Emergency Stop Categories

[Image: Emergency stop on a machine console]
This entry is part 4 of 14 in the series Emergency Stop

I've noticed a lot of people looking for information on Emergency Stop categories recently; this article is aimed at those readers who want to understand this topic in more depth. First, a clarification: emergency stop categories DO NOT EXIST, but stop categories do. A stop category is a description of a control function (what the control does) and not of the architecture of the system that provides the function. Stop categories are often confused with the circuit or system architecture categories from EN 954-1 [1] and ISO 13849-1 [2]. The confusion between these two sets of categories often leads to incorrect assumptions about the application of these requirements.

"Emergency stop" is a description of a control function, with the added "emergency" telling you WHEN this stop function is intended to be used: only during an emergency situation. A "cycle stop" is also a functional description; it tells the user WHAT the stop function does. Both the emergency stop function and the cycle stop function use the SAME stop categories, with some limitations on the emergency stop function. More about that later in this article.

Stop Categories

The stop categories discussed here are not exclusive to emergency stop functions. They are STOP functions and may be used for normal stopping functions as well as for the emergency stop function.

Stop categories and functional safety system architecture categories are not the same, and there are significant differences that need to be understood by control system designers. I'm going to sling a number of standards at you in this post, and I will provide references at the end if you want to dig deeper.

Functional safety architectural categories are defined and described in ISO 13849-1, and I've written quite a bit on these in the past. If you want to know more about Categories B and 1 to 4, check out this series of posts on ISO 13849-1 Categories.

Originating Standards

There are three standards that define the requirements for stop categories, and thankfully they are fairly closely harmonised, meaning that the definitions for the categories are essentially the same in each document. They are:

  • ISO 13850, Safety of machinery — Emergency stop function — Principles for design [3]
  • IEC 60204-1, Safety of machinery – Electrical equipment of machines – Part 1: General requirements (aka EN 60204-1) [4]
  • NFPA 79, Electrical Standard for Industrial Machinery [5]

A new Canadian standard was added in 2016, CSA C22.2 No. 301 [9]. This standard draws heavily on a number of standards for core material, including IEC 60204-1 and NFPA 79, and it uses identical definitions for the stop function categories.


Stop Category Definitions

[Image: Emergency stop button]

The stop categories are broken down into three general groups in [4], [5] and [9]:

  • Category 0 – Equivalent to pulling the plug;
  • Category 1 – Bring things to a graceful stop, then pull the plug; and
  • Category 2 – Bring things to a stop and hold them there under power.

Let's look at the definitions in more detail. For comparison, I'm going to show the definitions from the standards side by side.

Table 1
Comparison of Stop Categories

Category 0
  IEC 60204-1: stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop, see 3.56);
  NFPA 79: is an uncontrolled stop by immediately removing power to the machine actuators.
  CSA C22.2 No. 301: stopping by immediate removal of power to the machine actuators (i.e., an uncontrolled stop);

Category 1
  IEC 60204-1: a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;
  NFPA 79: is a controlled stop with power to the machine actuators available to achieve the stop, then remove power when the stop is achieved.
  CSA C22.2 No. 301: a controlled stop with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;

Category 2
  IEC 60204-1: a controlled stop with power left available to the machine actuators.
  NFPA 79: is a controlled stop with power left available to the machine actuators.
  CSA C22.2 No. 301: a controlled stop with power left available to the machine actuators.

Definitions from IEC 60204-1:

3.11 controlled stop
stopping of machine motion with electrical power to the machine actuators maintained during the stopping process

3.56 uncontrolled stop
stopping of machine motion by removing electrical power to the machine actuators
NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.

As you can see, the stop category descriptions are virtually identical. The primary difference is that the IEC standard refers to separate definitions of "controlled stop" and "uncontrolled stop", whereas the NFPA standard folds that information into the category descriptions themselves.


Minimum Requirements

[4], [5], and [9] require that all machines have at least a Category 0 stop. This could be achieved by switching off (for example, by using the disconnecting means to switch off power), by physically "pulling the plug" from the power supply socket on the wall, through a "master control relay" circuit, or through an emergency stop circuit. Note that this does not require that all machines have an e-stop! The need for an emergency stop function is determined in two ways:

  1. Existence of a Type-C (i.e., machine-specific) technical standard that requires that type of machinery to have an emergency stop function, or
  2. through the risk assessment, based on the potential of the function to avoid or limit harm.

If the risk assessment shows that harm cannot be avoided or limited through an emergency stop function, there is no requirement to have one. I have yet to read legislation (as opposed to standards) in any jurisdiction that states that all machines must have an e-stop. Certain classes of machines may have this requirement, normally defined in the relevant Type-C machinery standard, e.g., ISO 10218-1 [10] for industrial robots.

ISO 13850 limits the selection of stop category for the emergency stop function to Category 0 or 1 and excludes Category 2. The same exclusion is found in IEC 60204-1 and NFPA 79; under those standards, Category 2 may only be used for operational or "normal" stopping functions. CSA C22.2 No. 301 treats Category 2 differently, as noted below.

To learn more about how to determine the need for an emergency stop, see "Emergency Stop – What's so confusing about that?"

Selecting a Stop Function

How do you decide which stop category to use? First, a risk assessment is required. Second, a start/stop analysis should be conducted. More on this topic a bit later.

Once the risk assessment is complete, ask these questions:

1) Will the machinery stop safely using an uncontrolled stop?

If the machinery does not have a significant amount of inertia, meaning it won't coast for more than a very short time once power is removed, then a Category 0 stop may be all that is required.

2) Can the machinery coast when power is removed, or can it be stopped more quickly under control than by simply removing power?

If so, a Category 1 stop is likely the best choice, even if the power-off coasting time is fairly short.

Vertical axes that may collapse when power is removed will likely need additional mechanical hardware to prevent the tooling from falling during an emergency stop condition. This could be a mechanical brake or another means that prevents the tooling from falling unexpectedly.

3) Does the machinery include devices that require power to keep them in a safe state?

If so, a Category 2 stop is likely the best choice.

If you choose a Category 2 stop, be aware that leaving power on the machinery exposes the user to the hazards of a powered machine. Careful risk assessment is especially important in these cases.

Category 2 stops are not permitted for emergency stop functions, although you may use them for normal stop functions. ISO 13850, IEC 60204-1, and NFPA 79 explicitly limit emergency stop functions to Categories 0 and 1. CSA C22.2 No. 301 permits the use of Category 2 stop functions for emergency stopping.
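As an added example that is not part of the original article, the following Python script models the three stop categories on a simple inertial axis and walks through the three selection questions above, including the rule that an emergency stop function may not use Category 2 under ISO 13850, IEC 60204-1 and NFPA 79. The Axis parameters, the 0.5 s "short coast" threshold, the constant-deceleration model and the per-standard permission table are constructed assumptions for illustration, not values taken from any standard.

```python
"""
Added example, not code from the original article or its author: a small
model that compares Category 0, 1 and 2 stops on an inertial axis and applies
the selection rules and e-stop restrictions described in the text. All axis
numbers and the per-standard table are constructed for illustration; the
threshold in recommend_category() is an assumption, not a value from any
standard.
"""
from dataclasses import dataclass

# Which stop categories each standard allows for an EMERGENCY stop function,
# as stated in the article (ISO 13850, IEC 60204-1 and NFPA 79 exclude
# Category 2; the article states that CSA C22.2 No. 301 permits it).
ESTOP_CATEGORIES_PERMITTED = {
    "ISO 13850": {0, 1},
    "IEC 60204-1": {0, 1},
    "NFPA 79": {0, 1},
    "CSA C22.2 No. 301": {0, 1, 2},
}


@dataclass
class Axis:
    """A single powered motion, with constructed (hypothetical) parameters."""
    name: str
    speed: float            # running speed, m/s
    coast_decel: float      # deceleration from friction alone once power is removed, m/s^2
    ctrl_decel: float       # deceleration the drive can command while powered, m/s^2
    vertical: bool = False  # would fall under gravity when power is removed
    needs_power_to_hold: bool = False  # e.g. a vacuum gripper or electromagnet


def stop_profile(axis: Axis, category: int):
    """Return (stop_time_s, travel_m, power_removed_at_end) for one category.

    Category 0: power is removed immediately, so the axis only sees friction.
    Category 1: the drive decelerates under control, then power is removed.
    Category 2: the drive decelerates under control and stays powered.
    Constant deceleration is assumed, so travel = v * t / 2.
    """
    if category == 0:
        decel = axis.coast_decel
    elif category in (1, 2):
        decel = axis.ctrl_decel
    else:
        raise ValueError(f"unknown stop category {category}")
    stop_time = axis.speed / decel
    travel = axis.speed * stop_time / 2.0
    return stop_time, travel, category != 2


def estop_category_permitted(category: int, standard: str) -> bool:
    """True if the standard (per the article) allows this category for e-stop."""
    return category in ESTOP_CATEGORIES_PERMITTED[standard]


def recommend_category(axis: Axis, emergency: bool, short_coast_s: float = 0.5):
    """Walk the article's three questions and return (category, notes).

    short_coast_s is an assumed threshold for "won't coast more than a very
    short time"; a real design would take it from the risk assessment.
    """
    notes = []
    if axis.vertical:
        notes.append(f"{axis.name}: vertical axis, a mechanical brake or other "
                     "holding device is needed so tooling cannot fall")
    # Question 3: devices that need power to stay safe point to Category 2,
    # but Category 2 is not available for an emergency stop under
    # ISO 13850 / IEC 60204-1 / NFPA 79, so the designer must provide a
    # holding means that does not depend on power (assumption: we then fall
    # through to the Category 0/1 decision).
    if axis.needs_power_to_hold:
        if not emergency:
            notes.append(f"{axis.name}: needs power in the stopped state, Category 2")
            return 2, notes
        notes.append(f"{axis.name}: Category 2 not permitted for e-stop; "
                     "provide a holding means that does not depend on power")
    # Questions 1 and 2: can it stop safely uncontrolled, or is a controlled
    # stop faster than coasting?
    coast_time, _, _ = stop_profile(axis, 0)
    ctrl_time, _, _ = stop_profile(axis, 1)
    if coast_time <= short_coast_s and ctrl_time >= coast_time:
        notes.append(f"{axis.name}: coasts {coast_time:.2f} s, Category 0 is sufficient")
        return 0, notes
    notes.append(f"{axis.name}: coasts {coast_time:.2f} s vs {ctrl_time:.2f} s "
                 "under control, Category 1")
    return 1, notes


if __name__ == "__main__":
    # Constructed sample axes, not from any real machine.
    spindle = Axis("main spindle", speed=2.0, coast_decel=0.5, ctrl_decel=4.0)
    z_axis = Axis("Z axis", speed=0.2, coast_decel=1.0, ctrl_decel=2.0, vertical=True)
    gripper = Axis("vacuum gripper", speed=0.1, coast_decel=1.0, ctrl_decel=1.0,
                   needs_power_to_hold=True)
    for axis in (spindle, z_axis, gripper):
        for cat in (0, 1, 2):
            t, d, off = stop_profile(axis, cat)
            print(f"{axis.name:15s} Cat {cat}: {t:5.2f} s, {d:5.2f} m, power off={off}")
        cat, notes = recommend_category(axis, emergency=True)
        print(f"  e-stop recommendation: Category {cat}; "
              f"permitted under IEC 60204-1: {estop_category_permitted(cat, 'IEC 60204-1')}")
        for n in notes:
            print("  -", n)
```

Running it shows the point of question 2 numerically: the high-inertia spindle coasts for 4 s under Category 0 but stops in 0.5 s under Category 1, while the gripper that needs power to hold its part can only get a Category 2 stop as a normal stop, never as the emergency stop.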

Risk Assessment and Stop/Start Analysis

Risk assessment is critical to the specification of all safety-related functions. While emergency stop is not a safeguard, it is considered to be a "complementary protective measure" [6, 6.2.3.5.3], [7, 3.19, 6.3]. Understanding the hazards that need to be controlled and the degree of risk related to the hazards is basic design information that provides specific direction on the stop category required and the degree of control reliability necessary to provide the expected risk reduction.

Start/stop analysis is quite simple, originating in ISO 12100. It amounts to considering all of the intended start/stop conditions for the machinery and then adding conditions that may result from reasonably foreseeable failure modes of the machinery and foreseeable misuses of the machinery. Create a table with three columns as a starting point, similar to Table 2.

Table 2
Example Start/Stop Analysis

Lubricant pump
  Start condition: Lubricant Pump Start button pressed
  Stop conditions: Lubricant Pump Stop button pressed; low lubricant level in reservoir; high pressure drop across lubricant filter

Main spindle motor
  Start condition: Start enabled and Start button pressed
  Stop conditions: low lubricant pressure; Stop button pressed

Feed advance motor
  Start condition: Feed Advance button pressed
  Stop conditions: Feed Stop button pressed; feed end-of-travel limit reached

Emergency stop
  Start condition: (none)
  Stop condition: all motions stop; lubricant pump remains running

The above table is simply an example of what a start/stop analysis might look like. You can have as much detail as you like.

Control Reliability Requirements

Both ISO 13849-1 and IEC 62061 [8] base the initial requirements for reliability on the outcome of the risk assessment (PLr or SILr). If the stopping condition is part of normal operation, then simple circuit requirements (e.g. PLa, Category 1) may be all that is required. If the stopping condition is intended to be an emergency stop, then additional analysis is needed to determine exactly what is required.

More Information

How have you typically implemented your stops and emergency stop systems?

Have you ever used the START/STOP analysis method?

I care about what you think as a reader, so please leave me comments and questions! If you would prefer to discuss your question privately, contact me directly.

Ed. Note: This article was updated 15-Jan-2018.

References


[1]  Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. CEN Standard EN 954-1. 1996.

[2]  Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. ISO Standard 13849-1. 2015.

[3]  Safety of machinery — Emergency stop function — Principles for design. ISO Standard 13850. 2015.

[4]  Electrical Equipment of Industrial Machines. IEC Standard 60204-1. 2009.

[5]  Electrical Standard for Industrial Machinery. ANSI/NFPA Standard 79. 2015.

[6]  Safeguarding of Machinery. CSA Standard Z432. 2016.

[7]  Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.

[8]  Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

[9]  Industrial electrical machinery. CSA Standard C22.2 No. 301. 2016.

[10] Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots. ISO Standard 10218-1. 2011.


Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.