Reader Question: Multiple E-Stops and Resets

Control Panel with Emergency Stop Button.I had an interesting question come in from a reader today that is relevant to many situations:

“When you have multiple E-Stop buttons I have often gotten into an argument that says you can have a reset beside each one. I was taught that you were required to have a single point of reset. Who is correct?”

? Michael Barb, Sr. Electrical Engineer

The Short Answer

There is nothing in the EU, US or Canadian regulations that would forbid having multiple reset buttons. However, you must understand the overlapping requirements for emergency stop and prevention of unexpected start-up.

The Long Answer:

First I need to define two different types of reset for clarity:

  1. Emergency Stop Device Reset: Each e-stop device, i.e. button, pull cord, foot switch, etc., is required to latch in the activated state and must be individually reset. Resetting the e-stop device is NOT permitted to re-start the machinery, only to permit restarting. (NFPA 79, CSA Z432, ISO 14118).
  2. Restarting the machine is a separate deliberate action from resetting the emergency stop device(s).

ANSI B11-2008 provides some direct guidance on this topic:

7.2.2 Zones

A machine or an assembly of machines may be divided into several control zones (e.g., for emergency stopping, stopping as a result of safeguarding devices, start-up, isolation or energy dissipation). The machine and controls in different zones shall be defined and identified. Controls for machines in zones can be local for each machine, across several machines in a zone, or globally for machines across zones. The control requirements shall be based on the operational requirements and on the risk assessment.The interfaces between zones, including synchronization and independent operation, shall be designed such that no function in one zone creates a hazard(s) / hazardous situation in another zone.

CSA Z432-04 has similar wording:

6.2.1.8.4

When zones can be determined, their delimitations shall be evident (including the effect of the associated emergency stop device). This shall also apply to the effect of isolation and energy dissipation.

Let’s take a case with a single e-stop button first. The same requirements apply for all e-stop devices. The requirements include:

  1. Button must be in ‘easy-reach’ of the normal operator position. I consider ‘easy-reach’ to be the range I can touch while sitting or standing at the normal operator position. This position is not necessarily in front of the control panel. This is the position where the operator is expected to be while carrying out the tasks expected of them when the machine is operating. This is the requirement that drives having multiple buttons in most cases.
  2. E-stop devices cannot be located so that the operator must reach over or past a hazard to activate them.
  3. The button must latch in the operated position.
  4. The button must be robust enough to handle the mechanical and electrical stresses that will be placed on it when used. i.e. rugged buttons are required.
  5. When the e-stop device is reset – i.e returned to the ‘RUN’ position – the machine is NOT permitted to restart. It is only PERMITTED to restart. It must be restarted through another deliberate action, like pressing a ‘Power On’ button.

So what do you do with the ‘POWER ON’ or safety circuit reset button? The first question to ask is: ‘What happens when I reset this circuit, applying power to the control circuits?”

Case A: If it is impossible to see the entire machine from the location of the reset button, then I would recommend a single reset button located at the HMI or main console. The operator must check to make sure the machine is clear before re-applying power. Where the machine is too big to be completely visible from the main operator console, then I would also recommend:

  • warning horn,
  • warning lights, and
  • a start-up delay that is long enough to allow a person to get clear of the machine before it starts moving.

Case B: If the machine is simply ‘enabled’ at this point, but no motion occurs, then multiple ‘reset’ or ‘power on’ buttons may be acceptable, depending on the outcome of the risk assessment and start/stop analysis. Having said that, the operator will likely have to return to a main console to reset the machine and restart operation, and chances are there is only one HMI screen on the machine, so there may not be any advantage to having multiple reset buttons.

I would recommend doing two things to get a good handle on this: Conduct a detailed risk assessment and include all normal operations and all maintenance operations. Then conduct a start/stop analysis to look at all of the starting and stopping conditions that you can reasonably foresee. Combine the results of these two analyses to find the starting and stopping conditions with the highest risk, and then determine if having multiple reset buttons will contribute to the risk or not. You may also want to look at the control reliability requirements for the emergency stop system based on the outcome of the risk assessment and the start/stop analysis.

In a case where there are multiple emergency stop devices, locations are important. There must be one at each normal workstation to meet the regulatory requirements in most jurisdictions, and within ‘easy reach’. You may also want some inside the machine if it is possible to gain full body access inside the machinery. i.e. inside a robot work cell. Make sure that the buttons or other devices are located so that a person exposed to the hazard(s) inside the machine is not required to reach over or past the hazard to get to the button.

Michael, I hope that settles the argument!

© 2011, Compliance inSight Consulting Inc. Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

6 thoughts on “Reader Question: Multiple E-Stops and Resets

  1. Anthony,
    I decided to revise Case A after I read your comment because I realized that it was a bad example, and specifically non-compliant with the requirements. I hope you can agree with the new version! 🙂

  2. As far as Canadian reg’s go, case ‘A’ should not happen. An e-stop reset shall not initiate motion. If I were to perform a PHSR on a machine that fell into Case ‘A’, I would have to report a non-compliance.

    Any control system I have designed myself only re-homed it’s servos on the press of the machine start button, or separate manual mode controls on the HMI.

    Regarding multiple e-stops, what the CSA Z432 7.17.1.2 actually says is any control station that can cause motion must have a manually initiate e-stop device.

    1. Anthony,
      Thanks for your comment! I really appreciate hearing from my readers!

      I agree with you, and I would report a non-compliance with Reg 851 and CSA Z432 as well. Unfortunately, I have seen machines where this was the case, and since the reader did not tell me where he was located geographically or give me any specific machinery details to work with I could not be more specific. I did specifically state that resetting of the e-stop system may only PERMIT restart of the machine and is not allowed to actually cause restarting.

      I agree with your reference to Z432 and Clause 7.17, however I don’t think it goes far enough, particularly in light of Reg 851 Clause 27(b), that requires that an e-stop device be within easy reach of the operator. Limiting installation to workstations with controls that can start motion MAY not be enough. Consider a conveyor system that may have the start/stop controls located at one end and a manual unloading station at the opposite end. There are no controls at the unload station that can cause motion, but locating an e-stop there is sensible and required by Clause 27(b), as well as Z432 and ASME B20.1.

      My control system designs have had similar functionality to yours. I normally require a) the e-stop device to be reset, b) the emergency stop system to be reset (this usually re-applies power to the control system), and then c) the process can be reset / homed / whatever in order to prepare for restarting the operation of the machine.

  3. Anthony,
    I decided to revise Case A after I read your comment because I realized that it was a bad example, and specifically non-compliant with the requirements. I hope you can agree with the new version! 🙂

  4. As far as Canadian reg’s go, case ‘A’ should not happen. An e-stop reset shall not initiate motion. If I were to perform a PHSR on a machine that fell into Case ‘A’, I would have to report a non-compliance.

    Any control system I have designed myself only re-homed it’s servos on the press of the machine start button, or separate manual mode controls on the HMI.

    Regarding multiple e-stops, what the CSA Z432 7.17.1.2 actually says is any control station that can cause motion must have a manually initiate e-stop device.

    1. Anthony,
      Thanks for your comment! I really appreciate hearing from my readers!

      I agree with you, and I would report a non-compliance with Reg 851 and CSA Z432 as well. Unfortunately, I have seen machines where this was the case, and since the reader did not tell me where he was located geographically or give me any specific machinery details to work with I could not be more specific. I did specifically state that resetting of the e-stop system may only PERMIT restart of the machine and is not allowed to actually cause restarting.

      I agree with your reference to Z432 and Clause 7.17, however I don’t think it goes far enough, particularly in light of Reg 851 Clause 27(b), that requires that an e-stop device be within easy reach of the operator. Limiting installation to workstations with controls that can start motion MAY not be enough. Consider a conveyor system that may have the start/stop controls located at one end and a manual unloading station at the opposite end. There are no controls at the unload station that can cause motion, but locating an e-stop there is sensible and required by Clause 27(b), as well as Z432 and ASME B20.1.

      My control system designs have had similar functionality to yours. I normally require a) the e-stop device to be reset, b) the emergency stop system to be reset (this usually re-applies power to the control system), and then c) the process can be reset / homed / whatever in order to prepare for restarting the operation of the machine.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.