The most used safety function on machinery is the safety-related stop function. The requirements discussed in this post are not generally applicable to process-related stop functions unless the process and safety stop functions share the same control system hardware and software.
The purpose of a stop function is pretty obvious: When activated, the stop function stops whatever is operating. After that, things start to get a bit muddy. So what is a safety-related stop function, and what makes it different from a process-related stop? By the end of this post, you’ll understand this clearly.
Process-related stop function
Any control function that can bring a process to a stop is a process-related stop function. It can be executed in hardware or software without any special requirements.
An example in daily life is the stop function that operates in your car’s engine controller when you press the START engine button. When the engine is already running, pressing the start/stop button will
- turn off the ignition for gasoline/petrol-fuelled engines, or
- it cuts off the fuel supply to a diesel engine, or
- if your car is fully electric, it shuts down the motor drives.
There is a safety function that operates here, too — if the car is in gear or rolling, the engine controller will require repeated button presses before shutting down power, putting warning messages on the driver display to confirm the shutdown. The stopping function is not safety-related because it cannot be activated immediately.
The “cycle stop” or “top-stop” button on a mechanical power press is another good example. When the press cycles continuously, pressing the cycle stop button will complete the current stroke and stop at the top-dead-centre position. Other ways can be used to stop the press safely should it fail to stop.
Process-related stop functions do not need any special hardware or software. Simple hardware or a standard PLC can be used.
Safety-related stop function
Safety-related stop functions appear in various forms, with the emergency stop function being one of the most common. Guard interlocking functions are another type of safety-related stop function. Let’s look at the requirement from ISO 13849-1 [1].
5.2.1 Safety-related stop function
The following applies in addition to the requirements of Table 8.
A safety-related stop function (e.g. initiated by a safeguard) shall, as soon as necessary after actuation, put the machine in a safe state. Such a stop shall have priority over a stop for operational reasons.
When a group of machines are working together in a coordinated manner, provision shall be made for signalling the supervisory control and/or the other machines that such a stop condition exists.
NOTE A safety-related stop function can cause operational problems and a difficult restart, e.g. in an arc welding application. To reduce the temptation to defeat this stop function, it can be preceded with a stop for operational reasons to finalize the actual operation and prepare for an easy and quick restart from the stop position (e.g. without any damage of the production). One solution is the use of interlocking device with guard locking where the guard locking is released when the cycle has reached a defined position where the easy restart is possible.
[1, 5.2.1]
Unpacking the requirement
Table 8 is shown below. On the first line, you’ll notice that the safety-related stop function is also covered in IEC 60204-1 [3], ISO 14119 [4] and ISO 13855 [5].
Speed and priority
A safety-related stop function (e.g. initiated by a safeguard) shall, as soon as necessary after actuation, put the machine in a safe state. Such a stop shall have priority over a stop for operational reasons.
The second paragraph above opens with a requirement for operation in a short time. It also establishes the priority level of the safety-related stop above any process stop function. The emergency stop function is unique because it has priority over all other control functions. More about that in a moment.
Achieving a safe state
The second paragraph also requires that the machine must be placed in a safe state.
When a group of machines are working together in a coordinated manner, provision shall be made for signalling the supervisory control and/or the other machines that such a stop condition exists.
Integration of multiple machines
The third paragraph speaks to the integration of machines into a larger system, like a production line. This paragraph does not require that an emergency stop on one machine stop all other machines in the line but only provides the capability to signal a supervisory system about the stop.
The integration of the emergency stop functions between machines must be determined by the risk assessment of the integrated line. The need to interconnect the emergency stop functions must be carefully considered. Problems can be created in restarting the machines if bi-directional emergency stop integration is done since a race condition can be created, preventing resetting the emergency stop functions on one or both machines.
Restarting
NOTE A safety-related stop function can cause operational problems and a difficult restart, e.g. in an arc welding application. To reduce the temptation to defeat this stop function, it can be preceded with a stop for operational reasons to finalize the actual operation and prepare for an easy and quick restart from the stop position (e.g. without any damage of the production). One solution is the use of interlocking device with guard locking where the guard locking is released when the cycle has reached a defined position where the easy restart is possible.
The NOTE in [1, 5.2.1] does not include requirements because notes in standards are informative, not normative. Thus, you won’t see the word “shall” used in a Note. If you want to learn more about reading standards, check out the course I’m teaching.
The NOTE discusses difficult restart conditions that can occur from a safety-related stop. In the case discussed, a robotic welding system can end up stuck to the work if the interlocked guard is opened while the welding is in progress. Similar problems can occur in other continuous flow processes, like painting or adhesive application. Two possible solutions are offered,
- Integrate a fast process stop to bring the machine into a state where restarting will be easily possible, or
- Use a guard locking function to keep the guarding closed until the cycle can be gracefully stopped. Guard locking systems typically use a “request to enter” button at the entry point. Pressing the button initiates a cycle stop. When the machine cycle is stopped, the guard lock is released, allowing the guard to be opened, which also opens the interlock. The interlock will ensure that the machine cannot be restarted until the guard is closed again. Closing the guard or restarting the cycle will lock the guard shut again.
Emergency stop function
The emergency stop function is complex enough to warrant a standard of its own, ISO 13850 [6]. Since I can’t reproduce that standard here, I recommend you obtain a copy for yourself; however, I can offer the definition and a bit of explanation.
- 3.1
- emergency stop (E-stop)
- emergency stop function
- function which is intended to
- avert arising or reduce existing hazards to persons, damage to machinery or to work in progress, and
- be initiated by a single human action
- [SOURCE: ISO 12100:2010, 3.40]
Emergency stop functions are MANUALLY INITIATED, i.e., a button or another device needs to be activated to initiate the stop. When the emergency stop is activated, the machine is either already broken, or a person is already hurt. The next step is often to call 911 or 112 to get emergency help.
This is different from a guard interlock or other automatic safety stop function, which initiates the stop BEFORE a person can be harmed. Interlocked guards and presence-sensing safeguarding devices like light curtains and scanners are designed into applications where they are located in a way that provides enough time for the machine to safely stop when a person is detected, preventing any injuries from occurring.
In the same way, an over-speed detection system will activate automatically when an over-speed condition is detected, invoking a safety-related stop function to bring the machine to a safe standstill condition.
There is much more to know about emergency stop functions, so if you’re interested, check out my series on the topic.
Courses
If you are unsure how to proceed with functional safety or ISO 13849, check out our FS101 course. This course will teach you how to proceed:
- with a review of machinery risk assessment
- developing the Safety Requirement Specifications
- analyzing your design
- developing the validation documentation, and
- developing the validation test procedure
This course is suitable for control systems designers and engineers. If you have a CMSE designation or equivalent, and you’re still not feeling confident about how to use ISO 13849, this course will work for you too. The course includes a review of machinery risk assessment according to ISO 12100. Our RA101 course will give you the needed expertise if you have never had risk assessment training.
References
[1] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO 13849-1. International Organization for Standardization (ISO), Geneva. 2015.
[2] Safety of machinery — Safety-related parts of control systems — Part 2: Validation, ISO 13849-2. International Organization for Standardization (ISO), Geneva. 2012.
[3] Safety of machinery — Electrical equipment of machines — Part 1: General requirements, IEC 60204-1. International Electrotechnical Commission (IEC), Geneva. 2018.
[4] Safety of machinery — Interlocking devices associated with guards — Principles for design and selection, ISO 14119. International Organization for Standardization (ISO), Geneva. 2013.
[5] Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855. International Organization for Standardization (ISO), Geneva. 2010.
[6] Safety of machinery — Emergency stop — Principles for design, ISO 13850. International Organization for Standardization (ISO), Geneva. 2015.
© 2021 – 2022, Compliance inSight Consulting Inc. 
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.