
Emergency Stop Categories

This entry is part 4 of 14 in the series Emergency Stop

I’ve noticed a lot of people looking for information on Emergency Stop categories recently; this article is aimed at those readers who want to understand this topic in more depth. First, a clarification: Emergency stop categories DO NOT EXIST, but stop categories do. A stop category is a description of a control function – what the control does – and not the architecture of the system that provides the function. Stop categories are often confused with circuit or system architecture categories from EN 954-1 [1] and ISO 13849-1 [2]. The confusion between these two sets of Categories often leads to incorrect assumptions about the application of these requirements.

“Emergency stop” is a description of a control function, with the added “emergency” telling you WHEN this stop function is intended to be used – only during an emergency situation. A “cycle stop” is also a functional description that tells the user WHAT the stop function does. Both the emergency stop function and the cycle stop function use the SAME stop categories, with some limitations on the emergency stop function. More about that later in this article.

Stop Categories

The stop categories discussed here are not exclusive to emergency stop functions. They are STOP functions and may be used for normal stopping functions as well as the Emergency Stop function.

Stop categories and functional safety system architecture categories are not the same, and there are significant differences that need to be understood by control system designers. I’m going to sling a number of standards at you in this post, and I will provide references at the end if you want to dig deeper.

Functional safety architectural categories are defined and described in ISO 13849-1, and I’ve written quite a bit on these in the past. If you want to know more about Categories B and 1 to 4, check out this series of posts on ISO 13849-1 Categories.

Originating Standards

There are three standards that define the requirements for stop categories, and thankfully they are fairly closely harmonised, meaning that the definitions for the categories are essentially the same in each document. They are:

  • ISO 13850, Safety of machinery — Emergency stop function — Principles for design [3]
  • IEC 60204-1, Safety of machinery – Electrical equipment of machines – Part 1: General requirements (aka EN 60204-1) [4]
  • NFPA 79, Electrical Standard for Industrial Machinery [5]

A new Canadian standard was added in 2016, CSA C22.2 No. 301 [9]. This standard draws heavily on a number of standards for core material, including IEC 60204-1 and NFPA 79. No. 301 uses identical definitions for stop function categories.


Stop Category Definitions

The stop categories are broken down into three general groups in [4], [5], and [9]:

  • Category 0 – Equivalent to pulling the plug;
  • Category 1 – Bring things to a graceful stop, then pull the plug; and
  • Category 2 – Bring things to a stop and hold them there under power.

Let’s look at the definitions in more detail. For comparison, I’m going to show the definitions from the standards side-by-side.

Table 1
Comparison of Stop Categories

| Category | IEC 60204-1 | NFPA 79 | CSA C22.2 No. 301 |
|---|---|---|---|
| 0 | stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop – see 3.56); | is an uncontrolled stop by immediately removing power to the machine actuators. | stopping by immediate removal of power to the machine actuators (i.e., an uncontrolled stop); |
| 1 | a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved; | is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved. | a controlled stop with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved; |
| 2 | a controlled stop with power left available to the machine actuators. | is a controlled stop with power left available to the machine actuators. | a controlled stop with power left available to the machine actuators. |

Definitions from IEC 60204-1:

3.11 controlled stop
stopping of machine motion with electrical power to the machine actuators maintained during the stopping process

3.56 uncontrolled stop
stopping of machine motion by removing electrical power to the machine actuators
NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.

As you can see, the Stop Category descriptions are virtually identical. The primary difference is that the IEC standard refers to its separate definitions of “controlled stop” and “uncontrolled stop”, whereas the NFPA standard includes that information in the description itself.


Minimum Requirements

[4], [5], and [9] require that all machines have at least a Category 0 stop. This could be achieved by switching off (e.g., by using the disconnecting means to switch off power), by physically “pulling the plug” from the power supply socket on the wall, through a ‘master control relay’ circuit, or through an emergency stop circuit. Note that this does not require that all machines have an e-stop! The need for an emergency stop function is determined in two ways:

  1. Existence of a Type-C (i.e., machine specific) technical standard that requires that type of machinery to have an emergency stop function, or
  2. through the risk assessment, based on the potential to avoid or limit harm.

If harm cannot be avoided or limited through an emergency stop function, there is no requirement to have one. I have yet to read legislation (not standards) in any jurisdiction that states that all machines must have an e-stop. Certain classes of machines may have this requirement, normally defined in the relevant type-C machinery standard, e.g., ISO 10218-1 [10] for industrial robots.

ISO 13850 limits the selection of stop category to Category 0 or 1 and excludes Category 2. This exclusion can be found in NFPA 79, IEC 60204-1, and CSA C22.2 No. 301 as well. Category 2 may only be used for operational or “normal” stopping functions.

To learn more about how to determine the need for an emergency stop, see “Emergency Stop – What’s so confusing about that?”

Selecting a Stop Function

How do you decide on what stop category to use? First, a risk assessment is required. Second, a start/stop analysis should be conducted. More on this topic a bit later.

Once the risk assessment is complete, ask these questions:

1) Will the machinery stop safely using an uncontrolled stop?

If the machinery does not have a significant amount of inertia, meaning it won’t coast more than a very short time, then a Category 0 stop may be all that is required.

2) If the machinery can coast when power is removed, or if the machinery can be stopped more quickly under control than when power is simply removed, then a Category 1 stop is likely the best choice, even if the power-off coasting time is fairly short.

Vertical axes that may collapse when power is removed will likely need additional mechanical hardware to prevent the tooling from falling during an emergency stop condition. This could be a mechanical brake or other means that will prevent the tooling from falling unexpectedly.

3) If the machinery includes devices that require power to keep them in a safe state, then a Category 2 stop is likely the best choice.

If you choose to use a Category 2 stop, be aware that leaving power on the machinery leaves the user open to hazards related to having power on the machinery. Careful risk assessment is required in these cases especially.

Category 2 stops are not permitted for emergency stop functions, although you may use them for normal stop functions. ISO 13850, IEC 60204-1, and NFPA 79 explicitly limit emergency stop functions to Categories 0 and 1. CSA C22.2 No. 301 permits the use of Category 2 stop functions for emergency stopping.
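To make the three definitions in Table 1 and the three selection questions above concrete, here is an added example that is not part of the article and not taken from any of the standards it cites. It models an axis with a constructed speed, a controlled deceleration the drive can apply while powered, a weaker coasting deceleration once power is removed, and an optional mechanical holding brake; `execute_stop` switches power off at exactly the point each category’s definition says, and `select_stop_category` walks the questions in order and refuses Category 2 for an emergency stop, following the ISO 13850 / IEC 60204-1 / NFPA 79 rule rather than the CSA exception. All names, the axis model and every number are constructed for illustration.

```python
"""Added example (not from the article or any cited standard): a model of Stop
Categories 0, 1 and 2 and of the article's three selection questions. The axis
model and all numeric values are constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum


class StopCategory(IntEnum):
    CAT0 = 0  # immediate removal of power: uncontrolled stop (coast or mechanical brake)
    CAT1 = 1  # controlled stop with power available, then power removed once stopped
    CAT2 = 2  # controlled stop with power left available to the actuators


# ISO 13850 / IEC 60204-1 / NFPA 79 limit emergency stop to Categories 0 and 1.
EMERGENCY_STOP_CATEGORIES = frozenset({StopCategory.CAT0, StopCategory.CAT1})


def is_permitted_for_emergency_stop(category: StopCategory) -> bool:
    return category in EMERGENCY_STOP_CATEGORIES


def select_stop_category(coasts_when_unpowered: bool,
                         needs_power_to_stay_safe: bool,
                         emergency_stop: bool) -> StopCategory:
    """Apply the article's three questions in order. Raises ValueError when the
    answers point at Category 2 for an emergency stop: that is not permitted,
    so the design needs other means (e.g. a mechanical brake) to be safe
    without power."""
    if needs_power_to_stay_safe:
        category = StopCategory.CAT2        # question 3
    elif coasts_when_unpowered:
        category = StopCategory.CAT1        # question 2
    else:
        category = StopCategory.CAT0        # question 1
    if emergency_stop and not is_permitted_for_emergency_stop(category):
        raise ValueError("Category 2 is not permitted for an emergency stop function")
    return category


@dataclass
class Axis:
    speed: float               # initial speed, constructed units of mm/s
    decel_controlled: float    # deceleration the drive can apply under power, mm/s^2
    decel_coast: float         # deceleration from friction alone with power removed
    holds_without_power: bool  # True if a mechanical brake holds the load when unpowered


@dataclass
class StopResult:
    category: StopCategory
    stop_time_s: float        # time until motion reaches zero
    stop_distance_mm: float   # distance travelled while stopping
    powered_after_stop: bool  # power still available to the actuator afterwards
    held_after_stop: bool     # load is held, either by power or by mechanical means


def execute_stop(axis: Axis, category: StopCategory, dt: float = 0.01) -> StopResult:
    """Integrate the stop in small time steps, removing power where the category
    definition says: Category 0 before stopping, Category 1 after the stop is
    achieved, Category 2 never."""
    powered = category != StopCategory.CAT0
    v, t, d = axis.speed, 0.0, 0.0
    while v > 1e-9:
        decel = axis.decel_controlled if powered else axis.decel_coast
        step = min(v, decel * dt)
        d += (v - step / 2) * dt   # trapezoidal distance over this step
        v -= step
        t += dt
    if category == StopCategory.CAT1:
        powered = False            # stop achieved, now remove power
    held = powered or axis.holds_without_power
    return StopResult(category, round(t, 2), round(d, 1), powered, held)


# Constructed sample: a horizontal axis that coasts a long way when unpowered.
HORIZONTAL_AXIS = Axis(speed=200.0, decel_controlled=400.0, decel_coast=40.0,
                       holds_without_power=True)
# Constructed sample: a vertical axis with no holding brake.
VERTICAL_AXIS = Axis(speed=200.0, decel_controlled=400.0, decel_coast=40.0,
                     holds_without_power=False)

if __name__ == "__main__":
    for cat in StopCategory:
        print(execute_stop(HORIZONTAL_AXIS, cat))
    print(select_stop_category(coasts_when_unpowered=True,
                               needs_power_to_stay_safe=False, emergency_stop=True))
```

With the constructed numbers, the horizontal axis takes 5 s and 500 mm to coast to rest under a Category 0 stop but only 0.5 s and 50 mm under Category 1 or 2, which is the article’s point about coasting inertia; the vertical axis without a brake is only held after a Category 2 stop, which is exactly the case where the emergency stop function needs mechanical hardware instead.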

Risk Assessment and Stop/Start Analysis

Risk assessment is critical to the specification of all safety-related functions. While emergency stop is not a safeguard, it is considered to be a ‘complementary protective measure’ [6, 6.2.3.5.3], [7, 3.19, 6.3]. Understanding the hazards that need to be controlled and the degree of risk related to the hazards is basic design information that will provide specific direction on the stop category required and the degree of control reliability necessary to provide the expected risk reduction.

Stop/Start Analysis is quite simple, originating in ISO 12100. It amounts to considering all of the intended stop/start conditions for the machinery and then including conditions that may result from reasonably foreseeable failure modes of the machinery and foreseeable misuses of the machinery. Create a table with three columns as a starting point, similar to Table 2.

Table 2
Example Start/Stop Analysis

| Description | Start Condition | Stop Condition |
|---|---|---|
| Lubricant Pump | Lubricant Pump Start Button pressed | Lubricant Pump Stop Button pressed; Low lubricant level in reservoir; High-pressure drop across lubricant filter |
| Main Spindle Motor | Start enabled and Start Button pressed | Low lubricant pressure; Stop button pressed |
| Feed Advance Motor | Feed Advance button pressed | Feed Stop button pressed; Feed end-of-travel limit reached |
| Emergency Stop | – | All motions stop, lubricant pump remains running |

The above table is simply an example of what a start/stop analysis might look like. You can include as much detail as you like.

Control Reliability Requirements

Both ISO 13849-1 and IEC 62061 [8] base the initial requirements for reliability on the outcome of the risk assessment (PLr or SILr). If the stopping condition is part of normal operation, then simple circuit requirements (i.e., PLa, Category 1) may be all that is required. If the stopping condition is intended to be an Emergency Stop, then additional analysis is needed to determine exactly what may be required.

More Information

How have you typically implemented your stops and emergency stop systems?

Have you ever used the START/STOP analysis method?

I care about what you think as a reader, so please leave me comments and questions! If you would prefer to discuss your question privately, contact me directly.

Ed. Note: This article was updated 15-Jan-2018.

References


[1] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. CEN Standard EN 954-1. 1996.

[2] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. ISO Standard 13849-1. 2015.

[3] Safety of machinery — Emergency stop function — Principles for design. ISO Standard 13850. 2015.

[4] Electrical Equipment of Industrial Machines. IEC Standard 60204-1. 2009.

[5] Electrical Standard for Industrial Machinery. ANSI/NFPA Standard 79. 2015.

[6] Safeguarding of Machinery. CSA Standard Z432. 2016.

[7] Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.

[8] Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

[9] Industrial electrical machinery. CSA Standard C22.2 No. 301. 2016.

[10] Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots. ISO Standard 10218-1. 2011.
