Reader Question: Multiple E-​Stops and Resets

This entry is part 7 of 13 in the series Emergency Stop

Control Panel with Emergency Stop Button.I had an inter­est­ing ques­tion come in from a read­er today that is rel­ev­ant to many situ­ations:

When you have mul­tiple E-​Stop but­tons I have often got­ten into an argu­ment that says you can have a reset beside each one. I was taught that you were required to have a single point of reset. Who is cor­rect?”

— Michael Barb, Sr. Electrical Engineer

The Short Answer

There is noth­ing in the EU, US or Canadian reg­u­la­tions that would for­bid hav­ing mul­tiple reset but­tons. However, you must under­stand the over­lap­ping require­ments for emer­gency stop and pre­ven­tion of unex­pec­ted start-​up.

The Long Answer:

First I need to define two dif­fer­ent types of reset for clar­ity:

  1. Emergency Stop Device Reset: Each e-​stop device, i.e. but­ton, pull cord, foot switch, etc., is required to latch in the activ­ated state and must be indi­vidu­ally reset. Resetting the e-​stop device is NOT per­mit­ted to re-​start the machinery, only to per­mit restart­ing. (NFPA 79, CSA Z432, ISO 14118).
  2. Restarting the machine is a sep­ar­ate delib­er­ate action from reset­ting the emer­gency stop device(s).

ANSI B11-​2008 provides some dir­ect guid­ance on this top­ic:

7.2.2 Zones

A machine or an assembly of machines may be divided into sev­er­al con­trol zones (e.g., for emer­gency stop­ping, stop­ping as a res­ult of safe­guard­ing devices, start-​up, isol­a­tion or energy dis­sip­a­tion). The machine and con­trols in dif­fer­ent zones shall be defined and iden­ti­fied. Controls for machines in zones can be loc­al for each machine, across sev­er­al machines in a zone, or glob­ally for machines across zones. The con­trol require­ments shall be based on the oper­a­tion­al require­ments and on the risk assessment.The inter­faces between zones, includ­ing syn­chron­iz­a­tion and inde­pend­ent oper­a­tion, shall be designed such that no func­tion in one zone cre­ates a hazard(s) /​ haz­ard­ous situ­ation in anoth­er zone.

CSA Z432-​04 has sim­il­ar word­ing:

When zones can be determ­ined, their delim­it­a­tions shall be evid­ent (includ­ing the effect of the asso­ci­ated emer­gency stop device). This shall also apply to the effect of isol­a­tion and energy dis­sip­a­tion.

Let’s take a case with a single e-​stop but­ton first. The same require­ments apply for all e-​stop devices. The require­ments include:

  1. Button must be in ‘easy-​reach’ of the nor­mal oper­at­or pos­i­tion. I con­sider ‘easy-​reach’ to be the range I can touch while sit­ting or stand­ing at the nor­mal oper­at­or pos­i­tion. This pos­i­tion is not neces­sar­ily in front of the con­trol pan­el. This is the pos­i­tion where the oper­at­or is expec­ted to be while car­ry­ing out the tasks expec­ted of them when the machine is oper­at­ing. This is the require­ment that drives hav­ing mul­tiple but­tons in most cases.
  2. E-​stop devices can­not be loc­ated so that the oper­at­or must reach over or past a haz­ard to activ­ate them.
  3. The but­ton must latch in the oper­ated pos­i­tion.
  4. The but­ton must be robust enough to handle the mech­an­ic­al and elec­tric­al stresses that will be placed on it when used. i.e. rugged but­tons are required.
  5. When the e-​stop device is reset – i.e returned to the ‘RUN’ pos­i­tion – the machine is NOT per­mit­ted to restart. It is only PERMITTED to restart. It must be restar­ted through anoth­er delib­er­ate action, like press­ing a ‘Power On’ but­ton.

So what do you do with the ‘POWER ON’ or safety cir­cuit reset but­ton? The first ques­tion to ask is: ‘What hap­pens when I reset this cir­cuit, apply­ing power to the con­trol cir­cuits?”

Case A: If it is impossible to see the entire machine from the loc­a­tion of the reset but­ton, then I would recom­mend a single reset but­ton loc­ated at the HMI or main con­sole. The oper­at­or must check to make sure the machine is clear before re-​applying power. Where the machine is too big to be com­pletely vis­ible from the main oper­at­or con­sole, then I would also recom­mend:

  • warn­ing horn,
  • warn­ing lights, and
  • a start-​up delay that is long enough to allow a per­son to get clear of the machine before it starts mov­ing.

Case B: If the machine is simply ‘enabled’ at this point, but no motion occurs, then mul­tiple ‘reset’ or ‘power on’ but­tons may be accept­able, depend­ing on the out­come of the risk assess­ment and start/​stop ana­lys­is. Having said that, the oper­at­or will likely have to return to a main con­sole to reset the machine and restart oper­a­tion, and chances are there is only one HMI screen on the machine, so there may not be any advant­age to hav­ing mul­tiple reset but­tons.

I would recom­mend doing two things to get a good handle on this: Conduct a detailed risk assess­ment and include all nor­mal oper­a­tions and all main­ten­ance oper­a­tions. Then con­duct a start/​stop ana­lys­is to look at all of the start­ing and stop­ping con­di­tions that you can reas­on­ably fore­see. Combine the res­ults of these two ana­lyses to find the start­ing and stop­ping con­di­tions with the highest risk, and then determ­ine if hav­ing mul­tiple reset but­tons will con­trib­ute to the risk or not. You may also want to look at the con­trol reli­ab­il­ity require­ments for the emer­gency stop sys­tem based on the out­come of the risk assess­ment and the start/​stop ana­lys­is.

In a case where there are mul­tiple emer­gency stop devices, loc­a­tions are import­ant. There must be one at each nor­mal work­sta­tion to meet the reg­u­lat­ory require­ments in most jur­is­dic­tions, and with­in ‘easy reach’. You may also want some inside the machine if it is pos­sible to gain full body access inside the machinery. i.e. inside a robot work cell. Make sure that the but­tons or oth­er devices are loc­ated so that a per­son exposed to the hazard(s) inside the machine is not required to reach over or past the haz­ard to get to the but­ton.

Michael, I hope that settles the argu­ment!

Understanding Risk Assessment

When people dis­cuss ‘Risk’ there are a lot of dif­fer­ent assump­tions made about what that means. For me, the study of risk and risk assess­ment tech­niques star­ted in 1995. As a tech­no­lo­gist and con­trols design­er, I had to some­how wrap my head around the whole concept in ways I’d nev­er con­sidered. If you’re try­ing to fig­ure out risk and risk assess­ment this is a good place to get star­ted!

What is risk?

From a machinery per­spect­ive, ISO 12100:2010 defines risk as:

com­bin­a­tion of the prob­ab­il­ity of occur­rence of harm and the sever­ity of that harm”

Risk can have pos­it­ive or neg­at­ive out­comes, but when con­sid­er­ing safety, we only con­sider neg­at­ive risk, or events that res­ult in neg­at­ive health effects for the people exposed.

The risk rela­tion­ship is illus­trated in ISO 12100:2010 Figure 3:

ISO 12100-2010 Figure 3
ISO 12100 – 2010 Figure 3


R = Risk

S = Severity of Harm

P = Probability of Occurrence of Harm

The Probability of Occurrence of Harm factor is often fur­ther broken down into three sub-​factors:

  • Probability of Exposure to the haz­ard
  • Probability of Occurrence of the Hazardous Event
  • Probability of Limiting or Avoiding the Harm

How is risk measured?

In order to estim­ate risk a scor­ing tool is needed. There is no one ‘cor­rect’ scor­ing tool, and there are flaws in most scales that can res­ult in blind-​spots where risks may be over or under-​estimated.

At the simplest level are ‘screen­ing’ tools. These tools use very simple scales like ‘High, Medium, Low’, or ‘A, B, C’. These tools are often used when doing a shop-​floor inspec­tion and are inten­ded to provide a quick meth­od of cap­tur­ing obser­va­tions and giv­ing a gut-​feel assess­ment of the risk involved. These tools should be used as a way to identi­fy risks that need addi­tion­al, detailed assess­ment. To get an idea of what a good screen­ing tool can look like, have a look at the SOBANE Déparis sys­tem.

Every scor­ing tool requires a scale for each risk para­met­er included in the tool. For instance, con­sider the CSA tool described in CSA Z434:

CSA Z434-03 Table 1As you can see, each para­met­er (Severity, Exposure and Avoidance) has a scale, with two pos­sible selec­tions for each para­met­er.

When con­sid­er­ing selec­tion of a scor­ing tool, it’s import­ant to take some time to really exam­ine the scales for each factor. The scale shown above has a glar­ing hole in one scale. See if you can spot it and I’ll tell you what I think a bit later in this post.

There are more than 350 dif­fer­ent scales and meth­od­o­lo­gies avail­able for assess­ing risk. You can find a good review of some of them in Bruce Main’s text­book “Risk Assessment: Basics and Benchmarks” avail­able from DSE online.

A sim­il­ar, although dif­fer­ent, tool is found in Annex 1 of ISO 13849 – 1. Note that this tool is provided in an Informative Annex. This means that it is not part of the body of the stand­ard and is NOT man­dat­ory. In fact, this tool was provided as an example of how a user could link the out­put of a risk assess­ment tool to the Performance Levels described in the norm­at­ive text (the man­dat­ory part) of the stand­ard.

Consider cre­at­ing your own scales. There is noth­ing wrong with determ­in­ing what char­ac­ter­ist­ics (para­met­ers) you want to include in your risk assess­ment, and then assign­ing each para­met­er a numer­ic scale that you think is suit­able; 1 – 10, 0 – 5, etc. Some scales may be inver­ted to oth­ers, for example: If the Severity scale runs from 0 – 10, the Avoidability scale might run from 10 – 0 (Unavoidable to Entirely Avoidable).

Once the scales in your tool have been defined, doc­u­ment the defin­i­tions as part of your assess­ment.

Who should conduct risk assessments?

Lake YogaIn many organ­iz­a­tions, I find that risk assess­ment has been del­eg­ated to one per­son. This is a major mis­take for a num­ber of reas­ons. Risk assess­ment is not a solo activ­ity for a ‘guru’ in a lonely office some­where!

Risk assess­ment is not a lot of fun to do, and since risk assess­ments can get to be quite involved, it rep­res­ents a sig­ni­fic­ant amount of work to put on one per­son. Also, leav­ing it to one per­son means that the assess­ment will neces­sar­ily be biased to what that per­son knows, and may miss sig­ni­fic­ant haz­ards because the assessor doesn’t know enough about that haz­ard to spot it and assess it prop­erly.

Risk assess­ment requires mul­tiple view­points from par­ti­cipants with var­ied expert­ise. This includes users, design­ers, engin­eers, law­yers and those who may have spe­cial­ized know­ledge of a par­tic­u­lar haz­ard, like a Laser Safety Officer or a Radiation Safety Officer. The var­ied expert­ise of the people involved will allow the com­mit­tee to bal­ance the opin­ion of each haz­ard, and devel­op a more reasoned assess­ment of the risk.

I recom­mend that risk assess­ment com­mit­tees nev­er be less than three mem­bers. Five is fre­quently a good num­ber. Once you get bey­ond five, it becomes increas­ingly dif­fi­cult to obtain con­sensus on each haz­ard. Also, con­sider the cost. As each com­mit­tee mem­ber is added to the team, the cost of the assess­ment can escal­ate expo­nen­tially.

Training in risk assess­ment is cru­cial to suc­cess. Ensure that the indi­vidu­als involved are trained, and that at least one has some pre­vi­ous exper­i­ence in the prac­tice so that they may guide the com­mit­tee as needed.

When should a risk assessment be conducted?

Risk Assessment Lifetime Flow Chart
Risk Assessment in the Lifetime of a Product

Risk assess­ment should begin at the begin­ning of a pro­ject, wheth­er it’s the design of a product, the devel­op­ment of a pro­cess or ser­vice, or the design of a new build­ing. Understanding risk is crit­ic­al to the design pro­cess. Cost for changes made at the begin­ning of a pro­ject are min­im­al com­pared to those that will be incurred to cor­rect prob­lems that might have been fore­seen at the start. Risk assess­ment should start at the concept stage and be included at each sub­sequent stage in the devel­op­ment pro­cess. The accom­pa­ny­ing graph­ic illus­trates this idea.

Essentially, risk assess­ment is nev­er fin­ished until the product, pro­cess or ser­vice ceases to exist.

What tools are available?

As men­tioned earli­er in this post, the book ‘Risk Assessment: Basics and Benchmarks” provides an over­view of roughly 350 dif­fer­ent scor­ing tools. You can search the Internet and turn up quite a few as well. The key thing with all of these sys­tems is that you will need to devel­op any soft­ware based tools your­self. Depending on your com­fort with soft­ware, this might be a spread­sheet format, a word pro­cessing doc­u­ment a data­base, or some oth­er format that works for your applic­a­tion.

There are a num­ber of risk assess­ment soft­ware tools avail­able as well, includ­ing ISI’s CIRSMA™ and DSE’s DesignSafe. As with the scor­ing tools, you need to be care­ful when eval­u­at­ing tools. Some have sig­ni­fic­ant blind spots that may trip you up if you are not aware of their lim­it­a­tions.

Remember too that the out­put from the soft­ware can only be as good as the input data. The old saw “Garbage In, Garbage Out” holds true with risk assess­ment.

Where can you get training?

There are a few places to get train­ing. Compliance InSight Consulting provides train­ing to cor­por­ate cli­ents and will be launch­ing a series of web-​based train­ing ser­vices in 2011 that will allow indi­vidu­al learners to get train­ing too.

The IEEE PSES oper­ates a Risk Assessment Technical Committee that is open to the pub­lic as well. See the RATC web site.

The Answer to the Scale Question

The Exposure Scale in the CSA tool has a gap between E1 and E2. Looking at the defin­i­tions for each choice, notice that E1 is less than once per day or shift, while E2 is more than once per hour. Exposures that occur once per hour or less, but more than once per day can­not be scored effect­ively using this scale.

Also, notice the Severity scale: S1 encom­passes injur­ies requir­ing not more than basic first aid. One com­mon ques­tion I get is “Does that include CPR*?”. This ques­tion comes up because most basic first aid courses taught in Canada include CPR as part of the course. There is no clear answer for this in the stand­ard. The S2 factor extends from injur­ies requir­ing more than basic first aid, like a broken fin­ger for instance, all the way to a fatal­ity. Does it make sense to group this broad range of injur­ies togeth­er? This defin­i­tion doesn’t quite match with the Province of Ontario’s defin­i­tion of a Critical Injury found in Regulation 834 either.

All of this points to the need to care­fully assess the scales that you choose before you start the pro­cess. Choosing the wrong tool can skew your res­ults in ways that you may not be very happy about.

*Cardio-​Pulmonary Resuscitation

CSA Z1002 Risk Assessment Standard – 60 Day Public Review

Get more inform­a­tion on CSA Z1002. The draft of this doc­u­ment is now avail­able for pub­lic review through CSA.

60 Day Public Review Starts Today

CSA (the Canadian Standards Association) has been work­ing on a new risk assess­ment stand­ard called Z1002 – Occupational Health and Safety Hazard Identification and Elimination and Risk Assessment and Control, since the fall of 2007.

This risk assess­ment stand­ard is the first of its kind glob­ally and will place the CSA Z100x series of Occupational Health and Safety Management stand­ards at the fore­front glob­ally when it is pub­lished this year.

This stand­ard is destined to become a Canadian National Standard and will have influ­ence on all the stand­ards in the CSA Catalog that include risk assess­ment (CSA Z432, CSA Z434, CSA Z460, CSA Z462, etc.)

As of today, the stand­ard is avail­able for pub­lic review. This means that you can down­load a draft copy of the stand­ard for free and have a look at the con­tent of the doc­u­ment. It’s also hoped that you will provide com­ments on the doc­u­ment that will go back to the tech­nic­al com­mit­tee at the end of the Public Review phase on 17-​Apr-​11 17-​Mar-​11. Every com­ment will be reviewed by the Technical Committee. You have the chance to make change in the doc­u­ment before it is pub­lished later this year.

Public Review is only open for 60 days, so act quickly! On 17-​Apr-​11 17-​Mar-​11 review will close per­man­ently for this edi­tion of the doc­u­ment!

Get The Draft

If you are inter­ested in review­ing and com­ment­ing on the draft, please vis­it:


You can down­load the draft and you can link to the com­ments page for the doc­u­ment to provide your thoughts on it.

More Information

Need more inform­a­tion on this stand­ard? Please con­tact the CSA Project Manager:
Elizabeth Rankin,
ph: (416) 747‑2011