Checking Emergency Stop Systems

A while back I wrote about the basic design requirements for Emergency Stop systems. I’ve had several people contact me wanting to know about checking and testing emergency stops, so here are my thoughts on this process.

Figure 1 below, excerpted from the 1996 edition of ISO 13850, Safety of machinery — Emergency stop — Principles for design, shows the emergency stop function graphically. As you can see, the initiating factor in this function is a person becoming aware of the need for an emergency stop. This is NOT an automatic function and is NOT a safety or safeguarding function.

ISO 13850 1996 Figure 1 — Emergency Stop Function


I mention this because many people are confused about this point. Emergency stop systems are considered to be ‘complementary protective measures’, meaning that their functions complement the safeguarding systems, but cannot be considered to be safeguards in and of themselves. This is significant. Safeguarding systems are required to act automatically to protect an exposed person. Think about how an interlocked gate or a light curtain acts to stop hazardous motion BEFORE the person can reach it. Emergency stop is normally used AFTER the person is already involved with the hazard, and the next step is normally to call 911.

All of that is important from the perspective of control reliability. The control reliability requirements for emergency stop systems are often different from those for the safeguarding systems because they are a backup system. Determination of the reliability requirements is based on the risk assessment and on an analysis of the circumstances where you, as the designer, anticipate that emergency stop may be helpful in reducing or avoiding injury or machinery damage. Frequently, these systems have lower control reliability requirements than do safeguarding systems.

Before you begin any testing, understand what effects the testing will have on the machinery. Emergency stops can be partially tested with the machinery at rest. Depending on the function of the machinery and the difficulty in recovering from an emergency stop condition, you may need to adjust your approach to these tests. Start by reviewing the emergency stop functional description in the manual. Here’s an example taken from a real machine manual:

Emergency Stop (E-Stop) Button

Figure 2.1 Emergency Stop (E-Stop) Button

A red emergency stop (E-Stop) button is a safety device which allows the operator to stop the machine in an emergency. At any time during operation, press the E-Stop button to disconnect actuator power and stop all connected machines in the production line. Figure 2.1 shows the emergency stop button.

There is one E-Stop button on the pneumatic panel.

NOTE: After pressing the E-Stop button, the entire production line from spreader-feeder to stacker shuts down. When the E-Stop button is reset, all machines in the production line will need to be restarted.

DANGER: These devices do not disconnect main electrical power from the machine. See “Electrical Disconnect” on page 21.

As you can see, the general function of the button is described, and some warnings are given about what does and doesn’t happen when the button is pressed.

Now, if the emergency stop system has been designed properly and the machine is operating normally, pressing the emergency stop button while the machine is in mid-cycle should result in the machinery coming to a fast and graceful stop. Here is what ISO 13850 has to say about this condition:

4.1.3 The emergency stop function shall be so designed that, after actuation of the emergency stop actuator, hazardous movements and operations of the machine are stopped in an appropriate manner, without creating additional hazards and without any further intervention by any person, according to the risk assessment.
An “appropriate manner” can include

  • choice of an optimal deceleration rate,
  • selection of the stop category (see 4.1.4), and
  • employment of a predetermined shutdown sequence.

The emergency stop function shall be so designed that a decision to use the emergency stop device does not require the machine operator to consider the resultant effects.

The intention of this function is to bring the machinery to a halt as quickly as possible without damaging the machine. However, if the braking systems fail, e.g. the servo drive fails to decelerate the tooling as it should, then dropping power and potentially damaging the machinery is acceptable.

In many systems, pressing the e-stop button or otherwise activating the emergency stop system will result in a fault or an error being displayed on the machine’s operator display. This can be used as an indication that the control system ‘knows’ that the system has been activated.

ISO 13850 requires that emergency stop systems exhibit the following key behaviours:

  • It must override all other control functions, and no start functions are permitted (intended, unintended or unexpected) until the emergency stop has been reset;
  • Use of the emergency stop cannot impair the operation of any functions of the machine intended for the release of trapped persons;
  • It is not permitted to affect the function of any other safety critical systems or devices.

Tests

Once the emergency stop device has been activated, control power is normally lost. Pressing any START function on the control panel, except POWER ON or RESET, should have no effect. If any aspect of the machine starts, count this as a FAILED test.

If resetting the emergency stop device results in control power being re-applied, count this as a FAILED test.

Pressing POWER ON or RESET before the activated emergency stop device has been reset (i.e. the e-stop button has been pulled out to the ‘operate’ position) should have no effect. If you can turn the power back on before you reset the emergency stop device, count this as a FAILED test.

Once the emergency stop device has been reset, pressing POWER ON or RESET should result in the control power being restored. This is acceptable. The machine should not restart. If the machine restarts normal operation, count this as a FAILED test.

Once control power is back on, you may have a number of faults to clear. When all the faults have been cleared, pressing the START button should result in the machine restarting. This is acceptable behaviour.

If you break the machine while testing the emergency stop system, count this as a FAILED test.

Test all emergency stop devices. A wiring error or other problems may not be apparent until the emergency stop device is tested. Push all buttons, pull all pull cords, activate all emergency stop devices. If any fail to create the emergency stop condition, count this as a FAILED test.
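To make the pass/fail criteria above mechanical, here is an added example (not code from this post or from ISO 13850) that models the expected e-stop control behaviour in Python and walks the test sequence in order. The class and method names are assumptions, and BadResetController stands in for the kind of wiring error the post warns about, where resetting the device also re-applies control power.

```python
# Added example, not from the post or ISO 13850: an assumed minimal model of the e-stop
# control behaviour the tests above expect, plus a faulty wiring variant the test catches.
from dataclasses import dataclass, field

@dataclass
class EStopController:
    estop_active: bool = False    # an e-stop device is latched in the stop position
    control_power: bool = False   # control circuit energised
    running: bool = False         # machine is cycling
    faults: set = field(default_factory=set)   # faults shown on the operator display
    def press_estop(self):
        # Activation overrides everything: drop control power and stop all motion.
        self.estop_active = True
        self.control_power = self.running = False
        self.faults.add("ESTOP_ACTIVATED")
    def reset_estop(self):
        # Pulling the button out clears the latch only; it must NOT re-apply power.
        self.estop_active = False
    def power_on(self):
        # POWER ON / RESET restores control power only once the e-stop is reset.
        if not self.estop_active:
            self.control_power = True
    def start(self):
        # START works only with control power on and no faults outstanding.
        if self.control_power and not self.estop_active and not self.faults:
            self.running = True

class BadResetController(EStopController):
    # Wiring error: the reset contact also energises the control circuit.
    def reset_estop(self):
        self.estop_active = False
        self.control_power = True

def run_functional_test(ctl):
    """Walk the test sequence from the post; return the list of FAILED checks."""
    failed = []
    check = lambda ok, msg: None if ok else failed.append(msg)
    ctl.power_on(); ctl.start()                 # put the machine into cycle
    ctl.press_estop(); ctl.start()
    check(not ctl.running and not ctl.control_power, "START had an effect while e-stop active")
    ctl.power_on()
    check(not ctl.control_power, "control power restored before e-stop reset")
    ctl.reset_estop()
    check(not ctl.control_power, "reset alone re-applied control power")
    ctl.power_on()
    check(ctl.control_power and not ctl.running, "POWER ON after reset: no power, or restarted")
    ctl.faults.clear(); ctl.start()
    check(ctl.running, "machine would not restart after faults cleared")
    return failed
```

Running the sequence against the correct model returns an empty list, while the faulty variant is reported at the reset step, which is exactly the failure the second test in the list above is meant to catch.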

If, having conducted all of these tests, no failures have been detected, consider the system to have passed basic functional testing. Depending on the complexity of the system and the criticality of the emergency stop function, additional testing may be required. It may be necessary to develop some functional tests that are conducted while various EMI signals are present, for example.

If you have any questions regarding testing of emergency stop devices, please email me!


Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.