Machinery Safety 101

Emergency Stop Categories

I’ve noticed a lot of people looking for information on Emergency Stop categories recently; this article is aimed at those readers who want to understand this topic in more depth. First, a clarification: Emergency stop categories DO NOT EXIST, but stop categories do. A stop category is a description of a control function – what the control does – and not the architecture of the system that provides the function. Stop categories are often confused with circuit or system architecture categories from EN 954-1 [1] and ISO 13849-1 [2]. The confusion between these two sets of Categories often leads to incorrect assumptions about the application of these requirements.

“Emergency stop” is a description of a control function, with the added “emergency” telling you WHEN this stop function is intended to be used – only during an emergency situation. A “cycle stop” is also a functional description that tells the user WHAT the stop function does. Both the emergency stop function and the cycle stop function use the SAME stop categories, with some limitations on the emergency stop function. More about that later in this article.

Stop Categories

The stop categories discussed here are not exclusive to emergency stop functions. They are STOP functions and may be used for normal stopping functions as well as the Emergency Stop function.

Stop categories and functional safety system architecture categories are not the same, and there are significant differences that need to be understood by control system designers. I’m going to sling a number of standards at you in this post, and I will provide references at the end if you want to dig deeper.

Functional safety architectural categories are defined and described in ISO 13849-1, and I’ve written quite a bit on these in the past. If you want to know more about Categories B and 1–4, check out this series of posts on ISO 13849-1 Categories.

Originating Standards

There are three standards that define the requirements for stop categories, and thankfully they are fairly closely harmonised, meaning that the definitions for the categories are essentially the same in each document. They are:

  • ISO 13850, Safety of machinery — Emergency stop function — Principles for design [3]
  • IEC 60204-1, Safety of machinery – Electrical equipment of machines – Part 1: General requirements (aka EN 60204-1) [4]
  • NFPA 79, Electrical Standard for Industrial Machinery [5]

A new Canadian standard was added in 2016, CSA C22.2 No. 301 [9]. This standard draws heavily on a number of standards for core material, including IEC 60204-1 and NFPA 79. No. 301 uses identical definitions for stop function categories.


Stop Category Definitions

The stop categories are broken down into three general groups in [4], [5], and [9]:

  • Category 0 – Equivalent to pulling the plug;
  • Category 1 – Bring things to a graceful stop, then pull the plug; and
  • Category 2 – Bring things to a stop and hold them there under power.

Let’s look at the definitions in more detail. For comparison, I’m going to show the definitions from the standards side-by-side.

Table 1
Comparison of Stop Categories

Category 0
  IEC 60204-1: stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop – see 3.56);
  NFPA 79: is an uncontrolled stop by immediately removing power to the machine actuators.
  CSA C22.2 No. 301: stopping by immediate removal of power to the machine actuators (i.e., an uncontrolled stop);

Category 1
  IEC 60204-1: a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;
  NFPA 79: is a controlled stop with power to the machine actuators available to achieve the stop, then remove power when the stop is achieved.
  CSA C22.2 No. 301: a controlled stop with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;

Category 2
  IEC 60204-1: a controlled stop with power left available to the machine actuators.
  NFPA 79: is a controlled stop with power left available to the machine actuators.
  CSA C22.2 No. 301: a controlled stop with power left available to the machine actuators.

Definitions from IEC 60204-1:

3.11 controlled stop
stopping of machine motion with electrical power to the machine actuators maintained during the stopping process

3.56 uncontrolled stop
stopping of machine motion by removing electrical power to the machine actuators
NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.

As you can see, the Stop Category descriptions are virtually identical, with the primary difference being that the IEC standard refers to its numbered definitions (3.11 and 3.56) where the NFPA standard includes that information in the description itself.


Minimum Requirements

[4], [5], and [9] require that all machines have at least a Category 0 stop. This could be achieved by switching off (i.e., by using the disconnecting means to switch off power, for example), by physically “pulling the plug” from the power supply socket on the wall, through a ‘master control relay’ circuit, or through an emergency stop circuit. Note that this does not require that all machines have an e-stop! The need for an emergency stop function is determined in two ways:

  1. Existence of a Type-C (i.e., machine specific) technical standard that requires that type of machinery to have an emergency stop function, or
  2. through the risk assessment, based on the potential to avoid or limit harm.

If these goals (avoiding or limiting harm) cannot be achieved through an emergency stop function, there is no requirement to have one. I have yet to read legislation (not standards) in any jurisdiction that states that all machines must have an e-stop. Certain classes of machines may have this requirement, normally defined in the relevant type-C machinery standard, e.g., ISO 10218-1 [10] for industrial robots.

ISO 13850 limits the selection of stop category to Category 0 or 1 and excludes Category 2. This exclusion can be found in NFPA 79, IEC 60204-1, and CSA C22.2 No. 301 as well. Category 2 may only be used for operational or “normal” stopping functions.

To learn more about how to determine the need for an emergency stop, see “Emergency Stop – What’s so confusing about that?”

Selecting a Stop Function

How do you decide on what stop category to use? First, a risk assessment is required. Second, a start/stop analysis should be conducted. More on this topic a bit later.

Once the risk assessment is complete, ask these questions:

1) Will the machinery stop safely using an uncontrolled stop?

If the machinery does not have a significant amount of inertia, meaning it won’t coast more than a very short time, then a Category 0 stop may be all that is required.

2) If the machinery can coast when power is removed, or if the machinery can be stopped more quickly under control than when power is simply removed, then a Category 1 stop is likely the best choice, even if the power-off coasting time is fairly short.

Vertical axes that may collapse when power is removed will likely need additional mechanical hardware to prevent the tooling from falling during an emergency stop condition. This could be a mechanical brake or other means that will prevent the tooling from falling unexpectedly.

3) If the machinery includes devices that require power to keep them in a safe state, then a Category 2 stop is likely the best choice.

If you choose to use a Category 2 stop, be aware that leaving power on the machinery leaves the user exposed to the hazards that powered machinery presents. Careful risk assessment is required in these cases especially.

Category 2 stops are not permitted for emergency stop functions, although you may use them for normal stop functions. ISO 13850, IEC 60204-1, and NFPA 79 explicitly limit emergency stop functions to Categories 0 and 1. CSA C22.2 No. 301 permits the use of Category 2 stop functions for emergency stopping.
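The three questions above, worked into a small selection routine (an added example, not code from the article). The Axis attributes, the sample axes and the function names are constructed for illustration; the standards listed in ESTOP_CAT_0_OR_1_ONLY and the CSA exception follow the text above.

```python
"""Stop-category selection following the article's three questions.

Added example; the Axis attribute names and the sample machine are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple

# Standards the article names as limiting the emergency stop function to
# Category 0 or 1; the article states CSA C22.2 No. 301 permits Category 2.
ESTOP_CAT_0_OR_1_ONLY = ("ISO 13850", "IEC 60204-1", "NFPA 79")


class StopCategory(IntEnum):
    """Stop categories per IEC 60204-1 / NFPA 79 / CSA C22.2 No. 301."""
    CAT_0 = 0  # immediate removal of power to the actuators (uncontrolled stop)
    CAT_1 = 1  # controlled stop, then removal of power once stopped
    CAT_2 = 2  # controlled stop with power left available to the actuators


@dataclass(frozen=True)
class Axis:
    """Constructed description of one powered motion on the machine."""
    name: str
    coasts_when_unpowered: bool          # enough inertia to coast more than a very short time
    faster_under_control: bool           # the drive can stop it quicker than a power-off coast
    needs_power_to_hold_safe: bool       # e.g. a vertical axis that the drive holds up
    has_mechanical_brake: bool = False   # brake engages when power is removed


def select_normal_stop(axis: Axis) -> StopCategory:
    """Operational stop: any of the three categories may be used.

    Works through the article's questions from the most demanding case down.
    """
    # Q3: devices that need power to stay in a safe state -> Category 2.
    if axis.needs_power_to_hold_safe and not axis.has_mechanical_brake:
        return StopCategory.CAT_2
    # Q2: the axis coasts, or stops quicker under control -> Category 1.
    if axis.coasts_when_unpowered or axis.faster_under_control:
        return StopCategory.CAT_1
    # Q1: an uncontrolled stop is acceptable -> Category 0 is all that is needed.
    return StopCategory.CAT_0


def select_emergency_stop(axis: Axis,
                          standard: str = "ISO 13850") -> Tuple[StopCategory, List[str]]:
    """Emergency stop uses the same categories, with the standard's restriction applied."""
    notes: List[str] = []
    cat = select_normal_stop(axis)
    if cat == StopCategory.CAT_2:
        if standard in ESTOP_CAT_0_OR_1_ONLY:
            # Power may not stay on the actuators: stop under control, then remove
            # power, and keep the tooling from falling by mechanical means.
            cat = StopCategory.CAT_1
            notes.append("Category 2 not permitted for emergency stop under %s; "
                         "provide a mechanical brake or other holding means" % standard)
        else:
            notes.append("power stays on the machine during the stop; "
                         "assess the hazards that leaves exposed")
    return cat, notes


def stop_function_table(axes: List[Axis],
                        standard: str = "ISO 13850") -> List[Tuple[str, int, int, List[str]]]:
    """One row per axis: (name, normal stop category, e-stop category, notes)."""
    rows = []
    for axis in axes:
        estop_cat, notes = select_emergency_stop(axis, standard)
        rows.append((axis.name, int(select_normal_stop(axis)), int(estop_cat), notes))
    return rows


# Constructed sample machine (a small lathe-like layout, not from the article).
SAMPLE_AXES = [
    Axis("Main spindle", coasts_when_unpowered=True, faster_under_control=True,
         needs_power_to_hold_safe=False),
    Axis("Pneumatic clamp", coasts_when_unpowered=False, faster_under_control=False,
         needs_power_to_hold_safe=False),
    Axis("Vertical Z axis", coasts_when_unpowered=True, faster_under_control=True,
         needs_power_to_hold_safe=True),
    Axis("Vertical Z axis (braked)", coasts_when_unpowered=True, faster_under_control=True,
         needs_power_to_hold_safe=True, has_mechanical_brake=True),
]

if __name__ == "__main__":
    for name, normal, estop, notes in stop_function_table(SAMPLE_AXES):
        print("%-26s normal: Cat %d  e-stop: Cat %d  %s"
              % (name, normal, estop, "; ".join(notes)))
```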

Risk Assessment and Stop/Start Analysis

Risk assessment is critical to the specification of all safety-related functions. While emergency stop is not a safeguard, it is considered to be a ‘complementary protective measure’ [6], [7, 3.19, 6.3]. Understanding the hazards that need to be controlled and the degree of risk related to the hazards is basic design information that will provide specific direction on the stop category required and the degree of control reliability necessary to provide the expected risk reduction.

Stop/Start Analysis is quite simple, originating in ISO 12100. It amounts to considering all of the intended stop/start conditions for the machinery and then including conditions that may result from reasonably foreseeable failure modes of the machinery and foreseeable misuses of the machinery. Create a table with three columns (Description, Start Condition, Stop Condition) as a starting point, similar to Table 2.

Table 2
Example Start/Stop Analysis

Lubricant Pump
  Start Condition: Lubricant Pump Start Button Pressed
  Stop Conditions: Lubricant Pump Stop Button Pressed; Low Lubricant Level in reservoir; High-pressure drop across lubricant filter

Main Spindle Motor
  Start Condition: Start enabled and Start Button Pressed
  Stop Conditions: Low Lubricant Pressure; Stop button pressed

Feed Advance Motor
  Start Condition: Feed Advance button pressed
  Stop Conditions: Feed Stop button pressed; Feed end of travel limit reached

Emergency Stop
  Start Condition: –
  Stop Condition: All motions stop, lubricant pump remains running

The above table is simply an example of what a start/stop analysis might look like. You can have as much detail as you like.

Control Reliability Requirements

Both ISO 13849-1 and IEC 62061 [8] base the initial requirements for reliability on the outcome of the risk assessment (PLr or SILr). If the stopping condition is part of normal operation, then simple circuit requirements (i.e. PLa, Category 1) are all that may be required. If the stopping condition is intended to be an Emergency Stop, then additional analysis is needed to determine exactly what may be required.

More Information

How have you typically implemented your stops and emergency stop systems?

Have you ever used the START/STOP analysis method?

I care about what you think as a reader, so please leave me comments and questions! If you would prefer to discuss your question privately, contact me directly.

Ed. Note: This article was updated 15-Jan-2018.



[1] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. CEN Standard EN 954-1. 1996.

[2] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. ISO Standard 13849-1. 2015.

[3] Safety of machinery — Emergency stop function — Principles for design. ISO Standard 13850. 2015.

[4] Electrical Equipment of Industrial Machines. IEC Standard 60204-1. 2009.

[5] Electrical Standard for Industrial Machinery. ANSI/NFPA Standard 79. 2015.

[6] Safeguarding of Machinery. CSA Standard Z432. 2016.

[7] Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.

[8] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

[9] Industrial electrical machinery. CSA Standard C22.2 No. 301. 2016.

[10] Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots. ISO Standard 10218-1. 2011.

46 thoughts on “Emergency Stop Categories”

  1. Thanks, Doug Nix, words are too small for the value you add through your content. This is the best guide I have seen so far on the internet. Emergency Stop Categories were easy to understand with comprehensive and easy explanations.

  2. Thanks for publishing such useful information. This will be a great site for us to reference when we are training new employees at our safety briefings.

    1. Hi David,

      You’re very welcome. I’m glad that you are finding my work helpful. If I can answer any other questions, please get in touch.

  3. Moving machinery can cause injuries in many ways: … Injuries can also occur due to machinery becoming unreliable and developing faults or when machines are used improperly through inexperience or lack of training.

    1. Hi Brian,

      You are correct. This is one of the reasons why complementary protective measures like the emergency stop function are needed and are so common on machines. Emergency stop systems are not a substitute for training and supervision. If you have trainees or apprentices working with hazardous machinery the presence of an emergency stop system will not prevent injuries – only properly designed safeguarding can do that, and even then not in all cases. Emergency stop functions are not safeguarding, and cannot be used as such. National machinery safety standards make that very clear.

  4. Thank you for sharing with us the different stop categories and how they apply to machinery used in the industries. I would imagine that it is vital for a factory to maintain watchfulness on its operating machines at all times to ensure the safety of the operators and workers. I have a friend who is thinking of going into machinery. I will share with him about machine control safety and remind him to take good care of himself when handling high-risk machines.

      1. Hi Doug,
        Is there any time limit given for stopping the machine? For example, if stop is initiated then the machine should stop in a given time (say 1 or 2 sec) or immediately.

        1. Hi Wiquar,
          No, there is no defined time limit for an emergency stop. The standards recommend that it happens as quickly as possible, but consideration must be given to potential damage to the machinery which might then create new hazards. So as quickly as practical, without doing catastrophic damage to the machine.

  5. So if you had a risk assessment for a particular piece of equipment and it came to a particular PLd requirement, if you safeguarded the hazard with the appropriate fencing/interlocks etc., and thus successfully reduced the risk to an acceptable level, would you still need to create a PLd emergency stop circuit or just stick to the minimum level PLc?

    1. Hey RN! Good question. The PL requirement for the estop is determined in the same way as any other safety function, with the difference being the minimum PLc requirement. You need to consider the types of events that might occur where the e-stop might be helpful in reducing or avoiding harm. This will require a bit of brainstorming, since what you are looking for is unusual events that the regular safeguarding is not designed to mitigate. Here’s an example: The machine is a CNC lathe with a complete enclosing guard that is interlocked. The chuck is pneumatically actuated. During operation, the valve controlling the chuck suffers a seal failure, and the chuck is unexpectedly released. It doesn’t open fully, but its grasp on the part relaxes enough that the part starts to oscillate in the jaws. If nothing is done, eventually the part will be ejected. In the intervening time, the part is slapping around and is starting to break tools and damage the tool carrier. The guarding is designed to contain swarf and coolant, and MAY contain an ejected part, but it’s not guaranteed. Using this scenario, assess the risk. If I use the ISO 14121-2 decision tree, I’d get S2, F1, O1, A2 –> R2. That score maps to an ISO 13849-1 decision tree of S2, F1, P2 –> PLr = d. Now, if the guarding was designed to contain an ejected part of the largest size that the machine could handle, then you could change the S scores to S1, which would drop the initial risk to R1, and the PLr to b. Since you aren’t permitted to go lower than PLr=c for estop, then that would be the answer.

      I hope that helps!
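The risk-graph walk in the reply above, as an added example (not the author’s code). The reply shows two of the eight S/F/P paths; the full mapping used here is the ISO 13849-1 risk graph, the PLc floor is the ISO 13850 minimum the reply cites, and the lathe scenario function is constructed to reproduce the reply’s two cases.

```python
"""PLr from the ISO 13849-1 risk graph, with the ISO 13850 e-stop minimum applied.

Added example; the scenario function and its fixed F/P scores are constructed
from the reply above.
"""
from typing import Dict, Tuple

PL_ORDER = "abcde"  # Performance Levels from least to most risk reduction

# ISO 13849-1 risk graph: (S, F, P) -> PLr. S = severity (1 slight, 2 serious),
# F = frequency/duration of exposure, P = possibility of avoiding the hazard.
RISK_GRAPH: Dict[Tuple[int, int, int], str] = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

ESTOP_MINIMUM_PL = "c"  # ISO 13850 minimum for the emergency stop function


def required_pl(s: int, f: int, p: int) -> str:
    """PLr for one hazard scenario from its S/F/P scores (each 1 or 2)."""
    try:
        return RISK_GRAPH[(s, f, p)]
    except KeyError:
        raise ValueError("S, F and P must each be 1 or 2, got %r" % ((s, f, p),)) from None


def estop_pl(s: int, f: int, p: int) -> Tuple[str, bool]:
    """PLr for the e-stop function: the risk-graph result, raised to PLc if lower.

    Returns (PLr, floor_applied).
    """
    plr = required_pl(s, f, p)
    if PL_ORDER.index(plr) < PL_ORDER.index(ESTOP_MINIMUM_PL):
        return ESTOP_MINIMUM_PL, True
    return plr, False


def lathe_chuck_scenario(guard_contains_ejected_part: bool) -> Tuple[str, bool]:
    """The reply's CNC lathe case: chuck seal failure, part may be ejected.

    F1 (rare event) and P2 (hard to avoid) stay fixed; S drops from 2 to 1 when
    the guarding is designed to contain the largest part the machine can hold.
    """
    severity = 1 if guard_contains_ejected_part else 2
    return estop_pl(severity, 1, 2)


if __name__ == "__main__":
    for contained in (False, True):
        plr, floored = lathe_chuck_scenario(contained)
        print("guard contains ejected part: %-5s -> e-stop PLr = %s%s"
              % (contained, plr, "  (ISO 13850 minimum applied)" if floored else ""))
```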

      1. So is it stated anywhere that the Emergency stop circuit should meet the same performance level as any safety function within a machine? Even though you may contain the risk completely with this safety function at a higher performance level.

        1. No. You could consider that idea to be an ‘acceptable practice’, but there is no technical or engineering basis for taking that approach.

          The performance requirements for any safety function are always taken in isolation, based on the safety requirement specification for the safety function. Performance requirements are never linked to the performance requirements of any other safety function.

          The minimum performance requirement for an emergency stop function is given in ISO 13850. After that, if there is an applicable type C standard (machine specific standard), that standard MAY give a requirement. If not, it is always based on the risk assessment and is not linked to the PLr for any other safety function.

  6. What about racks of test equipment that have meters and scopes for low-voltage measurements, but there’s no machine motion to stop? Is a Category 0 E-Stop still required to remove power from everything, including the computer?

    1. Hey Rick!

      First – E-stops are not 100% mandatory in most cases. The requirement is based on a couple of things:

      1) Is there a Type-C (i.e., machine specific) technical standard that applies AND requires an e-stop?
      2) Does a risk assessment show that an e-stop might have benefits for avoiding or limiting harm?

      If the answers to those questions are both “NO”, then there is no requirement for an e-stop.

      On to your specific example. A machine is defined as “an assembly of linked parts, at least one of which moves, with the power and controls necessary for a defined end-function”. This definition is derived from the EU Machinery Directive, but is increasingly accepted around the world. The equipment that you describe is not a machine based on this description. The movement of analog gauge needles would not be enough to trigger the requirements, because the movement of the needles is not hazardous (see question #2 above).

      Also, bear in mind that cord connected equipment already has a Category 0 stop built-in – pulling the plug from the wall counts as a disconnecting means and meets all of the requirements for Cat. 0 stop functions AND energy isolation for the purpose of hazardous energy control procedures.

      Let me know if you need more information on this topic. You can book a consultation with me by visiting

  7. Another great discussion! I stumbled upon this because many servos include the STO function. I looked in the manual of the product that I am working with on this particular product and the manual claims the STO function to be compliant with a safe stop 0. However, every time I see a servo with STO capability implemented, there is still a contactor killing the line feed into the servo that is driven by the same conditions as the STO signals. It seems as if STO would replace the need to use a contactor to break the feed coming into the servo. Am I incorrect? Are there still advantages to opening up the line connection with a contactor in addition to using STO? If it is redundant, are you aware of any manufacturing plants that still require both?

    1. Interesting question. I’m actually planning an article on this topic right now, but I’ve got a couple of additional pieces to finish out the 13849 series first.

      If the drive has STO, it will already have the capability to provide a reliable zero-torque condition to the motor. If you look at the specs for the drive you will find that the STO function will normally have a PL or SIL rating, or a PFHd given. If the STO function is rated as PLe, for example, there is no need for an additional line contactor upstream of the drive unless the drive installation calls for one.

      “Safe-off”, “safe-stop” and similar terms are used by drive manufacturers but are not reflected in the technical standards for these products, and so don’t have a standardised technical definition.

      This question is complex enough that I can’t fully address it here, but I will try to hit the whole topic in the article when I publish it.

      Thanks for your continued interest!

      1. Further to this comment, watch the blog on 3-Jul-17 for the article on STO, SS1, SS2 and SOS functions for motor drives!

  8. Am I allowed to wire coded magnetic switches or keyed interlock switches in series with an E-stop or will I need to use 2 separate safety relays?
    Just found your site, thanks for taking the time to inform us, greatly appreciated.

    1. T-mac,

      It’s not so much a case of “allowed to” wire them in series or not. Let me explain.

      Best practice is to separate the e-stop function and the safeguarding functions. This is done for a few reasons:

      1) Emergency Stop controls are considered to be “complementary protective measures”, not safeguards. They are manually activated, and should normally be infrequently used. This is because they are used to back up the primary safeguards, like interlocked guards, or safeguarding devices. As backup devices, they typically require a lower level of reliability than the primary safeguards. ISO 13850, which defines emergency stop functions, requires a minimum performance level of PLc for these systems; however, higher performance levels may be required based on the risk assessment.

      2) Safeguards are required to act automatically, without the user being aware of the operation of the function. The reliability of the safety function is driven directly by the risk assessment. On most industrial machinery, these systems require PLc, PLd, or PLe.

      3) Recovery from an emergency stop condition, and recovery from a safeguarding condition are often quite different. Depending on what kind of emergency stop function is selected (IEC 60204-1/NFPA 79 Category 0 or 1), the effects on the machine can be quite severe, and recovery can be complex. Safeguarding conditions commonly use Category 1 or 2 stop functions, which are more controlled and generally don’t leave the machine badly disordered. Recovery is normally simpler. Since safeguarding conditions are more common as operators open doors/gates or break light curtain fields, the machine reactions usually need to be different from what happens in an emergency situation.

      Daisy-chaining devices, whether it’s e-stop buttons, interlock switches, or something else, can create fault-masking conditions, where a failure can occur in one device in the chain, but the fault is masked by the operation of another device in the chain. This can be a serious problem, since ISO 13849-1 requires that systems with Category 3 or 4 architectures detect faults either as they occur, or on the next demand on the safety function. Masked faults may be detected, and this leads to failure modes that are not permitted, nor are they what you want in your control system.

      Where you have e-stop devices or interlocks that are infrequently used, they may not be tested frequently enough to meet the testing requirements of the architecture you’ve selected, and this may lead to masked faults as well.

      So, in general, combining emergency stop functions with safeguarding functions is considered bad practice, even though it is still often done. I would recommend separating the functions for all of the reasons given, and I would also recommend against daisy chaining input devices to a single safety relay.

      1. I would generally separate them as I have always done in the past.
        This application is installing coded mag switches on new guarding. There is a PILZ safety PLC installed on the machine and my request to purchase the PLC software (along with the new PSR after modifying the program) was declined.
        The switches are rated to be used cat 4 and there is a monthly procedure where the operators test the E-stops, and interlocks on the equipment.
        The existing guarding is done by light curtains that bring the machine to a “cycle stop” so as not to destroy the product and make for a longer restart/set up.
        The new guarding is at a much closer proximity to the actual hazard and I need the machine to stop immediately.
        Although not ideal, wiring in series would still be accepted in this scenario?

        1. T-mac,

          If the new guarding is close to the tooling, the first thing I would suggest is a stop time test. You need to know if the guarding is within the minimum safety distance. You use the same calculation as used for a light curtain, Ds=KxT, K=1600 mm/s or 63 in/s. T is the stopping time in seconds. Since you mention that the machine is already using stop category 1, the stopping time may be quite long.

          If the guards are too close to the hazards to meet this safety distance, then you will need to implement guard locking. This can be combined with a “request to enter” function, or can simply be held locked until the machine is stopped, either at the end of a cycle, or until the machine is switched out of automatic mode and into manual mode. There are tons of options in how to do this.

          WRT your comments about the interlock switches being Category 4, all this tells you is that the switch/controller combination uses Category 4 architecture. There will be a PL associated with this – have a look at the data sheet. This information is used in assessing the safety system PL. The two pieces of information are important. You may also find an MTTFd spec, and this is also important, but less so than the PL initially.

          1. Machine stopping via the current estop is instant, no coasting, no reversing by tension upon the material.
            This “new” pinch point is a roller that was previously missed and now being addressed.
            The hinged guards that are now on that roller(s) are roughly 3.5″ away. The door has to be swung out when opened which adds a little more distance when accessing.
            I should have given more info about the application in my first question, sorry.

          2. T-mac,

            Thanks for the additional information. Unfortunately, no machinery stops instantaneously, since that would require infinite negative acceleration. Even if the stopping time is very short, let’s say 100 ms for argument’s sake, the safety distance is Ds=63″/s * 0.100 s = 6.3″. To make the 3.5″ distance work the stopping time would have to be 3.5/63=0.055 s. So, thing 1: Stop Time Test. Without this you cannot say that the interlocked door will provide the protection required. If you can’t do the test for any reason, then go to interlocked doors with guard locking. You will need a zero-speed detection system so that the lock cannot be released until the web/roller speed = zero.

            WRT the opening of the guard and the additional distance that you would like to claim, unless the interlock is activated before a gap appears between the door and the frame, you really can’t make this claim. You need to measure the gap between the edge of the door and the frame at the point where the interlock activates, and then apply the openings table in ANSI B11.19, or ISO 13857, or CSA Z432 to determine the safety distance related to the gap.

            So, there are TWO distance requirements: 1) the gap between door and frame when the interlock is activated, and 2) based on the stopping time.

            Guard locking eliminates both of these considerations, since the guard cannot be opened when the hazard exists.

            Hope that helps!

          3. Helps a lot.
            I always install my switches as close to tripping as possible without nuisance tripping.
            It might take a little trial and error during installation but I think it’s worth it later.

          4. Great question and great answers so far. I had to dig to answer this question myself some years ago. Correct me if I am wrong. If I remember right, by daisy chaining you only get to cat3, or perhaps PL d. Doug mentions fault masking. I believe that when daisy chained you lose your exclusive diagnostics for each device. One device could be jumpered or shorted and the circuit would not diagnose this when another estop is pressed, released, and the system is reset. I believe this is an example of the defining difference between the last two levels. I also believe this example is an example that Doug mentions in one of his posts about how a device can be advertised as cat4 and misleading because the circuit is not designed to cat 4. The manufacturers are simply stating that the device has what is needed to be designed into a cat 4 circuit.

          5. Hey, controlsgirl! You are essentially correct about fault masking. There is an ISO Technical Report that discusses this issue, ISO/TR 24119, which is relevant to this discussion. Schmersal also publishes a free white paper on this topic, which you may find interesting.

            In ISO/TR 24119 there is a table that shows the reduction in PL that occurs depending on the number of daisy-chained devices and the frequency of use of the devices. Loss of Diagnostic Coverage due to fault masking results in a reduction of PL. It’s possible to go from PLe to PLc if you have enough devices daisy-chained. Hmmmm, I think I feel another article coming on… 😉

            BTW, this is not a case of manufacturers misleading users, but rather one of misapplication of a device. Keep in mind that a “safety relay” or other similar devices can be assessed under ISO 13849 or IEC 62061 and provided with a PL or SIL. That allows the designer to treat that device as a black-box with defined reliability characteristics. The problem comes when someone wants to assume that they will achieve a certain degree of reliability simply because they used a certain component. It just doesn’t work that way.

  9. For roll forming machines, our company determined with a risk assessment that the rollers need to retract upon hitting the e-stop button. Unfortunately, that does not meet the NFPA79 E-stop categories. Do you know of a code provision for this scenario?

    1. Gina,

      Good question. NFPA 79 offers two options for e-stop functions: Category 0, which immediately removes power from the hazardous motions (similar to “pulling the plug”), and Category 1, which allows for a graceful stop under control, followed by removal of power.

      If the best way to minimize the risk is to lift the forming rollers, then this is the necessary approach. In my opinion, this falls under Category 1 stop functions, since motion is permitted for a brief time after the e-stop device is activated. The key to this is the pneumatics appropriately so that the rollers won’t fall or drift when the Category 0 stop occurs. The other key part of this is selecting and setting up the motor drive so that the drive stops as quickly as possible before going to a zero energy state. You will need a drive with Safe Torque Off, or equivalent.

      If you need additional help with this, I would be happy to discuss it with you offline. 🙂

      1. Thank you for the reply, that is what I was thinking as well. Additionally, we found ANSI B11.12 E6.5 that allows for the rolls to raise/open on pressing e-stop. They are calling it a category 1 e-stop also. Thanks again!

        1. You’re welcome! Sorry I didn’t think about B11.12 – I guess I assumed you were already using that in your design.

          Let me know if there is anything else I can help you with!

  10. Andrew, you need to have a look at a safety relay catalog from any of the big manufacturers, Rockwell/Allen-Bradley, ABB/Jokab, Pilz, Telemecanique/Square-D, Schmersal, OMRON/STI, Pizzato, etc. All of them have suggested schematic diagrams in the catalogs. All modern safety relay products provide the required test frequency for automatic testing if they are correctly implemented in the system design. That does not remove your responsibility as a designer to mitigate the undetectable dangerous faults to those with an MTTFd < 30 a (for PLc applications, lower for lower Performance Levels).

    There is more to this than just a schematic.

  11. Hi Doug,

    Again a great read!
    Although I am normally involved in designing “incomplete machines” according to the European Machine Directive (2006/42), this topic is also important for me to understand fully. More and more I see that knowledge of these kinds of topics greatly adds to the value you can supply your customers with. There is a fine balance between designing an “incomplete machine” and delivering a solution the customer can actually use to build a safe complete machine and understands what the limitations and benefits are. Thanks again.

    1. Wouter,

      Thanks for the kind words. As I’m sure you know, the only real difference between complete machines and incomplete machines is the installation instructions that detail the residual risks that the user must safeguard once the product is integrated into the final machinery or installation. The need for emergency stop is determined in exactly the same way. One major myth that I run into here in Canada is “All machines must have an emergency stop”. This is incorrect. If an emergency stop will not improve the likelihood of avoiding harm or reduce the severity of injury, then there is no benefit to having one. Selection of the right category of stop is equally important, since many motor driven loads that use a VFD, servo or stepper drive can be stopped more quickly under control than by simply dropping power.

      Thanks again for your comments!
