Reader Question: Multiple E-Stops and Resets

This entry is part 7 of 14 in the series Emer­gency Stop

Control Panel with Emergency Stop Button.I had an inter­est­ing ques­tion come in from a read­er today that is rel­ev­ant to many situ­ations:

When you have mul­tiple E-Stop but­tons I have often got­ten into an argu­ment that says you can have a reset beside each one. I was taught that you were required to have a single point of reset. Who is cor­rect?”

— Michael Barb, Sr. Elec­tric­al Engin­eer

The Short Answer

There is noth­ing in the EU, US or Cana­dian reg­u­la­tions that would for­bid hav­ing mul­tiple reset but­tons. How­ever, you must under­stand the over­lap­ping require­ments for emer­gency stop and pre­ven­tion of unex­pec­ted start-up.

The Long Answer:

First I need to define two dif­fer­ent types of reset for clar­ity:

  1. Emer­gency Stop Device Reset: Each e-stop device, i.e. but­ton, pull cord, foot switch, etc., is required to latch in the activ­ated state and must be indi­vidu­ally reset. Reset­ting the e-stop device is NOT per­mit­ted to re-start the machinery, only to per­mit restart­ing. (NFPA 79, CSA Z432, ISO 14118).
  2. Restart­ing the machine is a sep­ar­ate delib­er­ate action from reset­ting the emer­gency stop device(s).

ANSI B11-2008 provides some dir­ect guid­ance on this top­ic:

7.2.2 Zones

A machine or an assembly of machines may be divided into sev­er­al con­trol zones (e.g., for emer­gency stop­ping, stop­ping as a res­ult of safe­guard­ing devices, start-up, isol­a­tion or energy dis­sip­a­tion). The machine and con­trols in dif­fer­ent zones shall be defined and iden­ti­fied. Con­trols for machines in zones can be loc­al for each machine, across sev­er­al machines in a zone, or glob­ally for machines across zones. The con­trol require­ments shall be based on the oper­a­tion­al require­ments and on the risk assessment.The inter­faces between zones, includ­ing syn­chron­iz­a­tion and inde­pend­ent oper­a­tion, shall be designed such that no func­tion in one zone cre­ates a hazard(s) / haz­ard­ous situ­ation in anoth­er zone.

CSA Z432-04 has sim­il­ar word­ing:

6.2.1.8.4

When zones can be determ­ined, their delim­it­a­tions shall be evid­ent (includ­ing the effect of the asso­ci­ated emer­gency stop device). This shall also apply to the effect of isol­a­tion and energy dis­sip­a­tion.

Let’s take a case with a single e-stop but­ton first. The same require­ments apply for all e-stop devices. The require­ments include:

  1. But­ton must be in ‘easy-reach’ of the nor­mal oper­at­or pos­i­tion. I con­sider ‘easy-reach’ to be the range I can touch while sit­ting or stand­ing at the nor­mal oper­at­or pos­i­tion. This pos­i­tion is not neces­sar­ily in front of the con­trol pan­el. This is the pos­i­tion where the oper­at­or is expec­ted to be while car­ry­ing out the tasks expec­ted of them when the machine is oper­at­ing. This is the require­ment that drives hav­ing mul­tiple but­tons in most cases.
  2. E-stop devices can­not be loc­ated so that the oper­at­or must reach over or past a haz­ard to activ­ate them.
  3. The but­ton must latch in the oper­ated pos­i­tion.
  4. The but­ton must be robust enough to handle the mech­an­ic­al and elec­tric­al stresses that will be placed on it when used. i.e. rugged but­tons are required.
  5. When the e-stop device is reset – i.e returned to the ‘RUN’ pos­i­tion – the machine is NOT per­mit­ted to restart. It is only PERMITTED to restart. It must be restar­ted through anoth­er delib­er­ate action, like press­ing a ‘Power On’ but­ton.

So what do you do with the ‘POWER ON’ or safety cir­cuit reset but­ton? The first ques­tion to ask is: ‘What hap­pens when I reset this cir­cuit, apply­ing power to the con­trol cir­cuits?”

Case A: If it is impossible to see the entire machine from the loc­a­tion of the reset but­ton, then I would recom­mend a single reset but­ton loc­ated at the HMI or main con­sole. The oper­at­or must check to make sure the machine is clear before re-apply­ing power. Where the machine is too big to be com­pletely vis­ible from the main oper­at­or con­sole, then I would also recom­mend:

  • warn­ing horn,
  • warn­ing lights, and
  • a start-up delay that is long enough to allow a per­son to get clear of the machine before it starts mov­ing.

Case B: If the machine is simply ‘enabled’ at this point, but no motion occurs, then mul­tiple ‘reset’ or ‘power on’ but­tons may be accept­able, depend­ing on the out­come of the risk assess­ment and start/stop ana­lys­is. Hav­ing said that, the oper­at­or will likely have to return to a main con­sole to reset the machine and restart oper­a­tion, and chances are there is only one HMI screen on the machine, so there may not be any advant­age to hav­ing mul­tiple reset but­tons.

I would recom­mend doing two things to get a good handle on this: Con­duct a detailed risk assess­ment and include all nor­mal oper­a­tions and all main­ten­ance oper­a­tions. Then con­duct a start/stop ana­lys­is to look at all of the start­ing and stop­ping con­di­tions that you can reas­on­ably fore­see. Com­bine the res­ults of these two ana­lyses to find the start­ing and stop­ping con­di­tions with the highest risk, and then determ­ine if hav­ing mul­tiple reset but­tons will con­trib­ute to the risk or not. You may also want to look at the con­trol reli­ab­il­ity require­ments for the emer­gency stop sys­tem based on the out­come of the risk assess­ment and the start/stop ana­lys­is.

In a case where there are mul­tiple emer­gency stop devices, loc­a­tions are import­ant. There must be one at each nor­mal work­sta­tion to meet the reg­u­lat­ory require­ments in most jur­is­dic­tions, and with­in ‘easy reach’. You may also want some inside the machine if it is pos­sible to gain full body access inside the machinery. i.e. inside a robot work cell. Make sure that the but­tons or oth­er devices are loc­ated so that a per­son exposed to the hazard(s) inside the machine is not required to reach over or past the haz­ard to get to the but­ton.

Michael, I hope that settles the argu­ment!

Series Nav­ig­a­tionUsing E-Stops in Lock­out Pro­ced­uresUpdates to Pop­u­lar Art­icles

Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.