
Checking Emergency Stop Systems

This entry is part 2 of 14 in the series Emergency Stop

A while back I wrote about the basic design requirements for Emergency Stop systems. I've had several people contact me wanting to know about checking and testing emergency stops, so here are my thoughts on this process.

Figure 1 below, excerpted from the 1996 edition of ISO 13850, Safety of machinery — Emergency stop — Principles for design, shows the emergency stop function graphically. As you can see, the initiating factor in this function is a person becoming aware of the need for an emergency stop. This is NOT an automatic function and is NOT a safety or safeguarding function.


ISO 13850 1996 Figure 1 – Emergency Stop Function


I mention this because many people are confused about this point. Emergency stop systems are considered to be 'complementary protective measures', meaning that their functions complement the safeguarding systems, but cannot be considered to be safeguards in and of themselves. This is significant. Safeguarding systems are required to act automatically to protect an exposed person. Think about how an interlocked gate or a light curtain acts to stop hazardous motion BEFORE the person can reach it. Emergency stop is normally used AFTER the person is already involved with the hazard, and the next step is normally to call 911.

All of that is important from the perspective of control reliability. The control reliability requirements for emergency stop systems are often different from those for the safeguarding systems because they are a backup system. Determination of the reliability requirements is based on the risk assessment and on an analysis of the circumstances where you, as the designer, anticipate that emergency stop may be helpful in reducing or avoiding injury or machinery damage. Frequently, these systems have lower control reliability requirements than do safeguarding systems.

Before you begin any testing, understand what effects the testing will have on the machinery. Emergency stops can be partially tested with the machinery at rest. Depending on the function of the machinery and the difficulty in recovering from an emergency stop condition, you may need to adjust your approach to these tests. Start by reviewing the emergency stop functional description in the manual. Here's an example taken from a real machine manual:

Emergency Stop (E-Stop) Button

Figure 2.1 Emergency Stop (E-Stop) Button

A red emergency stop (E-Stop) button is a safety device which allows the operator to stop the machine in an emergency. At any time during operation, press the E-Stop button to disconnect actuator power and stop all connected machines in the production line. Figure 2.1 shows the emergency stop button.

There is one E-Stop button on the pneumatic panel.

NOTE: After pressing the E-Stop button, the entire production line from spreader-feeder to stacker shuts down. When the E-Stop button is reset, all machines in the production line will need to be restarted.

DANGER: These devices do not disconnect main electrical power from the machine. See "Electrical Disconnect" on page 21.

As you can see, the general function of the button is described, and some warnings are given about what does and doesn't happen when the button is pressed.

Now, if the emergency stop system has been designed properly and the machine is operating normally, pressing the emergency stop button while the machine is in mid-cycle should result in the machinery coming to a fast and graceful stop. Here is what ISO 13850 has to say about this condition:

4.1.3 The emergency stop function shall be so designed that, after actuation of the emergency stop actuator, hazardous movements and operations of the machine are stopped in an appropriate manner, without creating additional hazards and without any further intervention by any person, according to the risk assessment.
An "appropriate manner" can include

  • choice of an optimal deceleration rate,
  • selection of the stop category (see 4.1.4), and
  • employment of a predetermined shutdown sequence.

The emergency stop function shall be so designed that a decision to use the emergency stop device does not require the machine operator to consider the resultant effects.

The intention of this function is to bring the machinery to a halt as quickly as possible without damaging the machine. However, if the braking systems fail, e.g. the servo drive fails to decelerate the tooling as it should, then dropping power and potentially damaging the machinery is acceptable.

In many systems, pressing the e-stop button or otherwise activating the emergency stop system will result in a fault or an error being displayed on the machine's operator display. This can be used as an indication that the control system 'knows' that the system has been activated.

ISO 13850 requires that emergency stop systems exhibit the following key behaviours:

  • It must override all other control functions, and no start functions are permitted (intended, unintended or unexpected) until the emergency stop has been reset;
  • Use of the emergency stop cannot impair the operation of any functions of the machine intended for the release of trapped persons;
  • It is not permitted to affect the function of any other safety critical systems or devices.

Once the emergency stop device has been activated, control power is normally lost. Pressing any START function on the control panel, except POWER ON or RESET, should have no effect. If any aspect of the machine starts, count this as a FAILED test.

If resetting the emergency stop device results in control power being re-applied, count this as a FAILED test.

Pressing POWER ON or RESET before the activated emergency stop device has been reset (i.e. the e-stop button has been pulled out to the 'operate' position) should have no effect. If you can turn the power back on before you reset the emergency stop device, count this as a FAILED test.

Once the emergency stop device has been reset, pressing POWER ON or RESET should result in the control power being restored. This is acceptable. The machine should not restart. If the machine restarts normal operation, count this as a FAILED test.

Once control power is back on, you may have a number of faults to clear. When all the faults have been cleared, pressing the START button should result in the machine restarting. This is acceptable behaviour.

If you break the machine while testing the emergency stop system, count this as a FAILED test.

Test all emergency stop devices. A wiring error or other problems may not be apparent until the emergency stop device is tested. Push all buttons, pull all pull cords, activate all emergency stop devices. If any fail to create the emergency stop condition, count this as a FAILED test.

If, having conducted all of these tests, no failures have been detected, consider the system to have passed basic functional testing. Depending on the complexity of the system and the criticality of the emergency stop function, additional testing may be required. It may be necessary to develop some functional tests that are conducted while various EMI signals are present, for example.
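The pass/fail sequence above can be written down as an executable checklist. The following is an added example, not code from the original post, from ISO 13850 or from any real machine controller: it models a control system with an e-stop circuit as a small state machine (the class and method names, the device names and the "miswired" fault are all constructed for illustration) and runs each of the checks described above against every emergency stop device, reporting any step that would count as a FAILED test. The miswired variant shows the case where resetting the button re-applies control power directly.

```python
from dataclasses import dataclass, field


@dataclass
class MachineController:
    """Minimal model of a machine control system with an emergency stop circuit.

    All names here are constructed for this example; they do not come from
    ISO 13850 or from the manual quoted in the post.
    """
    estop_devices: tuple                          # names of the e-stop actuators
    latched: set = field(default_factory=set)     # devices currently actuated
    control_power: bool = False
    running: bool = False
    faults: list = field(default_factory=list)

    @property
    def estop_active(self) -> bool:
        # Any single actuated device is enough to hold the e-stop condition.
        return bool(self.latched)

    def actuate(self, device: str) -> None:
        """Press the button / pull the cord: drop control power and stop motion."""
        self.latched.add(device)
        self.control_power = False
        self.running = False
        self.faults.append("E-STOP " + device)   # fault shown on the operator display

    def reset_device(self, device: str) -> None:
        """Pull the button back out. Clears the latch; must NOT restore power."""
        self.latched.discard(device)

    def power_on(self) -> None:
        """POWER ON / RESET: effective only once every e-stop device is reset,
        and it never restarts motion."""
        if not self.estop_active:
            self.control_power = True

    def clear_faults(self) -> None:
        self.faults.clear()

    def start(self) -> None:
        """START: needs control power, no e-stop condition and no open faults."""
        if self.control_power and not self.estop_active and not self.faults:
            self.running = True


class MiswiredController(MachineController):
    """Constructed fault: resetting the button re-applies control power directly,
    bypassing the POWER ON step (one of the post's 'FAILED test' cases)."""

    def reset_device(self, device: str) -> None:
        super().reset_device(device)
        self.control_power = True


def functional_test(ctrl: MachineController) -> dict:
    """Run the checks from the post against every e-stop device.

    Returns {check name: passed}. Any False is a FAILED test.
    """
    results = {}
    for dev in ctrl.estop_devices:
        # Precondition: machine running mid-cycle.
        ctrl.clear_faults()
        ctrl.power_on()
        ctrl.start()
        results[f"{dev}: running before actuation"] = ctrl.running

        ctrl.actuate(dev)
        results[f"{dev}: creates e-stop condition"] = (
            not ctrl.running and not ctrl.control_power)

        ctrl.start()                              # START while e-stop is latched
        results[f"{dev}: START has no effect while latched"] = not ctrl.running

        ctrl.power_on()                           # POWER ON before device reset
        results[f"{dev}: POWER ON has no effect before reset"] = not ctrl.control_power

        ctrl.reset_device(dev)                    # pull the button back out
        results[f"{dev}: reset does not re-apply power"] = not ctrl.control_power

        ctrl.power_on()                           # POWER ON after reset
        results[f"{dev}: POWER ON restores control power"] = ctrl.control_power
        results[f"{dev}: machine does not restart on POWER ON"] = not ctrl.running

        ctrl.clear_faults()
        ctrl.start()
        results[f"{dev}: START restarts after faults cleared"] = ctrl.running
    return results


def passed(results: dict) -> bool:
    return all(results.values())


if __name__ == "__main__":
    good = MachineController(estop_devices=("PB1 pneumatic panel", "PULLCORD-1"))
    bad = MiswiredController(estop_devices=("PB1 pneumatic panel",))
    for name, ctrl in (("good", good), ("miswired", bad)):
        res = functional_test(ctrl)
        print(name, "PASSED" if passed(res) else "FAILED")
        for check, ok in res.items():
            if not ok:
                print("  FAILED:", check)
```

Running the script reports the well-behaved model as PASSED and the miswired model as FAILED on the "reset does not re-apply power" check only; every other step, including the restart after faults are cleared, still behaves. That is the point of testing each step separately: a controller can look healthy at the end of the sequence while still violating one of the intermediate requirements.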

If you have any questions regarding testing of emergency stop devices, please email me!

