Reader Question: Multiple E-Stops and Resets

This entry is part 7 of 13 in the series Emer­gency Stop

I had an interesting question come in from a reader today that is relevant to many situations:

“When you have multiple E-Stop buttons I have often gotten into an argument that says you can have a reset beside each one. I was taught that you were required to have a single point of reset. Who is correct?”

— Michael Barb, Sr. Elec­tri­cal Engi­neer

The Short Answer

There is noth­ing in the EU, US or Cana­di­an reg­u­la­tions that would for­bid hav­ing mul­ti­ple reset but­tons. How­ev­er, you must under­stand the over­lap­ping require­ments for emer­gency stop and pre­ven­tion of unex­pect­ed start-up.

The Long Answer:

First I need to define two dif­fer­ent types of reset for clar­i­ty:

  1. Emer­gency Stop Device Reset: Each e-stop device, i.e. but­ton, pull cord, foot switch, etc., is required to latch in the acti­vat­ed state and must be indi­vid­u­al­ly reset. Reset­ting the e-stop device is NOT per­mit­ted to re-start the machin­ery, only to per­mit restart­ing. (NFPA 79, CSA Z432, ISO 14118).
  2. Restart­ing the machine is a sep­a­rate delib­er­ate action from reset­ting the emer­gency stop device(s).

ANSI B11-2008 pro­vides some direct guid­ance on this top­ic:

7.2.2 Zones

A machine or an assembly of machines may be divided into several control zones (e.g., for emergency stopping, stopping as a result of safeguarding devices, start-up, isolation or energy dissipation). The machine and controls in different zones shall be defined and identified. Controls for machines in zones can be local for each machine, across several machines in a zone, or globally for machines across zones. The control requirements shall be based on the operational requirements and on the risk assessment. The interfaces between zones, including synchronization and independent operation, shall be designed such that no function in one zone creates a hazard(s) / hazardous situation in another zone.

CSA Z432-04 has sim­i­lar word­ing:

When zones can be deter­mined, their delim­i­ta­tions shall be evi­dent (includ­ing the effect of the asso­ci­at­ed emer­gency stop device). This shall also apply to the effect of iso­la­tion and ener­gy dis­si­pa­tion.

Let’s take a case with a sin­gle e-stop but­ton first. The same require­ments apply for all e-stop devices. The require­ments include:

  1. But­ton must be in ‘easy-reach’ of the nor­mal oper­a­tor posi­tion. I con­sid­er ‘easy-reach’ to be the range I can touch while sit­ting or stand­ing at the nor­mal oper­a­tor posi­tion. This posi­tion is not nec­es­sar­i­ly in front of the con­trol pan­el. This is the posi­tion where the oper­a­tor is expect­ed to be while car­ry­ing out the tasks expect­ed of them when the machine is oper­at­ing. This is the require­ment that dri­ves hav­ing mul­ti­ple but­tons in most cas­es.
  2. E-stop devices can­not be locat­ed so that the oper­a­tor must reach over or past a haz­ard to acti­vate them.
  3. The but­ton must latch in the oper­at­ed posi­tion.
  4. The button must be robust enough to handle the mechanical and electrical stresses that will be placed on it when used, i.e. rugged buttons are required.
  5. When the e-stop device is reset (i.e. returned to the ‘RUN’ position), the machine is NOT permitted to restart on its own; the reset only PERMITS a restart. The machine must be restarted through another deliberate action, like pressing a ‘Power On’ button.

So what do you do with the ‘POWER ON’ or safety circuit reset button? The first question to ask is: ‘What happens when I reset this circuit, applying power to the control circuits?’

Case A: If it is impos­si­ble to see the entire machine from the loca­tion of the reset but­ton, then I would rec­om­mend a sin­gle reset but­ton locat­ed at the HMI or main con­sole. The oper­a­tor must check to make sure the machine is clear before re-apply­ing pow­er. Where the machine is too big to be com­plete­ly vis­i­ble from the main oper­a­tor con­sole, then I would also rec­om­mend:

  • warn­ing horn,
  • warn­ing lights, and
  • a start-up delay that is long enough to allow a per­son to get clear of the machine before it starts mov­ing.

Case B: If the machine is sim­ply ‘enabled’ at this point, but no motion occurs, then mul­ti­ple ‘reset’ or ‘pow­er on’ but­tons may be accept­able, depend­ing on the out­come of the risk assess­ment and start/stop analy­sis. Hav­ing said that, the oper­a­tor will like­ly have to return to a main con­sole to reset the machine and restart oper­a­tion, and chances are there is only one HMI screen on the machine, so there may not be any advan­tage to hav­ing mul­ti­ple reset but­tons.
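The rules above (latching e-stop devices, a reset that only permits restart, and the Case A warning period before motion) can be modelled as a small state machine. This is an added illustration, not code from the original article or from any of the cited standards; the class and state names, the device names and the 5-second delay are assumptions.

```python
from enum import Enum, auto

class State(Enum):
    STOPPED = auto()   # safety circuit open
    READY = auto()     # circuit reset: restart permitted, no motion
    WARNING = auto()   # horn and lights on, start-up delay running
    RUNNING = auto()

class Machine:  # constructed model; all names are illustrative
    def __init__(self, estops, startup_delay_s=5.0):  # 5 s is an assumed value
        self.latched = {name: False for name in estops}
        self.delay = startup_delay_s
        self.state, self.elapsed = State.STOPPED, 0.0

    def press_estop(self, name):
        self.latched[name] = True       # device latches in the activated state
        self.state = State.STOPPED      # any device stops the machine

    def release_estop(self, name):
        self.latched[name] = False      # device reset only; machine state unchanged

    def reset_circuit(self):  # refused while any e-stop device is still latched
        if self.state is State.STOPPED and not any(self.latched.values()):
            self.state = State.READY
        return self.state is State.READY

    def start(self):  # separate deliberate action: begins the warning, not motion
        if self.state is State.READY:
            self.state, self.elapsed = State.WARNING, 0.0
        return self.state is State.WARNING

    def tick(self, dt):  # motion begins only after the full warning period
        if self.state is State.WARNING:
            self.elapsed += dt
            if self.elapsed >= self.delay:
                self.state = State.RUNNING
        return self.state

def walk_through():
    m = Machine(["console", "infeed", "cell_interior"])
    m.press_estop("infeed")
    m.press_estop("cell_interior")
    m.release_estop("infeed")
    trace = [m.reset_circuit()]          # refused: cell_interior still latched
    m.release_estop("cell_interior")     # releasing devices restarts nothing
    trace += [m.state, m.reset_circuit(), m.start()]
    trace.append(m.tick(4.9))            # still in the warning period
    m.press_estop("console")             # e-stop during the warning aborts start-up
    return trace + [m.tick(1.0)]
```

Whether the circuit reset is offered at one location or several changes only where `reset_circuit` can be called from; the sequence it enforces stays the same.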

I would rec­om­mend doing two things to get a good han­dle on this: Con­duct a detailed risk assess­ment and include all nor­mal oper­a­tions and all main­te­nance oper­a­tions. Then con­duct a start/stop analy­sis to look at all of the start­ing and stop­ping con­di­tions that you can rea­son­ably fore­see. Com­bine the results of these two analy­ses to find the start­ing and stop­ping con­di­tions with the high­est risk, and then deter­mine if hav­ing mul­ti­ple reset but­tons will con­tribute to the risk or not. You may also want to look at the con­trol reli­a­bil­i­ty require­ments for the emer­gency stop sys­tem based on the out­come of the risk assess­ment and the start/stop analy­sis.

In a case where there are multiple emergency stop devices, locations are important. There must be one at each normal workstation, within ‘easy reach’, to meet the regulatory requirements in most jurisdictions. You may also want some inside the machine if it is possible to gain full body access inside the machinery, i.e. inside a robot work cell. Make sure that the buttons or other devices are located so that a person exposed to the hazard(s) inside the machine is not required to reach over or past the hazard to get to the button.

Michael, I hope that set­tles the argu­ment!

BSI Publishes New Guide to Machinery Safety

BSI pub­lish­es a new guide on the appli­ca­tion of 2006/42/EC and the PUWER regs. If you are UK based or export to the UK mar­ket you need this guide.

The British Stan­dards Insti­tute (BSI) recent­ly pub­lished a new guide to machin­ery safe­ty enti­tled: “BIP 2184:2009 — Risk Man­age­ment of Machin­ery and Work Equip­ment”.

This guide, written by John Glover, a highly experienced and well-respected consultant in this area, covers the application of the Machinery Directive and the Provision and Use of Work Equipment Regulations (PUWER). Aimed at machinery users, buyers, specifiers, consultants, managers and engineers, this book provides insight and direction in the application of these important requirements.

The guide will help you to under­stand how your respon­si­bil­i­ties have changed and will help you to meet the legal require­ments of the new Machin­ery Direc­tive.

The guide also pro­vides infor­ma­tion on the appli­ca­tion of risk man­age­ment tech­niques in the work­place.

If your orga­ni­za­tion is UK-based or exports into the UK mar­ket, this is a must-have guide to the cur­rent reg­u­la­tions.

Contents of Risk Management of Machinery and Work Equipment include:

  • Cor­po­rate risk man­age­ment
  • Risk man­ag­er vs insur­ance man­ag­er
  • Health and safe­ty and the law
  • The Sup­ply of Machin­ery (Safe­ty) Reg­u­la­tions 2008
  • The Pro­vi­sion and Use of Work Equip­ment Reg­u­la­tions 1998
  • The use of har­mo­nized stan­dards
  • ISO 13849–1, Safe­ty of machin­ery. Safe­ty-relat­ed parts of con­trol sys­tems. Gen­er­al prin­ci­ples for design
  • High-risk envi­ron­ments
  • Why sys­tems fail
  • The costs of non-com­pli­ance
  • Bib­li­og­ra­phy
  • Index of ques­tions by top­ic

Get more infor­ma­tion or pur­chase a copy in the BSI Shop.

Interlocked gate testing

Did you know that inter­locked gates require stop­ping per­for­mance test­ing?

Machinery needs to be able to stop in the time it takes a person to open the guard and reach the hazard. If the distance from the guard opening to the hazard is short enough that a person can reach the danger point before the hazard can be controlled, the guard is useless. The resulting situation may be worse than not having a guard because its presence leads to a false sense of security in users.

Test the stop­ping time of guard­ed haz­ards and make sure that guards are far enough away from the dan­ger zone to be effec­tive. For more on stop­ping per­for­mance require­ments, see CSA Z434, EN 999 (soon to be replaced by EN 13855:2010), and in the USA, 29 CFR 1910.217(h)(9)(v).
