Machinery Safety 101

Reader Question: Multiple E‑Stops and Resets

This entry is part 7 of 16 in the series Emer­gency Stop

Control Panel with Emergency Stop Button.I had an inter­est­ing ques­tion come in from a read­er today that is rel­ev­ant to many situ­ations:

When you have mul­tiple E‑Stop but­tons I have often got­ten into an argu­ment that says you can have a reset beside each one. I was taught that you were required to have a single point of reset. Who is cor­rect?”

— Michael Barb, Sr. Elec­tric­al Engin­eer

The Short Answer

There is noth­ing in the EU, US or Cana­dian reg­u­la­tions that would for­bid hav­ing mul­tiple reset but­tons. How­ever, you must under­stand the over­lap­ping require­ments for emer­gency stop and pre­ven­tion of unex­pec­ted start-up.

The Long Answer:

First I need to define two dif­fer­ent types of reset for clar­ity:

  1. Emer­gency Stop Device Reset: Each e‑stop device, i.e. but­ton, pull cord, foot switch, etc., is required to latch in the activ­ated state and must be indi­vidu­ally reset. Reset­ting the e‑stop device is NOT per­mit­ted to re-start the machinery, only to per­mit restart­ing. (NFPA 79, CSA Z432, ISO 14118).
  2. Restart­ing the machine is a sep­ar­ate delib­er­ate action from reset­ting the emer­gency stop device(s).

ANSI B11-2008 provides some dir­ect guid­ance on this top­ic:

7.2.2 Zones

A machine or an assembly of machines may be divided into sev­er­al con­trol zones (e.g., for emer­gency stop­ping, stop­ping as a res­ult of safe­guard­ing devices, start-up, isol­a­tion or energy dis­sip­a­tion). The machine and con­trols in dif­fer­ent zones shall be defined and iden­ti­fied. Con­trols for machines in zones can be loc­al for each machine, across sev­er­al machines in a zone, or glob­ally for machines across zones. The con­trol require­ments shall be based on the oper­a­tion­al require­ments and on the risk assessment.The inter­faces between zones, includ­ing syn­chron­iz­a­tion and inde­pend­ent oper­a­tion, shall be designed such that no func­tion in one zone cre­ates a hazard(s) / haz­ard­ous situ­ation in anoth­er zone.

CSA Z432-04 has sim­il­ar word­ing:

When zones can be determ­ined, their delim­it­a­tions shall be evid­ent (includ­ing the effect of the asso­ci­ated emer­gency stop device). This shall also apply to the effect of isol­a­tion and energy dis­sip­a­tion.

Let’s take a case with a single e‑stop but­ton first. The same require­ments apply for all e‑stop devices. The require­ments include:

  1. But­ton must be in ‘easy-reach’ of the nor­mal oper­at­or pos­i­tion. I con­sider ‘easy-reach’ to be the range I can touch while sit­ting or stand­ing at the nor­mal oper­at­or pos­i­tion. This pos­i­tion is not neces­sar­ily in front of the con­trol pan­el. This is the pos­i­tion where the oper­at­or is expec­ted to be while car­ry­ing out the tasks expec­ted of them when the machine is oper­at­ing. This is the require­ment that drives hav­ing mul­tiple but­tons in most cases.
  2. E‑stop devices can­not be loc­ated so that the oper­at­or must reach over or past a haz­ard to activ­ate them.
  3. The but­ton must latch in the oper­ated pos­i­tion.
  4. The but­ton must be robust enough to handle the mech­an­ic­al and elec­tric­al stresses that will be placed on it when used. i.e. rugged but­tons are required.
  5. When the e‑stop device is reset – i.e returned to the ‘RUN’ pos­i­tion – the machine is NOT per­mit­ted to restart. It is only PERMITTED to restart. It must be restar­ted through anoth­er delib­er­ate action, like press­ing a ‘Power On’ but­ton.

So what do you do with the ‘POWER ON’ or safety cir­cuit reset but­ton? The first ques­tion to ask is: ‘What hap­pens when I reset this cir­cuit, apply­ing power to the con­trol cir­cuits?”

Case A: If it is impossible to see the entire machine from the loc­a­tion of the reset but­ton, then I would recom­mend a single reset but­ton loc­ated at the HMI or main con­sole. The oper­at­or must check to make sure the machine is clear before re-apply­ing power. Where the machine is too big to be com­pletely vis­ible from the main oper­at­or con­sole, then I would also recom­mend:

  • warn­ing horn,
  • warn­ing lights, and
  • a start-up delay that is long enough to allow a per­son to get clear of the machine before it starts mov­ing.

Case B: If the machine is simply ‘enabled’ at this point, but no motion occurs, then mul­tiple ‘reset’ or ‘power on’ but­tons may be accept­able, depend­ing on the out­come of the risk assess­ment and start/stop ana­lys­is. Hav­ing said that, the oper­at­or will likely have to return to a main con­sole to reset the machine and restart oper­a­tion, and chances are there is only one HMI screen on the machine, so there may not be any advant­age to hav­ing mul­tiple reset but­tons.

I would recom­mend doing two things to get a good handle on this: Con­duct a detailed risk assess­ment and include all nor­mal oper­a­tions and all main­ten­ance oper­a­tions. Then con­duct a start/stop ana­lys­is to look at all of the start­ing and stop­ping con­di­tions that you can reas­on­ably fore­see. Com­bine the res­ults of these two ana­lyses to find the start­ing and stop­ping con­di­tions with the highest risk, and then determ­ine if hav­ing mul­tiple reset but­tons will con­trib­ute to the risk or not. You may also want to look at the con­trol reli­ab­il­ity require­ments for the emer­gency stop sys­tem based on the out­come of the risk assess­ment and the start/stop ana­lys­is.

In a case where there are mul­tiple emer­gency stop devices, loc­a­tions are import­ant. There must be one at each nor­mal work­sta­tion to meet the reg­u­lat­ory require­ments in most jur­is­dic­tions, and with­in ‘easy reach’. You may also want some inside the machine if it is pos­sible to gain full body access inside the machinery. i.e. inside a robot work cell. Make sure that the but­tons or oth­er devices are loc­ated so that a per­son exposed to the hazard(s) inside the machine is not required to reach over or past the haz­ard to get to the but­ton.

Michael, I hope that settles the argu­ment!

Series Nav­ig­a­tionUsing E‑Stops in Lock­out Pro­ced­uresUpdates to Pop­u­lar Art­icles

3 thoughts on “Reader Question: Multiple E‑Stops and Resets

  1. Anthony,
    I decided to revise Case A after I read your com­ment because I real­ized that it was a bad example, and spe­cific­ally non-com­pli­ant with the require­ments. I hope you can agree with the new ver­sion! 🙂

  2. As far as Cana­dian reg’s go, case ‘A’ should not hap­pen. An e‑stop reset shall not ini­ti­ate motion. If I were to per­form a PHSR on a machine that fell into Case ‘A’, I would have to report a non-com­pli­ance.

    Any con­trol sys­tem I have designed myself only re-homed it’s ser­vos on the press of the machine start but­ton, or sep­ar­ate manu­al mode con­trols on the HMI.

    Regard­ing mul­tiple e‑stops, what the CSA Z432 actu­ally says is any con­trol sta­tion that can cause motion must have a manu­ally ini­ti­ate e‑stop device.

    1. Anthony,
      Thanks for your com­ment! I really appre­ci­ate hear­ing from my read­ers!

      I agree with you, and I would report a non-com­pli­ance with Reg 851 and CSA Z432 as well. Unfor­tu­nately, I have seen machines where this was the case, and since the read­er did not tell me where he was loc­ated geo­graph­ic­ally or give me any spe­cif­ic machinery details to work with I could not be more spe­cif­ic. I did spe­cific­ally state that reset­ting of the e‑stop sys­tem may only PERMIT restart of the machine and is not allowed to actu­ally cause restart­ing.

      I agree with your ref­er­ence to Z432 and Clause 7.17, how­ever I don’t think it goes far enough, par­tic­u­larly in light of Reg 851 Clause 27(b), that requires that an e‑stop device be with­in easy reach of the oper­at­or. Lim­it­ing install­a­tion to work­sta­tions with con­trols that can start motion MAY not be enough. Con­sider a con­vey­or sys­tem that may have the start/stop con­trols loc­ated at one end and a manu­al unload­ing sta­tion at the oppos­ite end. There are no con­trols at the unload sta­tion that can cause motion, but loc­at­ing an e‑stop there is sens­ible and required by Clause 27(b), as well as Z432 and ASME B20.1.

      My con­trol sys­tem designs have had sim­il­ar func­tion­al­ity to yours. I nor­mally require a) the e‑stop device to be reset, b) the emer­gency stop sys­tem to be reset (this usu­ally re-applies power to the con­trol sys­tem), and then c) the pro­cess can be reset / homed / whatever in order to pre­pare for restart­ing the oper­a­tion of the machine.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

All original content on these pages is fingerprinted and certified by Digiprove