Machine & Operator Safety
Emergency-stops: Myths and misconceptions
January 10, 2018 by Danny C. Marmora
One question I get asked almost daily by industrial clientele is about the emergency stop (e-stop) function on their machines.
Specifically, they ask very fundamental questions about what the e-stop is used for, when it is to be used, its use for personnel/operator safety at the machine, and whether the e-stop is part of the machine’s overall safety system and if it needs to be wired via safety relays and redundant circuitry.
To answer these questions and dispel a number of myths and misconceptions about e-stops, we need to establish the framework that allows e-stop devices to exist via the applicable standards.
The definition of an e-stop
In Canada, two predominant general machinery safety standards, CSA Z432-2016 – Safeguarding of Machinery and NFPA 79-2015 – Electrical Standard for Industrial Machinery (current editions noted herein), define the requirements of the e-stop function. Specifically, CSA Z432-16 Clause 3 defines the e-stop as: “A function that is intended to avert harm or to reduce existing hazards to workers, machinery or work in progress.”
Reading a little deeper into CSA Z432-16, C188.8.131.52 states the e-stop shall: “be fully in accordance with NFPA 79, ISO 13850, and IEC 60204-1, override all other machine controls, cause all moving parts to stop, and remove drive power from the machine actuators. Final removal of energy to the machine actuators shall be ensured and shall be by means of electromechanical components.”
Similarly, NFPA 79-15 Clause 3.3.35 defines not the e-stop device itself but the condition of Emergency Switching Off as: “an emergency operation intended to switch off the supply of electrical energy to all or part of an installation.”
Further, NFPA 79 C184.108.40.206 states an e-stop, which enables the Emergency Switching Off, shall: “override all other functions and operations in all modes. Power to the machine actuators, which causes a hazardous condition(s), shall be removed as quickly as possible without creating other hazards (e.g., by the provision of mechanical means of stopping requiring no external power, by reverse current braking for a Category 1 stop). The reset of the command shall not restart the machinery but only permit restarting.”
Myth #1: The e-stop can be used to prevent personal injury
While the two definitions do allow e-stops for injury avoidance, it is only under the condition whereby the machine is malfunctioning. Hence the use of the e-stop in lieu of a traditional safeguarding method such as fixed guarding, interlocked gate or other protective device — e.g. light curtain, area scanner, etc. — is prohibited.
Myth #2: The e-stop is a safeguarding device
E-stops and similar systems are commonly referred to as complementary protective measures (CSA Z432-16 C6.3). These types of devices/systems are in addition to the prescribed/defined/required safeguarding systems/methods. As a complementary protective measure, the e-stop affords the operator an independent means outside the regular control and provided safeguarding devices to shut down the machine. Given this specific use, e-stops are not safeguarding devices.
Myth #3: The e-stop can be used as/in lieu of a cycle stop
From a performance perspective only, the outcome of activating an e-stop and cycle stop would appear to be the same — the machine comes to a stop. It’s important to note that an e-stop and a cycle stop attain that end result differently, due to an e-stop’s unique role within a machine’s control architecture as further defined by the standards.
By definition, an e-stop removes power/energy from the prime movers of a machine, bringing said machine to a standstill as quickly as possible, regardless of where the machine cycle is and/or what mode of operation it is in (automatic versus manual versus jog). Furthermore, the machine cannot by definition resume power to operate until the e-stop (fault) has been manually reset. To that point, the machine remains paralyzed.
Further by definition, e-stop systems are to provide a minimum PLc or SIL1 performance level. This is a minimum requirement and a detailed risk assessment could result in more robust e-stop circuitry being provided. This requirement loosely translates to a Category 0 or 1 type “stop” as defined by NFPA 79.
Conversely, the cycle stop function allows for the controlled stop of the machine during or at the end of the respective cycle (variance based on control design for cycle stop). Furthermore, the cycle stop functionality allows for power to be left available after use. NFPA 79 defines this as a Category 2 stopping system.
The primary difference between an e-stop and cycle stop is how each device attains the no motion condition. E-stops remove power and prohibit the resumption of machine power until the e-stop push button is physically reset (this is a discernible action required by someone), and then there is the ability to resume control power. Meanwhile, cycle stops do not require a discernible reset or power resumption. By definition, post cycle stop, power is still available to resume the cycle or a new one at the operator’s discretion.
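The difference described above can be traced in a small logic model. This is an added example, not part of the original column, and its class and method names are assumptions made for illustration. It models control behaviour only; as the CSA clause quoted earlier states, final removal of energy on a real machine is by electromechanical components.

```python
# Logic-only model; class and method names are illustrative assumptions.
class Machine:
    def __init__(self, mode):
        self.mode = mode                # "automatic", "manual" or "jog"
        self.estop_latched = False      # button stays in until physically reset
        self.power = True               # drive power to the prime movers
        self.running = self.stop_pending = False

    def start(self):
        # Motion needs power and an unlatched e-stop.
        self.running = self.power and not self.estop_latched
        return self.running

    def press_estop(self):
        # Acts the same in every mode and at any point in the cycle.
        self.estop_latched, self.power = True, False
        self.running, self.stop_pending = False, False

    def reset_estop(self):
        # Reset only permits restarting; power and motion stay off.
        self.estop_latched = False

    def restore_power(self):
        if not self.estop_latched:      # refused while the button is latched
            self.power = True
        return self.power

    def cycle_stop(self):
        self.stop_pending = self.running  # this design stops at end of cycle

    def end_of_cycle(self):
        if self.stop_pending:
            self.running, self.stop_pending = False, False

def estop_sequence(mode):
    m = Machine(mode)
    m.start()
    m.press_estop()
    blocked = (m.restore_power(), m.start())  # both refused while latched
    m.reset_estop()
    after_reset = (m.power, m.running)        # reset alone changes neither
    return blocked, after_reset, m.restore_power() and m.start()

def cycle_stop_sequence():
    m = Machine("automatic")
    m.start()
    m.cycle_stop()
    mid_cycle = m.running                     # still finishing the cycle
    m.end_of_cycle()
    return mid_cycle, m.running, m.power, m.start()
```

The e-stop sequence gives the same result in every mode, while the cycle stop leaves power available so the next start succeeds with no reset step.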
In summary, e-stops are present on almost all machinery, and while ubiquitous by design, their use is restricted until needed. CSA Z432-16 suggests the application of e-stops unless a risk assessment can show the e-stop would not contribute to the overall risk reduction of the machine. There are many myths around e-stops; however, relying on the applicable standards referenced herein will help support future educated and compliant decisions.
Danny C. Marmora, B.Eng., P.Eng., CET, (firstname.lastname@example.org) is the principal at Marmora Consulting based in Stoney Creek, Ont. His firm specializes in Pre-Start Health & Safety Reviews, fire code consulting and forensic engineering.
This column was originally published in the January/February 2018 issue of Manufacturing AUTOMATION.