Reader Question: Multiple E-Stops and Resets

This entry is part 7 of 13 in the series Emergency Stop

I had an interesting question come in from a reader today that is relevant to many situations:

“When you have multiple E-Stop buttons I have often gotten into an argument that says you can have a reset beside each one. I was taught that you were required to have a single point of reset. Who is correct?”

— Michael Barb, Sr. Electrical Engineer

The Short Answer

There is nothing in the EU, US or Canadian regulations that would forbid having multiple reset buttons. However, you must understand the overlapping requirements for emergency stop and prevention of unexpected start-up.

The Long Answer:

First I need to define two different types of reset for clarity:

  1. Emergency Stop Device Reset: Each e-stop device, i.e. button, pull cord, foot switch, etc., is required to latch in the activated state and must be individually reset. Resetting the e-stop device is NOT permitted to re-start the machinery, only to permit restarting (NFPA 79, CSA Z432, ISO 14118).
  2. Restarting the machine is a separate deliberate action from resetting the emergency stop device(s).

ANSI B11-2008 provides some direct guidance on this topic:

7.2.2 Zones

A machine or an assembly of machines may be divided into several control zones (e.g., for emergency stopping, stopping as a result of safeguarding devices, start-up, isolation or energy dissipation). The machine and controls in different zones shall be defined and identified. Controls for machines in zones can be local for each machine, across several machines in a zone, or globally for machines across zones. The control requirements shall be based on the operational requirements and on the risk assessment. The interfaces between zones, including synchronization and independent operation, shall be designed such that no function in one zone creates a hazard(s) / hazardous situation in another zone.

CSA Z432-04 has similar wording:

6.2.1.8.4

When zones can be determined, their delimitations shall be evident (including the effect of the associated emergency stop device). This shall also apply to the effect of isolation and energy dissipation.

Let’s take a case with a single e-stop button first. The same requirements apply for all e-stop devices. The requirements include:

  1. Button must be in ‘easy-reach’ of the normal operator position. I consider ‘easy-reach’ to be the range I can touch while sitting or standing at the normal operator position. This position is not necessarily in front of the control panel. This is the position where the operator is expected to be while carrying out the tasks expected of them when the machine is operating. This is the requirement that drives having multiple buttons in most cases.
  2. E-stop devices cannot be located so that the operator must reach over or past a hazard to activate them.
  3. The button must latch in the operated position.
  4. The button must be robust enough to handle the mechanical and electrical stresses that will be placed on it when used, i.e. rugged buttons are required.
  5. When the e-stop device is reset, i.e. returned to the ‘RUN’ position, the machine is NOT permitted to restart. It is only PERMITTED to restart. It must be restarted through another deliberate action, like pressing a ‘Power On’ button.

So what do you do with the ‘POWER ON’ or safety circuit reset button? The first question to ask is: ‘What happens when I reset this circuit, applying power to the control circuits?’

Case A: If it is impossible to see the entire machine from the location of the reset button, then I would recommend a single reset button located at the HMI or main console. The operator must check to make sure the machine is clear before re-applying power. Where the machine is too big to be completely visible from the main operator console, then I would also recommend:

  • warning horn,
  • warning lights, and
  • a start-up delay that is long enough to allow a person to get clear of the machine before it starts moving.
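
The reset/restart separation from requirement 5 and the Case A warning period can be modelled as a small state machine. This is an added Python simulation, not code from the original article or from any of the cited standards; the class, the device names and the three-cycle delay are assumptions, and it models the control logic only, not a safety-rated implementation.

```python
class SafetyCircuit:
    """Simulation of latching e-stop devices with a separate restart action."""
    def __init__(self, device_names, delay_ticks=3):
        self.latched = {name: False for name in device_names}
        self.delay_ticks = delay_ticks  # assumed start-up delay, in scan cycles
        self.enabled = False   # control power applied via 'Power On'
        self.warning = False   # horn and lights active during the delay
        self.moving = False
        self._countdown = 0

    def press_estop(self, name):
        """Any device stops the machine and latches in the activated state."""
        self.latched[name] = True
        self.enabled = self.warning = self.moving = False

    def reset_device(self, name):
        """Unlatch one device. This never restarts or enables the machine."""
        self.latched[name] = False

    def restart_permitted(self):
        """Restart is permitted only when every device has been reset."""
        return not any(self.latched.values())

    def power_on(self):
        """The separate deliberate action; refused while a device is latched."""
        if self.enabled or not self.restart_permitted():
            return False
        self.enabled = self.warning = True
        self._countdown = self.delay_ticks
        return True

    def tick(self):
        """One scan cycle: run down the warning period, then allow motion."""
        if self.warning:
            self._countdown -= 1
            if self._countdown <= 0:
                self.warning = False
                self.moving = True
        return self.moving

def demo():
    c = SafetyCircuit(["console", "robot_cell"])  # constructed device names
    c.press_estop("console"); c.press_estop("robot_cell")
    c.reset_device("console")
    blocked = c.power_on()          # robot_cell is still latched
    c.reset_device("robot_cell")
    idle_after_reset = c.enabled    # reset alone did not re-enable anything
    started = c.power_on()
    return blocked, idle_after_reset, started, [c.tick() for _ in range(3)]
```
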

Case B: If the machine is simply ‘enabled’ at this point, but no motion occurs, then multiple ‘reset’ or ‘power on’ buttons may be acceptable, depending on the outcome of the risk assessment and start/stop analysis. Having said that, the operator will likely have to return to a main console to reset the machine and restart operation, and chances are there is only one HMI screen on the machine, so there may not be any advantage to having multiple reset buttons.

I would recommend doing two things to get a good handle on this: Conduct a detailed risk assessment and include all normal operations and all maintenance operations. Then conduct a start/stop analysis to look at all of the starting and stopping conditions that you can reasonably foresee. Combine the results of these two analyses to find the starting and stopping conditions with the highest risk, and then determine if having multiple reset buttons will contribute to the risk or not. You may also want to look at the control reliability requirements for the emergency stop system based on the outcome of the risk assessment and the start/stop analysis.

In a case where there are multiple emergency stop devices, locations are important. There must be one at each normal workstation to meet the regulatory requirements in most jurisdictions, and within ‘easy reach’. You may also want some inside the machine if it is possible to gain full body access inside the machinery, i.e. inside a robot work cell. Make sure that the buttons or other devices are located so that a person exposed to the hazard(s) inside the machine is not required to reach over or past the hazard to get to the button.

Michael, I hope that settles the argument!


Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.