- Emergency Stop — What’s so confusing about that?
- Checking Emergency Stop Systems
- Busting Emergency Stop Myths
- Guarding Emergency Stop Devices
- Emergency Stop Categories
- Using E-Stops in Lockout Procedures
- Reader Question: Multiple E-Stops and Resets
- Updates to Popular Articles
- New contact block design for Emergency Stop devices from Siemens
- Emergency stop devices: the risks of installer liability
- Testing Emergency Stop Systems
- STO)”>Safe Drive Control including Safe Torque Off (STO)
- Emergency Stop Failures
I’ve noticed a lot of people looking for information on Emergency Stop categories recently; this article is aimed at those readers who want to understand this topic in more depth. First, a clarification: Emergency stop categories DO NOT EXIST, but stop categories do. A stop category is a description of a control function — what the control does — and not the architecture of the system that provides the function. Stop categories are often confused with circuit or system architecture categories from EN 954–1 and ISO 13849–1 . The confusion between these two sets of Categories often leads to incorrect assumptions about the application of these requirements.
“Emergency stop” is a description of a control function, with the added “emergency” telling you WHEN this stop function is intended to be used — only during an emergency situation. A “cycle stop” is also a functional description that tells the user WHAT the stop function does. Both the emergency stop function and the cycle stop function use the SAME stop categories, with some limitations on the emergency stop function. More about that later in this article.
The stop categories discussed here are not exclusive to emergency stop functions. They are STOP functions and may be used for normal stopping functions as well as the Emergency Stop function.
Stop categories and functional safety system architecture categories are not the same, and there are significant differences that need to be understood by control system designers. I’m going to sling a number of standards at you in this post, and I will provide references at the end if you want to dig deeper.
Functional safety architectural categories are defined and described in ISO 13849–1, and I’ve written quite a bit on these in the past. If you want to know more about Categories B, 1–4, check out this series of posts on ISO 13849–1 Categories.
There are three standards that define the requirements for stop categories, and thankfully they are fairly closely harmonised, meaning that the definitions for the categories are essentially the same in each document. They are:
- ISO 13850, Safety of machinery — Emergency stop function — Principles for design 
- IEC 60204–1, Safety of machinery — Electrical equipment of machines — Part 1: General requirements (aka EN 60204–1) 
- NFPA 79, Electrical Standard for Industrial Machinery 
A new Canadian standard was added in 2016, CSA C22.2 No. 301 . This standard draws heavily on a number of standards for core material, including IEC 60204–1 and NFPA 79. No. 301 uses identical definitions for stop function categories.
Stop Category Definitions
- Category 0 — Equivalent to pulling the plug;
- Category 1 — Bring things to a graceful stop, then pull the plug; and
- Category 2 — Bring things to a stop and hold them there under power.
Let’s look at the definitions in more detail. For comparison, I’m going to show the definitions from the standards side-by-side.
|Category||IEC 60204–1||NFPA 79||CSA C22.2 No. 301|
|0||stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop – see 3.56);||is an uncontrolled stop by immediately removing power to the machine actuators.||
stopping by immediate removal of power to the machine actuators (i.e., an uncontrolled stop;
|1||a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;||is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.||
a controlled stop with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;
|2||a controlled stop with power left available to the machine actuators.||is a controlled stop with power left available to the machine actuators.||
a controlled stop with power left available to the machine actuators.
Definitions from IEC 60204–1:
- 3.11 controlled stop
- >stopping of machine motion with electrical power to the machine actuators maintained during the stopping process
- 3.56 uncontrolled stop
- stopping of machine motion by removing electrical power to the machine actuators
- NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.
As you can see, the Stop Category descriptions are virtually identical, with the primary difference being the use of the definitions in the IEC standard instead of including that information in the description as in the NFPA standard.
, , and  require that all machines have at least a Category 0 stop. This could be achieved by switching off (i.e., by using the disconnecting means to switch off power for example), by physically “pulling the plug” from the power supply socket on the wall, or through a ‘master control relay’ circuit, or through an emergency stop circuit. Note that this does not require that all machines have an e-stop!! The need for an emergency stop function is determined in two ways:
- Existence of a Type-C (i.e., machine specific) technical standard that requires that type of machinery to have an emergency stop function, or
- through the risk assessment, based on the potential to avoid or limit harm.
If these goals cannot be achieved through an emergency stop function, there is no requirement to have one. I have yet to read legislation (not standards) in any jurisdiction that states that all machines must have an e-stop. Certain classes of machines may have this requirement, normally defined in the relevant type-C machinery standard, e.g., ISO 10218–1  for industrial robots.
ISO 13850 limits the selection of stop category to Category 0 or 1 and excludes Category 2. This exclusion can be found in NFPA 79, IEC 60204–1, and CSA C22.2 No. 301 as well. Category 2 may only be used for operational or “normal” stopping functions.
To learn more about how to determine the need for an emergency stop, see, “Emergency Stop – What’s so confusing about that?”
Selecting a Stop Function
How do you decide on what stop category to use? First, a risk assessment is required. Second, a start/stop analysis should be conducted. More on this topic a bit later.
Once the risk assessment is complete, ask these questions:
1) Will the machinery stop safely using an uncontrolled stop?
If the machinery does not have a significant amount of inertia, meaning it won’t coast more than a very short time, then a Category 0 stop may be all that is required.
2) If the machinery can coast when power is removed, or if the machinery can be stopped more quickly under control than when power is simply removed, then a Category 1 stop is likely the best choice, even if the power-off coasting time is fairly short.
Vertical axes that may collapse when power is removed will likely need additional mechanical hardware to prevent the tooling from falling during an emergency stop condition. This could be a mechanical brake or other means that will prevent the tooling from falling unexpectedly.
3) If the machinery includes devices that require power to keep them in a safe state, then a Category 2 stop is likely the best choice.
If you choose to use a Category 2 stop, be aware that leaving power on the machinery leaves the user open to hazards related to having power on the machinery. Careful risk assessment is required in these cases especially.
Category 2 stops are not permitted for emergency stop functions, although you may use them for normal stop functions. ISO 13850, IEC 60204–1, and NFPA 79 explicitly limit emergency stop functions to Categories 0 and 1. CSA C22.2 No. 301 permits the use of Category 2 stop functions for emergency stopping.
Risk Assessment and Stop/Start Analysis
Risk assessment is critical to the specification of all safety-related functions. While emergency stop is not a safeguard, it is considered to be a ‘complementary protective measure’ [6, 220.127.116.11.3], [7, 3.19, 6.3]. Understanding the hazards that need to be controlled and the degree of risk related to the hazards is basic design information that will provide specific direction on the stop category required and the degree of control reliability necessary to provide the expected risk reduction.
Stop/Start Analysis is quite simple, originating in ISO 12100. It amounts to considering all of the intended stop/start conditions for the machinery and then including conditions that may result from reasonably foreseeable failure modes of the machinery and foreseeable misuses of the machinery. Create a table with three columns as a starting point, similar to Table 2.
Example Start/Stop Analysis
|Description||Start Condition||Stop Condition|
|Lubricant Pump||Lubricant Pump Start Button Pressed||Lubricant Pump Stop Button Pressed|
|Low Lubricant Level in reservoir|
|High-pressure drop across lubricant filter|
|Main Spindle Motor||Start enabled and Start Button Pressed||Low Lubricant Pressure|
|Stop button pressed|
|Feed Advance motor||Feed Advance button pressed||Feed Stop button pressed|
|Feed end of travel limit reached|
|Emergency Stop||All motions stop, lubricant pump remains running|
The above table is simply an example of what a start/stop analysis might look like. You can have as much detail as you like.
Control Reliability Requirements
Both ISO 13849–1 and IEC 62061  base the initial requirements for reliability on the outcome of the risk assessment (PLr or SILr). If the stopping condition is part of normal operation, then simple circuit requirements (i.e. PLa, Category 1) are all that may be required. If the stopping condition is intended to be an Emergency Stop, then additional analysis is needed to determine exactly what may be required.
How have you typically implemented your stops and emergency stop systems?
Have you ever used the START/STOP analysis method?
I care about what you think as a reader, so please leave me comments and questions! If you would prefer to discuss your question privately, contact me directly.
Ed. Note: This article was updated 15-Jan-2018.
 Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. CEN Standard EN 954–1.1996.
 Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. ISO Standard 13849–1. 2015. Download ISO Standards
 Safety of machinery — Emergency stop function — Principles for design. ISO Standard 13850. 2015
 Electrical Equipment of Industrial Machines. IEC Standard 60204–1. 2009. Download IEC standards
 Electrical Standard for Industrial Machinery, ANSI/NFPA Standard 79, 2015. Download standards from ANSI
 Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.
 Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.