A while back I wrote about the basic design requirements for Emergency Stop systems. I’ve had several people contact me wanting to know about checking and testing emergency stops, so here are my thoughts on this process.
Figure 1 below, excerpted from the 1996 edition of ISO 13850, Safety of machinery — Emergency stop — Principles for design, shows the emergency stop function graphically. As you can see, the initiating factor in this function is a person becoming aware of the need for an emergency stop. This is NOT an automatic function and is NOT a safety or safeguarding function.
I mention this because many people are confused about this point. Emergency stop systems are considered to be ‘complimentary protective measures’, meaning that their functions complement the safeguarding systems, but cannot be considered to be safeguards in and of themselves. This is significant. Safeguarding systems are required to act automatically to protect an exposed person. Think about how an interlocked gate or a light curtain acts to stop hazardous motion BEFORE the person can reach it. Emergency stop is normally used AFTER the person is already involved with the hazard, and the next step is normally to call 911.
All of that is important from the perspective of control reliability. The control reliability requirements for emergency stop systems are often different from those for the safeguarding systems because they are a backup system. Determination of the reliability requirements is based on the risk assessment and on an analysis of the circumstances where you, as the designer, anticipate that emergency stop may be helpful in reducing or avoiding injury or machinery damage. Frequently, these systems have lower control reliability requirements than do safeguarding systems.
Before you begin any testing, understand what effects the testing will have on the machinery. Emergency stops can be partially tested with the machinery at rest. Depending on the function of the machinery and the difficulty in recovering from an emergency stop condition, you may need to adjust your approach to these tests. Start by reviewing the emergency stop functional description in the manual. Here’s an example taken from a real machine manual:
Emergency Stop (E-Stop) Button
A red emergency stop (E-Stop) button is a safety device which allows the operator to stop the machine in an emergency. At any time during operation, press the E-Stop button to disconnect actuator power and stop all connected machines in the production line. Figure 2.1 shows the emergency stop button.
There is one E-Stop button on the pneumatic panel.
NOTE: After pressing the E-Stop button, the entire production line from spreader-feeder to stacker shuts down. When the E-Stop button is reset, all machines in the production line will need to be restarted.
DANGER: These devices do not disconnect main electrical power from the machine. See “Electrical Disconnect” on page 21.
As you can see, the general function of the button is described, and some warnings are given about what does and doesn’t happen when the button is pressed.
Now, if the emergency stop system has been designed properly and the machine is operating normally, pressing the emergency stop button while the machine is in mid-cycle should result in the machinery coming to a fast and graceful stop. Here is what ISO 13850 has to say about this condition:
4.1.3 The emergency stop function shall be so designed that, after actuation of the emergency stop actuator, hazardous movements and operations of the machine are stopped in an appropriate manner, without creating additional hazards and without any further intervention by any person, according to the risk assessment.
An “appropriate manner” can include
- choice of an optimal deceleration rate,
- selection of the stop category (see 4.1.4), and
- employment of a predetermined shutdown sequence.
The emergency stop function shall be so designed that a decision to use the emergency stop device does not require the machine operator to consider the resultant effects.
The intention of this function is to bring the machinery to a halt as quickly as possible without damaging the machine. However, if the braking systems fail, e.g. the servo drive fails to decelerate the tooling as it should, then dropping power and potentially damaging the machinery is acceptable.
In many systems, pressing the e-stop button or otherwise activating the emergency stop system will result in a fault or an error being displayed on the machine’s operator display. This can be used as an indication that the control system ‘knows’ that the system has been activated.
ISO 13850 requires that emergency stop systems exhibit the following key behaviours:
- It must override all other control functions, and no start functions are permitted (intended, unintended or unexpected) until the emergency stop has been reset;
- Use of the emergency stop cannot impair the operation of any functions of the machine intended for the release of trapped persons;
- It is not permitted to affect the function of any other safety critical systems or devices.
Once the emergency stop device has been activated, control power is normally lost. Pressing any START function on the control panel, except POWER ON or RESET should have no effect. If any aspect of the machine starts, count this as a FAILED test.
If resetting the emergency stop device results in control power being re-applied, count this as a FAILED test.
Pressing POWER ON or RESET before the activated emergency stop device has been reset (i.e. the e-stop button has been pulled out to the ‘operate’ position), should have no effect. If you can turn the power back on before you reset the emergency stop device, count this as a FAILED test.
Once the emergency stop device has been reset, pressing POWER ON or RESET should result in the control power being restored. This is acceptable. The machine should not restart. If the machine restarts normal operation, count this as a FAILED test.
Once control power is back on, you may have a number of faults to clear. When all the faults have been cleared, pressing the START button should result in the machine restarting. This is acceptable behaviour.
If you break the machine while testing the emergency stop system, count this as a FAILED test.
Test all emergency stop devices. A wiring error or other problems may not be apparent until the emergency stop device is tested. Push all buttons, pull all pull cords, activate all emergency stop devices. If any fail to create the emergency stop condition, count this as a FAILED test.
If, having conducted all of these tests, no failures have been detected, consider the system to have passed basic functional testing. Depending on the complexity of the system and the criticality of the emergency stop function, additional testing may be required. It may be necessary to develop some functional tests that are conducted while various EMI signals are present, for example.
If you have any questions regarding testing of emergency stop devices, please email me!