Checking Emergency Stop Systems

A while back I wrote about the basic design require­ments for Emer­gency Stop sys­tems. I’ve had sev­er­al people con­tact me want­ing to know about check­ing and test­ing emer­gency stops, so here are my thoughts on this process.

Fig­ure 1 below, excerp­ted from the 1996 edi­tion of ISO 13850, Safety of machinery — Emer­gency stop — Prin­ciples for design, shows the emer­gency stop func­tion graph­ic­ally. As you can see, the ini­ti­at­ing factor in this func­tion is a per­son becom­ing aware of the need for an emer­gency stop. This is NOT an auto­mat­ic func­tion and is NOT a safety or safe­guard­ing function.

Down­load ISO Standards 

Down­load ISO Standards 

I men­tion this because many people are con­fused about this point. Emer­gency stop sys­tems are con­sidered to be ‘com­pli­ment­ary pro­tect­ive meas­ures’, mean­ing that their func­tions com­ple­ment the safe­guard­ing sys­tems, but can­not be con­sidered to be safe­guards in and of them­selves. This is sig­ni­fic­ant. Safe­guard­ing sys­tems are required to act auto­mat­ic­ally to pro­tect an exposed per­son. Think about how an inter­locked gate or a light cur­tain acts to stop haz­ard­ous motion BEFORE the per­son can reach it. Emer­gency stop is nor­mally used AFTER the per­son is already involved with the haz­ard, and the next step is nor­mally to call 911.

All of that is import­ant from the per­spect­ive of con­trol reli­ab­il­ity. The con­trol reli­ab­il­ity require­ments for emer­gency stop sys­tems are often dif­fer­ent from those for the safe­guard­ing sys­tems because they are a backup sys­tem. Determ­in­a­tion of the reli­ab­il­ity require­ments is based on the risk assess­ment and on an ana­lys­is of the cir­cum­stances where you, as the design­er, anti­cip­ate that emer­gency stop may be help­ful in redu­cing or avoid­ing injury or machinery dam­age. Fre­quently, these sys­tems have lower con­trol reli­ab­il­ity require­ments than do safe­guard­ing systems.

Before you begin any test­ing, under­stand what effects the test­ing will have on the machinery. Emer­gency stops can be par­tially tested with the machinery at rest. Depend­ing on the func­tion of the machinery and the dif­fi­culty in recov­er­ing from an emer­gency stop con­di­tion, you may need to adjust your approach to these tests. Start by review­ing the emer­gency stop func­tion­al descrip­tion in the manu­al. Here’s an example taken from a real machine manual:

As you can see, the gen­er­al func­tion of the but­ton is described, and some warn­ings are giv­en about what does and does­n’t hap­pen when the but­ton is pressed.

Now, if the emer­gency stop sys­tem has been designed prop­erly and the machine is oper­at­ing nor­mally, press­ing the emer­gency stop but­ton while the machine is in mid-cycle should res­ult in the machinery com­ing to a fast and grace­ful stop. Here is what ISO 13850 has to say about this condition:

The inten­tion of this func­tion is to bring the machinery to a halt as quickly as pos­sible without dam­aging the machine. How­ever, if the brak­ing sys­tems fail, e.g. the servo drive fails to decel­er­ate the tool­ing as it should, then drop­ping power and poten­tially dam­aging the machinery is acceptable.

In many sys­tems, press­ing the e‑stop but­ton or oth­er­wise activ­at­ing the emer­gency stop sys­tem will res­ult in a fault or an error being dis­played on the machine’s oper­at­or dis­play. This can be used as an indic­a­tion that the con­trol sys­tem ‘knows’ that the sys­tem has been activated.

ISO 13850 requires that emer­gency stop sys­tems exhib­it the fol­low­ing key behaviours:

• It must over­ride all oth­er con­trol func­tions, and no start func­tions are per­mit­ted (inten­ded, unin­ten­ded or unex­pec­ted) until the emer­gency stop has been reset;
• Use of the emer­gency stop can­not impair the oper­a­tion of any func­tions of the machine inten­ded for the release of trapped persons;
• It is not per­mit­ted to affect the func­tion of any oth­er safety crit­ic­al sys­tems or devices.

Tests

Here are a few typ­ic­al tests yo might want to use:

• Once the emer­gency stop device has been activ­ated, con­trol power is nor­mally lost. Press­ing any START func­tion on the con­trol pan­el, except POWER ON or RESET should have no effect. If any aspect of the machine starts, count this as a FAILED test.
• If reset­ting the emer­gency stop device res­ults in con­trol power being re-applied, count this as a FAILED test.
• Once the emer­gency stop device has been reset, press­ing POWER ON or RESET should res­ult in the con­trol power being restored. This is accept­able. The machine should not restart. If the machine restarts nor­mal oper­a­tion, count this as a FAILED test.
• Once con­trol power is back on, you may have a num­ber of faults to clear. When all the faults have been cleared, press­ing the START but­ton should res­ult in the machine restart­ing. This is accept­able behaviour.
• If you break the machine while test­ing the emer­gency stop sys­tem, count this as a FAILED test.
• Test all emer­gency stop devices. A wir­ing error or oth­er prob­lems may not be appar­ent until the emer­gency stop device is tested. Push all but­tons, pull all pull cords, activ­ate all emer­gency stop devices. If any fail to cre­ate the emer­gency stop con­di­tion, count this as a FAILED test.

If, hav­ing con­duc­ted all of these tests, no fail­ures have been detec­ted, con­sider the sys­tem to have passed basic func­tion­al test­ing. Depend­ing on the com­plex­ity of the sys­tem and the crit­ic­al­ity of the emer­gency stop func­tion, addi­tion­al test­ing may be required. It may be neces­sary to devel­op some func­tion­al tests that are con­duc­ted while vari­ous EMI sig­nals are present, for example.

If you have any ques­tions regard­ing test­ing of emer­gency stop devices, please email me!

Down­load ISO Standards 

Series Nav­ig­a­tion

Emer­gency Stop – What’s so con­fus­ing about that?Guard­ing Emer­gency Stop Devices