We have a problem with operators using the emergency stop circuits to power down a line rather than doing the "right thing" and going through the sequence of pressing the individual stop PB's (not that it's hard since they're on the same control desk). Now....
CSA Z432-94, section 7.3 states:
"It is essential that release or resetting of the emergency stopping device does not cause the machine to operate."
Basically this means that any latched control circuits must be broken by the hard-wired e-stop and that the control circuits go through an alternate means to be re-latched.
Ontario Health and Safety Act Reg 851, s.27 states:
"An emergency stop control.... be conspicuously identified..."
Basically this means it has to be visible and obvious.
However, it has been suggested to me that there is also a regulation "somewhere" stating that the e-stop circuit cannot be used as a system general stop. That is, start/stop controls must be separate from the e-stop circuit.
Although this makes good design sense, and would enhance compliance with Reg 851 s.27, I can't find anything that specifically says this must be so!!!!! Help!!!!
Anthony Kerstens P.Eng.
A.G. Simpson Co. Limited
We are in the process of reviewing ANSI and OSHA specs to make certain we comply with all applicable standards. I cannot think of a regulation which requires that day-to-day stop circuits are required to be separate from the emergency stops. An obvious implication in the specs, however, is that since resetting the e-stop device itself cannot restart the equipment, there must be a separate start button or control.
It is conceivable to me that one could, within the regulations, use the e-stop circuit for day-to-day operations.
Exactly what I was afraid of. The problem is that the e-stop kills everything immediately whereas going through the sequence of stop buttons shuts things down in an orderly manner.
It might be possible to put in place a shutdown sequence to be initiated by one button (not to be construed as an e-stop), but that would be adding complexity to solve a human resources/management problem. The unwritten rule of systems design is the simpler the user interface, the more complex the inner workings.
It's possible to do many things within the regulations, but you wouldn't necessarily want to.
Anthony Kerstens P.Eng.
> -----Original Message-----
> From: firstname.lastname@example.org
> It is conceivable to me that one could, within the regulations, use the e-stop circuit for day-to-day operations.
Anthony's idea is very much logical and practical. I have also experienced a similar problem and had used the same idea. Add one push button labelled SHUT DOWN and define the safe shut down sequence internally. This will also eliminate the sequential mistake of operators which is quite normal.
Something that you might try to discourage the practice of hitting the e-stop button is to place an irritation such as a horn or strobe near the control desk that is initiated by the e-stop and has to be silenced or acknowledged in some way.
I have never heard of such a regulation, at least in the US. It's a pretty common way to stop a machine here. I really don't see it as a problem unless they are hitting estop in the middle of a cycle. The most common way I see of stopping a machine seems to be "stop on end of cycle" button, then estop once motion has ceased.
If you want to stop the operators from hitting the estop, maybe some training and/or gentle persuasion is in order. OTOH - if there is no good reason to cease such actions why bother to mess with their world unnecessarily?
I am not aware of any such regulation. In fact there have been occasions when it was less expensive and worked very well to use the E-stop as the power down for the machine. The E-stop doesn't need to remove the power from PLC's or anything else, just remove the control power from the actuators that produce a hazardous motion. Unless the operator is using the E-stop to interrupt a cycle in the process that causes a problem with restarting it, what's the harm?
The harm is that the meaning of E-STOP becomes lessened. E is for EMERGENCY.
There should be a separate Power Off switch to turn off power. Use a Power On PB and Power Off PB with a seal-in relay circuit to do that job.
I am glad to hear someone else that knows not to 'turn off the brain' each time you want to stop the machine. That brain is usually used to monitor the 'eyes' and 'ears', too. Plus, it's unnecessary power cycling of sensitive components.
I think that part of the problem is the company culture or training. I had an incident happen at a company that I worked for where a lab coat of an operator got caught in a slow moving conveyor (~1"/sec). They were dragged for several feet until they removed the coat but never hit the E-Stop because they thought that the E-Stop was only for "Life or Death" situations and they didn't think that they were really going to die. For any E-Stop to work properly, the E-Stop must be properly wired to stop outputs and operators must be trained on the proper use of an E-Stop.
Additionally, American workers are the most productive workers in the world (Translation: they choose the shortest distance between two points, and this is often the E-Stop if it is faster to "Turn off" the machine than the installed "Off" button).
C. Thomas Wiesen
I've seen E-Stops used for a variety of reasons. Some operators use E-Stops to reset buggy systems. Some use the E-Stop as part of the process. Many yet have never even used an E-Stop at all, which I find much more dangerous than overusing it. In circumstances where hitting the E-Stop is not only appropriate but could prevent injury, many operators may not even utilize the E-Stop. I'll be the devil's advocate and paint a scenario.
Bubba's an operator at the local semiconductor manufacturer. Bubba works at the Rod Grinding units and has been for over 12 years now. In the 12 years, Bubba has never used the E-Stop. One day Bubba is grinding a rod and the computer malfunctions. Bubba thinks the grinding is done, so he lifts the hood. The rock is spinning so fast, he doesn't know if it's stopped or not. It looks stopped *shrug* so in goes his hand. Suddenly he's spraying himself in the face with his own blood. His hand is stuck and he can't get it out. His free hand is resting on the E-Stop but he doesn't push it! WHY?
A) He's never used it before or seen it used. He doesn't know what it does. It may cause him more harm.
B) He knows what an E-Stop does but he's in panic mode and having never used the E-Stop, he doesn't associate hitting that button with instant pain
C) He thinks E-Stop means kill the power to the city. He doesn't want to be responsible for that.
D) He hasn't had a vacation in 12 years. He could use some time off. Besides, he's been dying to try out his new nubby cozy.
Maybe E-Stops shouldn't be used as frequently as they are and for the circumstances they are used but at least the people who do that will be highly likely to instinctively hit the button in the true time of need.
Just a thought.
> "Unless the operator is using the E-stop to interrupt a cycle in the process that causes a problem with restarting it what's the harm?"
The point is if you are going to provide an E-Stop whenever anything surprising or potentially dangerous occurs the operator is expected to use the E-Stop immediately.
The problem may not be "actuators that produce a hazardous motion" but something integral to the process which is not normally considered a threat - electrical fire in the controller cabinet, burst hose on hydraulic power pack, power brown out threatening the electrics as examples. The Danger may not be even located or defined - smoke over at the back, or a quickly worsening vibration from "somewhere" will cause a wise operator to use the E-Stop rather than risk damage to equipment or personnel.
The E-Stop is expected to bring the whole process to a safe stop!
If the users believe the E-Stop makes the process / equipment safe as it can be then it should be as safe as you can make it. Unless you are going to label the E-Stop with a table of exceptions, and this seems contrary to the idea of the E-Stop, then the equipment should be dead as it can be safely.
In the UK I can find no regulation stating that the e-stop should be separate from the control circuit. The following is an excerpt from our EHSR (Essential Health and Safety Requirements).
1.2.4. Stopping device
Each machine must be fitted with a control whereby the machine can be brought safely to a complete stop.
Each workstation must be fitted with a control to stop some or all of the moving parts of the machinery, depending on the type of hazard, so that the machinery is rendered safe. The machinery's stop control must have priority over the start controls.
Once the machinery or its dangerous parts have stopped, the energy supply to the actuators concerned must be cut off.
Each machine must be fitted with one or more emergency stop devices to enable actual or impending danger to be averted. The following exceptions apply:
- machines in which an emergency stop device would not lessen the risk, either because it would not reduce the stopping time or because it would not enable the special measures required to deal with the risk to be taken;
- hand-held portable machines and hand-guided machines.
This device must:
- have clearly identifiable, clearly visible and quickly accessible controls;
- stop the dangerous process as quickly as possible, without creating additional hazards;
- where necessary, trigger or permit the triggering of certain safeguard movements.
The emergency stop control must remain engaged; it must be possible to disengage it only by an appropriate operation; disengaging the control must not restart the machinery, but only permit restarting; the stop control must not trigger the stopping function before being in the engaged position.
In the case of machinery or parts of machinery designed to work together, the manufacturer must so design and construct the machinery that the stop controls, including the emergency stop, can stop not only the machinery itself but also all equipment upstream and/or downstream if its continued operation can be dangerous.
There are various categories of emergency stop, ranging from (0) where all power is removed immediately from the actuators, to where the power is removed from the actuators only after the machine has been brought safely to a controlled stop. ALL machines must have a category zero emergency stop (it is often called the panel isolator - red handle, yellow background) but it is not necessarily caused by hitting a mushroom type E. Stop button, in fact a category zero stop can be more dangerous than not stopping.
The use of the emergency stop is highly dependent on the application.
Note: I know of one manufacturer's Printing Press that stops very happily on an E.Stop, trouble is it often causes a web break.
As some practical advice, consider putting annunciators on the e-stop system (horns and lights) when activated. It may be a better deterrent in the long run than posting of rules and playing the heavy. Your operators will then have to make a choice of pressing the big red button and listening to the bell go (having to do a reset sequence to stop it) or shutting down normally in silence. The old negative feedback vs. positive feedback thing. Also, having some announcement for an emergency condition is not a bad idea anyhow. As for specific rules, I remember when I was a process engineer at Michelin that using the e-stop was like pulling the fire-alarm, you had better have a good reason. I don't recall if this was mandated by government though. Good Luck.
Barry Baker, P.Eng.
VTS Industrial Control Software
I've designed my fair share of systems. I have my fair share of technical documents and toys from various suppliers. I do know what you're talking about, and I do know what the "right" thing is.
My question is about a code and/or law that might possibly exist who knows where on the face of this Earth.
Anthony Kerstens P.Eng.
> -----Original Message-----
> From: JohnMethod@aol.com [SMTP:JohnMethod@aol.com]
> Sent: Tuesday, February 15, 2000 1:42 PM
> To: AnthonyK@agsimpson.com
> Anthony, you write:
> << We have a problem with operators using the emergency stop circuits to
> power down a line rather than doing the "right thing" and going through
> the sequence of pressing the individual stop PB's >>
> <soap box>
> Safety cannot be compromised for convenience.
> </soap box>
> Depending on a bunch of things, including what "a line" means, using the
> E-Stop must be (i) a painful enough thing that it is reserved for emergencies
> and (ii) renders "the line" ABSOLUTELY passive until it is safe to restart.
> The second part means that the shutdown sequence may not be pretty and
> that restart may not be easy.
> I believe that the "right" thing to do is to make it VERY convenient (large
> red mushroom head or single pull wire all along "the line") to "open" a
> normally closed contact E-Stop and to require a key to unlock and
> "reclose" it. Find better terms for "open" and "reclose" - anyway, it's reverse
> Log E-Stop activity and managerially enforce discipline in its use.
> My 0.02 $US
> "Lurker John" G. Boland, president
> Strateg!c Method$ Corporation
Put yourself in their shoes....Of course the operators are going to use the easiest method of shutting down the line. Don't try to "straighten them out" with regulations, they'll just fight back. Why not give them what they seem to be asking for? That is, adding one additional stop pushbutton that has the sole function of shutting down the line "the right way" as you put it. You still keep the individual stops for when they're needed, but the operators now have a simple method of shutting down without having to resort to using Emergency Stop and causing you grief ;o)
How many stop pushbuttons are we talking about? If only a few, then wire those stop circuits through individual N.C. contact blocks on this new stop button. If there are many, then wire the stop circuits through the N.O. contacts of a multi-pole relay (or relays) that is/are de-energized by this new stop button. Shouldn't be much work, as you said they're all on the same control desk. Maybe you should make this new stop button a mushroom-head so it "resembles" that Emergency Stop that they have been using. Nothing says you can't use a mushroom-head for the "stop" function. Just don't label it "Emergency Stop"...maybe "System Stop" or something like that.
If you require the stop buttons be pressed in a specific order, there are ways of accomplishing this with one button as well.
IMHO, I don't mind having the Emergency Stop circuit "exercised" once in a while. Nice to know that it's working!!!
- Eric Nelson
Packaging Associates Automation Inc. email@example.com
Rockaway, NJ, USA
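The behaviour discussed up to this point in the thread, modelled as an added example that is not part of any post: stop priority over start, an e-stop whose release does not restart anything, a separate reset, a logged and annunciated e-stop, and a single "System Stop" button that runs the orderly sequence. The class, method and drive names are hypothetical, and this is a software model of the relay logic for reasoning about it, where the thread's e-stop is hard-wired.

```python
class LineControl:
    """Constructed model of one control desk; drive names are hypothetical."""

    # Order in which an orderly shutdown stops the drives (assumed for the example).
    SHUTDOWN_ORDER = ("infeed", "press", "outfeed")

    def __init__(self):
        self.running = set()        # drives whose seal-in relay is held
        self.estop_engaged = False  # mushroom head mechanically latched in
        self.safety_ok = True       # safety relay energized: control power to actuators
        self.horn = False           # annunciator driven by the e-stop
        self.events = []            # log of (event, drives affected)

    def scan(self, drive, start_pb=False, stop_pb=False):
        """Evaluate one drive's seal-in rung; stop has priority over start."""
        if stop_pb or not self.safety_ok:
            self.running.discard(drive)
        elif start_pb:
            self.running.add(drive)
        return drive in self.running

    def press_estop(self):
        """Category 0 behaviour: every seal-in drops at once, with no sequence."""
        dropped = sorted(self.running)
        self.estop_engaged = True
        self.safety_ok = False
        self.horn = True
        self.running.clear()
        self.events.append(("ESTOP", dropped))
        return dropped

    def release_estop(self):
        """Disengaging the button only permits a reset; it restarts nothing."""
        self.estop_engaged = False

    def reset(self):
        """Separate reset action: re-arms the safety relay, silences the horn."""
        if self.estop_engaged:
            return False
        self.safety_ok = True
        self.horn = False
        self.events.append(("RESET", []))
        return True

    def system_stop(self):
        """Single 'System Stop' button: orderly stop, no latch, no horn."""
        stopped = [d for d in self.SHUTDOWN_ORDER if d in self.running]
        for drive in stopped:
            self.scan(drive, stop_pb=True)
        self.events.append(("SYSTEM_STOP", stopped))
        return stopped

    def estop_count(self):
        """Number of e-stop activations in the log, for managerial review."""
        return sum(1 for name, _ in self.events if name == "ESTOP")


def demo():
    line = LineControl()
    for d in LineControl.SHUTDOWN_ORDER:
        line.scan(d, start_pb=True)
    orderly = line.system_stop()
    for d in LineControl.SHUTDOWN_ORDER:
        line.scan(d, start_pb=True)
    line.press_estop()
    line.release_estop()
    after_release = sorted(line.running)
    blocked = line.scan("press", start_pb=True)  # safety relay not yet reset
    line.reset()
    after_reset = sorted(line.running)
    restarted = line.scan("press", start_pb=True)
    return orderly, after_release, blocked, after_reset, restarted, line.estop_count()


if __name__ == "__main__":
    print(demo())
```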
I think a separate 'E-Stop' is a must if several circuits/equipment need to be stopped simultaneously as in an emergency. If a single equip/circuit is to be stopped, I see no reason why an additional stop should be wired on the same console / panel.
It could make sense in such a case to have a separate 'E-Stop' wired away from the main panel near some auxiliary manned station. Where someone could take action if the main operator fails to do so. Or perhaps in the field where somebody spotting say a fire or mechanical obstruction can stop the operation without the intervention of the operator.
Just a thought
Reminds me of a similar situation with a robotic system we did at an automotive company many years ago. The operators were doing the same thing here instead of hitting the "cycle stop" button because the cycle stop took longer to execute than the e-stop (I guess they were anxious for the coffee break or something). The controls people in the plant actually asked us to rewire the e-stop to perform a cycle stop because it was taking a long time to rehome the system after an e-stop and it was having an impact on production rates (I'm not kidding). We refused to do it but it involved some nasty arguments. They eventually wised up but it was real tense for a while.
Why not provide them a single stop button that automates the sequence of a graceful shutdown? The operators seem to lack the motivation of George Jetson. ;-) Why fight it?
For a well thought out answer to the infamous question "To E-Stop or not to E-Stop":
See Tim Park's timely article in the Feb-2000 issue of PTdesign Magazine. He has an excellent grasp of the intent of the E-stop function.
Tim is with TB Wood's Inc.
Phil Corso, PE
To List members:
In answer to those requesting additional information on the article referenced in my Feb 22 Email "To E-Stop or not to E-stop"
The article entitled "e-stop" was authored by:
Tim Park, Product Manager
Electronic Brakes Division
TB Wood's Inc.
His article covered rotating machinery braking systems. However, he intelligently addressed the difference between "normal" stop and "emergency" action. For the former, time of response is unimportant, while for the latter, fast response is mandatory. This philosophy can be easily extrapolated to cover process SIS/ESD's.
As an example, taking a steam user "offline" doesn't require "slam-bam" action of its inlet valve. Instead, ramp the valve closed... unless a potential damaging problem has occurred (eg, ruptured tube, lubricant loss, hi-vibration, etc). Then use the "slam-bam" plan!
Mr. Park's article was presented in the Magazine "PTdesign". Their web address is:
Phil Corso, PE
This subject seems to be going around and around without getting to the meat of the issue - which is:
"Is there an industrial safety regulation *anywhere* in *any* country which says you must NOT use an e-stop circuit on a frequent basis?"
I too would be very interested in learning if this were true. I have not heard of one if this is indeed so. Various reasons have been advanced in previous letters as to why this may or may not be a good idea in various applications from a process perspective. However, all that can be said about any of those particular arguments which were advanced is that the answer depends upon the application. Other arguments were advanced giving reasons why you should make sure it doesn't matter.
I can't say if there is such a regulation, however I could offer several postulates as to why one may exist.
Speculations as to why such a regulation *may* exist:
1) Certain types of emergency stopping systems may involve the use of brakes and clutches operating on machines with large amounts of stored mechanical energy. These systems may experience excessive wear which reduces their ability to safely stop the machine if they are exercised on a frequent basis. Although such systems should be subject to regular inspection, frequent use of them may cause wear to occur more quickly than expected.
2) Certain types of emergency stop circuits which depend upon electrical components such as push buttons, relays, etc. may be designed in a way which is not "control reliable" (i.e. redundant and self checking), but be based upon "proven components". Frequent operation of these components in certain applications may result in more rapid wear than expected, making the experience upon which use of the "proven components" are based invalid.
3) Frequent use of an emergency stop button or other safety device (e.g. cable switch) may result in unexpected wear making mechanical function uncertain. Although the push button may have redundant contacts going to a safety relay, neither of these contacts will operate if the push button binds in its mechanical motion due to excessive wear.
The above are the only reasons I can think of why such a regulation *might* exist. Of the three speculations offered above, "1" sounds the most plausible. It also sounds like a large press application, so perhaps a good place to look would be in regulations which affect presses. Press amputation is a safety concern with a very long history.
The other possibility is of course that this was never actually a regulation, but it may have been a general practice used for certain types of equipment for one or more of the reasons given above. Unfortunately, I can't offer any useful opinions on the likelihood of any of these possibilities.
London, Ont. Canada
Michael, start with dictionary definition of "emergency". Then embellish with definitions from IEEE Std 100-1992 "The IEEE Standard Dictionary of Electrical and Electronics terms".
Phil Corso, PE
By either NEC code and/or OSHA regulation, an E-STOP must remove all electrical control of rotating equipment. This is why an E-STOP can cause severe damage, it is an uncontrolled stop, all regeneration of power "electric braking" is disabled, due to mandatory opening of motor contacts.
Thus, a very simple way to test an E-STOP system regularly is to test during "OFF RUN" hours, when no physical damage can occur. Hit the E-STOP and check for power loss when no equipment is running.
In my opinion, an Emergency Stop should be accompanied by an audio / visual indication using perhaps a hooter and a beacon especially in a noisy shop floor environment or when large areas are involved. This is necessary so that the others concerned are aware that some emergency exists. A normal operational stop does not require such indication.
Any emergency stop system should be tested at fixed intervals and this testing should be documented. After all Fire Drills are mandatory in many places? So why should Emergency Stops be treated differently? Similarly, nobody would sound the fire alarm to announce the end of the day's work, although both may result in the employees leaving the building. So the normal operational stop and Emergency Stop functions should be segregated whenever practical.
Even in chemical plants, though the complete closing of an Emergency Shutdown Valve for testing may not be possible, it is still possible to design a system for 'Partial' Movement of the valve to test the circuit.
Operating a switch once a month should not wear it out very much. I have known switches to malfunction just because they were not used.
I don't know of a specific regulation that requires a separate stop button from the E-stop, I bet that an industrial lawyer could tell you right away.
Whilst not a direct answer to Anthony Kerstens' original question, I recently noticed the following statement in an Allen-Bradley "white paper" entitled "Emergency Stop Push Buttons" (Publication 800-WP008A-EN-P - May 2003), available in PDF format on the Web:
One of the more interesting parts of the European standards is the mechanical life requirements. Emergency stop push buttons are only required to be tested to 6,050 operations. This implies that emergency stop push buttons are not meant for everyday use. They are only to be used in emergencies.
I assume the above quote is referring to EN 418: 1992 and/or EN/IEC609457-5-5: 1998.
I hope this is of some help.
Airport Baggage Handling and Screening Specialist