The Emergency Stop - 2012 Ver 2.0


  • 8/13/2019 The Emergency Stop - 2012 Ver 2.0

    1/27

THE EMERGENCY STOP BUTTON
the button of last resort

An overview of the Emergency Stop Button and methods for establishing and maintaining the reliability of its action throughout a control system.

by
Robin J Carver EurOSHM MIET MIntMC CMIOSH FIIRSM
Chartered Safety Practitioner
Registered European Occupational Safety and Health Manager

Re-written February 2012


    Preface to the 2012 edition

A lot has changed in the world of machinery controls since I first wrote The Emergency Stop Button - the button of last resort back in the late 90s and then revised it in 2002. The Machinery Directive has been re-cast and the supporting harmonised standards have been revised, opening the doors to the use of electronic and programmable "Black-Box" type controls in safety related parts of control systems. Significantly, the old faithful standard for Safety Related Parts of Control Systems, EN 954-1, has given way to EN ISO 13849-1:2008 which, despite its complications, has finally made the long awaited link between risk and system reliability. But what of the Emergency Stop? Many years ago, when I was a Junior System Designer, the Emergency Stop was the only personnel safety system available. Now the re-cast Machinery Directive formally places it in its correct setting as a back-up to other safeguarding measures and not a substitute for them. This 2012 edition of The Emergency Stop Button - the button of last resort has been completely re-written and attempts to bring the application "what, where & hows" up to date, providing designers with, I hope, sound methods for assessing the required levels of reliability, practical suggestions for system architecture and component selection, and methods of co-ordination with machine assemblies.

The Emergency Stop Button - the button of last resort may not have a thrilling plot (or any plot at all for that matter) but I hope it will help guide designers to the industry standards and norms and, maybe, will pass on some of the experience and knowledge I have gained over many years of doing, reading and listening.

    Robin Carver February 2012

    Email: [email protected]

    Web: www.hs-compliance.com


    Background and history

During the industrial revolution machinery designers soon realised that there could be a need to stop their machines quickly if something went wrong, though their concern was, undoubtedly, not one of benevolence or concern for the safety of the workers on the machine, but rather that of protecting the investment, the safety of the valuable machine itself! From this was born the Emergency Stop control as a machine protector. This remained the primary consideration throughout the 19th and early 20th century, but with an increasing awareness that the workforce's welfare should be considered, enforced by the Factory Acts and later the Unfenced Machinery Regulations. Finally, in 1972 in the United Kingdom, the new Health & Safety at Work Act insisted that it is the duty of every employer to ensure the health, safety and welfare at work of all employees. Machinery Safety came of age and with it the Emergency Stop became a safety device.


Introduction - "....Houston, we have a problem...."

The Emergency Stop device is a unique part in any safety related control system. Unlike the normal protective systems such as guard interlocking, light curtains, area detection, etc., which are proactively preventative, i.e. serving to prepare for, or control, an expected risk situation, the Emergency Stop function is reactive, initiated by a single human action, reducing the effects of the risk incident following its occurrence.

Recently, I was asked to review a near miss (or more appropriately a near hit) on an industrial meat mincing machine. A trained and experienced maintenance engineer ignored written procedures and, without isolating and locking off the machine supplies, took it upon himself to remove the 12 bolts on fixed guarding, removed and bypassed an additional safety interlock, opened the guarding to expose blade hazards and accidentally pressed the start button! It was a co-worker that reacted to the situation and pressed the Emergency Stop button that saved the maintenance engineer from severe injury or even death. That's why we have Emergency Stops!

In Europe the EU Machinery Directive states that, unless it would not lessen the risk, machinery must be fitted with one or more emergency stop devices to enable actual or impending danger to be averted; but importantly, Emergency Stop devices must be a back-up to other safeguarding measures and not a substitute for them.

When considering the design of any machine it is important to assess the risks and, where reasonably practicable, reduce those risks by applying the following hierarchical principles:

1) eliminate hazards as far as possible (inherently safe machinery design),
2) take the necessary safeguarding and protective measures in relation to hazards that cannot be eliminated,
3) inform users of the residual risks due to any shortcomings of the safeguarding and protective measures adopted.

For hazards that cannot be reasonably removed or limited by design, guards and/or similar protective measures are required. These guards and protective measures may well be associated with safety related control systems. The reliability of the safety related parts of the control system (SRP/CS) should be considered in relationship to the associated risk for the particular safety function, as advised in EN ISO 13849-1.

Having refined the design to reduce the risks to a practical minimum and provided all the safety information possible, the machine should be safe for all the safety incidents foreseen by the designer.

But what about the un-foreseen incidents?

This is what the Emergency Stop button is for!


Obligations (The mandatory requirements)

The EU Machinery Directive 2006/42/EC, being mandatory for machines in the European Union, dictates the basic requirements for an Emergency Stop in the Essential Health and Safety Requirements (EHSRs) in clause 1.2.4.3 of Annex I.

These requirements are summarised as follows:-

- Unless an Emergency Stop device would not lessen the risk, machinery must be fitted with emergency stop(s) to enable actual or impending danger to be averted as quickly as possible,
- The Emergency Stop device must be clearly identifiable, clearly visible and quickly accessible,
- The Emergency Stop function must be available and operational at all times, regardless of the operating mode,
- Disengaging the Emergency Stop device must not restart the machinery but only permit restarting,
- Emergency Stop devices must be a back-up to other safeguarding measures and not a substitute for them.

An Emergency Stop device is classed as a safety component by the Machinery Directive, which means it is a component:

- which serves to fulfil a safety function,
- which is independently placed on the market,
- the failure and/or malfunction of which endangers the safety of persons, and
- which is not necessary in order for the machinery to function.

As such, Emergency Stop devices must be manufactured in accordance with the harmonised standards or follow procedures for assessment of conformity using a Notified Body. It is important to note, however, that this applies to safety components and not to the design of the safety related part of a control system itself.


Application (what, where & how)

What?

The types of device for emergency stop include:

- mushroom-type pushbuttons;
- grab-wires, ropes, bars & handles;
- foot-pedals (without a protective cover); or a combination of devices.

The most common Emergency Stop device is the Emergency Stop button made familiar by its red mushroom shaped actuator. So who specified that it should be like that? Standard EN 60947-5-5 "Low-voltage switchgear and controlgear. Electrical emergency stop devices with mechanical latching function" provides the detailed specifications for the electrical and mechanical construction and their testing.

Whatever actuators are used, they must be capable of withstanding foreseeable forces, considering that they may be liable to be subjected to considerable forces.

The figure illustrates a typical simulation requirement for an Emergency Stop button from EN 60947-5-5.

Selection of an Emergency Stop Device

The requirements for Emergency Stop devices are given in EN ISO 13850 "Safety of machinery - Emergency stop - Principles for design".

Types of device for emergency stop include, commonly, mushroom-type pushbuttons, grab-wires/ropes and foot-pedals, and less commonly, bars or handles.

They must not be soft buttons programmed onto touch-screens, HMIs or similar unless their integrity, including the HMI hardware, the embedded software (firmware) and application software, can be proven absolutely. However, Light Curtains (AOPDs) and similar devices could be utilised where appropriate.

The selection of the type of device must take into account the environment into which they are to be installed so that they are able to operate correctly under the expected operating conditions and site and location influences. We must take into consideration the fact that they may be infrequently operated, and effects due to exposure to vibration, shock, temperature, dust, foreign bodies, moisture, corrosive materials and fluids, including hosing down. Emergency Stop devices are often lost and forgotten but when they are needed they MUST work!

Normally Emergency Stop devices are electromechanical. But here we must be cautious. Reliability is often considered related to the number of operations the device will tolerate, but when dealing with Emergency Stop devices we must consider that it may be operated infrequently, hopefully, very infrequently!

Accidents, including fatalities, have occurred when contact blocks have fallen from the back of Emergency Stop button actuators due to deterioration of the plastic in some ageing button assemblies. The monitoring by the safety system may not always detect such a failure if both the blocks become detached simultaneously.

Self-monitoring contact blocks are available which have a contact arrangement that monitors the installation of contact blocks to the actuator. There is a normally open monitoring contact that is held closed when the contact block is properly installed on the actuator. This normally open contact is wired in series with the normally closed contact of the standard contact block operated by the actuator. If the contact block becomes detached from the actuator the normally open contact opens and an emergency stop command is issued.

Accidental or Nuisance Operation may be a problem and should be considered, especially when Emergency Stop devices are sited in areas near walkways and corridors between machines. If accidental operation is considered a possibility due to persons brushing past, then shrouding the button is preferable to moving it out of the area or making it invisible and/or inaccessible by covering it completely.

A Footswitch type Emergency Stop device, however, must NOT have a cover.


Grab-Wires and Ropes as Actuators

When Grab-Wires or Ropes are used as the actuators for Emergency Stop devices, they must be positioned for ease of use. Consideration must be given to the individual manufacturer's specifications and installation requirements. These may include the amount of deflection necessary to generate the emergency stop command, the maximum deflection possible (which EN 60947-5-5 recommends should not exceed 400mm) and the force required (which should not exceed 200N). Also, the supports and tensioning devices required and the number of switching units required at each end, based on the length of the actuator cords, normally advised by the manufacturer. The minimum clearance between the actuator cord and objects in the vicinity must be considered where it could reduce effectiveness. Consider also ways of making the cords or ropes visible for the operators (e.g. fitting marker flags). If it is likely that actuation will be by pulling the wire along its axis, it will be necessary to ensure that pulling the wire in either direction will generate the emergency stop command. Grab-Wire or Rope actuated Emergency Stop devices must be tension-monitored devices so that breakage or disengagement of the actuator is detected.

The means to reset the emergency stop device should be placed so that the whole length of the wire or rope is visible from the location of the resetting means.

Other Emergency Stop Device Actuators

Bars and handles used as Emergency Stop devices are less common but may be found, for example, on machines with roller hazards or moving carriages, etc. These are often fabricated to suit the specific application but, provided they meet the criteria set by EN ISO 13850 that "the emergency stop function shall be maintained by latching of the actuating system", these are usually acceptable.

When Emergency Stop devices are associated with cable-less control systems, the Emergency Stop function must be tripped off when correct control signals are not received or there is a loss of communication.

The use of a "safe-edge" type device is a little more controversial. A safe-edge usually takes the form of an extended, flexible, profiled rubber strip installed near to the hazard(s) which, when depressed at any point along its length, will send a signal which will trip the Emergency Stop safety system.


The contact initiation uses the principle of conductive rubber surfaces running the length of the profile strip. The wires are terminated with a known resistor. When the profile is deformed, by being pressed, the conductive rubber surfaces come into contact with each other and cause the overall resistance to drop. The controversy concerns the fact that initiation of the safety system is generated by the closing of a contact, contrary to the requirement of EN ISO 13850 that the device "shall have a direct electrical positive opening action". Also the criterion, set by EN ISO 13850, that "the emergency stop function shall be maintained by latching of the actuating system" will be difficult to achieve.

However, subject to a specific risk assessment, the safety edge, along with a suitable controller, could provide a versatile and flexible emergency stop system for use in applications where a machine user must have easy, contiguous access to an Emergency Stop device actuator.

Device Operation

The operation of the Emergency Stop device should result in it mechanically latching in (e.g. press and stay-put) and only manual action will de-latch the device. The method of de-latching may be rotation of the button (twist to reset) or by a pulling motion, either with or without a key locking/release facility.

Without exception, operation of the Emergency Stop should result in the de-energisation of the Emergency Stop related part of the control system. This must be achieved through opening of the contacts and positive mode operation, where the contact separation must be as a direct result of the movement of the switch actuator. Emergency Stop buttons using detachable contact blocks should be configured such that the contact will open should the contact block become detached, ensuring Fail Safe operation. The resetting of the emergency stop device must only be a manual action at the location where the command was initiated, but this action itself may only permit restarting. It must not allow the machine to restart without further commands such as resetting the Emergency Stop related part of the control system and/or initiating a complete machine restart.


Where?

Clearly, when required, the Emergency Stop must be accessible and recognisable by all who may have to operate them, their location should be obvious and they must, at all times, work reliably and safely. Emergency Stop devices should be located at each operator control workstation (except where the risk assessment indicates that this is not necessary). We should also consider other locations where the initiation of an emergency stop may be required. Risk Assessment should be used to determine all the locations. Consider all the human interaction during the whole operational life cycle of the machine. This should focus on all tasks associated with every phase of the machine, e.g.:-

- setting, testing, teaching/programming;
- process/tool changeover;
- start-up, restarting & all modes of operation;
- feeding & removal of product from machine;
- stopping the machine;
- clearing jams or blockages;
- fault-finding/trouble-shooting (operator intervention);
- cleaning & housekeeping and maintenance.

In general, control devices should not be located in or near danger zones. The Emergency Stop is an exception. Consider where the human interaction may be taking place and where an unexpected dangerous event could occur; this could be in the guarded area (e.g. within perimeter guarding around a robot). Whilst a machine user is within the guarded area (the danger zone) an unforeseen event could have caused the robot (or any moving hazard) to move. Access to an Emergency Stop provides the user with a means to react to the immediate situation and, hopefully, stop the hazardous action before the risks become a reality. Analysis of what went wrong can take place later AND actions taken to stop it happening again!

[Figure: Typical location arrangement for Emergency Stop devices on an assembly of machines (based on risk assessment); legend: E/Stop, Grab-wires]


The actuator of the emergency stop device must be coloured RED. (Note: The colour RED for any push-button actuators may only be used for emergency stop and emergency switching off actuators.) The colour RED for the emergency stop actuator must not depend on the illumination of a backlight. As far as a background exists behind the actuator and as far as it is practicable, the background should be coloured YELLOW.

Where markers are required the symbol below from IEC 60417-5638 (DB:2002-10) should be used. (When did you last see one of those?)

When using the grab-wire or rope actuated devices, it can be useful to improve their visibility by attaching marker flags to them.

Dealing with Cableless or Detachable Pendant type controls

Pendant or teaching control devices such as those associated with industrial robots are required to include an emergency stop function (in accordance with EN ISO 10218-1 "Robots and robotic devices - Safety requirements for industrial robots"). Clearly, this can pose some problems in that the Machinery Directive EHSRs require that the Emergency Stop function must be available and operational at all times, regardless of the operating mode! What if a cableless unit is out of range or the pendant is unplugged and bypassed?

EN ISO 10218-1 requires that where pendant or other teaching controls have no cables connecting to the robot control, or where they can be detached, the following should apply:-

a) A visual indication, on the pendant display, must be provided to show that the pendant is active;
b) Any loss of communication should result in a protective stop, and restoration of communication must not restart the robot without a separate deliberate action;
c) Confusion between active and inactive emergency stop devices must be avoided by providing appropriate storage or design, and the Information for use must contain a description of the storage or design.

EN 60204-1 "Safety of machinery - Electrical equipment of machines" offers little more in the way of guidance and simply states that where confusion can occur between active and inactive emergency stop devices caused by disabling the operator control station, provision should be made to minimise confusion. EN ISO 13850 "Safety of machinery - Emergency stop - Principles for design" unfortunately gives no guidance at all! Some German manufacturers are using Grey actuator buttons in place of Red!


How?

Operation in an emergency - Considerations

The nature and operation of the machine must be considered and the risks assessed.

- Is it safe to have the Emergency Stop system cut the power to the machine drives and actuators? This may result in the hazard freefalling, leading to a more dangerous situation.
- Should the system actuate a brake or clamp?
- Would stopping the machine in position result in a worsening of an injury?
- Should the system allow the machine to continue on or reverse to a safe position?

The risk assessment must indicate the most suitable method of shutting down following the operation of the Emergency Stop device: either immediate stopping by the removal of power to the machine actuator(s) (classified as Stop Category 0), or a controlled stop with power to the machine actuator(s) available to allow them to stop in a safe position, followed by removal of power when the stop is achieved (classified as Stop Category 1). The Emergency Stop function must be designed for operation without hesitation so that a decision to use the device does not require the machine operator to consider the resultant effects.

Note: A controlled stop with power left available to the machine actuator(s) (classified as Stop Category 2) is NOT acceptable for Emergency Stops.

We should also consider the following as defined in EN 60204-1:-

Emergency Stop device
Manually actuated control device used to initiate an emergency stop function.

Emergency Switching off device
Manually actuated control device used to switch off the supply of electrical energy, effecting a Stop Category 0 of machine actuators connected to this incoming supply.

Where the supply disconnecting device (usually an Electrical Isolator) is to be used for emergency switching off, it must be readily accessible and should meet the colour requirements of an Emergency Stop actuator (Red coloured actuator on a Yellow background).

Note: if the supply disconnecting device is not suitable as an Emergency Switching off device it must NOT have a Red coloured actuator on a Yellow background but should be coloured BLACK or GREY as described in EN 60204-1.

[Figure: Emergency Switch off device?]

[Figure: Risk graph from EN ISO 13849-1 Fig A.1, running from High Risk to Low Risk]

    Performance

A lot has changed since I first wrote this in 2000. In those days the design requirements for safety related parts of the control system were easier, based on the standard "Safety of machinery - Safety related parts of control systems", EN 954-1. Programmable and networked safety systems were not considered to be acceptable and we only had to consider the wiring of the circuit (the Category) and the use of what is nebulously termed "proven components and principles". Sadly, however, it could not make the link between the risk and the Category. EN 954-1 was withdrawn in December 2010 in favour of EN ISO 13849-1:2008, which opened the gates for the employment of programmable and networked safety systems and, thankfully, does relate the performance of the system to the risk; however, in doing so it imposes, on the designers, much more onerous duties to quantify the reliability of the design including the components used. Unfortunately EN ISO 13849-1 gives no specific guidance on Emergency Stop functions. EN ISO 13849-1:2008 is like the Curate's Egg: good in parts!

EN ISO 13849-1 provides a reasonably sound method of determining the performance required by a normal safety function related to the risk. This method takes into account the basic elements of risk, these being the Severity of any Injury (S), the Frequency and/or Duration of exposure to the risk (F) and the Possibility of Avoiding or Limiting the Harm (P). From this it is possible to estimate the Performance Level required (PLr) by the safety function, as shown in the risk graph from EN ISO 13849-1 Fig A.1.

(Since the publication of the cartoon in Punch Magazine in 1895, the expression "a Curate's Egg" has come to mean something that is partly good and partly bad, but as a result is entirely spoiled.)

Right Reverend Host: "I'm afraid you've got a bad egg, Mr. Jones."
The Curate: "Oh, no, My Lord. I assure you. Parts of it are excellent!"


Following estimation of the Performance Level required (PLr) by a particular safety function, the designer may quantify the performance required of the components, in terms of Mean Time to Dangerous Failure (MTTFd), and the principles to be employed to link the components into a suitable architecture (as before, the Category, but now including, where appropriate, diagnostics and examination of possible Common Cause Failures).

Performance Level for an Emergency Stop?

This determination, however, may not be easily applied to the Emergency Stop function because, as stated at the outset, the Emergency Stop function is reactive, reducing the effects of the risk incident following its occurrence. e.g.:-

S - Severity of any Injury
This may well be the worst case situation for the machine. Probably S2.

F - Frequency and/or Duration of exposure to the risk
This is not relevant unless one assumes that it refers to the frequency with which the Emergency Stop function is likely to be used, which should be never, because we are dealing with an assessment of incidents that are unforeseen by the designer. Probably, if any, F1.

P - Possibility of Avoiding or Limiting the Harm
This is also not relevant as the harm may have already been realised and the action of the Emergency Stop function IS to attempt to limit the harm. Probably, if any, P1.

On this assessment basis the Performance Level required (PLr) for an Emergency Stop function would be PLr = C in all cases, even where other safety functions require a higher PLr! As an Emergency Stop function is a back-up to other safeguarding measures, this may be considered acceptable, but as a designer I wouldn't feel comfortable with this estimation. I would suggest that, in view of the minimal costs involved, it would be reasonably practicable to design an Emergency Stop function that meets the highest PLr assessed for the machine as a whole. When the machine is a part of an assembly of machines designed to function as an integral whole with a common Emergency Stop function, then this should be the highest PLr assessed for the machine assembly.
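The risk-graph estimation above, and the designer's rule that follows from it, worked through as an added Python example (not part of the original document); the (S, F, P) to PLr mapping is that of EN ISO 13849-1 Fig A.1, and the sample safety functions are constructed for illustration.

```python
"""Required Performance Level (PLr) from the EN ISO 13849-1 risk graph, and the
designer's rule argued on this page: build the Emergency Stop function to the
highest PLr assessed for the machine or machine assembly. Added illustration,
not part of the original document; the sample safety functions are constructed."""
from dataclasses import dataclass

# EN ISO 13849-1:2008 Fig A.1 risk graph, (S, F, P) -> PLr.
#   S1 slight (normally reversible) injury    S2 serious (irreversible) injury or death
#   F1 seldom to less often / short exposure  F2 frequent to continuous / long exposure
#   P1 avoidance possible                     P2 avoidance scarcely possible
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}
PL_ORDER = "abcde"  # PL a is the lowest performance, PL e the highest


def required_pl(s: str, f: str, p: str) -> str:
    """Walk the risk graph for one safety function; rejects unknown parameters."""
    key = (s.upper(), f.upper(), p.upper())
    if key not in RISK_GRAPH:
        raise ValueError(f"invalid risk parameters {key}")
    return RISK_GRAPH[key]


def pl_meets(achieved: str, required: str) -> bool:
    """True if an achieved PL satisfies the required one (e.g. d satisfies c)."""
    return PL_ORDER.index(achieved) >= PL_ORDER.index(required)


@dataclass(frozen=True)
class SafetyFunction:
    name: str
    s: str
    f: str
    p: str

    @property
    def plr(self) -> str:
        return required_pl(self.s, self.f, self.p)


def estop_plr_from_risk_graph() -> str:
    """The page's reading of the graph for an E-stop: worst-case severity (S2)
    but F and P barely applicable (F1, P1), giving PLr = c for every machine."""
    return required_pl("S2", "F1", "P1")


def estop_plr_recommended(functions) -> str:
    """The page's practical rule: the E-stop function meets the highest PLr
    assessed for any other safety function of the machine, or of the whole
    assembly when the assembly shares one common Emergency Stop function."""
    plrs = [fn.plr for fn in functions]
    if not plrs:
        raise ValueError("no safety functions assessed")
    return max(plrs, key=PL_ORDER.index)


# Constructed sample: a robot cell that forms part of a larger packaging line.
ROBOT_CELL = [
    SafetyFunction("perimeter guard interlock", "S2", "F2", "P1"),  # PLr d
    SafetyFunction("teach-mode enabling device", "S2", "F1", "P2"),  # PLr d
]
PACKAGING_LINE = ROBOT_CELL + [
    SafetyFunction("conveyor nip light curtain", "S2", "F2", "P2"),  # PLr e
]

if __name__ == "__main__":
    print("E-stop PLr by the risk graph alone:", estop_plr_from_risk_graph())
    print("E-stop PLr for the robot cell:     ", estop_plr_recommended(ROBOT_CELL))
    print("E-stop PLr for the common line:    ", estop_plr_recommended(PACKAGING_LINE))
```

The stand-alone risk-graph result stays at c whatever the machine, while the recommended value rises with the most demanding safety function the E-stop backs up.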

Architectures and Circuits

The configuration (known as the architecture) of a safety related part of a control system, arguably, remains the most important factor in any safety system and is classified by Category (not to be confused with the Stop Category). In industry there are four: Category 1, 2, 3 & 4 (Category B is below Category 1 and is not considered to be appropriate for industrial use).


Categories (columns: Category; Requirement; Characteristics; Recommended for E/Stop functions?)

Category B
Requirement: A fault can lead to the loss of the safety function. (Generally not considered suitable for industrial applications.)
Characteristics: Mainly by selection of components.
Recommended for E/Stop functions? NO

Category 1
Requirement: A fault can lead to the loss of the safety function. Well-tried components and safety principles used.
Characteristics: Mainly by selection of components.
Recommended for E/Stop functions? NOT ADVISED

Category 2
Requirement: A fault can lead to the loss of the safety function. Well-tried components and safety principles used. Safety function is checked at suitable intervals by the machine control system (test to demand ratio of >100:1).
Characteristics: Mainly by structure.
Recommended for E/Stop functions? NOT ADVISED (not practicable?)

Category 3
Requirement: A fault can lead to the loss of the safety function. Well-tried components and safety principles used. Safety-related parts designed so that a single fault in any of these parts does not lead to the loss of the safety function, and whenever reasonably practicable the single fault is detected.
Characteristics: Mainly by structure.
Recommended for E/Stop functions? RECOMMENDED

Category 4
Requirement: A fault can lead to the loss of the safety function. Well-tried components and safety principles used. Safety-related parts designed so that: a single fault in any of these parts does not lead to a loss of the safety function, and the single fault is detected at or before the next demand upon the safety function, but if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
Characteristics: Mainly by structure & selection of components.
Recommended for E/Stop functions? RECOMMENDED

Typical BUT simplistic architectures:-

SIMPLE CATEGORY 1 CONFIGURATION:-


SIMPLE CATEGORY 2 CONFIGURATION:-

Advisory note: If it is foreseeable that, despite advice and instruction to the contrary, the Emergency Stop device(s) may be used as the sole method of preventing start-up of a machine when dangerous parts are being accessed, then it is inadvisable to rely solely on single-channel (Category 1 or 2) systems due to risks resulting from the malfunction of the control system.

SIMPLE CATEGORY 3 or 4 CONFIGURATION:-

The above illustrates the application of architectures using conventional electromechanical devices for the logic and outputs, but these could well be replaced by programmable intelligent systems without changing the principles of the structures.

Note: test to demand ratio of >100:1


    SIMPLE CATEGORY 3 or 4 CONFIGURATION (using Safety PLC & Drive):

    Programmable Safety

    Even with programmable safety, the principles of machinery safety systems remain broadly unchanged from those used under the old EN 954-1 concepts, but the use of electronics and programmable safety relays makes it possible to bring the safety function within the programmable controller. Nevertheless, the features of the conventional safety relay are still recognisable in the program firmware, and the inputs, outputs and field wiring required are unchanged:-

    [Figure: Safety PLC Firmware and Drive Firmware. Safety PLC firmware: E/Stop Input Function Block (Switch Ch A, Switch Ch B), E/Stop Output Function Block and Fault Diagnosis Function Block, with data links to the drive. Drive firmware: Safe Torque Off Drive Function.]


    Diagnostics (a Functional Check & Fault Detection)

    The safety-related parts of control systems, excluding Category B and 1, should perform functional checking by monitoring the correct operation of the input devices and the correct response of the output drive functions. This is also known as the system diagnostics, and may be achieved by testing the system and/or checking the system's response.

    A functional response check of the Emergency Stop input device is usually achieved by the duplication of contacts, which are expected to operate together. Each set of contacts will effectively check the other.

    A functional response check of the output switching devices, such as supply switching contactors, is best achieved by fitting contacts which reliably reflect the actions of the main power contacts powering the actuator devices. Ideally, it would appear, direct monitoring of the driven device (motor shaft, etc.) would reflect with certainty the state of the operation.

    Direct monitoring of the driven device (motor shaft, etc.) is feasible as an effective functional check only in a Category 2 configuration. In Category 3 or 4 configurations the redundancy effectively masks the fault: even if only one of the redundant pair is operating correctly, the motor still appears to stop correctly.

    [Figure, two panels: "Functional Checks in Category 3 or 4 configurations" and "Functional Checks in a Category 2 configuration".]
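The masking effect described above can be made concrete with a small model. The following is an added example and is not code from the paper or from any safety relay vendor; the contactor names K1 and K2, the welded-contact fault and the two monitoring strategies are constructed for illustration. It shows that with a redundant output stage a welded contactor is invisible to a diagnostic that only watches the motor, is revealed by mirror contacts, and, if left unrevealed, leads to loss of the safety function once the second contactor also fails.

```python
"""Added example, not from the paper: why monitoring the driven device alone
cannot serve as the functional check of a redundant (Category 3 or 4) output
stage. Two contactors K1 and K2 are in series with the motor; each has a
mirror contact mechanically linked to its power contacts. The dangerous fault
modelled is a contactor whose power contacts have welded closed. Device names
and fault cases are constructed for illustration."""

from dataclasses import dataclass
from typing import List


@dataclass
class Contactor:
    name: str
    coil_energised: bool = True
    welded: bool = False  # dangerous fault: power contacts stuck closed

    @property
    def power_closed(self) -> bool:
        # Welded power contacts stay closed whatever the coil does.
        return self.welded or self.coil_energised

    @property
    def mirror_closed(self) -> bool:
        # Mechanically linked NC mirror contact: closed only when the power
        # contacts are genuinely open, so it reports the true contact state.
        return not self.power_closed


def motor_running(ks: List[Contactor]) -> bool:
    # Series-connected contactors: the motor runs only if every one is closed.
    return all(k.power_closed for k in ks)


def command_stop(ks: List[Contactor]) -> None:
    for k in ks:
        k.coil_energised = False


def shaft_monitor_flags_fault(ks: List[Contactor]) -> bool:
    """Diagnostic that watches only the driven device: a fault is flagged
    solely when the motor keeps running after the stop command."""
    command_stop(ks)
    return motor_running(ks)


def mirror_monitor_flags_fault(ks: List[Contactor]) -> bool:
    """Diagnostic that reads every mirror contact after the stop command:
    any contactor whose power contacts did not open is reported."""
    command_stop(ks)
    return not all(k.mirror_closed for k in ks)


def redundant_pair_fault_hidden_from_shaft_monitor() -> bool:
    """Category 3/4 stage, K1 welded, K2 healthy: the motor still stops, so
    the shaft monitor sees nothing wrong (the redundancy masks the fault)."""
    return not shaft_monitor_flags_fault([Contactor("K1", welded=True), Contactor("K2")])


def redundant_pair_fault_seen_by_mirror_monitor() -> bool:
    return mirror_monitor_flags_fault([Contactor("K1", welded=True), Contactor("K2")])


def single_contactor_fault_seen_by_shaft_monitor() -> bool:
    """Category 2 stage (one contactor): here the shaft monitor does reveal the weld."""
    return shaft_monitor_flags_fault([Contactor("K1", welded=True)])


def healthy_pair_raises_no_alarm() -> bool:
    ks = [Contactor("K1"), Contactor("K2")]
    return not shaft_monitor_flags_fault(ks) and not mirror_monitor_flags_fault(ks)


def accumulated_faults_lose_safety_function() -> bool:
    """The masked fault plus a second weld: the stop command no longer stops the motor."""
    return shaft_monitor_flags_fault([Contactor("K1", welded=True), Contactor("K2", welded=True)])


if __name__ == "__main__":
    print("Cat 3/4, K1 welded, shaft monitor hides it:", redundant_pair_fault_hidden_from_shaft_monitor())
    print("Cat 3/4, K1 welded, mirror contacts reveal it:", redundant_pair_fault_seen_by_mirror_monitor())
    print("Cat 2, K1 welded, shaft monitor reveals it:", single_contactor_fault_seen_by_shaft_monitor())
```

The model deliberately keeps the diagnostic decision separate from the physical state: the mirror-contact check works because the monitoring contact is mechanically linked to the power contacts, which is exactly the property the paper relies on for a high diagnostic coverage figure.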


    Diagnostic Coverage

    Diagnostic Coverage (DC) is the parameter used in EN ISO 13849-1 as the measure of the effectiveness of diagnostics, and is given by the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures. Arguably, the two most important factors in any safety-related system are the input's command and the output's response to it. Therefore monitoring of the input command, e.g. the Emergency Stop device, and of the output's actions, e.g. the correct response of the motor contactor(s), is vital. Typically, EN ISO 13849-1 in Annex E indicates that direct monitoring of electromechanical devices by mechanically linked contact elements, such as with 2 sets of contacts on an Emergency Stop button and using mirror contacts of a motor contactor, may each provide a DC of 99%.

    Note: Mirror contacts on a device are monitoring contacts that mirror the actions of the function contacts because they are mechanically linked together.
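The DC ratio, the DC denotation bands and the averaging of DC across the blocks of a channel can be worked through numerically. This is an added example, not from the paper; the failure-rate and MTTFd figures in it are constructed for illustration and not taken from any component datasheet. It goes slightly beyond the text by also applying the DCavg formula of EN ISO 13849-1 Annex E, which shows how one poorly monitored block pulls down the coverage of an otherwise well-monitored channel.

```python
"""Added example, not from the paper: Diagnostic Coverage arithmetic as used by
EN ISO 13849-1. DC is the ratio of the rate of detected dangerous failures to the
rate of all dangerous failures. Per-block DC values are averaged with the Annex E
formula, weighting each block by its dangerous failure rate (1/MTTFd).
All numeric inputs below are constructed for illustration."""

from typing import List, Tuple


def diagnostic_coverage(lambda_dd: float, lambda_d: float) -> float:
    """DC = lambda_DD / lambda_D: detected dangerous failure rate over total
    dangerous failure rate (any consistent unit, e.g. failures per hour)."""
    if lambda_d <= 0:
        raise ValueError("total dangerous failure rate must be positive")
    if lambda_dd < 0 or lambda_dd > lambda_d:
        raise ValueError("detected dangerous failures must lie between 0 and the total")
    return lambda_dd / lambda_d


def dc_band(dc: float) -> str:
    """Denotation of DC as in EN ISO 13849-1 Table 5."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def dc_average(blocks: List[Tuple[float, float]]) -> float:
    """DCavg per EN ISO 13849-1 Annex E for a list of (DC_i, MTTFd_i) blocks:
    DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    if not blocks:
        raise ValueError("at least one block is required")
    numerator = sum(dc / mttfd for dc, mttfd in blocks)
    denominator = sum(1.0 / mttfd for _, mttfd in blocks)
    return numerator / denominator


# Constructed channel: (DC, MTTFd in years) per block. Mechanically linked
# contact monitoring is credited with DC 99% as the paper notes from Annex E.
WELL_MONITORED_CHANNEL = [
    (0.99, 150.0),  # E-stop button, two linked contact sets cross-checked
    (0.99, 60.0),   # contactor monitored via mirror contacts
]

# Same channel plus a constructed block that is only checked by a
# plausibility test (DC 60%), to show the effect on the average.
CHANNEL_WITH_WEAK_BLOCK = WELL_MONITORED_CHANNEL + [(0.60, 1000.0)]


def channel_summary(blocks: List[Tuple[float, float]]) -> Tuple[float, str]:
    """Return (DCavg, band) for a channel description."""
    avg = dc_average(blocks)
    return avg, dc_band(avg)


if __name__ == "__main__":
    # Constructed rates: 99 of every 100 dangerous failures are detected.
    print("DC from rates:", diagnostic_coverage(99e-7, 100e-7))
    print("well monitored:", channel_summary(WELL_MONITORED_CHANNEL))
    print("with weak block:", channel_summary(CHANNEL_WITH_WEAK_BLOCK))
```

Note that the weighting is by 1/MTTFd: a block that fails rarely (long MTTFd) contributes little to the average, so the weak block here only drags DCavg down from "high" to "medium" because its low DC applies to a small share of the channel's dangerous failures.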


    Typical (but simple) supply tripping Emergency Stop system

    The Emergency Stop is monitored by the Emergency Stop Logic (typically a Safety Relay or E/Stop firmware in a Safety PLC) and, in response, the logic controls the power fed to the machine's control system outputs that drive the hazardous features of the machine. The diagnostic logic monitors the correct operation of both the Emergency Stop device(s) and the correct response of the outputs controlling the power. If the Emergency Stop is operated or there is a fault in the system, the Emergency Stop Logic removes the power to the machine. It cannot then be reset until the Emergency Stop device has been de-latched and any fault has been attended to and the failed component replaced.

    [Figure: SIMPLE EMERGENCY STOP FUNCTION (Category 3 & 4). Inputs: Emergency Stop device with mirrored contacts (redundancy and functional check of device contacts) and Reset, into the E/STOP LOGIC. Outputs: redundant motor contactors K1 and K2 (including internal monitoring), whose load break contacts switch the Primary 3ph Supply onto the Functional 3ph Bus; the mirror contacts of K1 and K2 provide the Output Response Functional Check. Functional Logic and associated Safety Functions sit alongside.]
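The behaviour described for the Emergency Stop Logic (drop the outputs on operation or fault, refuse reset until de-latched and the fault cleared, check the contactors through their mirror contacts) can be written as a small scan-based state machine. The following is an added example written for this page; it is not the firmware of any safety relay or safety PLC, and the channel and contactor names, the scan sequences and the fault texts are constructed for illustration.

```python
"""Added example, not from the paper: a model of the supply-tripping Emergency
Stop logic. Modelled behaviour:
  * two-channel E-stop input (Ch A / Ch B, NC contacts) that must agree;
  * redundant contactors K1/K2 whose NC mirror contacts feed back to the logic;
  * outputs drop on E-stop operation, channel discrepancy or a feedback fault;
  * reset is refused until the E-stop is de-latched, no fault is latched and
    both contactors prove open via their mirror contacts.
Names, sequences and fault texts are constructed for illustration."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EStopLogic:
    outputs_on: bool = False
    fault: Optional[str] = None  # latched fault text; None when healthy

    def evaluate(self, ch_a_closed: bool, ch_b_closed: bool,
                 k1_mirror_closed: bool, k2_mirror_closed: bool) -> bool:
        """One scan. Channel contacts closed = button released. Mirror contact
        closed = that contactor's power contacts are open. Returns output state."""
        if ch_a_closed != ch_b_closed:
            # One channel open, the other closed: contact or wiring fault.
            self.fault = "input channel discrepancy"
        if self.outputs_on:
            if k1_mirror_closed or k2_mirror_closed:
                # A contactor opened while commanded on: unexpected drop-out.
                self.fault = "contactor dropped out while commanded on"
            if self.fault or not (ch_a_closed and ch_b_closed):
                self.outputs_on = False
        return self.outputs_on

    def reset(self, ch_a_closed: bool, ch_b_closed: bool,
              k1_mirror_closed: bool, k2_mirror_closed: bool) -> bool:
        """Manual reset request; returns True only if the outputs come on."""
        self.evaluate(ch_a_closed, ch_b_closed, k1_mirror_closed, k2_mirror_closed)
        if self.outputs_on:
            return True  # already running, nothing to do
        if self.fault or not (ch_a_closed and ch_b_closed):
            return False  # fault latched or E-stop still latched
        if not (k1_mirror_closed and k2_mirror_closed):
            # Feedback check: a mirror contact still open with the coil off
            # means that contactor's power contacts did not open.
            self.fault = "contactor failed to open (welded power contacts)"
            return False
        self.outputs_on = True
        return True

    def clear_fault(self) -> None:
        """Called after the failed component has been replaced."""
        self.fault = None


def scenario_normal_stop_and_reset() -> List[bool]:
    """Run, press the E-stop, try to reset while latched, de-latch and reset."""
    logic = EStopLogic()
    steps = [logic.reset(True, True, True, True)]           # outputs on
    steps.append(logic.evaluate(False, False, False, False))  # button pressed, contactors still closed this scan
    steps.append(logic.reset(False, False, True, True))      # still latched: refused
    steps.append(logic.reset(True, True, True, True))        # de-latched: accepted
    return steps  # expected [True, False, False, True]


def scenario_welded_contactor() -> List[bool]:
    """K1's power contacts weld; its mirror contact stays open after the stop."""
    logic = EStopLogic()
    logic.reset(True, True, True, True)
    logic.evaluate(False, False, False, False)
    steps = [logic.reset(True, True, False, True)]  # refused, fault latched
    steps.append(logic.fault is not None)
    steps.append(logic.reset(True, True, False, True))  # still refused
    logic.clear_fault()                                # K1 replaced
    steps.append(logic.reset(True, True, True, True))  # accepted
    return steps  # expected [False, True, False, True]


def scenario_channel_discrepancy() -> List[bool]:
    """Only Ch A opens: outputs drop and the system refuses to reset."""
    logic = EStopLogic()
    logic.reset(True, True, True, True)
    steps = [logic.evaluate(False, True, False, False)]
    steps.append(logic.reset(True, True, True, True))
    return steps  # expected [False, False]
```

The model treats every fault as latched until a deliberate clear_fault() call, mirroring the paper's point that the system cannot be reset until the fault has been attended to; a real implementation would also time the discrepancy window between the two channels rather than reacting on a single scan.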


    Practical Emergency Stop system

    A more practical Emergency Stop function is shown below. Rather than using all heavy duty redundant contactors, or redundant contactors in each motor circuit, this safety system controls both the drive power supply and the control supply. In the event that the Emergency Stop is pressed, both the lower-load control supply to the drive contactors (via a common feed) AND the heavier-load 3 phase drive supply are switched off. This provides the redundancy required of a Category 3 and 4 system and also Diversity, which increases the system's robustness against common cause failures (CCF).

    Don't forget the pneumatics

    The essential requirements of the Machinery Directive state that ... [machinery]... must be so designed, constructed and equipped as to avoid all potential risks associated with ... [all]... sources of energy. This must be taken into account in the design of the safety control system. Unfortunately, it is a common omission in machinery designs that, whilst the electrical part of the safety system is compliant, by meeting the determined performance levels, other sources of energy seem to be forgotten, yet the potential for harm remains present and is often more significant.

    The practical safety system must take these sources of harm into account, in particular the pneumatic and hydraulic systems. Hydraulics is often easier to incorporate, as the power source is derived from a local, electrically powered, power pack; however, the pneumatic supply is a little more involved.

    [Figure: Practical Emergency Stop system. The E/Stop Logic (SAFETY RELAY with RESET and Outputs Monitor) switches both the Control supply to the drive contactors (PLC o/p) and the Drive supply (3ph) to the MACHINE MOTORS / Drives, giving Redundancy & Diversity.]


    Such a system, developed from the system illustrated above, is shown below.

    [Figure: Emergency Stop system covering pneumatic/hydraulic and electric drives. The E/STOP LOGIC (with RESET and Outputs Monitor) switches the Control supply (PLC o/p, Common Control) feeding the Solenoid Valves of the Pneumatic/Hydraulic Drives, the Master Solenoid Valve (Master SV) on the Air or Fluid supply, fitted with a Valve spindle monitor, and the Drive supply (3ph) / Elec Drive Power to the Electric Drives.]

    Functional Check of the Pneumatic Valves

    As with redundant motor contactors, if one valve sticks in the on position then the redundant valve will (we hope) still operate correctly and block the air. Again, the need for a functional check of the valves is obvious because, if the redundant valve is the only one operating correctly, the air supply is correctly blocked, so the first valve fault does not become apparent until the redundant valve also fails and the safety function is lost. Monitoring the air pressure clearly doesn't reveal the fault. Our only practical option is to monitor the mechanical operation of the valves. The use of valves that have functional check contacts that change state upon movement of the valve spool will contribute to meeting the requirements.

    Stored Energy

    When controlling pneumatic systems it must be remembered that, in general, a pneumatic system can retain more stored energy than an electrical system (trapped in pipework, cylinders, reservoirs, etc.). The primary consideration is what to do with the residual energy after the safety system has called for the machine to shut down. See the Stop Categories. The first reaction may be to dissipate the energy by venting the pipework and associated actuators. However, consider the situation where the machine is transporting sheets of material held under vacuum suction cups. Pressing the Emergency Stop could result in the sheet being dropped, possibly creating a more significant injury; it could be sheets of steel or even glass!

    In your design risk assessment you must decide whether:

    to leave the air on, and then remove it when safe to do so (Stop Category 1)

    or

    to shut the air supply off but trap the residual air in the system (allowing the user to release the air at his discretion)

    [Figure: pneumatic valve arrangement showing the Air Supply, Spindle monitoring on each of the two valves, and Function monitoring.]


    Dealing with Assemblies of machines

    The Machinery Directive states that particular attention must be paid to ensuring that the safety-related parts of the control system (including the Emergency Stop function) apply in a coherent way to the whole of an assembly of machinery and/or partly completed machinery.

    "In the case of machinery or parts of machinery designed to work together, the machinery must be designed and constructed in such a way that the stop controls, including the emergency stop devices, can stop not only the machinery itself but also all related equipment, if its continued operation may be dangerous." (EHSR 1.2.4.4 - Assembly of machinery)

    When dealing with machine assemblies or complex systems, e.g. machinery or parts of machinery designed to work together such as Integrated Manufacturing Systems and integrated production lines, it is very important to ensure that the Emergency Stops can stop not only a particular component machine but also all equipment upstream and/or downstream if their continued operation can be hazardous. Remember that the person using the Emergency Stop may not necessarily be the person in danger! It may, therefore, be prudent to position an emergency stop near an adjacent machine, or machine zone in the case of a complex system, giving the neighbouring operator the opportunity to stop the machine if the operator gets into trouble. All Emergency Stop devices should be integrated to have the same span of control; however, if for some reason the Emergency Stop systems are segregated, then their zones of effectiveness must be clearly indicated to avoid confusion.

    When designing and manufacturing a piece of machinery, provision must be made for the foreseeable possibility that it may have to integrate with common Emergency Stop functions and other safety-related parts of the control system. The design should include provision to exchange status with other Emergency Stop devices and systems and to transmit the machine's status to those other Emergency Stop systems, including system response diagnostics.

    Remember that Emergency Stop devices must be a back-up to other safeguarding measures, and therefore the illustrative configurations shown above are unlikely to be satisfactory in a practical machine safety system.

    The Emergency Stop takes the role of a global and overriding function and must be available and operational at all times, regardless of the operating mode.
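The span-of-control requirement for an assembly can be checked at design time by modelling which equipment becomes hazardous when each machine stops. The following is an added example, not from the paper; the line layout (decoiler, press, conveyor, stacker), the machine relationships and the zone definitions are constructed for illustration. It computes the span of control each Emergency Stop must have, checks that all devices share the same (whole-assembly) span as the paper recommends, and, for a segregated arrangement, reports zones whose extent leaves related equipment running and whose limits therefore must be clearly indicated.

```python
"""Added example, not from the paper: a design check of Emergency Stop span of
control for an assembly of machines (EHSR 1.2.4.4). Each machine declares the
equipment whose continued operation may be dangerous once it stops (upstream
feeders, downstream take-offs). Layout and names are constructed."""

from typing import Dict, List, Set

# Constructed line: decoiler feeds press, press feeds conveyor, conveyor feeds stacker.
# Value = equipment that may be dangerous if it keeps running when the key machine stops.
RELATED: Dict[str, Set[str]] = {
    "decoiler": {"press"},
    "press": {"decoiler", "conveyor"},
    "conveyor": {"press", "stacker"},
    "stacker": {"conveyor"},
}

# Constructed assembly of two unrelated cells: an E-stop on one need not stop the other.
TWO_CELLS: Dict[str, Set[str]] = {
    "robot": {"welder"},
    "welder": {"robot"},
    "test_rig": set(),
}


def span_of_control(start: str, related: Dict[str, Set[str]]) -> Set[str]:
    """Everything an E-stop on `start` must halt: the machine itself plus all
    related equipment reached transitively through the declared relationships."""
    seen: Set[str] = set()
    todo = [start]
    while todo:
        m = todo.pop()
        if m in seen:
            continue
        seen.add(m)
        todo.extend(related.get(m, set()))
    return seen


def all_spans_cover_whole_assembly(related: Dict[str, Set[str]]) -> bool:
    """True when every E-stop device has the same span of control, namely the
    whole assembly, which is the integrated arrangement the paper recommends."""
    everything = set(related)
    return all(span_of_control(m, related) == everything for m in related)


def zones_leaving_related_equipment_running(zones: Dict[str, Set[str]],
                                            related: Dict[str, Set[str]]) -> List[str]:
    """For a segregated arrangement, list the zones whose E-stop would leave
    running some equipment that becomes hazardous when a zone member stops.
    Such zones either need widening or their limits clearly indicated."""
    flagged = []
    for zone, members in zones.items():
        required: Set[str] = set()
        for m in members:
            required |= span_of_control(m, related)
        if not required <= members:
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    print("press E-stop must stop:", sorted(span_of_control("press", RELATED)))
    print("integrated line consistent:", all_spans_cover_whole_assembly(RELATED))
    print("two cells consistent:", all_spans_cover_whole_assembly(TWO_CELLS))
    split = {"zone1": {"decoiler", "press"}, "zone2": {"conveyor", "stacker"}}
    print("segregated zones to revisit:", zones_leaving_related_equipment_running(split, RELATED))
```

The relationships are declared per machine rather than derived from the physical layout, because whether an adjacent machine is dangerous when it keeps running is a risk-assessment decision, not something that follows automatically from the line order.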


    Diagrammatic arrangement for an assembly of machines integrating several safety functions:-

    Maintenance, Inspection & Testing

    The European Use of Work Equipment Directive, 2009/104/EC, requires that "Where appropriate, and depending on the hazards the equipment presents and its normal stopping time, work equipment must be fitted with an emergency stop device." This directive is enacted in the United Kingdom under the Provision and Use of Work Equipment Regulations 1998 (PUWER98), and Emergency Stops are covered specifically in Regulation 16. Regulation 6 also requires that it is necessary to check that the safety-related parts (including the Emergency Stop devices) are working as they should.

    In the case of the Emergency Stop devices, frequent (preferably daily) inspections should be considered part of the formal routine inspection and testing process, to ensure that they will operate in an actual emergency situation.

    [Figure: Diagrammatic arrangement for an assembly of machines. A Common E/Stop function (E/Stop Logic) feeds the Safety Logic of SF1, SF2 and SF3, each controlling its own equipment (Equipment controlled by Safety Function 1, 2 and 3) and each with its own Diagnostics (Functional Check of SF1, SF2 and SF3).]


    Reference Documents:-

    2006/42/EC - European Union Machinery Directive

    European Harmonised Standards:-

    EN ISO 13849-1 - Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design

    EN 60204-1 - Safety of machinery - Electrical equipment of machines - Part 1: General requirements

    EN 60947-5-5 - Low-voltage switchgear and controlgear - Electrical emergency stop devices with mechanical latching function

    EN ISO 11161 - Safety of machinery - Integrated manufacturing systems - Basic requirements

    EN ISO 13850 - Safety of machinery - Emergency stop - Principles for design

    About the author - Robin J Carver

    Robin is a qualified Safety Systems Engineer and a Safety Practitioner with over 40 years' experience in the design and assessment of a wide range of machinery in an equally wide field of applications and environments. He is involved in aiding and assisting companies with the safety of machinery, including bringing products and machinery to market (CE Marking), the use of work equipment (PUWER98), and systems and product verification and validation.

    Robin is formally recognised and listed on the Occupational Safety & Health Consultants Register as offering sensible and proportionate advice on machinery safety.

    Other attributes:-

    BSI committee member, Safety of Machinery MCE/003 panel;

    Chartered Health and Safety Practitioner;

    East Midlands Brokerage Quality Assured standard - 5 star rating;

    Listed on the Occupational Safety & Health Consultants Register;

    Registered European Occupational Safety and Health Manager;

    Chartered Member of the Institute of Occupational Health and Safety;

    Member of the Institute of Measurement & Control;

    Fellow of the International Institute of Risk and Safety Management;

    Member of the Institute of Engineering and Technology;

    Robin J Carver, EurOSHM MIET MIntMC CMIOSH MIIRSM

    Chartered Safety Practitioner

    Registered European Occupational Safety and Health Manager

    Email: [email protected]

    Web: www.hs-compliance.com
