Busting Emergency Stop Myths

Myth busting

There are a number of myths about the emergency stop function that have grown up over the years. These myths can lead to injury or death, so it’s time for a little Myth Busting here on the MS101 blog!

What does ’emergency’ mean?

Consider for a moment the roots of the word “emergency.” This word comes from the word “emergent,” meaning a situation that is developing or emerging at the moment. Emergency stop systems are intended to help the user deal with potentially hazardous conditions that are emerging at the moment. These conditions have probably arisen because the designers of the machinery failed to consider all the foreseeable uses of the equipment or the reasonably predictable failure modes, or because someone has chosen to misuse the equipment in a way that was not intended by the designers. The key function of an Emergency Stop system is to provide the user with a backup to the primary safeguards. These systems are referred to as “Complementary Protective Measures” and are intended to give the user a chance to “avert or limit harm” in a hazardous situation. With that in mind, let’s look at three myths I hear about regularly.

By the time someone decides to press the emergency stop, something has already gone wrong. Either the machine is in the process of breaking itself somehow, someone is doing something with the primary safeguards bypassed that they shouldn’t be doing, or someone has been hurt. In none of these examples does the emergency stop prevent injuries; it only offers the hope of reducing the damage done. Safeguards are designed to reliably prevent injuries in the first place, and therefore the emergency stop function cannot qualify as a safeguard.

The Origin of the Emergency Stop

Fitz waterwheel with segment gear and belt drive powering a line shaft. No emergency stop function.
A Fitz Water Wheel and Belt Drive

To better understand some of the myths, it’s helpful to know how we ended up with the “emergency stop.”

Early in the Industrial Revolution machine builders realized that users of their machinery needed a way to quickly stop a machine when something went wrong. At that time, power was supplied to machinery using overhead line shafts driven by large central power sources like waterwheels, steam engines or large electric motors. Small, high-efficiency power sources had yet to be developed, and the use of electricity for powering equipment was not yet developed enough to be practical. Machinery was coupled to the central shafts with pulleys, clutches and belts that transmitted the power to the machinery.

Belt shifting device sketch from WorkSafeAB. No emergency stop function.

To start a machine, the drive belt was shifted from an “idler” pulley to the driving pulley, and to stop it the reverse shift was done. A mechanism like the one on the left was used.

Power transmission typically started in the basement of the factory, as shown in the diagram of the North Mill below. You can see the large waterwheel in the lower two elevations and the driveshafts that ran vertically up the centre of the factory, with horizontal shafts on each floor. Note that there was no emergency stop, since the system would have to brake the entire factory to a stop as there was only one prime mover in the plant: the water wheel in the basement. The belt shifter for each individual machine would have served this purpose.

Jedediah Strutt, North Mill at Belper in 1819, showing vertical shaft leading from the 18 feet (5.5 m) waterwheel to horizontal drive shafts running the length of each floor. Image: Wikimedia Commons

Here’s an example of how a line shaft system looks when it’s running:

Video: revieck on YouTube

See pictures of a line-shaft-powered machine shop or click the image below.

Line Shaft in the Mt. Wilson Observatory Machine Shop. No emergency stop. Image: Larry Evans & www.oldengine.org.

These central engines could power an entire factory like the Belper Mill, so they were much larger than an individual motor sized for a modern machine or a smaller workshop like that shown in the video. In addition, they could not be easily stopped since stopping the central power source would mean stopping the entire factory — not a welcome choice. Emergency stop devices were born in this environment.

Learn more about Line Shafts at Harry’s Old Engines.

See photos and video of a working line shaft machine shop at Sanderson Iron (Wayback Machine link). 

You might also want to connect with Sanderson Iron on their Facebook page, where they have a few videos and pictures showing some of the vintage machinery in operation.

Myth #1 — The Emergency Stop Is A Safety Device

Due to their early use as safety devices, some have incorrectly considered emergency stop systems safeguarding devices. Modern standards make the difference very clear. The easiest way to understand the current meaning of the term “EMERGENCY STOP” is to begin by looking at the international standards published in ISO 13850 [1].

emergency stop
emergency stop function
function that is intended to
—   avert arising, or reduce existing, hazards to persons, damage to machinery or to work in progress,
—   be initiated by a single human action

NOTE 1 Hazards, for the purposes of this International Standard, are those which can arise from
—   functional irregularities (e.g. machinery malfunction, unacceptable properties of the material processed, human error),
—   normal operation.

[1]

It is important to understand that a single human action initiates an emergency stop. This means that it is not automatic and therefore cannot be considered a safeguarding measure for operators or bystanders. The emergency stop may provide the ability to avoid or reduce harm by providing a means to stop the equipment once something has already gone wrong. Your next actions will usually be to call 911 (or 112, etc.) and administer first aid.

Safeguarding systems act automatically to prevent a person from becoming involved with the hazard in the first place. This is a reduction in the probability of a hazardous situation arising and may also involve a reduction in the severity of injury by controlling the hazard (i.e., slowing or stopping rotating machinery before it can be reached.) This constitutes a risk control measure and can be shown to reduce the risk of injury to an exposed person.

The emergency stop function is reactive; safeguarding systems are proactive.

Canadian requirements

In Canada, following the approach taken in ISO 12100, CSA defines the emergency stop function as a ‘Complementary Protective Measure’ in CSA Z432-16 [10]:

6.3.1 General

Guards and protective devices shall be used to protect persons whenever an inherently safe design measure does not reasonably make it possible either to remove hazards or to sufficiently reduce risks. Complementary protective measures involving additional equipment (for example, emergency stop equipment) may have to be implemented.

NOTE The different kinds of guards and protective devices are defined in 3.27 and 3.28.

Certain safeguards may be used to avoid exposure to more than one hazard.

EXAMPLE A fixed guard preventing access to a zone where a mechanical hazard is present used to reduce noise levels and collect toxic emissions.

6.3.5 Complementary protective measures

6.3.5.1 General

Protective measures which are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use, could have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures include, but are not limited to, those dealt with in 6.3.5.2 to 6.3.5.6.

6.3.5.2 Components and elements to achieve emergency stop function

If, following a risk assessment, a machine needs to be fitted with components and elements to achieve an emergency stop function for enabling actual or impending emergency situations to be averted, the following requirements apply:

— the actuators shall be clearly identifiable, clearly visible and readily accessible;

— the hazardous process shall be stopped as quickly as possible without creating additional hazards, but if this is not possible or the risk cannot be reduced, it should be questioned whether implementation of an emergency stop function is the best solution;

— the emergency stop control shall trigger or permit the triggering of certain safeguard movements where necessary.

NOTE For more detailed provisions, see ISO 13850.

Once active operation of the emergency stop device has ceased following an emergency stop command, the effect of this command shall be sustained until it is reset. This reset shall be possible only at the location where the emergency stop command has been initiated. The reset of the device shall not restart the machinery, but shall only permit restarting.

More details for the design and selection of electrical components and elements to achieve the emergency stop function are provided in IEC 60204 (MS101 ed note: See CSA C22.2 No. 301).

See clause 7.15.

CSA Z432-16

[10, 7.15] expands on the requirements described in 6.3.5.2, so if you are designing an emergency stop function, be sure to refer to these clauses as well.

US requirements

In the USA, three standards apply, ANSI B11, ANSI B11.19-2003, and NFPA 79:

ANSI B11-2008

3.80 stop: Immediate or controlled cessation of machine motion or other hazardous situations. There are many terms used to describe the different kinds of stops, including user- or supplier-specific terms, the operation and function of which is determined by the individual design. Definitions of some of the more commonly used “stop” terminology include:

3.80.2 emergency stop: The stopping of a machine tool, manually initiated, for emergency purposes;

7.6 Emergency stop

Electrical, pneumatic and hydraulic emergency stops shall conform to requirements in the ANSI B11 machine-specific standard or NFPA 79.
Informative Note 1: An emergency stop is not a safeguarding device. See also, B11.19.
Informative Note 2: For additional information, see ISO 13850 and IEC 60204-1.

ANSI B11.19-2003

12.9 Stop and emergency stop devices

Stop and emergency stop devices are not safeguarding devices. They are complementary to the guards, safeguarding device, awareness barriers, signals and signs, safeguarding methods and safeguarding procedures in clauses 7 through 11.

Stop and emergency stop devices shall meet the requirements of ANSI / NFPA 79.

E12.9

Emergency stop devices include but are not limited to, buttons, rope-pulls, and cable-pulls.

A safeguarding device detects or prevents inadvertent access to a hazard, typically without overt action by the individual or others. Since an individual must actuate an emergency stop device to issue the stop command, usually in reaction to an event or hazardous situation, it neither detects nor prevents exposure to the hazard.

If an emergency stop device is to be interfaced into the control system, it should not reduce the level of performance of the safety function (see section 6.1 and Annex C).

NFPA 79 deals with the electrical aspects of the emergency stop function, which is not directly relevant to this article, so I haven’t quoted directly from that document.

As you can see, the essential definitions of these devices in the US and Canada match very closely, although the US does not specifically use the term ‘complementary protective measures.’

Myth #2 — Cycle Stop And Emergency Stop Are Equivalent

Emergency stop systems act primarily by removing power from the prime movers in a machine, ensuring that power is removed and the equipment brought to a standstill as quickly as possible, regardless of the portion of the operating cycle the machine is in. After an emergency stop, the machine is inoperable until the emergency stop system is reset. In some cases, emergency stopping the machine may damage the equipment due to the forces involved in halting the process quickly.

Cycle stop is a control system command function that brings the machine cycle to a graceful stop at the end of the current cycle. The machine is still fully operable and may still be in automatic mode after this stop.

Again, referring to ANSI B11-2008:

3.80.1 controlled stop: The stopping of machine motion while retaining power to the machine actuators during the stopping process. Also referred to as Category 1 or 2 stop (see also NFPA 79: 2007, 9.2.2);

3.80.2 emergency stop: The stopping of a machine tool, manually initiated, for emergency purposes;

Myth #3 — Emergency Stop Systems Can Be Used For Energy Isolation

Disconnect Switch with Lock and Tag. Note RED-and-YELLOW handle colour means this disconnecting device can be used for emergency-switching-off, that is functionally equivalent to emergency stop.
Lockout-Tag out

Fifteen to twenty years ago, it was not uncommon to see emergency stop buttons fitted with locking devices. The locking device prevented a person from resetting the emergency stop device. This was done as part of a “lockout procedure.” A lockout procedure is one aspect of a hazardous energy control procedure (HECP). HECPs recognize that live work needs to be done from time to time; normal safeguards may be bypassed or disconnected temporarily to allow diagnostics and testing to be carried out. This process is detailed in two current standards, CSA Z460 [2] and ANSI Z244.1 [4]. Note that these locking devices are still available for sale and can be used as part of a HECP to prevent anyone from resetting the emergency stop system or other controls until the machine is ready for testing. They cannot be used to isolate an energy source.

No current standard allows for the use of control devices such as push buttons or selector switches to be used as energy isolation devices.

CSA Z460-05 [2] specifically prohibits this use in its definition of ‘energy-isolating device’:

Energy-isolating device — a mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors; a line valve; a block; and other devices used to block or isolate energy (push-button selector switches and other control-type devices are not energy-isolating devices).

Similar requirements are found in ANSI Z244.1 [4] and ISO 13850 [1].

Myth #4 — All Machines are Required to have an Emergency Stop

Some machine designers believe that all machines must have an emergency stop. In the Province of Ontario, Canada, no legislation requires machinery to have an emergency stop; the regulation only requires that an emergency stop control on a power-driven machine be conspicuously identified and located within easy reach of the operator [8, § 27].

27. An emergency stop control on a power-driven machine shall,
(a) be conspicuously identified; and
(b) be located within easy reach of the operator.  

R.R.O. 1990, Reg. 851, s. 27.

By contrast, in the Province of Québec, Canada, the machine guarding regulations require that all machines have an emergency stop [9, § 192].

192. Emergency stop: Subject to section 270, any machine whose operation requires the presence of at least one worker shall be equipped with an emergency stopping device or switch. This device or switch stops the machine, considering the machine’s design, in the shortest possible time. In addition, it has the following characteristics:

1) it is easily visible and within reach of the worker;

2) a single action activates it;

3) it is clearly identified.

The resetting of the emergency stopping device after it is used shall not by itself cause the machine to start up.

O.C. 885-2001, s. 192.

Depending on the regulations in your jurisdiction, machines may or may not be required to have an emergency stop system. Having said that, the basic level standards (sometimes called type A and B) do not require that machines have emergency stop systems. This includes Canada’s CSA Z432-16 [10] and the USA’s ANSI B11.0 [11].    

[10] provides this revised guidance. Underlining added for emphasis:

7.15.1.2
Each operator control station, including pendants, capable of initiating machine motion and/or automatic motion shall have an emergency stop function (see Clause 6.3.5.2), unless a risk assessment determines that the emergency stop function will not contribute to risk control.

Note: There could be situations where an e-stop does not contribute to risk control and alternatives could be considered in conjunction with a risk assessment. See Clause 5.

CSA Z432-16

Product-specific standards (type C standards) normally include requirements for an emergency stop. Emergency stop systems may be useful to the designer where they can provide a backup to other safeguarding systems.

Start-Stop Analysis

To understand where to use an emergency stop, a start-stop analysis must be carried out as part of the design process. The concept was mentioned in [3], although not detailed in any significant way. A start-stop analysis will help the designer develop a clear understanding of the normal starting and stopping conditions for the machine. The analysis also needs to include failure modes for all stop functions.

Once the failure modes are understood, the need for an emergency stop function can be determined. If removing power will cause the hazard to cease in a short time, or if the hazard can be quickly contained in some way, then an emergency stop function is a valid choice. If the hazard will remain for a considerable time following removal of power, i.e., high temperature with significant thermal mass, then an emergency stop is unlikely to have much effect and is probably useless for avoiding or limiting harm.

For example, consider an oven. If the burner stop control failed, and assuming that the only hazard we are concerned with is the hot surfaces inside the oven, then using an emergency stop to turn the burners off only results in the start of the natural cooling cycle of the oven. This could take hours or days, so the emergency stop has no value. It might be useful for controlling other hazards related to the same failure, such as fire or spinning circulating fans. Without a full analysis of the failure modes of the control system, a sound decision cannot be made.

Emergency Switching Off

Simple machines like drill presses and table saws are seldom fitted with emergency stop systems. These machines, which can be very dangerous, could benefit from having an emergency stop. They are sometimes fitted with a disconnecting device with a red and yellow handle that can be used for “emergency switching off.” This differs from an emergency stop function because the machine, and the hazard, will typically re-start immediately when the emergency switching off device is turned back on. This is not permitted with an emergency stop, where resetting the emergency stop device only permits restarting the machine through other controls. Reset of the emergency stop device is not permitted to reapply power to the machine on its own.

These requirements are detailed in ISO 13850 [1], CSA Z432 [11] and other standards.
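The difference between cycle stop, emergency stop and emergency switching off described above can be shown with a small behavioural model. This is an added example, not code from the article or from any standard; the class and method names are illustrative assumptions, the switching-off machine is assumed to have a maintained run switch, and the model covers control logic only.

```python
from enum import Enum


class Mode(Enum):
    IDLE = "idle"            # powered and operable, no motion
    RUNNING = "running"
    FINISHING = "finishing"  # cycle stop requested, completing the cycle
    ESTOPPED = "estopped"    # power removed from the prime movers


class EStopMachine:
    """Cycle stop plus latching emergency stop devices (names are illustrative)."""

    def __init__(self, device_ids):
        self.mode = Mode.IDLE
        self.devices = set(device_ids)
        self.actuated = set()  # devices pressed and not yet reset

    @property
    def hazard_live(self):
        return self.mode in (Mode.RUNNING, Mode.FINISHING)

    def start(self):
        # A start command is ignored while an emergency stop is in effect.
        if self.mode is Mode.IDLE:
            self.mode = Mode.RUNNING
        return self.mode

    def cycle_stop(self):
        # Graceful stop: the machine keeps power and finishes the current cycle.
        if self.mode is Mode.RUNNING:
            self.mode = Mode.FINISHING
        return self.mode

    def end_of_cycle(self):
        if self.mode is Mode.FINISHING:
            self.mode = Mode.IDLE  # still fully operable
        return self.mode

    def emergency_stop(self, device_id):
        # Single human action, effective at any point in the cycle.
        if device_id not in self.devices:
            raise ValueError(f"unknown e-stop device: {device_id}")
        self.actuated.add(device_id)
        self.mode = Mode.ESTOPPED
        return self.mode

    def reset(self, device_id):
        # Reset is done at the actuated device. The command is sustained until
        # every actuated device is reset, and reset only permits a restart.
        self.actuated.discard(device_id)
        if self.mode is Mode.ESTOPPED and not self.actuated:
            self.mode = Mode.IDLE
        return self.mode


class SwitchingOffMachine:
    """Simple machine with a maintained run switch (assumption) and a
    red-and-yellow disconnect used for emergency switching off."""

    def __init__(self):
        self.run_switch_on = False
        self.disconnect_closed = True

    @property
    def hazard_live(self):
        # No latch in the control logic: supply plus run switch means motion.
        return self.disconnect_closed and self.run_switch_on


def hazard_after_restore():
    """Is the hazard live immediately after each device is restored?"""
    a = EStopMachine({"panel", "pendant"})
    a.start()
    a.emergency_stop("pendant")
    a.reset("pendant")

    b = SwitchingOffMachine()
    b.run_switch_on = True
    b.disconnect_closed = False  # emergency switching off
    b.disconnect_closed = True   # device turned back on
    return {"emergency_stop": a.hazard_live, "switching_off": b.hazard_live}


if __name__ == "__main__":
    print(hazard_after_restore())
```

After an emergency stop is reset the model stays idle until a separate start command is given, while the switching-off machine is live again as soon as its disconnect is closed.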

Design Considerations

Emergency Stop is a control that is often designed with little thought and used for a variety of purposes it was never intended to serve. The myths discussed in this article are the tip of the iceberg.

Consider these questions when thinking about the design and use of emergency stop systems:

  1. Have all the intended uses and foreseeable misuses of the equipment been considered?
  2. What do I expect the emergency stop system to do for the user of the machine? (The answer to this should be in the risk assessment.)
  3. How much risk reduction am I expecting to achieve with the emergency stop?
  4. How reliable does the emergency stop system need to be? (At least PLc)
  5. Am I expecting the emergency stop to be used for other purposes, like “Power Off,” energy isolation, or regular stopping of the machine? (The answer to this should be “NO.”)

Taking the time to assess the design requirements before designing the system can help ensure that the machine controls are designed to provide the functionality that the user needs and the risk reduction that is required. The answers lie in the five questions above.

Have any of these myths affected you? Got any more myths about e-stops you’d like to share? I really appreciate hearing from my readers! Leave a comment or email it to us, and we’ll consider adding it to this article with credit!


Updates

2022-07-05 – Updated article by adding embedded lineshaft video and updating the CSA Z432 material in Myth #1 to reflect the 2016 edition. Note that a further update will be made when the 2022 edition publishes. Fixed a few grammatical issues and adjusted some text to reflect the new content.

2020-06-07 – added a new heading and slightly re-organized the material. The “Busting Myths” image was also added at that time.

2018-08-29 – added the North Mill at Belper drawing and fixed a few other editorial issues. Note that CSA Z432-04 is now obsolete and has been replaced by CSA Z432-16. This edition includes similar language to that quoted in this article. In Myth #4, references to Ontario and Québec regulations were added to show the contrast between these two Canadian Provinces. Additional references were made to current standards.


References

IEC — International Electrotechnical Commission.

ISO — International Organization for Standardization

[1] Safety of machinery — Emergency stop — Principles for design, ISO 13850, 2006. (obsolete – replaced by 2015 edition)

[2] Control of Hazardous Energy — Lockout and Other Methods, CSA Z460, 2005. (obsolete – replaced by 2013 edition)

[3] Safeguarding of Machinery, CSA Z432. Toronto: Canadian Standards Association (CSA). 2004. (obsolete – replaced by 2016 edition)

[4] Control of Hazardous Energy — Lockout/Tagout and Alternative Methods, ANSI/ASSE Z244.1, 2003, American National Standards Institute / American Society of Safety Engineers, Des Plaines, IL, USA. (obsolete – replaced by 2016 edition)

[5] American National Standard for Machine Tools — Performance Criteria for Safeguarding, ANSI B11.19. 2003. (obsolete – replaced by 2010 edition)

[6] General Safety Requirements Common to ANSI B11 Machines, ANSI B11. 2008. (obsolete – replaced by 2015 edition)

[7] Electrical Standard for Industrial Machinery, NFPA 79. 2007. (obsolete – replaced by 2018 edition)


[8] “R.R.O. 1990, Reg. 851: INDUSTRIAL ESTABLISHMENTS”, Ontario.ca, 2018. [Online]. Available: https://www.ontario.ca/laws/regulation/900851#BK11. [Accessed: 27-Aug-2018].

[9] “S-2.1, r. 13 – Regulation respecting occupational health and safety”, legisquebec.gouv.qc.ca, 2018. [Online]. Available: http://legisquebec.gouv.qc.ca/en/showdoc/cr/S-2.1, r. 13?langCont=en#se:192. [Accessed: 27-Aug-2018].

[10] Safeguarding of Machinery. CSA Z432. 2016

[11] Safety of Machinery. ANSI B11.0. 2015.

© 2010 – 2022, Compliance inSight Consulting Inc. Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

8 thoughts on “Busting Emergency Stop Myths”

  1. Hi,

    I work for a company that manufactures and sells control equipment together with dewatering pumps. The C-type standard EN 809 requires that an e-stop is needed and also refers to EN 60204-1:2018.

    Do we as the manufacturer need to implement the e-stop, or can we state in the manual that the system must be used together with an e-stop? I do not really get who has the responsibility that the e-stop is implemented: we as the manufacturer, or the installer/end user?

    Tommy

    1. EN 60204-1 defines the electrical requirements for the emergency stop function, but will not tell you when one is needed. The risk assessment for the application and the type-C standards do that. I don’t hold a copy of EN 809, however, since it is a type C standard, if you are selling equipment declared to meet EN 809, then it must have an estop since the standard says it must. I would include a set of terminals in your design to permit the integration of estop system signals on both the input side of your estop function and the output side so that your system can be integrated both upstream and downstream.

  2. Hi, Is it necessary for the e-stop to shut down the entire machine or is it ok to have zones with separate independent e-stops that only shut down part of the machine?

    1. Hi Tom!

      You haven’t given me any indication of where you are located, so I am going to give you a general answer.

      Zoning emergency stops is perfectly fine in most jurisdictions (check your local codes or speak to a local machinery safety specialist to confirm this). In the standards (ISO 13850, ISO 12100, etc.) this is referred to as “span-of-control.” If you have a master e-stop that shuts down the whole line, and zone stops that shut down portions of the line, the e-stop devices need to be clearly identified for the level of control provided. It won’t do to have someone confused about which button to push in an emergency. Have a read through the latest edition of ISO 13850 for more guidance, https://www.iso.org/standard/59970.html.

      1. Thanks, we are in Virginia but our equipment ships to installations around the world.

        1. Hi Tom!

          My advice based on ISO 13850 is sound for you, since you are exporting. Let me know if you have any other questions!

  3. Roberta Nelson Shea,

    Thanks for the comment. I decided after reading your thoughts that I would add the quotation from CSA Z460 back into the post. I took it out earlier for brevity, but I think it adds.

    If you’ve got any other Myths you’d like to add to this post from your own experience, email them to me and I’ll add them in!

  4. Doug,

    Well stated! The topic of Emergency Stops/Stopping is all too frequently misunderstood. It is not meant for safeguarding, but meant as a means of preventing FURTHER damage. Safeguarding is used to PREVENT injury.

    Also locking an emergency stop device is NOT an energy isolation means and would not comply with the requirements of the Control of Hazardous Energy.

    Roberta
