Checking Emergency Stop Systems

A while back I wrote about the basic design requirements for Emergency Stop systems. I’ve had several people contact me wanting to know about checking and testing emergency stops, so here are my thoughts on this process.

Figure 1 below, excerpted from the 1996 edition of ISO 13850, Safety of machinery – Emergency stop – Principles for design, shows the emergency stop function graphically. As you can see, the initiating factor in this function is a person becoming aware of the need for an emergency stop. This is NOT an automatic function and is NOT a safety or safeguarding function.

ISO 13850 1996 Figure 1 – Emergency Stop Function

I mention this because many people are confused about this point. Emergency stop systems are considered to be ‘complementary protective measures’, meaning that their functions complement the safeguarding systems, but cannot be considered to be safeguards in and of themselves. This is significant. Safeguarding systems are required to act automatically to protect an exposed person. Think about how an interlocked gate or a light curtain acts to stop hazardous motion BEFORE the person can reach it. Emergency stop is normally used AFTER the person is already involved with the hazard, and the next step is normally to call 911.

All of that is important from the perspective of control reliability. The control reliability requirements for emergency stop systems are often different from those for the safeguarding systems because they are a backup system. Determination of the reliability requirements is based on the risk assessment and on an analysis of the circumstances where you, as the designer, anticipate that emergency stop may be helpful in reducing or avoiding injury or machinery damage. Frequently, these systems have lower control reliability requirements than do safeguarding systems.

Before you begin any testing, understand what effects the testing will have on the machinery. Emergency stops can be partially tested with the machinery at rest. Depending on the function of the machinery and the difficulty in recovering from an emergency stop condition, you may need to adjust your approach to these tests. Start by reviewing the emergency stop functional description in the manual. Here’s an example taken from a real machine manual:

Figure 2.1 Emergency Stop (E-Stop) Button

Emergency Stop (E-Stop) Button

A red emergency stop (E-Stop) button is a safety device which allows the operator to stop the machine in an emergency. At any time during operation, press the E-Stop button to disconnect actuator power and stop all connected machines in the production line. Figure 2.1 shows the emergency stop button.

There is one E-Stop button on the pneumatic panel.

NOTE: After pressing the E-Stop button, the entire production line from spreader-feeder to stacker shuts down. When the E-Stop button is reset, all machines in the production line will need to be restarted.

DANGER: These devices do not disconnect main electrical power from the machine. See “Electrical Disconnect” on page 21.

As you can see, the general function of the button is described, and some warnings are given about what does and doesn’t happen when the button is pressed.

Now, if the emergency stop system has been designed properly and the machine is operating normally, pressing the emergency stop button while the machine is in mid-cycle should result in the machinery coming to a fast and graceful stop. Here is what ISO 13850 has to say about this condition:

4.1.3 The emergency stop function shall be so designed that, after actuation of the emergency stop actuator, hazardous movements and operations of the machine are stopped in an appropriate manner, without creating additional hazards and without any further intervention by any person, according to the risk assessment.
An “appropriate manner” can include

  • choice of an optimal deceleration rate,
  • selection of the stop category (see 4.1.4), and
  • employment of a predetermined shutdown sequence.

The emergency stop function shall be so designed that a decision to use the emergency stop device does not require the machine operator to consider the resultant effects.

The intention of this function is to bring the machinery to a halt as quickly as possible without damaging the machine. However, if the braking systems fail, e.g. the servo drive fails to decelerate the tooling as it should, then dropping power and potentially damaging the machinery is acceptable.

In many systems, pressing the e-stop button or otherwise activating the emergency stop system will result in a fault or an error being displayed on the machine’s operator display. This can be used as an indication that the control system ‘knows’ that the system has been activated.

ISO 13850 requires that emergency stop systems exhibit the following key behaviours:

  • It must override all other control functions, and no start functions are permitted (intended, unintended or unexpected) until the emergency stop has been reset;
  • Use of the emergency stop cannot impair the operation of any functions of the machine intended for the release of trapped persons;
  • It is not permitted to affect the function of any other safety critical systems or devices.

Tests

Here are a few typical tests you might want to use:

  • Once the emergency stop device has been activated, control power is normally lost. Pressing any START function on the control panel, except POWER ON or RESET, should have no effect. If any aspect of the machine starts, count this as a FAILED test.
  • If resetting the emergency stop device results in control power being re-applied, count this as a FAILED test.
  • Once the emergency stop device has been reset, pressing POWER ON or RESET should result in the control power being restored. This is acceptable. The machine should not restart. If the machine restarts normal operation, count this as a FAILED test.
  • Once control power is back on, you may have a number of faults to clear. When all the faults have been cleared, pressing the START button should result in the machine restarting. This is acceptable behaviour.
  • If you break the machine while testing the emergency stop system, count this as a FAILED test.
  • Test all emergency stop devices. A wiring error or other problems may not be apparent until the emergency stop device is tested. Push all buttons, pull all pull cords, activate all emergency stop devices. If any fail to create the emergency stop condition, count this as a FAILED test.
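As an added example (not code from the article, its author or any machine builder), here is the behaviour those tests check written down as an executable reference model, with the tests run against it. The device names, the fault text and the two built-in defect modes (an unwired device, and a machine that restores control power as soon as the e-stop device is reset) are assumptions made for the example; a real check drives the machine's I/O rather than a model, but the pass/fail logic is the same.

```python
"""Reference model of the e-stop behaviour the tests above check.

Added example, not code from the article or any machine builder. Device
names, fault text and the two defect knobs are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class EStopModel:
    """Machine model. The two defect knobs model faults testing should catch:
    a wiring error that leaves a device ineffective, and a machine that
    re-applies control power when the device is reset instead of waiting for
    POWER ON / RESET."""
    devices: tuple                              # all e-stop devices on the machine
    dead_devices: frozenset = frozenset()       # constructed wiring-error defect
    restart_on_reset: bool = False              # constructed reset-restores-power defect
    control_power: bool = True
    running: bool = False
    faults: int = 0
    latched: set = field(default_factory=set)   # devices currently actuated
    fault_display: list = field(default_factory=list)

    def actuate(self, device):
        """Operator presses / pulls an e-stop device."""
        if device in self.dead_devices:
            return                              # wiring error: circuit never opens
        self.latched.add(device)
        self.control_power = False              # e-stop overrides everything
        self.running = False
        self.faults += 1
        self.fault_display.append(f"E-STOP ACTIVE: {device}")

    def reset_device(self, device):
        """Twist / pull the device back out. Must NOT restore control power."""
        self.latched.discard(device)
        if self.restart_on_reset and not self.latched:
            self.control_power = True           # the defect the second test catches

    def power_on(self):
        """POWER ON / RESET button: effective only once every device is reset."""
        if not self.latched:
            self.control_power = True

    def clear_faults(self):
        if self.control_power:
            self.faults = 0

    def start(self):
        """START: effective only with control power on and no faults pending."""
        if self.control_power and self.faults == 0:
            self.running = True


def run_estop_tests(m):
    """Run the article's tests for every device; returns {check: passed}."""
    results = {}
    m.start()                                   # baseline: machine running
    for dev in m.devices:
        m.actuate(dev)
        stopped = (not m.running) and (not m.control_power)
        results[f"{dev}: actuation stops machine"] = stopped
        if not stopped:
            continue                            # remaining checks are meaningless
        results[f"{dev}: fault indicated on display"] = m.fault_display[-1].endswith(dev)
        m.start()
        results[f"{dev}: START ignored while latched"] = not m.running
        m.reset_device(dev)
        results[f"{dev}: reset of device does not re-apply control power"] = not m.control_power
        m.power_on()
        results[f"{dev}: POWER ON restores control power"] = m.control_power
        results[f"{dev}: no restart after POWER ON"] = not m.running
        m.clear_faults()
        m.start()
        results[f"{dev}: START restarts after faults cleared"] = m.running
    return results


def passed(results):
    return all(results.values())


if __name__ == "__main__":
    for m in (EStopModel(devices=("PB1", "PB2", "PULLCORD1")),
              EStopModel(devices=("PB1", "PB2"), dead_devices=frozenset({"PB2"})),
              EStopModel(devices=("PB1",), restart_on_reset=True)):
        for check, ok in run_estop_tests(m).items():
            print("PASS" if ok else "FAIL", check)
        print()
```

Run stand-alone it prints PASS/FAIL per check for a correct machine, for one with an unwired pushbutton, and for one that restores control power on reset; the last two show the failures the second and last tests in the list are meant to catch. Note that a device that fails to stop the machine is reported once and the rest of its checks are skipped, since they would only report the same defect again.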

If, having conducted all of these tests, no failures have been detected, consider the system to have passed basic functional testing. Depending on the complexity of the system and the criticality of the emergency stop function, additional testing may be required. It may be necessary to develop some functional tests that are conducted while various EMI signals are present, for example.

If you have any questions regarding testing of emergency stop devices, please email me!


© 2010 – 2019, Compliance inSight Consulting Inc. Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

8 thoughts on “Checking Emergency Stop Systems”

  1. Hi,

    I do have plenty of machines running in the production line but I think none of the machines have been put through a test of the emergency push button as part of the Preventive Maintenance checking routine.

    Do you think emergency stop button function should be tested annually? or half-yearly?

    If that is so, what is your opinion that the E-Stop testing might cause equipment failure due to sudden power off?

    Thanks!

    1. Hi Ahmad,

      As I’ve said to others who have asked this question, the only correct way to answer this question is in consultation with the machine manufacturer. If they did their functional safety analysis correctly, they will have included some number of test operations in the “n_op” number used to determine the MTTFd of the components in the active channels. They will also have a very clear idea of the failure modes that can be expected from the SRP/CS, and what dangerous faults are detectable by the automatic diagnostics (λdd, lambda dd) and which are not, making them “dangerous undetectable, λdu (lambda du)” faults. If you decide to start testing without this information, you run the risk of prematurely wearing out the safety components, which may result in an early failure of these components, i.e., before the 20-year mission time has elapsed.

      So, start with a call to the machine builder to have a heart-to-heart conversation regarding the functional safety of the machine, and your desire to do additional manual testing of the SRP/CS.

  2. Hi, I couldn’t find a standard time to check the efficacy of the e-stop buttons. Is there any good practice for this? I don’t know if 3 months or 6 months is too much or too little time to do this maintenance.

    1. Hi Victor,

      You didn’t find a time like this because there isn’t one. You can actually wear the emergency stop equipment out prematurely by testing it too frequently. Read the manufacturer’s documentation on Preventive Maintenance. If testing the emergency stop system is not included in that PM table, I don’t recommend it. If you are very concerned, then you need to do an ISO 13849-1 analysis of the emergency stop system, using the typical “normal” usage frequency PLUS the testing frequency as an input for calculating n_op and t_op factors for the components. You may find your plan is ok, or you may need to replace some of the components earlier than 20 years lifetime. If t_op is < 20 years, then you will have to replace the components whether or not they have failed by the time they get to t_op years.

  3. I have read through lots of documentation, and recently many of your articles on machinerysafety101.com, but I still cannot derive a definitive answer to my issue. I would greatly appreciate any light you could shed on my scenario.

    For example: A machine is using a safety gate circuit to remove all voltage (through a safety relay with redundant & monitored force-guided contacts) to motors located inside the guarding once the gate is opened. The same machine is using an E-Stop safety circuit to remove all control voltage from the PLC and its outputs, but does not disconnect voltage to motors. Based on risk assessments it seems like our operators are completely protected by the safety gate circuit. But, does the inclusion of E-Stop buttons mandate that they have to also protect everything that the safety gate circuit protects?

    Your article mentions,
    “Emergency stop systems are considered to be ‘complementary protective measures’,” and
    “It is not permitted to affect the function of any other safety critical systems or devices.” This makes me think that the E-Stop safety circuit can be mutually exclusive. Would this be a correct conclusion?

    1. Myles, this is a really good question. Here is the answer:

      1) Emergency Stop functions, if needed based on the risk assessment, are required to have final control over power to the prime movers. The e-stop function must be able to override ALL OTHER functions.

      If the motor starter (contactor and overload combination) coils are driven directly from a PLC output, and the e-stop switched off power to the PLC card, then this is OK. Power disconnection is achieved through the motor starter contactor(s). The contactors must be monitored by the safety system.

      If the motors are powered by a VFD or other motor drive, this gets to be more complicated. See my recent article on STO.

      2) Safeguarding functions and e-stop functions should normally be completely separate, even if they act upon the same hazards. One major reason for this division is that the functional safety requirements for the safeguarding systems are often much greater than what is required of the e-stop. i.e., the safeguarding requires PLd while the e-stop requires PLc.

      The frequency of use for the safeguarding functions (called the “demand frequency”) is almost always significantly higher than the e-stop, which if the machine risk assessment was done well, should almost never be used.

      3) It is possible to zone the e-stop functions, so that they can control one small area, like a single cell in a multi-cell line, but there also needs to be a “Master E-Stop” that can stop the whole line. See ISO 13850:2015 for more on that topic.

      The key thing to remember here is the word “emergency.” It comes from the root word “emergent.” The only time it should be used is to deal with an emergent situation that was not foreseen by the machine builder. It’s a BACK UP to the primary safeguarding, not the other way around.

      I hope that helps!
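The two replies above lean on the same ISO 13849-1 Annex C arithmetic: the reply on testing frequency says manual tests must be counted in n_op when working out MTTFd and T10d, and the reply on demand frequency says a safeguard sees far more demands than an e-stop. As an added example (not code from the article or its commenters), here is that arithmetic worked for both cases. The formulas are the Annex C ones; the B10d values, duty figures and demand counts are constructed for the example, and a real analysis takes B10d from the component datasheet.

```python
"""ISO 13849-1 Annex C wear arithmetic for a component in a safety channel.

Added example, not code from the article or its commenters. Formulas:

    n_op  = d_op * h_op * 3600 / t_cycle      operations per year
    MTTFd = B10d / (0.1 * n_op)               years
    T10d  = B10d / n_op                       years; replace at T10d if < T_M

B10d values, duty figures and demand counts below are constructed.
"""

MISSION_TIME_YEARS = 20.0   # T_M in ISO 13849-1


def n_op_from_duty(d_op, h_op, t_cycle_s):
    """Operations per year from days/year, hours/day and seconds per cycle."""
    return d_op * h_op * 3600.0 / t_cycle_s


def wear_analysis(b10d, n_op, mission_time=MISSION_TIME_YEARS):
    """MTTFd, T10d and the replacement rule for one component in a channel.

    MTTFd is returned uncapped; ISO 13849-1 caps the per-channel value used
    for PL determination, so apply that cap at the channel level, not here.
    """
    if n_op <= 0:
        raise ValueError("n_op must be positive")
    t10d = b10d / n_op
    return {
        "n_op": n_op,
        "MTTFd_years": b10d / (0.1 * n_op),
        "T10d_years": t10d,
        "replace_before_mission_end": t10d < mission_time,
        "replacement_interval_years": min(t10d, mission_time),
    }


def estop_wear(b10d, emergencies_per_year, tests_per_year):
    """E-stop channel: every manual test is a demand, so it counts in n_op."""
    return wear_analysis(b10d, emergencies_per_year + tests_per_year)


if __name__ == "__main__":
    # Constructed figures: an e-stop button with B10d = 100 000 cycles, used
    # twice a year in a real emergency and tested monthly ...
    estop = estop_wear(100_000, emergencies_per_year=2, tests_per_year=12)
    # ... versus an interlocked gate switch (B10d = 2 000 000) opened every
    # 30 s machine cycle, 16 h/day, 250 days/year.
    gate = wear_analysis(2_000_000, n_op_from_duty(250, 16, 30))
    for name, r in (("e-stop button", estop), ("gate interlock", gate)):
        print(f"{name}: n_op={r['n_op']:.0f}/yr  MTTFd={r['MTTFd_years']:.1f} y  "
              f"T10d={r['T10d_years']:.1f} y  "
              f"replace before T_M: {r['replace_before_mission_end']}")
```

With these constructed figures the button's T10d is thousands of years even with monthly tests, while the gate interlock has to be replaced roughly every four years although it never "fails"; that gap is the demand-frequency difference the reply describes. The same function applies to every component in the e-stop channel (contactors, safety relay outputs), each with its own B10d, and it is the components switched under load, not the button itself, that are usually closest to their T10d.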

  4. I love these conversations. Although, it bugs me looking at how many projects I have worked on where no testing was conducted before shipping the machine.

    1. I can relate – many clients have no understanding of the fundamental part that system V&V plays. I think part of the problem is that Project Managers may not know that this critical step is needed, so it doesn’t get into the schedule. The other side of this is that V&V takes time; time to plan, time to complete, and that equates to additional costs that may not have been planned for. Anyway, when we know more we do better, and we can help those that control the work better understand what is needed to do the job properly. 🙂
