twenty years ago it was not uncom­mon to see emer­gency stop but­tons fit­ted with lock­ing devices.  The lock­ing device allowed a per­son to pre­vent the reset­ting of the emer­gency stop device. This was done as part of a “lock­out pro­ce­dure”. Lockout is one aspect of haz­ardous energy con­trol pro­ce­dures (HECP).  HECPs rec­og­nize that live work needs to be done from time to time, and that nor­mal safe­guards may be bypassed or dis­con­nected tem­porar­ily, to allow diag­nos­tics and test­ing to be car­ried out. This process is detailed in two cur­rent stan­dards, CSA Z460 and ANSI Z244.1. Note that these lock­ing devices are still avail­able for sale, and can be used as part of an HECP to pre­vent the emer­gency stop sys­tem or other con­trols from being reset until the machine is ready for test­ing. They can­not be used to iso­late an energy source.

No cur­rent stan­dard allows for the use of con­trol devices such as push but­tons or selec­tor switches to be used as energy iso­la­tion devices.

CSA Z460-​​05 specif­i­cally pro­hibits this use in their def­i­n­i­tion of ‘energy iso­la­tion devices’:

Energy-​​isolating device — a mechan­i­cal device that phys­i­cally pre­vents the trans­mis­sion or release of energy, includ­ing but not lim­ited to the fol­low­ing: a man­u­ally oper­ated elec­tri­cal cir­cuit breaker; a dis­con­nect switch; a man­u­ally oper­ated switch by which the con­duc­tors of a cir­cuit can be dis­con­nected from all ungrounded sup­ply con­duc­tors; a line valve; a block; and other devices used to block or iso­late energy (push-​​button selec­tor switches and other control-​​type devices are not energy-​​isolating devices).4

Similar require­ments are found in ANSI Z244.15 and in ISO 138503.

Myth #4 — All Machines are Required to have an Emergency Stop

Some machine design­ers believe that all machines are required to have an emer­gency stop. This is sim­ply not true.

Emergency stop sys­tems may be use­ful where they can pro­vide a back-​​up to other safe­guard­ing sys­tems. To under­stand where to use an emer­gency stop, a start-​​stop analy­sis must be car­ried out as part of the design process. This analy­sis will help the designer develop a clear under­stand­ing of the nor­mal start and stop con­di­tions for the machine. The analy­sis also needs to include fail­ure modes for all of the stop func­tions. It is here that the emer­gency stop can be help­ful. If remov­ing power will cause the haz­ard to cease in a short time, or if the haz­ard can be quickly con­tained in some way, then emer­gency stop is a valid choice. If the haz­ard will remain for a con­sid­er­able time fol­low­ing removal of power, then emer­gency stop will have no effect and is use­less for avoid­ing or lim­it­ing harm.

For exam­ple, con­sider an oven. If the burner stop con­trol failed, and assum­ing that the only haz­ard we are con­cerned with is the hot sur­faces inside the oven, then using an emer­gency stop to turn the burn­ers off only results in the start of the nat­ural cool­ing cycle of the oven. In some cases that could take hours or days, so the emer­gency stop has no value. It might be use­ful for con­trol­ling other haz­ards, such as fire, that might be related to the same fail­ure. Without a full analy­sis of the fail­ure modes of the con­trol sys­tem, a sound deci­sion can­not be made.

Simple machines like drill presses and table saws are sel­dom fit­ted with emer­gency stop sys­tems. These machines, which can be very dan­ger­ous, could def­i­nitely ben­e­fit from hav­ing an emer­gency stop. They are some­times fit­ted with a dis­con­nect­ing device with a red and yel­low han­dle that can be used for ‘emer­gency switch­ing off’. This dif­fers from emer­gency stop because the machine, and the haz­ard, will typ­i­cally re-​​start imme­di­ately when the emer­gency switch­ing off device is turned back on. This is not per­mit­ted with emer­gency stop, where reset­ting the emer­gency stop device only per­mits the restart­ing of the machine through other con­trols. Reset of the emer­gency stop device is not per­mit­ted to reap­ply power to the machine on its own.

These require­ments are detailed in ISO 138503, CSA Z4326 and other standards.

Design Considerations

Emergency Stop is a con­trol that is often designed in with lit­tle thought and used for a vari­ety of things that it was never intended to be used to accom­plish. The three myths dis­cussed in this arti­cle are the tip of the iceberg.

Consider these ques­tions when think­ing about the design and use of emer­gency stop systems:

  1. Have all the intended uses and fore­see­able mis­uses of the equip­ment been considered?
  2. What do I expect the emer­gency stop sys­tem to do for the user of the machine? (The answer to this should be in the risk assessment.)
  3. How much risk reduc­tion am I expect­ing to achieve with the emer­gency stop?
  4. How reli­able does the emer­gency stop sys­tem need to be?
  5. Am I expect­ing the emer­gency stop to be used for other pur­poses, like ‘Power Off’, energy iso­la­tion, or reg­u­lar stop­ping of the machine? (The answer to this should be ‘NO’.)

Taking the time to assess the design require­ments before design­ing the sys­tem can help ensure that the machine con­trols are designed to pro­vide the func­tion­al­ity that the user needs, and the risk reduc­tion that is required. The answers lie in the five ques­tions above.

Have any of these myths affected you?

Got any more myths about e-​​stops you’d like to share?

I really appre­ci­ate hear­ing from my read­ers! Leave a com­ment or email it to us and we’ll con­sider adding it to this arti­cle, with credit of course!

References

5% Discount on All Standards with code: CC2011

  1. IEC – International Electrotechnical Commission. Download IEC stan­dards, International Electrotechnical Commission standards.
  2. ISO – International Organization for Standardization Download ISO Standards
  3. Safety of machin­ery — Emergency stop — Principles for design, ISO 13850, 2006, ISO, Geneva, Switzerland.
  4. Control of Hazardous Energy ­– Lockout and Other Methods, CSA Z460, 2005, Canadian Standards Association, Toronto, Canada.
    Buy CSA Standards online at CSA​.ca
  5. Safeguarding of Machinery, CSA Z432-​​04, Canadian Standards Association, Toronto, Canada.
  6. Control of Hazardous Energy – Lockout/​Tagout and Alternative Methods, ANSI/​ASSE Z244.1, 2003, American National Standards Institute /​ American Society of Safety Engineers, Des Plaines, IL, USA.
    Download ANSI standards
  7. American National Standard for Machine Tools – Performance Criteria for Safeguarding, ANSI B11.19–2003, American National Standards Institute, Des Plaines, ILUSA.
  8. General Safety Requirements Common to ANSI B11 Machines, ANSI B11-​​2008, American National Standards Institute, Des Plaines, ILUSA.
  9. Electrical Standard for Industrial Machinery, NFPA 79–2007, NFPA, 1 Batterymarch Park, Quincy, MA 02169–7471, USA.
    Buy NFPA Standards online.

5% Discount on All Standards with code: CC2011

Copyright secured by Digiprove © 2011
Acknowledgements: See cita­tions in the article.
Some Rights Reserved

Emergency Stop — What’s so confusing about that?

Posted by on March 6, 2009 1 comment
Emergency Stop on machine console
This entry is part 1 of 9 in the series Emergency Stop

I get a lot of calls and emails ask­ing about emer­gency stops. This is one of those decep­tively sim­ple con­cepts that has man­aged to get very com­pli­cated over time. Not every machine needs or can ben­e­fit from an emer­gency stop. In some cases, it may lead to an unrea­son­able expec­ta­tion of safety from the user, which can lead to injury if they don’t under­stand the haz­ards involved. Some product-​​specific stan­dards man­date the require­ment for emer­gency stop, such as CSA Z434-​​03, where robot con­trollers are required to pro­vide emer­gency stop func­tion­al­ity and work cells inte­grat­ing robots are also required to have emer­gency stop capability.

Defining Emergency Stop

Old, non-compliant, E-Stop Button

This OLD but­ton is def­i­nitely non-​​compliant.

So what is an Emergency Stop, or e-​​stop, and when do you need to have one? Let’s look at a few def­i­n­i­tions taken from CSA Z432-​​04:

Emergency sit­u­a­tion — an imme­di­ately haz­ardous sit­u­a­tion that needs to be ended or averted quickly in order to pre­vent injury or damage.

Emergency stop — a func­tion that is intended to avert harm or to reduce exist­ing haz­ards to per­sons, machin­ery, or work in progress.

Emergency stop but­ton — a red mushroom-​​headed but­ton that, when acti­vated, will imme­di­ately start the emer­gency stop sequence.

and one more:

6.2.3.5.3 Complementary pro­tec­tive mea­sures
Following the risk assess­ment, the mea­sures in this clause either shall be applied to the machine or shall be dealt with in the infor­ma­tion for use.

Protective mea­sures that are nei­ther inher­ently safe design mea­sures, nor safe­guard­ing (imple­men­ta­tion of guards and/​or pro­tec­tive devices), nor infor­ma­tion for use may have to be imple­mented as required by the intended use and the rea­son­ably fore­see­able mis­use of the machine. Such mea­sures shall include, but not be lim­ited to,

a) emer­gency stop;

b) means of res­cue of trapped per­sons; and

c) means of energy iso­la­tion and dissipation.

Modern, non-compliant e-stop button.

This more mod­ern but­ton is non-​​compliant due to the RED back­ground and spring-​​return button.

So, an e-​​stop is a sys­tem that is intended for use in Emergency con­di­tions to try to limit or avert harm to some­one or some­thing. It isn’t a safe­guard, but is con­sid­ered to be a Complementary Protective Measure. In terms of the Hierarchy of Controls, emer­gency stop sys­tems fall into the same level as Personal Protective Equipment like safety glasses, safety boots and hear­ing protection. So far so good.

Is an Emergency Stop Required?

Depending on the reg­u­la­tions and the stan­dards you choose to read, machin­ery is not required to have  an Emergency Stop. Quoting from CSA Z432-​​04:

6.2.5.2.1 Components and ele­ments to achieve the emer­gency stop func­tion
If, fol­low­ing a risk assess­ment, it is deter­mined that in order to achieve ade­quate risk reduc­tion under emer­gency cir­cum­stances a machine must be fit­ted with com­po­nents and ele­ments nec­es­sary to achieve an emer­gency stop func­tion so that actual or impend­ing emer­gency sit­u­a­tions can be con­trolled, the fol­low­ing require­ments shall apply:

a) The actu­a­tors shall be clearly iden­ti­fi­able, clearly vis­i­ble, and read­ily accessible.

b) The haz­ardous process shall be stopped as quickly as pos­si­ble with­out cre­at­ing addi­tional haz­ards.
If this is not pos­si­ble or the risk can­not be ade­quately reduced, this may indi­cate that an emer­gency stop func­tion may not be the best solu­tion (i.e., other solu­tions should be sought). (Bolding added for empha­sis — DN)

c) The emer­gency stop con­trol shall trig­ger or per­mit the trig­ger­ing of cer­tain safe­guard move­ments where necessary.

Note: For more detailed pro­vi­sions, see NFPA 79.

Download NFPA stan­dards through ANSI

This more modern button is still wrong due to the RED background.

This more mod­ern but­ton is non-​​compliant due to the RED background.

In fact, if you read Ontario’s Industrial Establishments reg­u­la­tion (Regulation 851), you will find that the only require­ment for an emer­gency stop is that it is prop­erly iden­ti­fied and located “within easy reach” of the oper­a­tor. What does “prop­erly iden­ti­fied” mean? In Canada, the USA and Internationally, a RED oper­a­tor device on a YELLOW back­ground, with or with­out any text behind it, is rec­og­nized as EMERGENCY STOP or EMERGENCY OFF, in the case of dis­con­nect­ing switches or con­trol switches. I’ve scat­tered some exam­ples of dif­fer­ent com­pli­ant and non-​​compliant e-​​stop devices through this article.

The EU Machinery Directive, 2006/​42/​EC, and Emergency Stop

Interestingly, the European Union has taken what looks like an oppos­ing view of the need for emer­gency stop sys­tems. Quoting from Annex I of the Machinery Directive:

1.2.4.3. Emergency stop
Machinery must be fit­ted with one or more emer­gency stop devices to enable actual or impend­ing dan­ger to be averted.

Notice the words “…actual or impend­ing dan­ger…” This har­mo­nizes with the def­i­n­i­tion of Complementary Protective Measures, in that they are intended to allow a user to “avert or limit harm” from a haz­ard. Clearly, the direc­tion from the European per­spec­tive is that ALL machines need to have an emer­gency stop. Or do they? The same clause goes on to say:

The fol­low­ing excep­tions apply:

  • machin­ery in which an emer­gency stop device would not lessen the risk, either because it would not reduce the stop­ping time or because it would not enable the spe­cial mea­sures required to deal with the risk to be taken,
  • portable hand-​​held and/​or hand-​​guided machinery.

From these two bul­lets it becomes clear that, just as in the Canadian and US reg­u­la­tions, machines only need emer­gency stops WHEN THEY CAN REDUCE THE RISK. This is hugely impor­tant, and often over­looked. If the risks can­not be con­trolled effec­tively with an emer­gency stop, or if the risk would be increased or new risks would be intro­duced by the action of an e-​​stop sys­tem, then it should not be included in the design.

Carrying on with the same clause:

The device must:

  • have clearly iden­ti­fi­able, clearly vis­i­ble and quickly acces­si­ble con­trol devices,
  • stop the haz­ardous process as quickly as pos­si­ble, with­out cre­at­ing addi­tional risks,
  • where nec­es­sary, trig­ger or per­mit the trig­ger­ing of cer­tain safe­guard movements.

Once again, this is con­sis­tent with the gen­eral require­ments found in the Canadian and US reg­u­la­tions. The direc­tive goes on to define the func­tion­al­ity of the sys­tem in more detail:

Once active oper­a­tion of the emer­gency stop device has ceased fol­low­ing a stop com­mand, that com­mand must be sus­tained by engage­ment of the emer­gency stop device until that engage­ment is specif­i­cally over­rid­den; it must not be pos­si­ble to engage the device with­out trig­ger­ing a stop com­mand; it must be pos­si­ble to dis­en­gage the device only by an appro­pri­ate oper­a­tion, and dis­en­gag­ing the device must not restart the machin­ery but only per­mit restarting.

The emer­gency stop func­tion must be avail­able and oper­a­tional at all times, regard­less of the oper­at­ing mode.

Emergency stop devices must be a back-​​up to other safe­guard­ing mea­sures and not a sub­sti­tute for them.

The first sen­tence of the first para­graph above is the one that requires e-​​stop devices to latch in the acti­vated posi­tion. The last part of that sen­tence is even more impor­tant: “…dis­en­gag­ing the device must not restart the machin­ery but only per­mit restart­ing.” That phrase requires that every emer­gency stop sys­tem have a sec­ond dis­crete action to reset the emer­gency stop sys­tem. Pulling out the e-​​stop but­ton and hav­ing power come back imme­di­ately is not OK. Once that but­ton has been reset, a sec­ond action, such as push­ing a “POWER ON” or “RESET” but­ton to restore con­trol power is needed. Point of Clarification: I had a ques­tion come from a reader ask­ing if com­bin­ing the e-​​stop func­tion and the reset func­tion was accept­able. It can be, but only if:

  • The risk assess­ment for the machin­ery does not indi­cate any haz­ards that might pre­clude this approach; and
  • The device is designed with the fol­low­ing characteristics:
  • The device must latch in the acti­vated position;
  • The device must have a “neu­tral” posi­tion where the machine’s emer­gency stop sys­tem can be reset, or where the machine can be enabled to run;
  • The reset posi­tion must be dis­tinct from the pre­vi­ous two posi­tions, and the device must spring-​​return to the neu­tral position.

The sec­ond sen­tence har­mo­nizes with the require­ments of the Canadian and US standards.

Finally, the last sen­tence har­mo­nizes with the idea of “Complementary Protective Measures” as described in CSA Z432.

How Many and Where?

Where? “Within easy reach”. Consider the loca­tions where you EXPECT an oper­a­tor to be. Besides the main con­trol con­sole, these could include feed hop­pers, con­sum­ables feed­ers, fin­ished goods exit points… you get the idea. Anywhere you can rea­son­ably expect an oper­a­tor to be under nor­mal cir­cum­stances is a rea­son­able place to put an e-​​stop device. “Easy Reach” I inter­pret as within the arm-​​span of an adult (pre­sum­ing the equip­ment is not intended for use by chil­dren). This trans­lates to 500–600 mm either side of the cen­ter line of most work stations.

How do you know if you need an emer­gency stop? Start with a stop/​start analy­sis. Identify all the nor­mal start­ing and stop­ping modes that you antic­i­pate on the equip­ment. Consider all of the dif­fer­ent oper­at­ing modes that you are pro­vid­ing, such as Automatic, Manual, Teach, Setting, etc. Identify all of the match­ing stop con­di­tions in the same modes, and ensure that all start func­tions have a match­ing stop function.

Do a risk assess­ment. This is a basic require­ment in most juris­dic­tions today.

As you deter­mine your risk con­trol mea­sures (fol­low­ing the hier­ar­chy of con­trols), look at what risks you might con­trol with an Emergency Stop. Remember that e-​​stops fall below safe­guards in the hier­ar­chy, so you must use a safe­guard­ing tech­nique if pos­si­ble, you can’t just default down to an emer­gency stop. IF the e-​​stop can pro­vide you with the addi­tional risk reduc­tion, then use it but first,  reduce the risks in other ways.

The Stop Function and Control Reliability Requirements

Finally, once you deter­mine the need for an emer­gency stop sys­tem, you need to con­sider the system’s func­tion­al­ity and con­trols archi­tec­ture. NFPA 79 is the ref­er­ence stan­dard for Canada, although you can find very sim­i­lar require­ments in IEC 60204–1 if you are work­ing in an inter­na­tional market.

Download NFPA stan­dards through ANSI
Download IEC stan­dards, International Electrotechnical Commission standards.

Functional Stop Categories

NFPA 79 calls out three basic cat­e­gories of stop. Note that these are NOT reli­a­bil­ity cat­e­gories, but are func­tional cat­e­gories. Reliability is not addressed in these sec­tions. Quoting from the standard:

9.2.2 Stop Functions. The three cat­e­gories of stop func­tions shall be as follows:

(1) Category 0 is an uncon­trolled stop by imme­di­ately remov­ing power to the machine actuators.

(2) Category 1 is a con­trolled stop with power to the machine actu­a­tors avail­able to achieve the stop then remove power when the stop is achieved.

(3) Category 2 is a con­trolled stop with power left avail­able to the machine actuators.

This E-Stop Button is correct.

This E-​​Stop but­ton is CORRECT. Note the Push-​​Pull-​​Twist oper­a­tor and the YELLOW background.

A bit later, the stan­dards says:

9.2.5.3 Stop.
9.2.5.3.1 Each machine shall be equipped with a Category 0 stop.

9.2.5.3.2 Category 0, Category 1, and/​or Category 2 stops shall be pro­vided where indi­cated by an analy­sis of the risk assess­ment and the func­tional require­ments of the machine. Category 0 and Category 1 stops shall be oper­a­tional regard­less of oper­at­ing modes, and Category 0 shall take pri­or­ity. Stop func­tion shall oper­ate by de-​​energizing that rel­e­vant cir­cuit and shall over­ride related start functions.

Note that 9.2.5.3.1 does NOT mean that every machine must have an e-​​stop. It sim­ply says that every machine must have a way to stop the machine that is equiv­a­lent to “pulling the plug”. The main dis­con­nect on the con­trol panel can be used for this func­tion if sized and rated appro­pri­ately. The ques­tion of HOW to effect the Category 0 stop depends on WHEN it will be used — i.e. what risks must be reduced, or what haz­ards must be con­trolled by the e-​​stop.

You’ll also note that that pesky “risk assess­ment” pops up again in 9.2.5.3.2. You just can’t get away from it…

Control Reliability

Disconnect with E-Stop Colours indicates that this device is intended to be used for EMERGENCY SWITCHING OFF.

Disconnect with E-​​Stop Colours indi­cates that this device is intended to be used for EMERGENCY SWITCHING OFF.

Once you know what func­tional cat­e­gory of stop you need, and what degree of risk reduc­tion you are expect­ing from the emer­gency stop sys­tem, you can deter­mine the degree of reli­a­bil­ity required. In Canada, CSA Z432 gives us these cat­e­gories: SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL MONITORED and CONTROL RELIABLE. These cat­e­gories are being replaced slowly by Performance Levels (PL) as defined in ISO 13849–1 2007.

The short answer is that the greater the risk reduc­tion required, the higher the degree of reli­a­bil­ity required. In many cases, a SINGLE CHANNEL or SINGLE CHANNEL MONITORED solu­tion may be accept­able, par­tic­u­larly when there are more reli­able safe­guards in place. On the other hand, you may require CONTROL RELIABLE designs if the e-​​stop is the pri­mary risk reduc­tion for some risks or spe­cific tasks.

Extra points go to any reader who noticed that the ‘elec­tri­cal haz­ard’ warn­ing label imme­di­ately above the dis­con­nect han­dle in the above photo is a) upside down, and b) using a non-​​standard light­ing flash. Cheap haz­ard warn­ing labels, like this one, are often as good as none at all. I’ll be writ­ing more on haz­ard warn­ings in future posts.

Use of Emergency Stop as part of a Lockout Procedure or HECP.

One last note: Emergency stop sys­tems (with the excep­tion of emer­gency switch­ing off devices, such as dis­con­nect switches used for e-​​stop) CANNOT be used for energy iso­la­tion in a Hazardous Energy Control Procedure (a.k.a. Lockout). Devices for this pur­pose must phys­i­cally sep­a­rate the energy source from the down-​​stream com­po­nents. See CSA Z460-​​05 for more on that subject.

Read our Article on Using E-​​Stops in HECP.

Pneumatic E-Stop Device

Pneumatic E-​​Stop/​Isolation device.

Standards Referenced in this post:

CSA Z432-​​04, Safeguarding of Machinery

NFPA 79–07, Electrical Standard for Industrial Machinery
Download NFPA stan­dards at ANSI

IEC 60204–1:09,  SAFETY OF MACHINERYELECTRICAL EQUIPMENT OF MACHINESPART 1: GENERAL REQUIREMENTS

Download IEC stan­dards, International Electrotechnical Commission standards.

ISO 13849−1−2007, Safety of machin­ery — Safety-​​related parts of con­trol sys­tems — Part 1: General prin­ci­ples for design

See also

ISO 13850:06, SAFETY OF MACHINERYEMERGENCY STOPPRINCIPLES FOR DESIGN

Download IEC stan­dards, International Electrotechnical Commission stan­dards.
Download ISO Standards

All original content on these pages is fingerprinted and certified by Digiprove
Performance Optimization WordPress Plugins by W3 EDGE