Emergency Off (EMO) vs Emergency Stop

The concept of Emergency Off (EMO) used by the semiconductor manufacturing sector is similar in many ways to the emergency stop used in all other types of machinery, with some differences. This article covers the differences between these concepts.

NOTE: This is a long post!

TL;DR: EMO and emergency stop are very similar; however, some differences need to be understood, including marking the EMO device used to activate the circuit/function. SEMI S2 has energy limits on EMO systems that do not exist in emergency stop systems.

Introduction

The differences between EMO and emergency stop are both subtle and not-so-subtle. On the subtle side, the energy limits placed on EMO circuits are not addressed in the ISO standards. On the not-so-subtle side, the markings and shrouding for EMO are quite different from an emergency stop in many ways, except red and yellow are still the standard colours used to identify the triggering devices.

One further subtlety: ISO 13850 and IEC 60204-33 are International Standards developed under an internationally recognized, transparent, consensus process. The SEMI Guidelines are neither standards nor does SEMI follow an internationally recognized, transparent, consensus process, although, to be fair, they each have their unique methodology.

Want to know more? Read on!

Standards and Guidelines

• SEMI S2 Environmental, Health, and Safety Guideline for Semiconductor Manufacturing Equipment
• IEC 60204-1 Safety of machinery — Electrical equipment of machines — Part 1: General requirements
• IEC 60204-33 Safety of machinery — Electrical equipment of machines — Part 33: Requirements for semiconductor fabrication equipment
• ISO 12100 Safety of machinery — General principles for design — Risk assessment and risk reduction
• ISO 13850 Safety of machinery — Emergency stop — Principles for design

Standards vs Guidelines

Since this article references standards and guidelines, it’s important to understand the differences between these documents. If you’ve been reading Machinery Safety 101 for a while, you’ll know that I strongly support using standards in design. If you’re unsure why this is so important, you might want to read this article.

Voluntary standards, like those published by ANSI, CSA, IEC and ISO, are developed following a rigorous process that focuses on expert consensus. Consensus does not mean unanimity. It means that most of the experts on the committee agree. This process is designed to include stakeholders in the development process and includes National and public review of the documents developed through this process. You can read more about this process by visiting the ISO website. If you are interested in finding out about your National Standards Body, you can find a list on the ISO Members page. ISO Members are national standards bodies, not individual people.

A standard, according to the ISO definition, is a:

Document established by consensus and approved by a recognized body that provides for common and repeated use, rules, guidelines or characteristics for activities or their results aimed at achieving the optimum degree of order in a given context.

ISO Guide 2, 3.2 [6]

Standards bodies

The National Standards Body accredits national standards development organizations in countries that are members of the World Trade Organization (WTO). ANSI is the American standards body accredited by the US National Institute of Standards and Technology (NIST). The Canadian Standards Association (CSA) is accredited by the Standards Council of Canada (SCC). SCC is Canada’s National Standards Body.

Verbal forms

Consensus standards include specific words, called verbal forms, that indicate requirements, recommendations, permissions, possibilities and capabilities [10]. These terms are used very deliberately [11]:

• “shall” is used to express a requirement, i.e., a provision that the user is obliged to satisfy in order to comply with the Standard;
• “should” is used to express a recommendation or that which is advised but not required; and
• “may” is used to express an option or that which is permissible within the limits of the standard. For example, “IEC 60512-26-100 may be used as an alternative to IEC 60512-27-100 for connecting hardware that has been previously qualified to IEC 60603-7-3:2010.” [13].
• “can” is used to express possibility or capability. For example, “Use of this connector in corrosive atmospheric conditions can lead to failure of the locking mechanism.” [13]
• “must” is used to express an external constraint of some kind. “Must” is not a synonym for “shall” in a standard. For example, “Particular conditions existing in a country: Because Japan is a seismically active country, all buildings must be earthquake-resistant.” [13].
• Notes to definitions are normative. Since the definition should be written so that it could be placed into any sentence in the text where the defined term is used without changing the meaning of the sentence, any note accompanying the definition text has to be normative.
• Notes accompanying clauses in the body of the document are informative. They do not include requirements or alternative requirements; the purpose of a note accompanying a clause is to separate from the text explanatory or informative material.
• Notes to tables and figures are normative. They are considered part of the table or figure and may be written as requirements.
• Annexes are designated normative (mandatory) or informative (non-mandatory) to define their application. Annexes are used to provide additional supporting information needed to use the normative text of the document effectively.

This usage is common to voluntary consensus standards developed under the WTO model.

The difference between guidelines and standards

SEMI, formerly Semiconductor Equipment and Materials International, is a global industry association for the electronics industry. SEMI produces guidelines for use in the industry sector. These documents can be considered “consortium standards” because an industry consortium writes them.

Consortia standards is also a frequently used term, describing standards developed and used by a plurality of actors, but for which the level of consensus is usually restricted to the members of a consortium (not necessarily representing the views of all the concerned and affected parties).

Teaching Standards [8]

Experts working on developing these standards and guidelines are drawn from the consortium members, and there is no public review process. In the quote below from the SEMI website [7], I added italics to emphasize an important point,

Standards are voluntary technical agreements between suppliers and customers, aimed at improving product quality and reliability at a reasonable price and steady supply. Standards ensure compatibility and inter-operability of goods and services.

SEMI standards are written documents in the form of specifications, guides, test methods, terminology, practices, etc.

[6], [9]

SEMI includes a statement of limitation on their guidelines that limit any authority,

3.1 This guideline is intended for use by supplier and user as a reference for EHS considerations. It is not intended to be used to verify compliance with local regulatory requirements.

3.2 It is not the philosophy of this guideline to provide all of the detailed EHS design criteria that may be applied to semiconductor manufacturing equipment. This guideline provides industry-specific criteria, and refers to some of the many international codes, regulations, standards, and specifications that should be considered when designing semiconductor manufacturing equipment.

[1]

The term “shall” is not used in SEMI Guidelines based on the Statement of Limitation, which means that SEMI Guidelines do not include any requirements. This is fundamentally different from voluntary consensus standards. SEMI Guidelines do not follow the standardized terminology in consensus standards developed under the WTO model. This might seem like pure semantics or pedantry, but it has real-world implications; SEMI Guidelines cannot be used for regulatory compliance, like CE Marking. Also, since these documents do not go through consensus review, individual stakeholders can have an outsized influence on the content. This can result in the exclusion of competitors or the exclusion of new technologies from the marketplace.

SEMI S2 EMO Requirements

Chapter 12 of SEMI S2 [1], Emergency Shutdown, provides the requirements for EMO in detail. Since that section is quite long, I will only reproduce the sections where there are significant differences from the emergency stop function defined by ISO 13850 [2]. Also, note that the version I am using as a reference is a few years old (2012), so the most recent edition of that document may have changes that have not been reflected in this article.

One other important detail: At no point does SEMI S2 define the terms “emergency off,” “emergency off circuit,” or “emergency off function.” These terms are expected to be sufficiently explained in Chapter 12, so no separate definitions are required. I think this is a significant shortcoming in SEMI S2. Clarity of language, particularly in standards and guidelines, is critical to the reader’s understanding of complex topics.

Requirement for an EMO circuit

ISO 12100 [3, 6.3.5.2] states, “If, following a risk assessment, a machine needs to be fitted with components and elements to achieve an emergency stop function for enabling actual or impending emergency situations to be averted, the following requirements apply…” There are two primary cases where an emergency stop function is needed: If a type C standard requires it, and in the general case when the risk assessment shows a need to provide this capability. Outside of this, there is one other mandatory case, and that is when local legislation mandates it.

It’s also important to note that ISO 12100 refers to “…components and elements to achieve an emergency stop function…” The word “function” in the normative text suggests that an emergency stop function may require more than electrical circuitry to be realized. Pneumatic equipment, electromechanical brakes, control software, and other components or subsystems may be needed depending on the type of machinery and the specifics of its design.

If we contrast this with what is required by [1], we find a similar idea, expressed in some slightly different language:

12.1 The equipment should have an “emergency off” (EMO) circuit.

[1, 12.1]

At this point, [1] does not give any specific guidance on what would determine the requirement, and no mention is made of risk assessment.

Exceptions to the requirement for EMO

There are two exceptions given in the text. I’ll quote them here and then analyze them in turn:

EXCEPTION 1: An EMO circuit is not needed for equipment rated 2.4 kVA or less, where the hazards are only electrical in nature, provided that the main disconnect meets the accessibility provisions of ¶ 12.5.2 and that the effect of disconnecting the main power supply is equivalent to activating an EMO circuit.

[1, 12.1]

EXCEPTION 2: Assemblies that are not intended to be used as stand-alone equipment, but rather within an overall integrated system, and that receive their power from the user’s system, are not required to have an emergency off circuit. The assembly’s installation manual should provide clear instructions to the equipment installer to connect the assembly to the integrated system’s emergency off circuit.

[1, 12.1]

SEMI S2 is focused on circuits, excluding all other means of creating the emergency off function. The word “function” is not used at all. It is not clear from the SEMI text whether EMO could be created using fluidic circuits, as this point is not directly addressed; however, it can be inferred that electrical circuits were the writers’ focus by examining the rest of chapter 12. Since S2 is focused on electrical circuits, we will need to consider the requirements of IEC 60204-1 [4]. I should note here that the IEC 60204 series includes IEC 60204-33 [5] for semiconductor equipment, which builds upon the requirements in IEC 60204-1 and is written to harmonize with SEMI S2. If CE Marking is your focus, [5] has been harmonized as EN 60204-33 [11].

EMO Devices

S2 goes on to say,

The EMO actuator (e.g., button), when activated, should place the equipment into a safe shutdown condition, without generating any additional hazard to personnel or the facility.

[1, 12.1]

I think the language in S2 misses an important point. While the EMO actuator might be a purely electromechanical device installed to switch off the power, in most cases, some circuitry will be attached to the actuator that switches off power. It is this circuitry that is responsible for creating the shutdown condition. The S2 language could imply that the actuator itself does the switching off, which I think is incorrect based on the rest of the chapter.

EMO device exceptions

On to the exceptions to these requirements. In the first exception, small, relatively low-power electrical equipment where only electrical hazards exist can use the main disconnect for EMO.

EXCEPTION 1: An EMO circuit is not needed for equipment rated 2.4 kVA or less, where the hazards are only electrical in nature, provided that the main disconnect meets the accessibility provisions of ¶ 12.5.2 and that the effect of disconnecting the main power supply is equivalent to activating an EMO circuit.

[1, 12.1]

This is equivalent to the “Emergency Switching Off” concept discussed in IEC 60204-1 [4, 10.8]. The emergency switching off device is defined in [4] as follows:

emergency switching off device
manually actuated control device used to switch off or to initiate the switching off of the supply of electrical energy to all or a part of an installation where a risk of electric shock or another risk of electrical origin is involved

Note 1 to entry: See 9.2.3.4.3.

[4, 3.1.22]

Since [4, 10.8] allows designers to use a disconnecting device for emergency switching off, we can consider the S2 and IEC 60204-1 requirement equivalent to each other.

The second exception is focused on assemblies that aren’t intended to be stand-alone equipment. These assemblies must be integrated into other equipment to be useful. They must draw their power from other equipment fitted with an EMO circuit. This special circumstance is not considered by [3] since that document relies on risk assessment to determine the need for an emergency stop or switching off function. In contrast, S2 does not consider risk assessment.

EXCEPTION 2: Assemblies that are not intended to be used as stand-alone equipment, but rather within an overall integrated system, and that receive their power from the user’s system, are not required to have an emergency off circuit. The assembly’s installation manual should provide clear instructions to the equipment installer to connect the assembly to the integrated system’s emergency off circuit.

[1, 12.1]

[1, Note 42] brings some confusion to the topic since it refers to emergency off functions, while the initial paragraph and exceptions are focused on circuits. The text of the guideline makes no effort to clarify this point, so designers can only use their best judgment about how to apply the text.

NOTE 42: It is recommended that the emergency off function not reduce the effectiveness of safety devices or of devices with safety-related functions (e.g., magnetic chucks or braking devices) necessary to bring the equipment to a safe shutdown condition effectively.

[1, Note 42]

Additionally, Note 42 does not require the prevention of any impacts on other safety devices or functions due to the operation of the EMO circuits/function, which is also a significant error. An operator may activate the EMO because a gas leak has been detected or a fire is in progress. If operating the EMO impairs or disables other safety devices/functions, this could lead to catastrophe. Before anyone posts angry comments, [1, 14.4.4.7] requires that fire detection systems remain operable even during EMO conditions. I point out that readers need to be aware of some apparent inconsistencies when using SEMI S2.

Effects of EMO Activation

When the EMO function/circuit is activated, specific actions are required.

12.2 Activation of the emergency off circuit should de-energize all hazardous voltage and all power greater than 240 volt-amps in the equipment beyond the main power enclosure.

[1, 12.2]

SEMI S2 does not explain the 240 VA lower limit; however, since there are three typical voltages commonly used for control systems, 230 V 1 ph., 120 V 1 ph., and 24 Vdc, we can do the math to see the kinds of current levels NOT affected by this requirement.

$$\frac{240~\text{VA}}{230~\text{V}} = 1.04~\text{A}$$

$$\frac{240~\text{VA}}{120~\text{V}} = 2~\text{A}$$

$$\frac{240~\text{VA}}{24~\text{V}} = 10~\text{A}$$

All of the above are relatively low-energy circuits, although they do not fall into the voltage range for PELV. PELV requires special ground or earth connection handling. What the SEMI S2 committee is doing in this clause is providing the designer with an exemption for these low-energy circuits. Also, clause 12.2 stipulates that the requirement applies to “…equipment beyond the main power enclosure.” They are trying to ensure that equipment supplied by hazardous voltages is effectively shut off when the EMO button is pressed.

Exceptions to the “240 VA rule”

There are four exceptions provided in the document to the “240 VA rule”:

EXCEPTION 1: A non-hazardous voltage EMO circuit (typically 24 volts) and its supply may remain energized.

Exception 1 is not surprising, and most equipment built with a 24 V control system will fall into this category. Keeping the EMO system functional is beneficial as long as power is available to other potentially hazardous equipment parts.

EXCEPTION 2: Safety related devices (e.g., smoke detectors, gas/water leak detectors, pressure measurement devices, etc.) may remain energized from a non-hazardous power source.

Exception 2 makes sense since keeping life-safety systems functional under abnormal conditions is a good idea. In this case, any situation that causes the user to need to use the EMO system should be considered “abnormal.”

EXCEPTION 3: A computer system performing data/alarm logging and error recovery functions may remain energized, provided that the energized breaker(s), receptacle(s), and each energized conductor termination are clearly labeled as remaining energized after EMO activation. Hazardous energized parts that remain energized after EMO activation should be insulated or guarded to prevent inadvertent contact by personnel.

Exception 3 makes sense because keeping data collection systems functioning means you may have clues as to the abnormal conditions that led to using the EMO system.

EXCEPTION 4: Multiple units mounted separately with no shared hazards and without interconnecting circuits with hazardous voltages, energy levels or other hazardous conditions may have:

— separate sources of power and separate supply circuit disconnect means if clearly identified, or

— separate EMO circuits, if they are clearly identified.

Exception 4 points to a key aspect of interface design for integration with other equipment. Usually, the best design approach is to provide potential-free contacts as the interface between safety systems, when this can be done. Alternatively, modern “safety” buses allow for reliable information communication between safety systems. Using a networked safety protocol can solve some issues, including the need for galvanic isolation between the control systems. The hardware layer in networking systems, like Ethernet, has built-in galvanic separation using optocouplers, thus ensuring any lack of equipotentiality between pieces of equipment that are integrated into a single application won’t cause a problem with noise.
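The decision logic of clause 12.2 and its four exceptions, worked through in code. This is an added example written for this post, not SEMI’s own tooling; the hazardous-voltage thresholds come from the 5.2.28 definition quoted at the end of the post, and the circuit “roles” (emo_supply, safety_device, logger, separate_unit) are an assumed vocabulary used only to pick the applicable exception.

```python
"""Decision helper for the SEMI S2 "240 VA rule" (12.2) and its four exceptions.

Constructed example for this post, not SEMI's own code. It encodes:
  * 5.2.28 hazardous voltage: > 30 V RMS, > 42.4 V peak, or > 60 V dc
  * 12.2: EMO activation should de-energize all hazardous voltage and all
          power > 240 VA beyond the main power enclosure
  * Exceptions 1-4 as quoted above; the role names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

HAZARDOUS_V_RMS = 30.0     # 5.2.28
HAZARDOUS_V_PEAK = 42.4    # 5.2.28
HAZARDOUS_V_DC = 60.0      # 5.2.28
VA_LIMIT = 240.0           # 12.2


@dataclass(frozen=True)
class Circuit:
    name: str
    voltage: float                     # RMS for ac, nominal for dc
    apparent_power_va: float
    is_dc: bool = False
    beyond_main_enclosure: bool = True
    # Assumed vocabulary: "load", "emo_supply", "safety_device",
    # "logger", "separate_unit"
    role: str = "load"
    labelled_energized: bool = False   # Exception 3 labelling condition
    clearly_identified: bool = False   # Exception 4 identification condition


def is_hazardous_voltage(v: float, is_dc: bool, peak: float | None = None) -> bool:
    """Apply the 5.2.28 thresholds; ac peak defaults to a sinusoid (RMS * sqrt 2)."""
    if is_dc:
        return v > HAZARDOUS_V_DC
    if peak is None:
        peak = v * 2 ** 0.5
    return v > HAZARDOUS_V_RMS or peak > HAZARDOUS_V_PEAK


def max_exempt_current(voltage: float) -> float:
    """Largest current at this voltage that still stays at or under 240 VA
    (the 1.04 A / 2 A / 10 A figures worked out in the post)."""
    return VA_LIMIT / voltage


def emo_must_deenergize(c: Circuit) -> tuple[bool, str]:
    """Return (must_de_energize, reason) for one circuit under 12.2."""
    hazardous = is_hazardous_voltage(c.voltage, c.is_dc)
    if not c.beyond_main_enclosure:
        return False, "inside the main power enclosure: outside the scope of 12.2"
    if not hazardous and c.apparent_power_va <= VA_LIMIT:
        return False, "non-hazardous voltage and <= 240 VA: not covered by 12.2"
    # The exceptions only relieve non-hazardous supplies, or separately
    # mounted units that have their own identified disconnect or EMO.
    if c.role == "emo_supply" and not hazardous:
        return False, "Exception 1: non-hazardous EMO circuit may remain energized"
    if c.role == "safety_device" and not hazardous:
        return False, "Exception 2: safety device fed from a non-hazardous source"
    if c.role == "logger":
        if c.labelled_energized:
            return False, "Exception 3: logging computer, labelled as remaining energized"
        return True, "Exception 3 not met: energized parts must be labelled (and guarded)"
    if c.role == "separate_unit" and c.clearly_identified:
        return False, "Exception 4: separately mounted unit with identified disconnect/EMO"
    return True, "12.2: hazardous voltage or > 240 VA beyond the main enclosure"


if __name__ == "__main__":
    # Constructed sample equipment list, not a real tool's BOM.
    sample = [
        Circuit("process heater", 230.0, 3000.0),
        Circuit("24 Vdc control PLC", 24.0, 100.0, is_dc=True),
        Circuit("EMO safety relay supply", 24.0, 300.0, is_dc=True, role="emo_supply"),
        Circuit("gas detector", 24.0, 50.0, is_dc=True, role="safety_device"),
        Circuit("alarm logging PC", 120.0, 500.0, role="logger"),
    ]
    for circuit in sample:
        must, why = emo_must_deenergize(circuit)
        print(f"{circuit.name:28s} de-energize={must!s:5s} {why}")
```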

Reliability

The reliability of emergency stop functions is important. ISO 13850 requires that emergency stop functions provide at least PL=c performance. This can be achieved with ISO 13849-1 structure category 1, 2 or 3, and the relevant levels of diagnostic coverage, depending on how the designer wants to approach the function.

In contrast, SEMI S2 does not follow the ISO 13849 approach, instead providing the following guidance:

12.2.1 The EMO circuit should not include features that are intended to allow it to be defeated or bypassed.

IEC and ISO hold that the control system should keep interlocking and emergency stop functions separate. There are several reasons for this, but probably the most important ones are:

• Emergency stop systems are designed to bring equipment to a stop as quickly as possible and remove power from the prime movers powering the hazardous motions. The deceleration rate used for emergency stop functions can damage the machine, so using the emergency stop function under normal conditions should be avoided unless the machine is already stopped. Loss of position and ease of recovery are not generally considered in the design of an e-stop safety function because some recovery procedures will be necessary following an emergency.
• Safety functions like guard interlocks and light-curtain safety functions are designed for thousands of cycles. The stopping process they use is designed to bring the equipment to a stop quickly but below the threshold of damage, and power may be maintained on the prime movers. Ease of recovery is an important part of the design of these safety functions.
• The Performance Level of an interlocking function and an emergency stop function need not be the same. There are reasons why one might be higher or lower than the other.

This discussion is deep enough on its own to need a separate article.

12.2.2 The EMO circuit should consist of electromechanical components.

Clause 12.2.2 follows many engineers’ long-held position that solid-state devices cannot be reliable enough for safety systems. On that view, suitably selected electromechanical relays are the only components reliable enough, since solid-state devices tend to fail into “indeterminate” states – not open and not shorted, but something in between.

Developments in functional safety over the last 25 years have shown that this is not the case. Light curtains and other dual-channel devices are built with solid-state outputs to tolerate high-frequency operation. When these devices are connected to safety modules or safety PLCs, they can and do provide more than reliable-enough operation. Having said that, an electromechanical relay is often the best for low-frequency applications like emergency stop functions or EMO.

Suppose your equipment was originally designed under a standard other than SEMI S2. In that case, you may need to replace some e-stop system components with electromechanical ones to meet this guideline, or put together sufficient rationale to convince your customer of the benefits of your current design. Note that the Exceptions below give you that latitude. A careful functional safety analysis should provide the support needed.

EXCEPTION 1: Solid-state devices and components may be used, provided the system or relevant parts of the system are evaluated and found suitable for use. The components should be evaluated and found suitable considering abnormal conditions such as over voltage, under voltage, power supply interruption, transient overvoltage, ramp voltage, electromagnetic susceptibility, electrostatic discharge, thermal cycling, humidity, dust, vibration and jarring. The final removal of power should be accomplished by means of electromechanical components.

To understand the next exception, we need a definition for the acronyms FECS and PES used in the text.

5.2.14 fail-to-safe equipment control system (FECS) — a safety-related programmable system of control circuits designed and implemented for safety functions in accordance with recognized standards such as ISO 13849-1 (EN 954-1) or IEC 61508, ANSI SP 84. These systems (e.g., safety programmable logic controller (PLC), safety-related input and output (I/O) modules) diagnose internal and external faults and react upon detected faults in a controlled manner in order to bring the equipment to a safe state.

NOTE 3: A FECS is a subsystem to a programmable electronic system (PES) as defined in IEC 61508-4 Definitions.

NOTE 4: Related Information 13 provides additional information on applications of FECS design.

[1]

So, although the normative text of the guideline does not explicitly use ISO 13849 as the basis for determining the functional safety of an EMO system, the definition for FECS does. The definition allows for common functional safety standards, including ISO 13849 and IEC 62061 [14].

EXCEPTION 2: FECS may be used provided the FECS conforms to an appropriate standard for electronic safety systems. Components of the FECS should be tested and certified according to the requirements of the standard used. IEC 61508 and ISO 13849-1 are examples of internationally recognized electronic safety systems standards. The final removal of power should be accomplished by means of electromechanical components.

[1]

NOTE 44: ¶ 13.4.3 states additional assessment criteria for safety-related components and assemblies.

[1]

NOTE 45: A FECS is a subsystem of a PES. IEC 61508 is the preferred standard for complex PES.

[1]

Safety-related software is permitted by Exception 2 and Note 45; however, the bar is set quite high. The effort necessary to follow IEC 61508 will be prohibitive in many organizations, pushing smaller machine builders back to hardware-based EMO circuits.

12 Emergency Shutdown

If you’re still reading, you’re almost at the end. We just need to discuss the requirements of the Emergency Shutdown safety function.

12.2.3 All EMO circuits should be fault-tolerant.

If you’ve followed the reliability requirements discussed previously, fault tolerance may already be looked after. However, ISO 13850 makes the minimum PL for emergency stop PL=c. This performance level can be met with ISO 13849-1 Category 1 single-channel architecture, which can be achieved using basic and well-tried safety principles and well-tried components but no diagnostics, or with Category 2 single-channel architecture, which uses basic and well-tried safety principles with some degree of diagnostics (DCavg = LOW, 60% < DC ≤ 90%). Neither Category 1 nor 2 is fault-tolerant, because a single fault can cause the loss of the safety function. To get to fault tolerance, you need at least two channels to provide redundancy. That will require ISO 13849-1 Category 3 or 4 architecture, or IEC 62061, 1oo2 with HFT=1.
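A small model of why a single-channel final power-removal stage is not fault-tolerant while a two-channel one is. This is an added example written for this post, not code from SEMI S2 or ISO 13849; the contactor model, the two fault types (welded contact, open coil wire) and the mirror-contact feedback check are assumptions chosen to illustrate 12.2.3 and the de-energize-to-trip principle of 12.2.5.

```python
"""Fault-tolerance model for the final power-removal stage of an EMO circuit.

Constructed example for this post, not from SEMI S2 or ISO 13849. It compares
  * a single contactor in the supply path (Category 1/2 style, HFT = 0), and
  * two contactors in series (Category 3/4 or 1oo2 style, HFT = 1)
under reasonably foreseeable single faults. The safe state is "load power
removed". Contactors are de-energize-to-trip (12.2.5): a coil that loses
supply opens its contact, so an open coil wire is a safe failure, while a
welded (stuck-closed) contact is the dangerous failure mode.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Contactor:
    coil_energized: bool = True
    welded_closed: bool = False    # dangerous fault: contact cannot open
    coil_wire_open: bool = False   # safe fault: contact drops out

    def contact_closed(self) -> bool:
        if self.welded_closed:
            return True
        if self.coil_wire_open:
            return False
        return self.coil_energized


def load_powered(chain: list[Contactor]) -> bool:
    """Series chain: the load has power only while every contact is closed."""
    return all(k.contact_closed() for k in chain)


def press_emo(chain: list[Contactor]) -> None:
    """EMO removes coil supply from every channel (de-energize to trip)."""
    for k in chain:
        k.coil_energized = False


def safety_function_holds(chain: list[Contactor]) -> bool:
    """True if pressing EMO actually reaches the safe state for this chain."""
    press_emo(chain)
    return not load_powered(chain)


def feedback_mismatch(chain: list[Contactor]) -> list[int]:
    """Mirror-contact feedback read after EMO: channels whose contact still
    reads closed have welded. A Category 3/4 design uses this to block the
    manual reset so that a masked fault cannot accumulate with a second one."""
    return [i for i, k in enumerate(chain) if k.contact_closed()]


def survives_any_single_fault(n_channels: int) -> bool:
    """Exhaustively inject one fault (of either type) into each channel."""
    for position in range(n_channels):
        for fault in ("welded_closed", "coil_wire_open"):
            chain = [Contactor() for _ in range(n_channels)]
            setattr(chain[position], fault, True)
            if not safety_function_holds(chain):
                return False
    return True


def hardware_fault_tolerance(n_channels: int) -> int:
    """Largest number of simultaneous welded contacts the chain tolerates,
    i.e. the HFT figure used by IEC 62061 (0 for one channel, 1 for two)."""
    for n_faults in range(1, n_channels + 1):
        chain = [Contactor(welded_closed=(i < n_faults)) for i in range(n_channels)]
        if not safety_function_holds(chain):
            return n_faults - 1
    return n_channels


if __name__ == "__main__":
    for channels in (1, 2):
        print(f"{channels} channel(s): single-fault tolerant = "
              f"{survives_any_single_fault(channels)}, HFT = {hardware_fault_tolerance(channels)}")
    two = [Contactor(welded_closed=True), Contactor()]
    print("dual channel, one welded contact: safe =", safety_function_holds(two),
          "welded channels seen by feedback =", feedback_mismatch(two))
```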

12.2.4 Resetting the EMO switch should not re-energize circuits, equipment, or subassemblies.

A separate manual reset is required. This is true under ISO 13850 as well, so this should not be a surprise. You may want to read my posts on the manual reset safety function and manual reset via an HMI.

12.2.5 The EMO circuit should shut down the equipment by de-energizing rather than energizing control components.

This requirement exists in ISO 13849 as part of the well-tried safety principles. For more on that, see ISO 13849-2.

12.2.6 The EMO circuit should require manual resetting so that power cannot be restored automatically.

12.2.6 is tightly linked to 12.2.4, so I won’t add to that further.

12.3 The emergency off button should be red, mushroom shaped, and self latching. A yellow background for the EMO should be provided.

Guideline 12.3 is harmonized with the requirements in ISO 13850 and IEC 60204-1, both of which require a yellow background behind a red mushroom-head operator like that illustrated below.

12.4 All emergency off buttons should be clearly labeled as “EMO,” “Emergency Off,” or the equivalent and should be clearly legible from the viewing location. The label may appear on the button or on the yellow background.

[1]

Guideline 12.4 differs significantly from the international requirements. Outside of older equipment built in North America, which often marked the background with text such as “emergency stop,” “arrêt d’urgence,” or “Not-Aus,” machinery standards have not required any text on the yellow background at all. Internationally, the use of text can be a significant problem since the machine users may not be able to read English. In any jurisdiction, it is possible to have partially or completely illiterate users. As a consequence, the colour combination RED-and-YELLOW is now universally recognized to mean “emergency stop.” IEC 60617 offers the pictogram shown below that can be used:

Here’s the problem:

1. There is no pictogram for emergency off
2. Emergency stop and EMO are not considered to be exactly equivalent
3. IEC 60204-33 does not discuss emergency stop, although clause 9.2.1 NOTE 2 states, “The EMO can fulfil the requirement to provide an emergency stop function.”

Based on all these points, if you are building a machine that requires EMO, the SEMI S2 guidelines must be met, and the device must be marked “EMO” as shown in the first image in this post. You cannot use the e-stop symbol IEC 60417-5638. If you are CE Marking your equipment in addition to conforming to SEMI S2, then you should apply IEC 60204-33.

12.5 Emergency off buttons should be readily accessible from operating and regularly scheduled maintenance locations and appropriately sized to enable activation by the heel of the palm.

This same requirement applies to emergency stop buttons as to EMO buttons. “Readily accessible” is commonly considered to mean “within easy reach,” described in more detail below.

12.5.1 Emergency off buttons should be located or guarded to minimize accidental activation.

⚠️ ISO 13850 allows for “shrouds” to help prevent inadvertent actuation of the devices. However, using any structure around the e-stop button is not permitted in many jurisdictions. Be careful about this one since the structures around buttons marked red-and-yellow represent “low-hanging fruit” for inspectors since the structures are easily visible. ⚠️

12.5.2 No operation or regularly scheduled maintenance location should require more than 3 m (10 ft.) travel to an EMO button.

Paragraph 12.5.2 confirms the arm’s-length/1-metre convention previously mentioned.

⚠️ Best practices, and some regulations and standards, use the “within easy reach” rule for the location of e-stop devices. This rule recommends that emergency stop devices be located “within easy reach” of the operator when they are at the defined operator station. Typically, “within easy reach” is interpreted as within an arm’s length, or about 1 metre / 3 feet measured from the centreline of workstations or other locations where you expect workers to be normally. Apart from the operator stations, no requirement exists unless a requirement is made in a type-C standard. SEMI S2, on the other hand, requires that emergency off devices be located within 3 metres / 10 feet of operation and maintenance locations. This is a very different requirement.

12.5.3 The person actuating or inspecting the EMO switch assembly should not be exposed to hazards with a SEMI S10 risk of Medium or greater. Examples of hazards that could have such risk are:

— contacting energized electrical parts,

— contacting moving machinery,

— contacting surfaces that are at excessively high or low temperatures, and

— limited or poor access causing impacts, tripping or falling during rapid movement during an emergency.

Guideline 12.5.3 can be very difficult to ensure, at least in some parts. Preventing contact with live electrical parts when actuating the EMO should not be difficult. However, preventing contact with moving machinery may not be possible, nor may it be possible to prevent “limited or poor access causing impacts, tripping or falling during rapid movement during an emergency.” Great care is needed when designing for conformity with this guideline.

12.6 See § 13.5 for additional EMO guidelines when EMOs are used with UPSs.

I will not explore the requirements for implementing EMO with a UPS integrated into the machinery. I’ll leave that up to you if you’re so inclined.

Definitions

The following definitions are excerpts from [1].

5.2.13 fail-safe
designed so that a failure does not result in an increased risk.
NOTE 2: For example, a fail-safe temperature limiting device would indicate an out-of-control temperature if it were to fail. This might interrupt a process, but would be preferable to the device indicating that the temperature is within the control limits, regardless of the actual temperature, in case of a failure.
5.2.14 fail-to-safe equipment control system (FECS)
a safety-related programmable system of control circuits designed and implemented for safety functions in accordance with recognized standards such as ISO 13849-1 (EN 954-1) or IEC 61508, ANSI SP 84. These systems (e.g., safety programmable logic controller (PLC), safety related input and output (I/O) modules) diagnose internal and external faults and react upon detected faults in a controlled manner in order to bring the equipment to a safe state.
NOTE 3: A FECS is a subsystem to a programmable electronic system (PES) as defined in IEC 61508-4 Definitions.
NOTE 4: Related Information 13 provides additional information on applications of FECS design.
5.2.15 failure
the termination of the ability of an item to perform a required function. Failure is an event, as distinguished from “fault,” which is a state.
5.2.16 fault
the state of an item characterized by inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources.
5.2.17 fault-tolerant
designed so that a reasonably foreseeable single point failure does not result in an unsafe condition.
5.2.28 hazardous voltage
unless otherwise defined by an appropriate international standard applicable to the equipment, voltages greater than 30 volts RMS, 42.4 volts peak, 60 volts dc are defined in this Document as hazardous voltage.
NOTE 5: The specified levels are based on normal conditions in a dry location.
5.2.58 positive-opening
as applied to electromechanical control devices. The achievement of contact separation as a direct result of a specified movement of the switch actuator through non-resilient members (i.e., contact separation is not dependent upon springs).
5.2.68 safe shutdown condition
a condition in which all hazardous energy sources are removed or suitably contained and hazardous production materials are removed or contained, unless this results in additional hazardous conditions.
5.2.69 safety critical part
discrete device or component, such as used in a power or safety circuit, whose proper operation is necessary to the safe performance of the system or circuit.
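As an added illustration of the fail-safe (5.2.13) and fault-tolerant (5.2.17) definitions above, and not code from the article or from SEMI S2, here is a temperature limiter in the spirit of NOTE 2: a bad or untrustworthy reading is reported as out of control rather than as in limits, and a second channel catches a sensor that is stuck at a plausible value. The limits, sensor range and channel tolerance are constructed values.

```python
"""Fail-safe and fault-tolerant temperature limiting, modelled on SEMI S2
5.2.13 NOTE 2 and 5.2.17. All numbers below are constructed, not from the
guideline or the article."""
import math
from enum import Enum


class State(Enum):
    IN_LIMITS = "in limits"          # process may continue
    OUT_OF_CONTROL = "out of control"  # interrupts the process (safe side)


T_MIN, T_MAX = 20.0, 150.0        # constructed process limits, degrees C
SENSOR_MIN, SENSOR_MAX = -50.0, 400.0  # constructed physical range of the probe
MAX_CHANNEL_DELTA = 5.0           # constructed cross-check tolerance, degrees C


def non_failsafe_limiter(reading, last_good):
    """NOT fail-safe: a failed sensor (None/NaN) is replaced by the last good
    value, so the limiter keeps reporting 'in limits' regardless of the
    actual temperature. This is the behaviour NOTE 2 warns against."""
    if reading is None or math.isnan(reading):
        reading = last_good
    return State.IN_LIMITS if T_MIN <= reading <= T_MAX else State.OUT_OF_CONTROL


def failsafe_limiter(reading):
    """Fail-safe (5.2.13): any reading that cannot be trusted, i.e. missing,
    NaN, or outside what the probe can physically produce, is treated as a
    failure and reported as out of control."""
    if reading is None or math.isnan(reading):
        return State.OUT_OF_CONTROL
    if not SENSOR_MIN <= reading <= SENSOR_MAX:
        return State.OUT_OF_CONTROL
    return State.IN_LIMITS if T_MIN <= reading <= T_MAX else State.OUT_OF_CONTROL


def fault_tolerant_limiter(channel_a, channel_b):
    """Fault-tolerant (5.2.17): two independent channels. A single failed
    channel still yields a safe decision, and a channel stuck at a plausible
    in-range value (which single-channel logic cannot detect) is caught by the
    disagreement check between the channels."""
    if (failsafe_limiter(channel_a) is State.OUT_OF_CONTROL
            or failsafe_limiter(channel_b) is State.OUT_OF_CONTROL):
        return State.OUT_OF_CONTROL
    if abs(channel_a - channel_b) > MAX_CHANNEL_DELTA:
        return State.OUT_OF_CONTROL  # channels disagree: one has failed
    return State.IN_LIMITS


if __name__ == "__main__":
    print("sensor open, last good 100:", non_failsafe_limiter(None, 100.0).value)
    print("sensor open, fail-safe:", failsafe_limiter(None).value)
    print("stuck channel 100 vs 140:", fault_tolerant_limiter(100.0, 140.0).value)
```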

From IEC 61508-4:

3.3.1 programmable electronic system (PE system)
system for control, protection or monitoring based on one or more programmable electronic devices, including all elements of the system such as power supplies, sensors and other input devices, data highways and other communication paths, and actuators and other output devices (see Figure 2)
NOTE The structure of a PES is shown in Figure 2 a). Figure 2 b) illustrates the way in which a PES is represented in this International Standard, with the programmable electronics shown as a unit distinct from sensors and actuators on the EUC and their interfaces, but the programmable electronics could exist at several places in the PES. Figure 2 c) illustrates a PES with two discrete units of programmable electronics. Figure 2 d) illustrates a PES with dual programmable electronics (i.e. two-channel), but with a single sensor and a single actuator.
IEC 61508-4:2010

References

[1] Environmental, Health, and Safety Guideline for Semiconductor Manufacturing Equipment, SEMI S2. SEMI. 2012.

[2] Safety of machinery — Emergency stop — Principles for design, ISO 13850. International Organization for Standardization (ISO). 2015.

[3] Safety of machinery — General principles for design — Risk assessment and risk reduction, ISO 12100. International Organization for Standardization (ISO). 2010.

[4] Safety of machinery — Electrical equipment of machines — Part 1: General requirements, IEC 60204-1. International Electrotechnical Commission (IEC). 2016.

[5] Safety of machinery — Electrical equipment of machines — Part 33: Requirements for semiconductor fabrication equipment, IEC 60204-33. International Electrotechnical Commission (IEC). 2009.

[6] Standardization and related activities — General vocabulary, ISO/IEC Guide 2. 2004.

[7] “About SEMI Standards | SEMI”, Semi.org, 2020. [Online]. Available: https://www.semi.org/en/Standards/P_000787. [Accessed: 14- Jun- 2020].

[8] Teaching Standards — Good practices for collaboration between National Standards Bodies and universities, 1st ed. Geneva: International Organization for Standardization (ISO), 2014.

[9] Procedure Manual Detailing SEMI Standards Processes and Practices. Milpitas, California: SEMI, 2020.

[11] Safeguarding of Machinery, CSA Z432, Canadian Standards Association (CSA). 2016.

[12] Safety of machinery — Electrical equipment of machines — Part 33: Requirements for semiconductor fabrication equipment, EN 60204-33. European Committee for Electrotechnical Standardization (CENELEC), Brussels. 2011.

[13] “ISO/IEC Directives, Part 2 — Principles and rules for the structure and drafting of ISO and IEC documents”, iso.org, 2021. [Online]. Available: https://www.iso.org/sites/directives/current/part2/index.xhtml#_idTextAnchor078. [Accessed: 08- Sep- 2022].

[14] Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC 62061. International Electrotechnical Commission (IEC). 2021.

© 2022, Compliance inSight Consulting Inc.