Machine & Operator Safety
Myth busting: Three emergency stop myths
January 20, 2011 by Doug Nix
There are a number of myths that have grown up around emergency stops over the years. These myths can lead to injury or death, so it’s time for a little myth busting.
Myth #1: The emergency stop is a safety device
Early in the Industrial Revolution, machine builders realized that users needed a way to quickly stop a machine when something went wrong. At that time, machines were powered by overhead line shafts driven by large central power sources like waterwheels, steam engines or large electric motors. Machinery was coupled to the central shafts with pulleys, clutches and belts, which transmitted the power to the machinery.
These central engines powered an entire factory, so they were much larger than an individual motor sized for a modern machine. In addition, they could not be easily stopped, since stopping the central power source would mean stopping the entire factory – not a welcome choice. Emergency stop devices were born in this environment.
Due to their early use as a safety device, some people incorrectly consider emergency stop systems to be safeguarding devices. Modern standards make the difference very clear. The easiest way to understand the current meaning of the term “emergency stop” is to begin by looking at the definition:
Emergency stop/emergency stop function – a function that is intended to avert arising or reduce existing hazards to persons, damage to machinery or work in progress; and be initiated by a single human action. [NOTE: Hazards, for the purposes of this International Standard, are those which can arise from functional irregularities (e.g. machinery malfunction, unacceptable properties of the material processed, human error), and normal operation.] (Source: Safety of machinery – Emergency stop – Principles for design, ISO 13850, Geneva, 2006)
It is important to understand that an emergency stop function is “initiated by a single human action.” This means that it is not automatic and, therefore, cannot be considered to be a risk control measure for operators or bystanders. Emergency stop may provide the ability to avoid or reduce harm by providing a means to stop the equipment once something has already gone wrong.
Safeguarding systems act automatically to prevent a person from becoming involved with the hazard in the first place. This is a reduction in the probability of a hazardous situation arising, and may also involve a reduction in the severity of injury by controlling the hazard (i.e. slowing or stopping rotating machinery before it can be reached). This constitutes a risk control measure, and can be shown to reduce the risk of injury to an exposed person.
Emergency stop is reactive; safeguarding systems are proactive.
In Canada, CSA defines emergency stop as a “complementary protective measure” in CSA Z432-04, 188.8.131.52.1 and 184.108.40.206.3.
220.127.116.11.1: Safeguards (guards, protective devices) shall be used to protect persons from the hazards that cannot reasonably be avoided or sufficiently limited by inherently safe design. Complementary protective measures involving additional equipment (e.g. emergency stop equipment) may have to be taken.
18.104.22.168.3 Complementary protective measures: Following the risk assessment, the measures in this clause either shall be applied to the machine or shall be dealt with in the information for use. Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use, may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but are not limited to, emergency stop; means of rescue of trapped persons; and means of energy isolation and dissipation.
Myth #2: Cycle stop and emergency stop are equivalent
Emergency stop systems act primarily by removing power from the prime movers in a machine, ensuring that power is removed and the equipment brought to a standstill as quickly as possible, regardless of the stage of the operating cycle that the machine is in. After an emergency stop, the machine is inoperable until the emergency stop system is reset. In some cases, emergency stopping the machine may damage the equipment due to the forces involved in halting the process quickly.
Cycle stop is a control system command function that is used to bring the machine cycle to a graceful stop at the end of the current cycle. The machine is still fully operable and may still be in automatic mode at the completion of this stop.
Myth #3: Emergency stop systems can be used for control of hazardous energy procedures
Fifteen to 20 years ago, it was not uncommon to see emergency stop buttons fitted with locking devices. The locking device allowed a person to prevent the resetting of the emergency stop device. This was done as part of a “lockout procedure.” Lockout is one aspect of hazardous energy control procedures (HECP). HECPs recognize that live work needs to be done from time to time, and that normal safeguards may be bypassed or disconnected temporarily, to allow diagnostics and testing to be carried out. This process is detailed in two current standards – CSA Z460 and ANSI Z244.1. (Source: Control of Hazardous Energy – Lockout/Tagout and Alternative Methods, ANSI ASSE Z244.1, 2003, American National Standards Institute / American Society of Safety Engineers, Des Plaines, Ill.)
No current standard allows for the use of control devices, such as push buttons or selector switches, to be used as energy-isolation devices. CSA Z460-05 specifically prohibits this use in their definition of energy-isolation devices:
Energy-isolating device – a mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors; a line valve; a block; and other devices used to block or isolate energy (push-button selector switches and other control-type devices are not energy-isolating devices). (Source: Control of hazardous energy – Lockout and other methods, CSA Z460, Canadian Standards Association, Toronto, 2005.)
Emergency stop is a control that is often designed with little thought and used for a variety of things that it was never intended to be used for. The three myths discussed in this column are just the tip of the iceberg.
Consider the following questions when thinking about the design and use of emergency stop systems:
• Have all the intended uses and foreseeable misuses of the equipment been considered?
• What do I expect the emergency stop system to do for the user of the machine? (The answer to this should be in the risk assessment.)
• How much risk reduction am I expecting to achieve with the emergency stop?
• How reliable does the emergency stop system need to be?
• Am I expecting the emergency stop to be used for other purposes, like “Power Off,” energy isolation or regular stopping of the machine? (The answer to this should be “No.”)
Taking the time to assess the design requirements before designing the system can help ensure that the machine controls are designed to provide the functionality that the user needs, and the risk reduction that is required.
Doug Nix is managing director with Compliance InSight Consulting Inc., a firm specializing in risk assessment, industrial machinery safety and regulatory compliance. A version of this article was originally posted on September 3, 2010, on Doug’s blog, Machinery Safety 101. To view this and more of Doug’s blog posts, visit http://machinerysafety101.com.