Posts Tagged ‘ISO 13850’

Busting Emergency Stop Myths

Friday, September 3rd, 2010
This entry is part 4 of 4 in the series Emergency Stop

There are a number of myths that have grown up around emergency stops over the years. These myths can lead to injury or death, so it’s time for a little Myth Busting here on the MS101 blog!

Myth #1 – The Emergency Stop Is A Safety Device

Early in the Industrial Revolution machine builders realized that users of their machinery needed a way to quickly stop a machine when something went wrong. At that time, overhead line shafts were driven by large central power sources like waterwheels, steam engines or large electric motors. Machinery was coupled to the central shafts with pulleys, clutches and long leather or fabric belts which transmitted the power to the machinery.

See pictures of a lineshaft powered machine shop.

These central engines were sized to power the entire load of the factory, so they were much larger than an individual motor sized for a particular machine might be on a modern machine. In addition, they could not be easily stopped, and stopping the central power source for the factory would mean stopping the entire factory – not a welcome choice. Emergency stop devices were born in this environment.

Due to their early use as a safety device, emergency stop systems have incorrectly come to be looked upon as safeguarding devices by some. Modern standards make the differentiation very clear. The easiest way to understand the current meaning of the term “EMERGENCY STOP” is to begin by looking at the international standards published by IEC and ISO.

emergency stop; emergency stop function
function that is intended to

—   avert arising, or reduce existing, hazards to persons, damage to machinery or to work in progress,

—   be initiated by a single human action

NOTE 1

Hazards, for the purposes of this International Standard, are those which can arise from

—   functional irregularities (e.g. machinery malfunction, unacceptable properties of the material processed, human error),

—   normal operation.

Safety of machinery – Emergency stop – Principles for design, ISO 13850, Geneva, 2006

Reading this definition, it is important to understand first that the function is “initiated by a single human action”. This means that it is not an automatic function, and therefore cannot be considered to be a factor in risk reduction to operators or bystanders from the machinery. It does provide the ability to avert or reduce hazards by providing a means to stop the equipment once something has already gone wrong.

Safeguarding systems, on the other hand, act automatically to prevent a person from becoming involved with the hazard in the first place. This is a reduction in the probability of a hazardous situation arising, and it may also involve a reduction in the severity of injury by controlling the hazard, i.e. stopping rotating machinery before it can be reached. This constitutes a risk control measure and can be shown to reduce the risk of injury to an exposed person.

In Canada, CSA defines emergency stop as a ‘Complementary Protective Measure’ in CSA Z432-04, §6.2.2.1.1 and 6.2.3.5.3:

6.2.2.1.1
Safeguards (guards, protective devices) shall be used to protect persons from the hazards that cannot reasonably be avoided or sufficiently limited by inherently safe design. Complementary protective measures involving additional equipment (e.g., emergency stop equipment) may have to be taken.

6.2.3.5.3 Complementary protective measures
Following the risk assessment, the measures in this clause either shall be applied to the machine or shall be dealt with in the information for use.
Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but not be limited to,
(a) emergency stop;
(b) means of rescue of trapped persons; and
(c) means of energy isolation and dissipation.

Myth #2 – Cycle Stop And Emergency Stop Are Equivalent

Emergency stop systems act primarily by removing power from the prime movers in a machine. This can be done in a variety of ways that are outside the scope of this article, but the intent is to ensure that power can be removed and the equipment brought to a standstill as quickly as possible, regardless of the portion of the operating cycle that the machine is in. At the end of an emergency stop, the machine is inoperable until the emergency stop is reset. In some cases, emergency stopping the machine may damage the equipment due to the forces involved in halting the process quickly.

Cycle stop is a control system command function that is used to bring the machine cycle to a graceful stop at the end of the current cycle. The machine is still fully operable and may still be in automatic mode at the completion of this stop.

Myth #3 – Emergency Stop Systems Can Be Used For Control Of Hazardous Energy Procedures

Fifteen to twenty years ago it was not uncommon to see emergency stop buttons fitted with locking devices that would allow a person to depress the button and then fit a lock or tag to prevent the resetting of the emergency stop device. This was done as part of a “lockout procedure”. The term “lockout” has been expanded recently to include additional means of hazardous energy control in recognition of the fact that live work does need to be done from time to time, and that normal safeguards may be bypassed or disconnected temporarily to allow diagnostics and testing to be carried out. This process is more correctly called “control of hazardous energy” and is detailed in two current standards, CSA Z460 and ANSI Z244.1.

No current standard allows control devices such as push buttons or selector switches to be used as energy isolation devices for hazardous energy control, regardless of the type of control circuit they are connected into, or the reliability of that circuit.

CSA Z460-05 specifically prohibits this use in their definition of ‘energy isolation devices’:

Energy-isolating device — a mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors; a line valve; a block; and other devices used to block or isolate energy (push-button selector switches and other control-type devices are not energy-isolating devices).

Control of hazardous energy — Lockout and other methods, CSA Z460, Canadian Standards Association, Toronto, 2005

Note that I added the bold-face type for emphasis in the above quotation.

Got any more myths about e-stops you’d like to share? Leave a comment or email it to us and we’ll consider adding it to this article!

References

  1. IEC – International Electrotechnical Commission.
  2. ISO – International Organization for Standardization.
  3. Safety of machinery — Emergency stop — Principles for design, ISO 13850, 2006, ISO, Geneva, Switzerland.
  4. Control of Hazardous Energy – Lockout and Other Methods, CSA Z460, 2005, Canadian Standards Association, Toronto, Canada.
  5. Control of Hazardous Energy – Lockout/Tagout and Alternative Methods, ANSI/ASSE Z244.1, 2003, American National Standards Institute / American Society of Safety Engineers, Des Plaines, IL, USA.

Emergency Stop – What’s so confusing about that?

Friday, March 6th, 2009
This entry is part 1 of 4 in the series Emergency Stop

I get a lot of calls and emails asking about emergency stops. This is one of those deceptively simple concepts that has managed to get very complicated over time. Not every machine needs or can benefit from an emergency stop. In some cases, it may lead to an unreasonable expectation of safety from the user, which can lead to injury if they don’t understand the hazards involved. Some product-specific standards mandate the requirement for emergency stop, such as CSA Z434-03, where robot controllers are required to provide emergency stop functionality and work cells integrating robots are also required to have emergency stop capability.

Defining Emergency Stop

This OLD button is definitely non-compliant.

So what is an Emergency Stop, or e-stop, and when do you need to have one? Let’s look at a few definitions taken from CSA Z432-04:

Emergency situation — an immediately hazardous situation that needs to be ended or averted quickly in order to prevent injury or damage.

Emergency stop — a function that is intended to avert harm or to reduce existing hazards to persons, machinery, or work in progress.

Emergency stop button — a red mushroom-headed button that, when activated, will immediately start the emergency stop sequence.

and one more:

6.2.3.5.3 Complementary protective measures
Following the risk assessment, the measures in this clause either shall be applied to the machine or shall be dealt with in the information for use.

Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but not be limited to,

(a) emergency stop;

(b) means of rescue of trapped persons; and

(c) means of energy isolation and dissipation.

This more modern button is non-compliant due to the RED background and spring-return button.

So, an e-stop is a system that is intended for use in emergency conditions to try to limit or avert harm to someone or something. It isn’t a safeguard, but is considered to be a Complementary Protective Measure. So far, so good.

Is an Emergency Stop Required?

Depending on the regulations and the standards you choose to read, machinery is not required to have an Emergency Stop. Quoting from CSA Z432-04:

6.2.5.2.1 Components and elements to achieve the emergency stop function
If, following a risk assessment, it is determined that in order to achieve adequate risk reduction under emergency circumstances a machine must be fitted with components and elements necessary to achieve an emergency stop function so that actual or impending emergency situations can be controlled, the following requirements shall apply:

(a) The actuators shall be clearly identifiable, clearly visible, and readily accessible.

(b) The hazardous process shall be stopped as quickly as possible without creating additional hazards.
If this is not possible or the risk cannot be adequately reduced, this may indicate that an emergency stop function may not be the best solution (i.e., other solutions should be sought). (Bolding added for emphasis – DN)

(c) The emergency stop control shall trigger or permit the triggering of certain safeguard movements where necessary.

Note: For more detailed provisions, see NFPA 79.


This more modern button is non-compliant due to the RED background.

In fact, if you read Ontario’s Industrial Establishments regulation (Regulation 851), you will find that the only requirement for an emergency stop is that it is properly identified and located “within easy reach” of the operator. What does “properly identified” mean? In Canada, the USA and Internationally, a RED operator device on a YELLOW background, with or without any text behind it, is recognized as EMERGENCY STOP or EMERGENCY OFF, in the case of disconnecting switches or control switches. I’ve scattered some examples of different compliant and non-compliant e-stop devices through this article.

How Many and Where?

Where? “Within easy reach”. Consider the locations where you EXPECT an operator to be. Besides the main control console, these could include feed hoppers, consumables feeders, finished goods exit points… you get the idea. Anywhere you can reasonably expect an operator to be under normal circumstances is a reasonable place to put an e-stop device. “Easy Reach” I interpret as within the arm-span of an adult (presuming the equipment is not intended for use by children). This translates to 500-600 mm either side of the center line of most work stations.

How do you know if you need an emergency stop? Start with a stop/start analysis. Identify all the normal starting and stopping modes that you anticipate on the equipment. Consider all of the different operating modes that you are providing, such as Automatic, Manual, Teach, Setting, etc. Identify all of the matching stop conditions in the same modes, and ensure that all start functions have a matching stop function.

Do a risk assessment. This is a basic requirement in almost every jurisdiction today.

As you determine your risk control measures (following the hierarchy of controls), look at what risks you might control with an Emergency Stop. Remember that e-stops fall below safeguards in the hierarchy, so you must use a safeguarding technique if possible; you can’t just default down to an emergency stop. If the e-stop can provide you with the required risk reduction, then use it. If not, you need to reduce the risks in other ways first.

Control Reliability Requirements

Finally, once you determine the need for an emergency stop system, you need to consider the system’s functionality and controls architecture. NFPA 79 is the reference standard for Canada, although you can find very similar requirements in IEC 60204-1 if you are working in an international market.


NFPA 79 calls out three basic categories of stop. Note that these are NOT reliability categories, but are different ways of functioning. Reliability is not addressed in these sections. Quoting from the standard:

9.2.2 Stop Functions. The three categories of stop functions shall be as follows:

(1) Category 0 is an uncontrolled stop by immediately removing power to the machine actuators.

(2) Category 1 is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.

(3) Category 2 is a controlled stop with power left available to the machine actuators.

This E-Stop button is CORRECT. Note the Push-Pull-Twist operator and the YELLOW background.

A bit later, the standard says:

9.2.5.3 Stop.
9.2.5.3.1 Each machine shall be equipped with a Category 0 stop.

9.2.5.3.2 Category 0, Category 1, and/or Category 2 stops shall be provided where indicated by an analysis of the risk assessment (DN) and the functional requirements of the machine. Category 0 and Category 1 stops shall be operational regardless of operating modes, and Category 0 shall take priority. Stop function shall operate by de-energizing the relevant circuit and shall override related start functions.

Note that 9.2.5.3.1 does NOT mean that every machine must have an e-stop. It simply says that every machine must have a way to stop the machine that is equivalent to “pulling the plug”. The main disconnect on the control panel can be used for this function if sized and rated appropriately. The question of HOW to effect the Category 0 stop depends on WHEN it will be used – i.e. what risks must be reduced, or what hazards must be controlled by the e-stop.

You’ll also note that pesky “risk assessment” pops up again in 9.2.5.3.2. You just can’t get away from it…
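To make Myth #2 from the first post and the NFPA 79 stop categories quoted above concrete, here is a small Python model of a controller’s stop logic, added as an example (it is not code from the post or from any standard). It assumes the e-stop is implemented as a Category 0 stop plus a latch that only a reset clears, treats the Category 1 deceleration as instantaneous, and uses made-up names (MachineModel, compare_stops) for the illustration.

```python
from dataclasses import dataclass
from enum import Enum

class StopCategory(Enum):
    CAT0 = 0  # uncontrolled: power removed from the actuators immediately
    CAT1 = 1  # controlled stop under power, then power removed
    CAT2 = 2  # controlled stop, power left available to the actuators

@dataclass
class MachineModel:
    mode: str = "Automatic"       # no stop function changes the mode
    power: bool = True            # power available to the actuators
    moving: bool = False          # actuators in motion
    estop_latched: bool = False   # set by e-stop, cleared only by reset
    cycle_stop_pending: bool = False

    def start(self) -> bool:
        # 9.2.5.3.2: stop overrides start, so a latched e-stop or
        # missing actuator power refuses the start request.
        if self.estop_latched or not self.power:
            return False
        self.moving, self.cycle_stop_pending = True, False
        return True

    def stop(self, category: StopCategory) -> None:
        # Category 0 and 1 stops act regardless of mode: no mode check here.
        if category is StopCategory.CAT0:
            self.power = False    # power cut first; motion ceases uncontrolled
        self.moving = False       # CAT1: braked under power; CAT2: power stays
        if category is StopCategory.CAT1:
            self.power = False    # power removed once standstill is reached

    def emergency_stop(self) -> None:
        # Assumption: the e-stop is modelled as a Category 0 stop plus a latch.
        self.stop(StopCategory.CAT0)
        self.estop_latched = True

    def reset_estop(self) -> bool:
        # Reset restores readiness only; it never restarts the machine.
        self.estop_latched, self.power = False, True
        return self.moving        # still False: a separate start is needed

    def cycle_stop(self) -> None:
        self.cycle_stop_pending = True   # graceful stop at end of cycle

    def end_of_cycle(self) -> None:
        if self.cycle_stop_pending:
            self.moving, self.cycle_stop_pending = False, False

def compare_stops() -> dict:
    # Apply each stop from Automatic mode; report (mode, power, restartable).
    a = MachineModel(); a.start(); a.cycle_stop(); a.end_of_cycle()
    b = MachineModel(); b.start(); b.emergency_stop()
    return {"cycle_stop": (a.mode, a.power, a.start()),
            "emergency_stop": (b.mode, b.power, b.start())}
```

After a cycle stop the model is still in Automatic mode with power available and restarts on command; after an e-stop it stays in the same mode but is powerless and refuses to start until reset, and even then a separate start action is needed.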

Disconnect with E-Stop Colours indicates that this device is intended to be used for EMERGENCY SWITCHING OFF.

Once you know what category of stop you need, and what degree of risk reduction you are expecting from the emergency stop system, you can determine the degree of reliability required. In Canada, CSA Z432 gives us these categories: SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL MONITORED and CONTROL RELIABLE. These categories are slowly being replaced by Performance Levels (PL) as defined in ISO 13849-1:2007.

The short answer is that the greater the risk reduction required, the higher the degree of reliability required. In many cases, a SINGLE CHANNEL or SINGLE CHANNEL MONITORED solution may be acceptable, particularly when there are more reliable safeguards in place. On the other hand, you may require CONTROL RELIABLE designs if the e-stop is the primary risk reduction for some risks or specific tasks.

Extra points go to any reader who noticed that the ‘electrical hazard’ warning label immediately above the disconnect handle in the above photo is a) upside down, and b) using a non-standard lightning flash.

Cheap hazard warning labels are often as good as none at all. I’ll be writing more on hazard warnings in future posts.

Use of Emergency Stop as part of a Lockout Procedure or HECP.

One last note: Emergency stop systems (with the exception of emergency switching off devices, such as disconnect switches used for e-stop) CANNOT be used for energy isolation in a Hazardous Energy Control Procedure (a.k.a. Lockout). Devices for this purpose must physically separate the energy source from the down-stream components. See CSA Z460-05 for more on that subject.

Pneumatic E-Stop/Isolation device.

Standards Referenced in this post:

CSA Z432-04, Safeguarding of Machinery

NFPA 79-07, Electrical Standard for Industrial Machinery

IEC 60204-1:09, Safety of machinery – Electrical equipment of machines – Part 1: General requirements

ISO 13849-1-2007, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design

See also

ISO 13850:06, Safety of machinery – Emergency stop – Principles for design