Emergency Stop Categories

Typical emergency stop button

I’ve noticed a lot of people looking for information on Emergency Stop categories recently; this article is aimed at those readers who want to understand this topic in more depth. First, a clarification: Emergency stop categories DO NOT EXIST, but stop categories do. A stop category is a description of a control function – what the control does – and not the architecture of the system that provides the function.

Stop categories are often confused with circuit or system architecture categories from EN 954-1 [1] and ISO 13849-1 [2]. The confusion between these two sets of Categories often leads to incorrect assumptions about the application of these requirements.

“Emergency stop” is a description of a control function, with the added “emergency” telling you WHEN this stop function is intended to be used – only during an emergency situation. A “cycle stop” is also a functional description that tells the user WHAT the stop function does. Both the emergency stop function and the cycle stop function use the SAME stop categories, with some limitations on the emergency stop function. More about that later in this article.

Stop Categories

The stop categories discussed here are not exclusive to emergency stop functions. They are STOP functions and may be used for normal stopping functions as well as the Emergency Stop function.

Stop categories and functional safety system architecture categories are not the same, and there are significant differences that need to be understood by control system designers. I’m going to sling a number of standards at you in this post, and I will provide references at the end if you want to dig deeper.

Functional safety architectural categories are defined and described in ISO 13849-1, and I’ve written quite a bit on these in the past. If you want to know more about Categories B, 1-4, check out this series of posts on ISO 13849-1 Categories.

Originating Standards

There are three standards that define the requirements for stop categories, and thankfully they are fairly closely harmonised, meaning that the definitions for the categories are essentially the same in each document. They are:

  • ISO 13850, Safety of machinery — Emergency stop function — Principles for design [3]
  • IEC 60204-1, Safety of machinery — Electrical equipment of machines — Part 1: General requirements (aka EN 60204-1) [4]
  • NFPA 79, Electrical Standard for Industrial Machinery [5]

A new Canadian standard was added in 2016, CSA C22.2 No. 301 [9]. This standard draws heavily on a number of standards for core material, including IEC 60204-1 and NFPA 79. CSA C22.2 No. 301 uses identical definitions for stop function categories.

Stop Category Definitions

The stop categories are broken down into three general groups in [4], [5], and [9]:

  • Category 0 – Equivalent to pulling the plug;
  • Category 1 – Bring things to a graceful stop, then pull the plug; and
  • Category 2 – Bring things to a stop and hold them there under power.

Let’s look at the definitions in more detail. For comparison, I’m going to show the definitions from the standards side-by-side.

| Category | IEC 60204-1 | NFPA 79 | CSA C22.2 No. 301 |
|---|---|---|---|
| 0 | stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop – see 3.56); | is an uncontrolled stop by immediately removing power to the machine actuators. | stopping by immediate removal of power to the machine actuators (i.e., an uncontrolled stop); |
| 1 | a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved; | is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved. | a controlled stop with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved; |
| 2 | a controlled stop with power left available to the machine actuators. | is a controlled stop with power left available to the machine actuators. | a controlled stop with power left available to the machine actuators. |

Definitions from IEC 60204-1:

3.11 controlled stop
stopping of machine motion with electrical power to the machine actuators maintained during the stopping process
3.56 uncontrolled stop
stopping of machine motion by removing electrical power to the machine actuators
NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.

As you can see, the Stop Category descriptions are virtually identical, with the primary difference being the use of the definitions in the IEC standard instead of including that information in the description as in the NFPA standard.

Minimum Requirements

[4], [5], and [9] require that all machines have at least a Category 0 stop. This could be achieved by switching off (e.g., by using the disconnecting means to switch off power), by physically “pulling the plug” from the power supply socket on the wall, through a ‘master control relay’ circuit, or through an emergency stop circuit. Note that this does not require that all machines have an e-stop! The need for an emergency stop function is determined in two ways:

  1. Existence of a Type-C (i.e., machine specific) technical standard that requires that type of machinery to have an emergency stop function, or
  2. through the risk assessment, based on the potential to avoid or limit harm.

If these goals cannot be achieved through an emergency stop function, there is no requirement to have one. I have yet to read legislation (not standards) in any jurisdiction that states that all machines must have an e-stop. Certain classes of machines may have this requirement, normally defined in the relevant type-C machinery standard, e.g., ISO 10218-1 [10] for industrial robots.

ISO 13850 limits the selection of stop category to Category 0 or 1 and excludes Category 2. This exclusion can be found in NFPA 79, IEC 60204-1, and CSA C22.2 No. 301 as well. Category 2 may only be used for operational or “normal” stopping functions.

To learn more about how to determine the need for an emergency stop, see, “Emergency Stop — What’s so confusing about that?”

Selecting a Stop Function

How do you decide on what stop category to use? First, a risk assessment is required. Second, a start/stop analysis should be conducted. More on this topic a bit later.

Once the risk assessment is complete, ask these questions:

1) Will the machinery stop safely using an uncontrolled stop?

If the machinery does not have a significant amount of inertia, meaning it won’t coast more than a very short time, then a Category 0 stop may be all that is required.

2) If the machinery can coast when power is removed, or if the machinery can be stopped more quickly under control than when power is simply removed, then a Category 1 stop is likely the best choice, even if the power-off coasting time is fairly short.

Vertical axes that may collapse when power is removed will likely need additional mechanical hardware to prevent the tooling from falling during an emergency stop condition. This could be a mechanical brake or other means that will prevent the tooling from falling unexpectedly.

3) If the machinery includes devices that require power to keep them in a safe state, then a Category 2 stop is likely the best choice.

If you choose to use a Category 2 stop, be aware that leaving power on the machinery leaves the user open to hazards related to having power on the machinery. Careful risk assessment is required in these cases especially.

Category 2 stops are not permitted for emergency stop functions under most circumstances, although you may use them for normal stop functions. There is an option to use a Category 2 stop if it can be justified by the risk assessment; however, I strongly recommend that you conduct an FMEA on the emergency stop function. It’s important to look for failures that could lead to a catastrophic loss of control if power is lost while the machine is in the emergency stop state. ISO 13850, IEC 60204-1, and NFPA 79 explicitly limit emergency stop functions to Categories 0 and 1. CSA C22.2 No. 301 permits the use of Category 2 stop functions for emergency stopping.
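
The three stop categories and the selection questions above, worked through as an added Python example (not taken from the article or from any of the standards). It models one hypothetical axis with constant deceleration, including the loss-of-supply failure mentioned for Category 2. The axis values, the `max_coast_s` threshold and all names are assumptions, and the emergency stop check follows this section's statement about which standards permit Category 2.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class StopCategory(IntEnum):
    CAT0 = 0  # uncontrolled stop: power removed immediately
    CAT1 = 1  # controlled stop, power removed once the stop is achieved
    CAT2 = 2  # controlled stop, power left available to the actuators


# Per this section, only CSA C22.2 No. 301 permits Category 2 for emergency stop.
PERMITS_CAT2_ESTOP = {"CSA C22.2 No. 301"}


@dataclass
class Axis:
    """Hypothetical single-axis model with constant deceleration (assumption)."""
    speed_rpm: float
    coast_decel: float   # rpm/s lost with power removed (friction only)
    drive_decel: float   # rpm/s the drive can achieve while powered
    needs_power_to_hold: bool = False  # device needs power to stay in a safe state


@dataclass
class StopResult:
    category: StopCategory
    stop_time_s: float
    powered_after_stop: bool
    holding_lost: bool   # True if a power-dependent safe state was lost


def simulate_stop(axis: Axis, category: StopCategory,
                  supply_lost_at_s: Optional[float] = None,
                  dt_ms: int = 10) -> StopResult:
    """Step the axis to standstill under the given stop category.

    supply_lost_at_s models an unplanned loss of supply during or after the
    stop, the failure the article suggests examining with an FMEA.
    """
    speed, steps = float(axis.speed_rpm), 0
    powered = category != StopCategory.CAT0  # Cat 0 removes power at t = 0
    while speed > 0:
        if supply_lost_at_s is not None and steps * dt_ms / 1000 >= supply_lost_at_s:
            powered = False  # the drive can no longer decelerate the load
        decel = axis.drive_decel if powered else axis.coast_decel
        if decel <= 0:
            raise ValueError("axis cannot reach standstill in this mode")
        speed = max(0.0, speed - decel * dt_ms / 1000)
        steps += 1
    if category == StopCategory.CAT1 or supply_lost_at_s is not None:
        powered = False  # Cat 1 removes power at standstill; a lost supply stays lost
    holding_lost = axis.needs_power_to_hold and not powered
    return StopResult(category, steps * dt_ms / 1000, powered, holding_lost)


def select_stop_category(axis: Axis, max_coast_s: float = 0.2) -> StopCategory:
    """Apply the three selection questions in this section.

    max_coast_s is an assumed threshold for "a very short time"; the real
    value comes out of the risk assessment.
    """
    if axis.needs_power_to_hold:
        return StopCategory.CAT2          # question 3
    coast_s = simulate_stop(axis, StopCategory.CAT0).stop_time_s
    controlled_is_faster = axis.drive_decel > axis.coast_decel
    if coast_s > max_coast_s or controlled_is_faster:
        return StopCategory.CAT1          # question 2
    return StopCategory.CAT0              # question 1


def estop_category_permitted(category: StopCategory, standard: str) -> bool:
    """Category 2 is refused for emergency stop unless the standard allows it."""
    return category != StopCategory.CAT2 or standard in PERMITS_CAT2_ESTOP


# Constructed sample axes (illustrative values, not from the article).
SPINDLE = Axis(speed_rpm=1500, coast_decel=300, drive_decel=3000)
CLAMP = Axis(speed_rpm=600, coast_decel=300, drive_decel=3000,
             needs_power_to_hold=True)
LIGHT_FAN = Axis(speed_rpm=100, coast_decel=1000, drive_decel=0)

if __name__ == "__main__":
    for cat in StopCategory:
        print(simulate_stop(SPINDLE, cat))
    # Supply fails 0.2 s into a Category 1 stop: the axis coasts the rest of the way.
    print(simulate_stop(SPINDLE, StopCategory.CAT1, supply_lost_at_s=0.2))
    for axis in (SPINDLE, CLAMP, LIGHT_FAN):
        print(select_stop_category(axis).name)
```
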

Risk Assessment and Stop/Start Analysis

Risk assessment is critical to the specification of all safety-related functions. While emergency stop is not a safeguard, it is considered to be a ‘complementary protective measure’ [6, 6.2.3.5.3], [7, 3.19, 6.3]. Understanding the hazards that need to be controlled and the degree of risk related to the hazards is basic design information that will provide specific direction on the stop category required and the degree of control reliability necessary to provide the expected risk reduction.

Stop/Start Analysis is quite simple, originating in ISO 12100. It amounts to considering all of the intended stop/start conditions for the machinery and then including conditions that may result from reasonably foreseeable failure modes of the machinery and foreseeable misuses of the machinery. Create a table with three columns as a starting point, similar to Table 2.

Table 2 - Example start/stop analysis

| Description | Start Condition | Stop Condition |
|---|---|---|
| Lubricant Pump | Lubricant Pump Start Button Pressed | Lubricant Pump Stop Button Pressed; Low Lubricant Level in reservoir; High-pressure drop across lubricant filter |
| Main Spindle Motor | Start enabled and Start Button Pressed | Low Lubricant Pressure; Stop button pressed |
| Feed Advance motor | Feed Advance button pressed | Feed Stop button pressed; Feed end of travel limit reached |
| Emergency Stop | | All motions stop, lubricant pump remains running |

The above table is simply an example of what a start/stop analysis might look like. You can have as much detail as you like.

Control Reliability Requirements

Both ISO 13849-1 and IEC 62061 [8] base the initial requirements for reliability on the outcome of the risk assessment (PLr or SILr). If the stopping condition is part of normal operation, then simple circuit requirements (i.e. PLa, Category 1) are all that may be required. If the stopping condition is intended to be an Emergency Stop, then additional analysis is needed to determine exactly what may be required.

More Information

How have you typically implemented your stops and emergency stop systems?

Have you ever used the START/STOP analysis method?

I care about what you think as a reader, so please leave me comments and questions! If you would prefer to discuss your question privately, contact me directly.

Ed. Note: This article was updated 2022-08-24.


References

[1] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design, EN 954-1. European Committee for Standardization (CEN). 1996.

[2] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design, ISO 13849-1. International Organization for Standardization (ISO). 2015.

[3] Safety of machinery — Emergency stop function — Principles for design, ISO 13850. International Organization for Standardization (ISO). 2015.

[4] Electrical Equipment of Industrial Machines, IEC 60204-1. International Electrotechnical Commission (IEC). 2009.

[5] Electrical Standard for Industrial Machinery, ANSI/NFPA 79. National Fire Protection Association (NFPA). 2015.

[6] Safeguarding of Machinery, CSA Z432. Canadian Standards Association (CSA). 2016.

[7] Safety of machinery — General principles for design — Risk assessment and risk reduction, ISO 12100. International Organization for Standardization (ISO). 2010.

[8] Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC 62061. International Electrotechnical Commission (IEC). 2005.

[9] Industrial electrical machinery, CSA C22.2 No. 301. Canadian Standards Association (CSA). 2016.

[10] Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots. ISO 10218-1. International Organization for Standardization (ISO). 2011.

© 2010 – 2022, Compliance inSight Consulting Inc. Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

44 thoughts on “Emergency Stop Categories”

  1. Thanks, Doug Nix, words are too small for the value you add through your content. This is the best guide I have seen so far on the internet. Emergency Stop Categories were easy to understand with comprehensive and easy explanations.

  2. Thanks for publishing such useful information. This will be a great site for us to reference when we are training new employees at our safety briefings.

    1. Hi David,

      You’re very welcome. I’m glad that you are finding my work helpful. If I can answer any other questions, please get in touch.

  3. Moving machinery can cause injuries in many ways: … Injuries can also occur due to machinery becoming unreliable and developing faults or when machines are used improperly through inexperience or lack of training.

    1. Hi Brian,

      You are correct. This is one of the reasons why complementary protective measures like the emergency stop function are needed and are so common on machines. Emergency stop systems are not a substitute for training and supervision. If you have trainees or apprentices working with hazardous machinery the presence of an emergency stop system will not prevent injuries – only properly designed safeguarding can do that, and even then not in all cases. Emergency stop functions are not safeguarding, and cannot be used as such. National machinery safety standards make that very clear.

  4. Thank you for sharing with us the different stop categories and how they apply to machinery used in the industries. I would imagine that it is vital for a factory to maintain watchfulness on its operating machines at all times to ensure the safety of the operators and workers. I have a friend who is thinking of going into machinery. I will share with him about machine control safety and remind him to take good care of himself when handling high-risk machines.

      1. Hi Doug,
        Is there any time limit given for stopping the machine? For example, if stop is initiated then the machine should stop in a given time (say 1 or 2 sec) or immediately.

        1. Hi Wiquar,
          No, there is no defined time limit for an emergency stop. The standards recommend that it happens as quickly as possible, but consideration must be given to potential damage to the machinery which might then create new hazards. So as quickly as practical, without doing catastrophic damage to the machine.

  5. So if you had a risk assessment for a particular piece of equipment and it came to a particular PLd requirement, if you safe guarded the hazard with the appropriate fencing/interlocks etc., and thus successfully reduced the risk to an acceptable level. Would you still need to create a PLd emergency stop circuit or just stick to the minimum level PLc?

    1. Hey RN! Good question. The PL requirement for the estop is determined in the same way as any other safety function, with the difference being the minimum PLc requirement. You need to consider the types of events that might occur where the e-stop might be helpful in reducing or avoiding harm. This will require a bit of brainstorming, since what you are looking for is unusual events that the regular safeguarding is not designed to mitigate. Here’s an example: The machine is a CNC lathe with a complete enclosing guard that is interlocked. The chuck is pneumatically actuated. During operation, the valve controlling the chuck suffers a seal failure, and the chuck is unexpectedly released. It doesn’t open fully, but its grasp on the part relaxes enough that the part starts to oscillate in the jaws. If nothing is done, eventually the part will be ejected. In the intervening time, the part is slapping around and is starting to break tools and damage the tool carrier. The guarding is designed to contain swarf and coolant, and MAY contain an ejected part, but it’s not guaranteed. Using this scenario, assess the risk. If I use the ISO 14121-2 decision tree, I’d get S2, F1, O1, A2 –> R2. That score maps to an ISO 13849-1 decision tree of S2, F1, P2 –> PLr = d. Now, if the guarding was designed to contain an ejected part of the largest size that the machine could handle, then you could change the S scores to S1, which would drop the initial risk to R1, and the PLr to b. Since you aren’t permitted to go lower than PLr=c for estop, then that would be the answer.

      I hope that helps!

      1. So is it stated anywhere that the Emergency stop circuit should meet the same performance level as any safety function within a machine? Even though you may contain the risk completely with this safety function at a higher performance level.

        1. No. You could consider that idea to be an ‘acceptable practice’, but there is no technical or engineering basis for taking that approach.

          The performance requirements for any safety function are always taken in isolation, based on the safety requirement specification for the safety function. Performance requirements are never linked to the performance requirements of any other safety function.

          The minimum performance requirement for an emergency stop function is given in ISO 13850. After that, if there is an applicable type C standard (machine specific standard), that standard MAY give a requirement. If not, it is always based on the risk assessment and is not linked to the PLr for any other safety function.

  6. What about racks of test equipment that has meters and scopes for low-voltage measurements, but there’s no machine motion to stop? Is a Category 0 E-Stop still required to remove power from everything, including the computer?

    1. Hey Rick!

      First – E-stops are not 100% mandatory in most cases. The requirement is based on a couple of things:

      1) Is there a Type-C (i.e., machine specific) technical standard that applies AND requires an e-stop?
      2) Does a risk assessment show that an e-stop might have benefits for avoiding or limiting harm?

      If the answers to those questions are both “NO”, then there is no requirement for an e-stop.

      On to your specific example. A machine is defined as “an assembly of linked parts, at least one of which moves, with the power and controls necessary for a defined end-function”. This definition is derived from the EU Machinery Directive, but is increasingly accepted around the world. The equipment that you describe is not a machine based on this description. The movement of analog gauge needles would not be enough to trigger the requirements, because the movement of the needles is not hazardous (see question #2 above).

      Also, bear in mind that cord connected equipment already has a Category 0 stop built-in – Pulling the plug from the wall counts as a disconnecting means and meets all of the requirements for Cat. 0 stop functions AND energy isolation for the purpose of hazardous energy control procedures.

      Let me know if you need more information on this topic. You can book a consultation with me by visiting https://dougnix.acuityscheduling.com/schedule.php.

  7. Another great discussion! I stumbled upon this because many servos include the STO function. I looked in the manual of the product that I am working with on this particular product and the manual claims the STO function to be compliant with a safe stop 0. However, every time I see a servo with STO capability implemented, there is still a contactor killing the line feed into the servo that is driven by the same conditions as the STO signals. It seems as if STO would replace the need to use a contactor to break the feed coming into the servo. Am I incorrect? Are there still advantages to opening up the line connection with a contactor in addition to using STO? If it is redundant, are you aware of any manufacturing plants that still require both?

    1. Interesting question. I’m actually planning an article on this topic right now, but I’ve got a couple of additional pieces to finish out the 13849 series first.

      If the drive has STO, it will already have the capability to provide a reliable zero-torque condition to the motor. If you look at the specs for the drive you will find that the STO function will normally have a PL or SIL rating, or a PFHd given. If the STO function is rated as PLe, for example, there is no need for an additional line contactor upstream of the drive unless the drive installation calls for one.

      “Safe-off”, “safe-stop” and similar terms are used by drive manufacturers but are not reflected in the technical standards for these products, and so don’t have a standardised technical definition.

      This question is complex enough that I can’t fully address it here, but I will try to hit the whole topic in the article when I publish it.

      Thanks for your continued interest!

      1. Further to this comment, watch the blog on 3-Jul-17 for the article on STO, SS1, SS2 and SOS functions for motor drives!

  8. Am I allowed to wire coded magnetic switches or keyed interlock switches in series with an E-stop or will I need to use 2 separate safety relays?
    Just found your site, thanks for taking the time to inform us, greatly appreciated.

    1. T-mac,

      It’s not so much a case of “allowed to” wire them in series or not. Let me explain.

      Best practice is to separate the e-stop function and the safeguarding functions. This is done for a few reasons:

      1) Emergency Stop controls are considered to be “complementary protective measures”, not safeguards. They are manually activated, and should normally be infrequently used. This is because they are used to back up the primary safeguards, like interlocked guards, or safeguarding devices. As backup devices, they typically require a lower level of reliability than the primary safeguards. ISO 13850, which defines emergency stop functions, requires a minimum performance level of PLc for these systems, however, higher performance levels may be required based on the risk assessment.

      2) Safeguards are required to act automatically, without the user being aware of the operation of the function. The reliability of the safety function is driven directly by the risk assessment. On most industrial machinery, these systems require PLc, PLd, or PLe.

      3) Recovery from an emergency stop condition, and recovery from a safeguarding condition are often quite different. Depending on what kind of emergency stop function is selected (IEC 60204-1/NFPA 79 Category 0 or 1), the effects on the machine can be quite severe, and recovery can be complex. Safeguarding conditions commonly use Category 1 or 2 stop functions, which are more controlled and generally don’t leave the machine badly disordered. Recovery is normally simpler. Since safeguarding conditions are more common as operators open doors/gates or break light curtain fields, the machine reactions usually need to be different from what happens in an emergency situation.

      Daisy-chaining devices, whether it’s e-stop buttons, interlock switches, or something else, can create fault-masking conditions, where a failure can occur in one device in the chain, but the fault is masked by the operation of another device in the chain. This can be a serious problem, since ISO 13849-1 requires that systems with Category 3 or 4 architectures detect faults either as they occur, or on the next demand on the safety function. Masked faults may be detected, and this leads to failure modes that are not permitted, nor are they what you want in your control system.

      Where you have e-stop devices or interlocks that are infrequently used, they may not be tested frequently enough to meet the testing requirements of the architecture you’ve selected, and this may lead to masked faults as well.

      So, in general, combining emergency stop functions with safeguarding functions is considered bad practice, even though it is still often done. I would recommend separating the functions for all of the reasons given, and I would also recommend against daisy chaining input devices to a single safety relay.

      1. I would generally separate them as I have always done in the past.
        This application is installing coded mag switches on new guarding. There is a PILZ safety PLC installed on the machine and my request to purchase the PLC software (along with the new PSR after modifying the program) was declined.
        The switches are rated to be used cat 4 and there is a monthly procedure where the operators test the E-stops, and interlocks on the equipment.
        The existing guarding is done by light curtains that bring the machine to a “cycle stop” so as not to destroy the product and make for a longer restart/set up.
        The new guarding is at a much closer proximity to the actual hazard and I need the machine to stop immediately.
        Although not ideal, wiring in series would still be accepted in this scenario?

        1. T-mac,

          If the new guarding is close to the tooling, the first thing I would suggest is a stop time test. You need to know if the guarding is within the minimum safety distance. You use the same calculation as used for a light curtain, Ds=KxT, K=1600 mm/s or 63 in/s. T is the stopping time in seconds. Since you mention that the machine is already using stop category 1, the stopping time may be quite long.

          If the guards are too close to the hazards to meet this safety distance, then you will need to implement guard locking. This can be combined with a “request to enter” function, or can simply be held locked until the machine is stopped, either at the end of a cycle, or until the machine is switched out of automatic mode and into manual mode. There are tons of options in how to do this.

          WRT your comments about the interlock switches being Category 4, all this tells you is that the switch/controller combination uses Category 4 architecture. There will be a PL associated with this – have a look at the data sheet. This information is used in assessing the safety system PL. The two pieces of information are important. You may also find an MTTFd spec, and this is also important, but less so than the PL initially.

          1. Machine stopping via the current estop is instant, no coasting, no reversing by tension upon the material.
            This “new” pinch point is a roller that was previously missed and now being addressed.
            The hinged guards that are now on that roller(s) are roughly 3.5″ away. The door has to be swung out when opened which adds a little more distance when accessing.
            I should have given more info about the application in my first question, sorry.

          2. T-mac,

            Thanks for the additional information. Unfortunately, no machinery stops instantaneously, since that would require infinite negative acceleration. Even if the stopping time is very short, let’s say 100 ms for argument’s sake, the safety distance is Ds=63″/s * 0.100 s = 6.3″. To make the 3.5″ distance work the stopping time would have to be 3.5/63=0.055 s. So, thing 1: Stop Time Test. Without this you cannot say that the interlocked door will provide the protection required. If you can’t do the test for any reason, then go to interlocked doors with guard locking. You will need a zero-speed detection system so that the lock cannot be released until the web/roller speed = zero.

            WRT the opening of the guard and the additional distance that you would like to claim, unless the interlock is activated before a gap appears between the door and the frame, you really can’t make this claim. You need to measure the gap between the edge of the door and the frame at the point where the interlock activates, and then apply the openings table in ANSI B11.19, or ISO 13857, or CSA Z432 to determine the safety distance related to the gap.

            So, there are TWO distance requirements: 1) the gap between door and frame when the interlock is activated, and 2) based on the stopping time.

            Guard locking eliminates both of these considerations, since the guard cannot be opened when the hazard exists.

            Hope that helps!

          3. Helps a lot.
            I always install my switches as close to tripping as possible without nuisance tripping.
            It might take a little trial and error during installation but I think it’s worth it later.

          4. Great question and great answers so far. I had to dig to answer this question myself some years ago. Correct me if I am wrong. If I remember right, by daisy chaining you only get to cat3, or perhaps pl d. Doug mentions fault masking. I believe that when daisy chained you lose your exclusive diagnostics for each device. One device could be jumpered or shorted and the circuit would not diagnose this when another estop is pressed, released, and the system is reset. I believe this is an example of the defining difference between the last two levels. I also believe this example is an example that Doug mentions in one of his posts about how a device can be advertised as cat4 and misleading because the circuit is not designed to cat 4. The manufacturers are simply stating that the device has what is needed to be designed into a cat 4 circuit.

          5. Hey, controlsgirl! You are essentially correct about fault masking. There is an ISO Technical Report that discusses this issue, ISO/TR 24119, https://www.iso.org/standard/63160.html, which is relevant to this discussion. Schmersal also publishes a free white paper on this topic, http://www.schmersalusa.com/cms17/opencms/html/en/service/contributions.html?id=28, which you may find interesting.

            In ISO/TR 24119 there is a table that shows the reduction in PL that occurs depending on the number of daisy-chained devices and the frequency of use of the devices. Loss of Diagnostic Coverage due to fault masking results in a reduction of PL. It’s possible to go from PLe to PLc if you have enough devices daisy-chained. Hmmmm, I think I feel another article coming on… 😉

            BTW, this is not a case of manufacturers misleading users, but rather one of misapplication of a device. Keep in mind that a “safety relay” or other similar devices can be assessed under ISO 13849 or IEC 62061 and provided with a PL or SIL. That allows the designer to treat that device as a black-box with defined reliability characteristics. The problem comes when someone wants to assume that they will achieve a certain degree of reliability simply because they used a certain component. It just doesn’t work that way.

  9. For roll forming machines, our company determined with a risk assessment, that the rollers need to retract upon hitting the e-stop button. Unfortunately, that does not meet the NFPA79 E-stop categories. Do you know of a code provision for this scenario?

    1. Gina,

      Good question. NFPA 79 offers two options for e-stop functions: Category 0, which immediately removes power from the hazardous motions (similar to “pulling the plug”), and Category 1, which allows for a graceful stop under control, followed by removal of power.

      If the best way to minimize the risk is to lift the forming rollers, then this is the necessary approach. In my opinion, this falls under Category 1 stop functions, since motion is permitted for a brief time after the e-stop device is activated. The key to this is the pneumatics appropriately so that the rollers won’t fall or drift when the Category 0 stop occurs. The other key part of this is selecting and setting up the motor drive so that the drive stops as quickly as possible before going to a zero energy state. You will need a drive with Safe Torque Off, or equivalent.

      If you need additional help with this, I would be happy to discuss it with you offline. 🙂

      1. Thank you for the reply, that is what I was thinking as well. Additionally, we found ANSI B11.12 E6.5 that allows for the rolls to raise/open on pressing e-stop. They are calling it a category 1 e-stop also. Thanks again!

        1. You’re welcome! Sorry I didn’t think about B11.12 – I guess I assumed you were already using that in your design.

          Let me know if there is anything else I can help you with!

  10. Andrew, you need to have a look at a safety relay catalog from any of the big manufacturers, Rockwell/Allen-Bradley, ABB/Jokab, Pilz, Telemecanique/Square-D, Schmersal, OMRON/STI, Pizzato, etc. All of them have suggested schematic diagrams in the catalogs. All modern safety relay products provide the required test frequency for automatic testing if they are correctly implemented in the system design. That does not remove your responsibility as a designer to mitigate the undetectable dangerous faults to those with an MTTFd < 30 a (for PLc applications, lower for lower Performance Levels).

    There is more to this than just a schematic.

  11. Hi Doug,

    Again a great read!
    Although I am normally involved in designing “incomplete Machines” according to the European Machine Directive (2006/42), this topic is also important for me to understand fully. More and more I see that knowledge of these kinds of topics greatly add to the value you can supply your customers with. There is a fine balance between designing an “incomplete machine” and delivering a solution the customer can actually use to build a safe complete machine and understands what the limitations and benefits are. Thanks again.

    1. Wouter,

      Thanks for the kind words. As I’m sure you know, the only real difference between complete machines and incomplete machines are installation instructions that detail the residual risks that the user must safeguard once the product is integrated into the final machinery or installation. The need for emergency stop is determined in exactly the same way. One major myth that I run into here in Canada is “All machines must have an emergency stop”. This is incorrect. If an emergency stop will not improve the likelihood of avoiding harm or reduce the severity of injury, then there is no benefit to having one. Selection of the right category of stop is equally important, since many motor driven loads that use a VFD, servo or stepper drive can be stopped more quickly under control than by simply dropping power.

      Thanks again for your comments!
