THE EMERGENCY STOP BUTTON

the button of last resort

An overview of the Emergency Stop Button and methods for establishing and maintaining its reliability of it action throughout a control system.

by

Robin J Carver
EurOSHM MIET MIntMC CMIOSH FIIRSM Chartered Safety Practitioner Registered European Occupational Safety and Health Manager

Re-written February 2012

THE EMERGENCY STOP BUTTON the button of last resort

Preface to the 2012 edition

A lot has changed in the world of machinery controls since I first wrote The Emergency Stop Button - the button of last resort back in the late 90s and then revised it in 2002. The Machinery Directive has been re-cast and the supporting harmonised standards have been revised opening the doors to the use of electronic and programmable Black-Box type controls in safety related parts of control systems. Significantly the old faithful standard for Safety Related Parts of Control Systems, EN 954-1 has given way to EN ISO 13849-1:2008 which, despite its complications, has finally made the long awaited link between risk and system reliability. But what of the Emergency Stop? Many years ago, when I was a Junior System Designer, the Emergency Stop was the only personnel safety system available. Now the re-cast Machinery Directive formally places it in its correct setting as a back-up to other safeguarding measures and not a substitute for them. This 2012 edition of The Emergency Stop Button - the button of last resort has been completely re-written and attempts to bring the application what, where & hows up to date, providing designers with, I hope, sound methods for assessing the required levels of reliability, practical suggestions for system architecture and component selection and methods of co-ordination with machine assemblies. The Emergency Stop Button - the button of last resort may not have a thrilling plot (or any plot at all for that matter) but I hope it will help guide designers to the industry standards and norms and, maybe, will pass on some of my experience and knowledge I have gained over many years of doing, reading and listening.

Robin Carver February 2012

Email: robin@hs-compliance.com Web: www.hs-compliance.com

Background and history

During the industrial revolution machinery designers soon realised that there could be a need to stop their machines quickly if something went wrong, though their concern was, undoubtedly, not one of benevolence or concern for the safety of the workers on the machine, but rather that of protecting the investment, the safety of the valuable machine itself! From this was born the Emergency Stop control as a machine protector. This remained the primary consideration throughout the 19th early 20th century, but with an increasing awareness that that the workforces welfare should be considered, enforced by the Factory Acts and later, the Unfenced Machinery Regulations. Finally, in 1972 the United Kingdom, the new Health & Safety at Work Act insisted that it is the duty of every employer to ensure the health, safety and welfare at work of all employees. The Machinery Safety came of age and with it the Emergency Stop became a safety device.

Introduction - [....Houston, we have a problem....]

The Emergency Stop device is a unique part in any safety related control system. Unlike the normal protective systems such as guard interlocking, light curtains, area detection, etc. which are as proactively preventative, i.e. serving to prepare for, or control an expected risk situation, the Emergency Stop function is reactive, initiated by a single human action, reducing the effects of the risk incident following its occurrence. Recently, I was asked to review near miss (or more appropriately a near hit) on an industrial meat mincing machine. A trained and experience maintenance engineer ignored written procedures and without isolating and locking off the machine supplies, took it upon himself to remove the 12 bolts on fixed guarding, removed and bypassed an additional safety interlock, opened the guarding to expose blade hazards and accidentally pressed the start button! It was a co-worker that reacted to the situation and pressed the Emergency Stop button that saved the maintenance engineer from severe injury or even death. Thats why we have Emergency Stops! In Europe the EU Machinery Directive states that, unless it would not lessen the risk, machinery must be fitted with one or more emergency stop devices to enable actual or impending danger to be averted; but importantly, Emergency Stop devices must be a back-up to other safeguarding measures and not a substitute for them. When considering the design of any machine it is important to assess the risks and, where reasonably practicable reduce those risks by applying the following hierarchical principles: 1) eliminate hazards as far as possible (inherently safe machinery design), 2) take the necessary safeguarding and protective measures in relation to hazards that cannot be eliminated, 3) inform users of the residual risks due to any shortcomings of the safeguarding and protective measures adopted. For hazards that cannot be reasonably removed or limited by design, guards and/or similar protective measures are required. These guards and protective measures may well be associated with safety related control systems. The reliability of the safety related parts of the control system (SRP/CS) should be considered in relationship to the associated risk for the particular safety function as advised in EN ISO 13849-1. Having refined the design to reduce the risks to a practical minimum and provided all the safety information possible, the machine should be safe for all the safety incidents foreseen by the designer. But what about the un-foreseen incidents? This is what the Emergency Stop button is for!

Obligations (The mandatory requirements)

The EU Machinery Directive 2006/42/EC, being mandatory for machines in the European Union, dictates the basic requirements for an Emergency Stop in the Essential Health and Safety Requirements (EHSRs) in clause 1.2.4.3. of Annex I. These requirements are summarised as follows: Unless an Emergency Stop device would not lessen the risk, machinery must be fitted with emergency stop(s) to enable actual or impending danger to be averted quickly as possible, The Emergency Stop device must be clearly identifiable, clearly visible and quickly accessible, The Emergency Stop function must be available and operational at all times, regardless of the operating mode, Disengaging the Emergency Stop device must not restart the machinery but only permit restarting, Emergency Stop devices must be a back-up to other safeguarding measures and not a substitute for them.

An Emergency Stop device classed as safety component by the Machinery Directive which means it is a component: which serves to fulfil a safety function, which is independently placed on the market, the failure and/or malfunction of which endangers the safety of persons, and which is not necessary in order for the machinery to function. As such Emergency Stop devices must be manufactured in accordance with the harmonised standards or follow procedures for assessment of conformity using a Notified Body. It is important to note, however, that this applies to safety components and not to the design of the safety related part of a control system itself.

Application (what, where & how)

What? The types of device for emergency stop include: mushroom-type pushbuttons; grab-wires, ropes, bars & handles; foot-pedals (without a protective cover); or a combination of devices. The most common Emergency Stop device is the Emergency Stop button made familiar by its red mushroom shaped actuator. So who specified that it should be like that? Standard EN 60947-5-5 Low-voltage switchgear and controlgear. Electrical emergency stop devices with mechanical latching function provides the detailed specifications for the electrical and mechanical construction and their testing. Whatever actuations are used they must be capable of withstanding foreseeable forces considering that they may be liable to be subjected to considerable forces. The figure illustrates a typical simulation requirement for an Emergency Stop button from EN 609475-5.

Selection of an Emergency Stop Device The requirements for Emergency Stop devices are given in EN ISO 13850 Safety of machinery Emergency stop - Principles for design. Types of device for emergency stop include, commonly, mushroom-type pushbuttons, grabwires/ropes and foot-pedals, and less commonly, bars or handles. They must not be soft buttons programmed onto touch-screens, HMIs or similar unless their integrity, including the HMI hardware, the embedded software (firmware) and application software, can be proven absolutely. However, Light Curtains (AOPDs) and similar devices could be utilised where appropriate. The selection of the type of device must take into account the environment into which they are to be installed so that they are able to operate correctly under the expected operating conditions and site and location influences. We must take into consideration the fact that they may be infrequently operated and effects due to exposure to vibration, shock, temperature, dust, foreign bodies, moisture, corrosive materials and fluids, including hosing down. Emergency Stop devices are often lost and forgotten but when they are needed they MUST work! Normally Emergency Stop devices are electromechanical. But here we must be cautious. Reliability is often considered related to the number of operations the device will tolerate, but when dealing with 6

Emergency Stop devices we must consider that it may be operated infrequently, hopefully, very infrequently! Accidents, including fatalities, have occurred when contact blocks have fallen from the back of Emergency Stop buttons actuators due to deterioration of the plastic in some ageing button assemblies. The monitoring by the safety system may not always detect such a failure if all the both the blocks become detached simultaneously.

Self-monitoring contact blocks are available which have a contact arrangement that monitors the installation of contact blocks to the actuator. There is a normally open monitoring contact that is held closed when the contact block is properly installed on the actuator. This normally open contact is wired in series with the normally closed contact of the standard contact with the operator. If the contact block becomes detached from the actuator the normally open contact opens and an emergency stop command is issued. Accidental or Nuisance Operation may be a problem and should be considered especially when Emergency Stop devices are sited in areas near walkways and corridors between machines. If accidental operation is considered a possibility due to persons brushing passed then shrouding the button is preferable to moving it out of the area or making it invisible and/or inaccessible by covering it completely.

A Footswitch type Emergency Stop device, however, must NOT have a cover.

Grab-Wires and Ropes as Actuators

When Grab-Wires or Ropes are used as the actuators for Emergency Stop devices, they must be positioned for ease of use. Consideration must be given to the individual manufacturers specifications and installation requirements. These may include the amount of deflection necessary to generate the emergency stop command, the maximum deflection possible (which EN 60947 5-5 recommends should not exceed 400mm) and the force required (which should not exceed 200N). Also, the supports and tensioning devices required and number of switching units required at each end based on the length of the actuator cords, normally advised by the manufacturer. The minimum clearance between the actuator cord and objects in the vicinity must be considered where it could reduce effectiveness. Consider also ways of making the cords or ropes visible for the operators (e.g. fitting marker flags). If it is likely that actuation will be by pulling the wire along its axis, it will be necessary to ensure that pulling the wire in either direction will generate the emergency stop command. Grab-Wires or Ropes actuated Emergency Stop devices must be tensioned monitored devices so that breakage or disengagement of the actuator is detected. The means to reset the emergency stop device should be placed so that the whole length of the wire or rope is visible from the location of the resetting means. Other Emergency Stop Device Actuators Bars and handles used as Emergency Stop devices are less common but may be found, for example, on machines with roller hazards or moving carriages, etc. These are often fabricated to suit the specific application but provided they meet the criteria, set by EN ISO 13850, that the emergency stop function shall be maintained by latching of the actuating system then these are usually acceptable. When Emergency Stop devices are associated with cable-less control systems, the Emergency Stop function must be tripped off when correct control signals are not received or there is a loss of communication. The use of a safe-edge type device is a little more controversial. A safe-edge usually takes the form of an extended, flexible, profiled rubber strip installed near to the hazard(s) which, when depressed at any point along its length, will send a signal which will trip the Emergency Stop safety system.

The contact initiation uses the principle of conductive rubber surfaces running the length of the profile strip. The wires are terminated with a known resistor. When the profile is deformed, by being pressed, the conductive rubber comes in contact with each other and causes the overall resistance to drop. The controversy concerns the fact that initiation of the safety system is generated by the closing of a contact, contrary to the requirements of EN ISO 13850, that requires that the device shall have a direct electrical positive opening action. Also the criteria, set by EN ISO 13850, that the emergency stop function shall be maintained by latching of the actuating system will be difficult to achieve.

However, subject to a specific risk assessment, the safety edge, along with a suitable controller, could provide a versatile and flexible emergency stop system for use in applications where a machine user must have easy, contiguous access to an Emergency Stop device actuator.

Device Operation The operation of the Emergency Stop device should result in it mechanically latching in (e.g. press and stay-put) and only manual action will de- latch the device. The method of de-latching may be rotation of the button (twist to reset) or by a pulling motion, either with or without a key locking/release facility.

Without exception operation of the Emergency Stop should result in the de-energisation of the Emergency Stop related part of the control system. This must be achieved through opening of the contacts and positive mode operation where the contact separation must be as a direct result of the movement of the switch actuator. Emergency Stop buttons using detachable contact blocks should be configured such that the contact will open should the contact block become detached ensuring Fail Safe operation. The resetting of the emergency stop device must only be a manual action at that location where the command was been initiated but this action itself may only permit restarting. It must not allow the machine to a restart without further commands such as resetting the Emergency Stop related part of the control system and/or initiating a complete machine restart.

Where? Clearly, when required, the Emergency Stop must be accessible and recognisable by all who may have to operate them, their location should be obvious and they must, at all times, work, reliably and safely. Emergency Stop devices should be located at each operator control workstation (except where the risk assessment indicates that this is not necessary). We should also consider other locations where the initiation of an emergency stop may be required. Risk Assessment should be used to determine all the locations. Consider all the human interaction during the whole operational life cycle of the machine. This should focus on all tasks associated with every phase of the machine e.g.: setting, testing, teaching/programming; process/tool changeover; start-up, restarting & all modes of operation; feeding & removal of product from machine; stopping the machine; clearing jams or blockages; fault-finding/trouble-shooting (operator intervention); cleaning & housekeeping and maintenance. In general control devices should not be located in or near danger zones. The Emergency Stop is an exception. Consider where the human interaction may be taking place and where an unexpected dangerous event could occur; this could be in the guarded area (e.g. within perimeter guarding around a robot). Whilst a machine user is within the guarded area (the danger zone) an unforeseen event could have caused the robot (or any moving hazard) to move. Access to an Emergency Stop provides the user with a means to react to the immediate situation and, hopefully, stop the hazardous action before the risks become a reality. Analysis of what went wrong can take place later AND actions taken to stop it happening again!
E/Stop Grab-wires

Typical location arrangement for Emergency Stop devices on an assembly of machines (based on risk assessment)

10

The actuator of the emergency stop device must be coloured RED. (Note: The colour RED for any push-button actuators may only be used for emergency stop and emergency switching off of actuators). The colour RED for the emergency stop actuator must not depend on the illumination of a backlight. As far as a background exists behind the actuator and as far as it is practicable, the background should be coloured YELLOW. Where markers are required the symbol below from IEC 60417-5638 (DB:2002-10) should be used.

(When did you last see one of those?) When using the grab-wires or rope actuated devices, it can be useful to improve their visibility by attaching marker flags to them.

Dealing with Cableless or Detachable Pendant type controls Pendant or teaching control device such as those associated with industrial robots are required to include an emergency stop function (in accordance with EN ISO 10218-1 Robots and robotic devices Safety requirements for industrial robots). Clearly, this can pose some problems in that the Machinery Directive EHSRs require that the Emergency Stop function must be available and operational at all times, regardless of the operating mode! What if a cableless unit is out of range or the pendant is unplugged and bypassed? EN ISO 10218-1 requires that where pendant or other teaching controls have no cables connecting to the robot control, or where they can be detached, the following should apply:a) A visual indication, on the pendant display, must be provided to show that the pendant is active; b) Any loss of communication should result in a protective stop and restoration of communication must not restart robot without a separate deliberate action. c) Confusion between active and inactive emergency stop devices must be avoided by providing appropriate storage or design and the Information for use must contain a description of the storage or design.

EN 60204-1 Safety of machinery Electrical equipment of machines offers little more in the way of guidance and simply states that where confusion can occur between active and inactive emergency stop devices caused by disabling the operator control station provision should be made to minimise confusion. EN ISO 13850 Safety of machinery - Emergency stop - Principles for design unfortunately gives no guidance at all! Some German manufacturers are using Grey actuator buttons in place of Red! 11

How? Operation in an emergency - Considerations The nature and operation of the machine must be considered and the risks assessed. Is it safe to have the Emergency Stop system cut the power to the machine drives and actuators? This may result in the hazard freefalling leading to a more dangerous situation. Should the system actuate a brake or clamp? Would stopping the machine in position result in a worsening of an injury? Should the system allow the machine to continue on or reverse to a safe position? The risk assessment must indicate the most suitable method of shutting down following the operation of the Emergency Stop device. Either by immediate stopping by the removal of power to the machine actuator(s) (classified as Stop Category 0) or a controlled stop with power to the machine actuator(s) available to allow them to stop in a safe position followed by removal of power when the stop is achieved (classified as Stop Category 1). The Emergency Stop function must be designed for operation without hesitation so that a decision to use the device does not require the machine operator to consider the resultant effects. Note: A controlled stop with power left available to the machine actuator(s) (classified as Stop Category 2) are NOT acceptable for Emergency Stops. We should also consider the following as defined in EN 60204-1:Emergency Stop device Manually actuated control device used to initiate an emergency stop function. Emergency Switching off device Manually actuated control device used to switch off the supply of electrical energy effecting a Stop Category 0 of machine actuators connected to this incoming supply. Where the supply disconnecting device (usually an Electrical Isolator) is to be used for emergency switching off, it must be readily accessible and should meet the colour requirements of an Emergency Stop actuator (Red coloured actuator on a Yellow background). Note: if the supply disconnecting device is not suitable as an Emergency Switching off device it must NOT have a Red coloured actuator on a Yellow background but should be coloured BLACK or GREY as described in EN 60204-1.

Emergency Switch off device? 12

Performance A lot has changed since I first wrote this in 2000. In those days the design requirements for safety related parts of the control system were easier based on the standard, Safety of machinery Safety related parts of control systems, EN 954-1. Programmable and networked safety systems were not considered to be acceptable and we only had to consider the wiring of the circuit (the Category) and the use of, what is nebulously termed, proven components and principles. Sadly, however, it could not make the link between the risk and the Category. EN 954-1 was withdrawn in December 2010 in favour of EN ISO 13849-1:2008 which opened the gates for the employment of programmable and networked safety systems and, thankfully, does relate the performance of the system to the risk, however, in doing so it imposes, on the designers, much more onerous duties to quantify the reliability of the design including the components used. Unfortunately EN ISO 13849-1 gives no specific guidance on Emergency Stop functions. EN ISO 13849-1:2008 is like the Curates Egg good in parts!
(Since the publication of the cartoon on Punch Magazine in 1895, the expression "a Curate's Egg" has come to mean something that is partly good and partly bad, but as a result is entirely spoiled.)

Right Reverend Host: Im afraid youve got a bad egg, Mr. Jones The Curate: Oh, no. My Lord. I assure you. Parts of it are excellent!

EN ISO 13849-1 provides a reasonably sound method of determining the performance required by a normal safety function related to the risk. This method takes into account the basic elements of risk, these being the Severity of any Injury (S), the Frequency and/or Duration of exposure to the risk (F) and the Possibility of Avoiding or Limiting the Harm (P). From this it is possible to estimate the Performance Level required (PLr) by the safety function as shown below:
Low Risk

High Risk

From EN ISO 13849-1 Fig A.1 13

Following estimation of the Performance Level required (PLr) by a particular safety function, the designer may quantify the performance required of the components, in terms of Mean Time to Dangerous Failure (MTTFd), and the principles to be employed to link the components into a suitable architecture (as before, the Category, but now including, where appropriate, diagnostics and examination of possible Common Cause Failures).

Performance Level for an Emergency Stop? This determination, however, may not be easily applied to the Emergency Stop function because, as stated at the outset, the Emergency Stop function is reactive, reducing the effects of the risk incident following its occurrence. e.g.:S - Severity of any Injury This may well be the worst case situation for the machine. probably S2 F - Frequency and/or Duration of exposure to the risk This is not relevant unless one assumes that it refers to the frequency with which the Emergency Stop function is likely to used, which should be never, because we are dealing with an assessment of incidents that are unforeseen by the designer. probably, if any, F1 P - Possibility of Avoiding or Limiting the Harm This is also not relevant as the harm may have already been realised and the action of the Emergency Stop function IS to attempt to limit the harm. probably, if any, P1. On this assessment basis the Performance Level required (PLr) for an Emergency Stop function would be PLr = C in all cases, even were other safety functions require a higher PLr! As an Emergency Stop function is a back-up to other safeguarding measures, then this may be considered acceptable but as a designer I wouldnt feel comfortable with this estimation. I would suggest that, in view of the minimal costs involved, that it would be reasonably practicable to design an Emergency Stop function that meets with the highest PLr assessed for the machine as a whole. When the machine is a part of an assembly of machines designed to function as an integral whole with a common Emergency Stop function then this should be the highest PLr assessed for the machine assembly.

Architectures and Circuits The configuration (known as the architecture) of a safety related part of a control system, arguably, remains the most important factor in any safety system and is classified by Category (not to be confused with the Stop Category). In industry there are four; Category 1, 2, 3 & 4 (Category B is below Category 1 and is not considered to be appropriate for industrial use).

14

Category

Requirement

Characteristics

Recommended for E/Stop functions?

NO

B 1 2

A fault can lead to the loss of the safety function. (Generally not considered suitable for industrial applications) A fault can lead to the loss of the safety function. Well-tried components and safety principles used. A fault can lead to the loss of the safety function. Well-tried components and safety principles used. Safety function is checked at suitable intervals by the machine control system. (test to demand ratio of >100:1) A fault can lead to the loss of the safety function. Well-tried components and safety principles used. Safety-related parts designed, so that a single fault in any of these parts does not lead to the loss of the safety function, and whenever reasonably practicable, the single fault is detected. A fault can lead to the loss of the safety function. Well-tried components and safety principles used. Safety-related parts designed, so that: a single fault in any of these parts does not lead to a loss of the safety function, and the single fault is detected at or before the next demand upon the safety function, but if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.

Mainly by selection of components Mainly by selection of components Mainly by structure

NO ADVISED NO ADVISED (not practicable?)

Mainly by structure

RECOMMENDED

Mainly by structure & selection of components

RECOMMENDED

Typical BUT simplistic architectures:SIMPLE CATEGORY 1 CONFIGURATION:-

15

SIMPLE CATEGORY 2 CONFIGURATION:-

Note: test to demand ratio of >100:1

Advisory note: If it is foreseeable that, despite advice and instruction to the contrary, the Emergency Stop device(s) may be used as the sole method of preventing start-up of a machine when dangerous parts are being accessed, then it is inadvisable to rely solely on single-channel (Category 1 or 2) systems due to risks resulting from the malfunction of the control system. SIMPLE CATEGORY 3 or 4 CONFIGURATION:-

The above illustrates the application of architectures using conventional electromechanical devices for the logic and outputs but these could well be replaced by programmable intelligent systems without changing the principles of the structures.

16

SIMPLE CATEGORY 3 or 4 CONFIGURATION (using Safety PLC & Drive):

Safety PLC Firmware:

Switch Ch A Switch Ch B

E/Stop Input Function Block

E/Stop Output Function Block Data Links

Drive Firmware:

SafeTorque-Off

Drive Function

Fault Diagnosis Function Block

Programmable Safety Even with programmable safety, the principles of the machinery safety systems remains broadly unchanged from that used under the old EN954-1 concepts but the use of electronics and programmable safety relays make it possible to bring the safety function within the programmable controller. Nevertheless, the features of the conventional safety relay are still recognizable in the program firmware and the inputs, outputs and field wiring required are unchanged:-

17

Diagnostics (a Functional Check & Fault Detection) The safety related parts of control systems excluding Category B & 1 should perform functional checking, by monitoring the correct operation of the input devices and the correct response of the output drive functions. This is also known as the system diagnostics. This may be achieved by testing the system and/or checking the systems response. A functional response check of the Emergency Stop input device is usually achieved by the duplication of contacts which will be expected to operate together. Each set of contacts will effectively check the other. A functional response check of the output switching devices, such as supply switching contactors, is best achieved by the fitting of contacts which will reliably reflect the actions the main power contacts powering the actuator devices. However ideally, it would appear, the direct monitoring of the driven device (motor shaft, etc.) would reflect with certainty the state of the operation.

Functional Checks in a Category 2 configuration

Direct monitoring of the driven device (motor shaft, etc.) is a feasible as an effective functional check only in a Category 2 configuration. In a Category 3 or 4 configurations the redundancy effectively masks the fault as even if only one of the redundant pair is operating correctly the motor still appears to stop correctly.

Functional Checks in Category 3 or 4 configurations

18

Diagnostic Coverage Diagnostic Coverage (DC) is the parameter used in EN ISO 13849-1 as the measure of the effectiveness of diagnostics, which may is given by the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures. Arguably, the two most important factors in any safety related system is the outputs response to the inputs command. Therefore monitoring of the input command, e.g. the Emergency Stop device, and the outputs actions, e.g. the correct response of the motor contactor(s), are vital. Typically, EN ISO 13849-1 in Annex E indicates that direct monitoring of electromechanical devices by mechanically linked contact elements, such as with 2 sets of contacts on an Emergency Stop button and using mirror contacts of a motor contactor, may each provide a DC of 99%. Note: Mirror contacts on a device are monitoring contacts that mirror the actions of the function contacts because they are mechanically linked together.

19

Typical (but simple) supply tripping Emergency Stop system The Emergency Stop is monitored by the Emergency Stop Logic (typically a Safety Relay or E/Stop firmware in a Safety PLC) and in response, the logic controls the power fed to the machines control system outputs that drive the hazardous features of the machine. The diagnostic logic monitors the correct operation of both the Emergency Stop device(s) and the correct response of the outputs controlling the power. If the Emergency Stop is operated or there is a fault in the system, the Emergency Stop Logic removes the power to the machine. It cannot then be reset until the Emergency Stop device has been de-latched and any fault has been attended to and the failed component replaced. +
Mirrored Contacts Reset

Output Response Functional Check Inputs

Redundancy & Functional check of device contacts

Inc. Internal Monitoring

Primary 3ph Supply

E/STOP LOGIC

Motor Contactors

Load Break Contacts

+
Outputs

K1

Load Break Contacts

K2 Mirror contacts Redundancy of motor controllers

Functional 3ph Bus

Functional Logic and associated Safety Functions

SIMPLE EMERGENCY STOP FUNCTION (Category 3 & 4) 20

Practical Emergency Stop system A more practical Emergency Stop function is shown below. Rather than using all heavy duty redundant contactors or redundant contactors in each motor circuit, this safety system controls both the drive power supply and the control supply. In the event that the Emergency Stop is pressed both the, lower load, control supply to the drive contactors (via an common feed) AND the, heavier load, 3 phase drive supply is switched off. This provides the redundancy required of a Category 3 and 4 system and also Diversity which increases the systems robustness against common cause failures (CCF).
Drive supply (3ph) Control supply PLC o/p

Redundancy & Diversity

RESET

Monitor

E/Stop SAFETY Logic RELAY

Outputs Drives

MACHINE MOTORS

Dont forget the pneumatics The essential requirements of the Machinery Directive states that ... [machinery]... must be so designed, constructed and equipped as to avoid all potential risks associated with ... [all]... sources of energy. This must be taken into account in the design of the safety control system. Unfortunately, it is a common omission in machinery designs that whilst the electrical part of the safety systems is compliant, by meeting the determined performance levels, other sources of energy remain seem to be forgotten, yet the potential for harm remains present and is often more significant. The practical safety system must take these sources of harm into account, in particular they pneumatic and hydraulic systems. Hydraulics is often easier to incorporate as the power source is derived from a local, electric powered, power pack, however, the pneumatic supply is a little more involved. 21

Such as system, developing the system illustrated above is shown below.

Master Solenoid Valve Air or Fluid supply Drive supply (3ph) Control supply PLC o/p Valve spindle monitor

RESET

Electric Drives

Monitor E/STOP LOGIC Master SV Solenoid Valves

Common Control Outputs Elec Drive Power

Pneumatic/ Hydraulic Drives

Functional Check of the Pneumatic Valves As with redundant motor contactors, if one valve sticks in the on position then the redundant valve will (we hope) still operate correctly and block the air. Again, the need for a functional check of the valves is obvious because, if the redundant valve is the only one operating correctly the air supply is correctly blocked so the first valve fault does not become apparent until the redundant valve also fails and the safety function is lost. Monitoring the air pressure clearly doesnt reveal the fault. Our only practical option is to monitor the mechanical operation of the valves. The use of valves that 22

have functional check contacts that change state upon movement of the valve spool will contribute to meeting the requirements.

Function monitoring

Spindle monitoring

Spindle monitoring

Air Supply

Stored Energy When controlling pneumatic systems it must be remembered that, in general, a pneumatic system can retain more stored energy than an electrical system (trapped in pipework, cylinders, reservoirs, etc.). The primary consideration is what to do with the residual energy after the safety system has called for the machine to shut down. See the Stop Categories. First reaction may be to dissipate the energy by venting the pipework and associated actuators. However, consider the situation where the machine is transporting sheets of material held under vacuum suction cups. Pressing of the Emergency Stop could result in the sheet being dropped possibly creating a more significant injury, it could be sheets of steel or even glass! In your design risk assessment you must decide whether: to leave the air on, and then remove it when safe to do so (Stop Category 1) or shut the air supply off but trap the air residual in the system (allow the user to release the air at his discretion)

23

Dealing with Assemblies of machines The Machinery Directive states that particular attention must paid to ensuring that the safetyrelated parts of the control system (including the Emergency Stop function) must apply in a coherent way to the whole of an assembly of machinery and/or partly completed machinery. In the case of machinery or parts of machinery designed to work together, the machinery must be designed and constructed in such a way that the stop controls, including the emergency stop devices, can stop not only the machinery itself but also all related equipment, if its continued operation may be dangerous. (EHSRs 1.2.4.4. - Assembly of machinery) When dealing with machine assemblies or complex systems, e.g. machinery or parts of machinery designed to work together such as Integrated Manufacturing systems and integrated production lines, it is very important to ensure that the Emergency Stops can stop not only a particular component machine but also all equipment upstream and/or downstream if their continued operation can be hazardous. Remember that the person using the Emergency Stop may not necessarily be the person in danger! It may, therefore, be prudent to position an emergency stop near an adjacent machine, or machine zone in the case of a complex system, giving the neighbouring operator the opportunity to stop the machine if the operator gets into trouble. All Emergency Stop devices should be integrated to have the same span of control, however, if for some reason the Emergency Stop systems are segregated then their zones of effectiveness must be clearly indicated to avoid confusion. When designing and manufacturing a piece of machinery, provision must be made to the foreseeable possibility that it may have to integrate with common Emergency Stop functions and other safety-related parts of the control system. The design should include provision to exchange status with other Emergency Stop devices and systems and to transmit the machines status to those other Emergency Stop systems, including system response diagnostics. Remember that Emergency Stop devices must be a back-up to other safeguarding measures and therefore the illustrative configurations shown above are unlikely to be satisfactory in a practical machine safety system. The Emergency Stop takes the roll of a global and overriding function and must be available and operational at all times, regardless of the operating mode.

24

Diagrammatic arrangement for an assembly of machines integrating several safety functions:-

Common E/Stop function E/Stop Logic Diagnostics (Functional Check of SF1)

Diagnostics (Functional Check of SF3)

Diagnostics (Functional Check of SF2)

SF1 Safety Logic

SF2 Safety Logic

SF3 Safety Logic

Equipment controlled by Safety Function 1

Equipment controlled by Safety Function 2

Equipment controlled by Safety Function 3

Maintenance, Inspection & Testing

The European Use of Work Equipment Directive, 2009/104/EC, requires that Where appropriate, and depending on the hazards the equipment presents and its normal stopping time, work equipment must be fitted with an emergency stop device. This directive is enacted in the United Kingdom under the Provision and Use of Work Equipment Regulations 1998 (PUWER98) and Emergency Stops are covered specifically in Regulation 16. Regulation 6 also requires that it is necessary to check that the safety-related parts, (including the Emergency Stop devices) are working as they should. In the case of the Emergency Stop devices frequent (preferably daily) inspections should be considered part of the formal routine inspection and testing process to ensure that they will operate in an actual emergency situation.

25

Reference Documents:2006/42/EC European Union Machinery Directive European Harmonised Standards:EN ISO 13849-1 - Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design. EN 60204-1 - Safety of machinery Electrical equipment of machines. Part 1: General requirements EN 60947-5-5 - Low-voltage switchgear and controlgear. Electrical emergency stop devices with mechanical latching function EN ISO 11161 - Safety of machinery - Integrated manufacturing systems Basic requirements EN ISO 13850 - Safety of machinery - Emergency stop - Principles for design

About the author - Robin J Carver

Robin is a qualified Safety Systems Engineer and a Safety Practitioner with over 40 years experience in the design and assessment of wide range of machinery in an equally wide field of applications & environments. He is involved in aiding and assisting companies with the safety of machinery including bringing products and machinery to market (CE Marking) the use of work equipment (PUWER98) and systems and product verification and validation. Robin is formally recognised and listed on the Occupational Safety & Health Consultants Register as offering sensible and proportionate advice on machinery safety. Other attributes: BSI committee member, Safety of Machinery MCE/003 panel; Chartered Health and Safety Practitioner; East Midlands Brokerage Quality Assured standard - 5 star rating; Listed on the Occupational Safety & Health Consultants Register; Registered European Occupational Safety and Health Manager; Chartered Member of the Institute of Occupational Health and Safety; Member of the Institute of Measurement & Control; Fellow of the International Institute of Risk and Safety Management; Member of the Institute of Engineering and Technology;

Robin J Carver
EurOSHM MIET MIntMC CMIOSH MIIRSM Chartered Safety Practitioner Registered European Occupational Safety and Health Manager

Email: robin@hs-compliance.com Web: www.hs-compliance.com

26

Notes:

27