Emergency Stop
A machine or system Emergency Stop, sometimes called Estop or E-stop, is a control function defined in
NFPA 79, Industrial Machinery Safety. Other relevant documents include ANSI B11-1, ANSI B20-1 and
ANSI B11-2.
EMERGENCY STOP ACTUATOR
When required, the emergency stop must be accessible, recognisable and must work
reliably and safely. It need not be a button. It could be a grab wire, rope, bar or handle and, in
some specific applications, a foot pedal without a protective cover, or a combination of devices.
Whatever actuators are used, they must be accessible to all who may have to operate them and their
location should be obvious.
Location
They should be positioned for easy access by the operator or anyone who may need to use them;
however, they should not be located where their use could endanger the user.
Remember that the person using the emergency stop may not necessarily be the person in danger!
It may, therefore, be prudent to position an emergency stop near an adjacent machine, or machine zone
in the case of a complex system, giving the neighbouring operator the opportunity to stop the machine if the
operator gets into trouble. Where this is done, the zone of effectiveness of the
Emergency Stop must be clearly indicated to avoid confusion.
Presentation
The colour and action of the emergency stop actuator are clearly defined in BS EN 418.
It should be red and, as far as is practicable, on a yellow background.
An emergency stop button must be of a mushroom style.
Action
Emergency stop devices should meet the requirements defined by BS EN 418 and BS EN 60947-5-5.
In common with all other actuators, operation of the emergency stop should result in it being mechanically “latched in”
and not “delatching” until the device itself has been reset.
Without exception, operation of the emergency stop should result in the “de-energisation”
of the emergency stop control circuit. This must be achieved through opening of the
contacts and “positive mode operation”, where the contact separation is a direct
result of the movement of the switch actuator. Emergency Stop buttons using detachable contact blocks
should be configured such that the contact will open should the contact block
become detached, ensuring fail-safe operation. Resetting the emergency stop device itself
must not allow the machine to restart.
EMERGENCY STOP SYSTEM
The design of the emergency stop system should take into account that,
hopefully, it will be used very infrequently but it must be available and ready for operation at all times.
Operation in an emergency
The nature and operation of the machine must be considered.
Is it safe to have the emergency stop system cut the power to the machine drives and actuators?
This may result in the hazard freefalling leading to a more dangerous situation. Should the system actuate a
brake or clamp? Would stopping the machine in position result in a worsening of an injury?
Should the system allow the machine to continue on or reverse to a safe position? BS EN 418 categorizes
these considerations and BS EN 60204 further refines these as follows.
Stop category 0
Uncontrolled stop -- stopping by immediate removal of power to the machine
actuator(s), all brakes and/or mechanical stopping devices being applied.
Stop category 1
Controlled stop -- with power available to the machine actuator(s) to
achieve the stop and then removal of the power when the stop is achieved.
Stop category 2
Controlled stop -- with power left available to the machine actuator(s).
System integrity
The integrity of the system and its ability to resist faults requires consideration.
Positively Driven Contacts
The use of positively driven contacts in buttons, relays and contactors
(also known as forced guidance) is common and needs some clarification. These terms mean that all the contacts
in a set must be mechanically linked in a manner that prevents abnormal operation; the contacts must switch
together or not at all. For example, if one contact has welded (due to an external circuit overload),
it is impossible for the normally open and normally closed contacts in that set to be conducting simultaneously.
Therefore, a safety system can employ simple logical tests which rely on the relay's predictable behaviour.
Electronic or programmable electronic systems
With the exception of very sophisticated Programmable Electronic Safety Systems as defined in BS EN 61508,
electronic, PLC or computer systems are not considered to be acceptable as safety systems.
The safety system must be external and supervisory to any such systems and in accordance with BS EN 60204-1
section 9 must be hard-wired with final removal of power to actuators by means of electromechanical components.
BS EN 954 Categories
With regard to determining the integrity of the Emergency Stop system overall,
BS EN 954 lists five categories of fault integrity, determined by the following factors:
the severity of any possible injury
the frequency of and exposure to the hazard, and the possibility of avoiding the hazard
The five categories range from the simplest, category “B”, through category 1 up to category 4,
this being the most stringent in acknowledgment of the higher risk anticipated.
The British Standard BS EN 954-1 includes a category assessment chart based on the factors above.
The following assessment chart, extracted from BS EN 954-1, determines the category.
Category B
The least demanding category, applicable in general to low risk “domestic” type equipment and
hand tools. Here a single fault may lead to a loss of the safety function.
Notwithstanding, the component parts of the control system must be suitable for the
application and must be able to withstand the expected stresses and anticipated uses.
Category 1
As with Category B, a single fault may lead to a loss of the safety function but the design must employ well
proven components and principles. Use of components that have been life tested, have positive mode operation and
a known and appropriate failure characteristic would be expected. Arguably, Category 1 would be the minimum
level of system integrity used for industrial equipment.
Category 2
As with Category 1, the design must employ well proven components and principles but in addition a functional
check of the safety system must be performed as the machine commences operation and, if possible, periodically during operation.
The simplified example above illustrates a Category 2 Emergency Stop system that employs a functional check of the safety
system by monitoring the action of the Final Control relay C. Both relays (ER and C) must be “positive driven” types,
ensuring that if the main load contacts weld, the other contacts will be held in the matching position,
allowing the system to detect the failure. (Note: The auxiliary contact of relay C must be a directly operated
contact of the relay, not an add-on auxiliary, as add-ons can be removed and may not correctly represent the
action of the device.) On powering up the system, the Emergency Stop button must be de-latched and the
Emergency Stop Reset button must be pressed. If the Final Control relay failed during the last operation,
C/aux will be open and the system will not be allowed to reset.
With a Category 2 system, a routine of regular testing is essential and this should be included into the
Instruction Manual and as a notice on the machine.
Category 3
All that applies to Category 2 applies to Category 3 plus the requirement that a single
fault in the safety system shall not create any loss of safety. This means that not all faults need be detected and
that an accumulation of faults could still cause a loss of safety.
The simplified example above illustrates a Category 3 Emergency Stop system. Like the Category 2 system, it
employs “positive driven” relays and a functional check of the action of the Final Control relays.
The requirement is that a single fault should not create a loss of safety. To this end some
device redundancy is employed. The Emergency Stop button has two independent sets of contacts, each controlling one of two
Emergency Stop relays (ERA and ERB).
To allow the system to operate, both relays must be energised. A failure of one of the Emergency Stop
button contacts in the closed position, whilst not being detected, would not result in the Emergency Stop
function being inoperative. Similarly, the Final Control relays (CA and CB) are duplicated.
In this instance, however, the action of both is monitored by the feedback contacts CA/aux and CB/aux.
If either of these contact assemblies should fail (welded) in the closed position, then the corresponding feedback contact would not
close, inhibiting the safety system from being reset following a power failure or the operation of the Emergency Stop button.
The integrity of a Category 3 system is much more demanding and, clearly, the use of some redundant devices is appropriate.
When emergency stop devices are connected via flexible cables which are subject to constant flexing,
care must be taken in the design of the system. With the type of configuration shown above (known as a 3-wire system)
there is an increased risk of a short circuit between conductors, which may not be detected and would render the safety circuits ineffective.
This is a very rare occurrence, but experience has shown that it can occur. When flexing of cables is
considered a potential problem, a 4-wire dual channel arrangement should be employed, such as that illustrated for
Category 4 below, where each channel can detect any short circuit between two conductors.
Category 4
This is the most demanding category. All that applies to the lower categories applies
to Category 4. The design must employ well-proven components and principles.
A functional check of the safety system must be performed as the machine commences operation and, if possible,
periodically during operation.
Plus:
Any fault must be detected before the safety system is called upon to function, so that there is no loss of safety.
If this is not possible, an accumulation of faults in the safety system shall not create any loss of safety.
Category 4 demands a very sophisticated safety system and the only practical and cost effective solution
is to employ a dedicated Emergency Stop Relay. This is included in the illustration above. Emergency Stop Relays
are fail safe, maintaining the safety function in all circumstances. The circuit is redundant with built in
self monitoring and the correct opening and closing of the safety function relay is automatically tested in each
on/off cycle.
The unit employs a 4-wire dual channel circuit that monitors the Emergency Stop button contacts
independently and can detect cross connections (e.g. due to cable damage). The duplicated Final Control
Relays are monitored, inhibiting the safety system from being reset if a failure is detected. The integrity of a Category 4
system is vital and, clearly, the use of redundant devices is essential.
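To make the monitoring logic of the Category 2, 3 and 4 circuits above concrete, here is a small Python model, added here and not part of the original page or of any relay manufacturer's design. It models positively driven contacts, the C/aux feedback check that blocks a reset after a welded final relay, the dual-channel ERA/ERB stop, and the 3-wire versus 4-wire behaviour under a cross short; feeding channel A from +24 V and channel B from 0 V is an assumption about how the dedicated relay detects cross connections.

```python
"""Behavioural model of the monitored Emergency Stop circuits described above.

Added example, not from the original page. Relay names (ER, C, ERA/ERB, CA/CB,
C/aux) follow the text; feeding channel A from +24 V and channel B from 0 V for
cross-fault detection is an assumption about the dedicated relay's internals.
"""
from dataclasses import dataclass

@dataclass
class Relay:
    """Relay with positively driven (force-guided) contacts: the NO main contact
    and the NC auxiliary contact can never conduct at the same time."""
    name: str
    energised: bool = False
    main_welded: bool = False  # fault: load contact welded closed

    @property
    def main_closed(self) -> bool:
        return self.energised or self.main_welded

    @property
    def aux_closed(self) -> bool:
        # Directly operated NC feedback contact, so it always mirrors the main contact
        return not self.main_closed

def cat2_reset_allowed(estop_released: bool, c: Relay) -> bool:
    """Category 2: reset path is E-stop (NC) -> reset button -> C/aux -> ER coil.
    A welded or stuck final relay C holds C/aux open and blocks the reset."""
    return estop_released and c.aux_closed

def cat3_machine_enabled(contact_a_closed: bool, contact_b_closed: bool) -> bool:
    """Category 3: ERA and ERB must both be energised to run, so an E-stop contact
    welded closed (undetected) still lets the other channel stop the machine."""
    return contact_a_closed and contact_b_closed

def three_wire_inputs(a_closed: bool, b_closed: bool, cross_short: bool):
    """3-wire arrangement: both channels share one +24 V feed, so a short between
    the two return wires makes an open contact look closed and is not detected."""
    a_in = a_closed or (cross_short and b_closed)
    b_in = b_closed or (cross_short and a_closed)
    return a_in, b_in

def four_wire_inputs(a_closed: bool, b_closed: bool, cross_short: bool):
    """4-wire dual channel (assumed relay design): channel A carries +24 V, channel B
    carries 0 V. Returns the set of potentials seen at each relay input."""
    a_in = {"+24V"} if a_closed else set()
    b_in = {"0V"} if b_closed else set()
    if cross_short:  # bridged return wires: each input sees the union
        a_in = b_in = a_in | b_in
    return a_in, b_in

def cat4_cross_fault(a_closed: bool, b_closed: bool, cross_short: bool) -> bool:
    """A channel input seeing anything but its own potential is a detected cross fault."""
    a_in, b_in = four_wire_inputs(a_closed, b_closed, cross_short)
    return bool(a_in - {"+24V"}) or bool(b_in - {"0V"})

def cat4_reset_allowed(a_closed, b_closed, cross_short, ca: Relay, cb: Relay) -> bool:
    """Category 4: faults must be found before the safety function is needed, so a
    cross fault or a failed final relay refuses the reset."""
    if cat4_cross_fault(a_closed, b_closed, cross_short):
        return False
    return a_closed and b_closed and ca.aux_closed and cb.aux_closed
```

Running `three_wire_inputs(True, False, True)` shows the 3-wire weakness (an open contact read as closed), while `cat4_cross_fault(True, False, True)` shows the same short being caught in the 4-wire arrangement.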
ADDITIONAL PARTS OF THE EMERGENCY STOP SYSTEM
When designing the Emergency Stop safety system there is a tendency to think only in terms of the electrical controls.
It is vital to take into account all the sources of power used on the machine, pneumatic, hydraulic, etc., and for the
safety system to encompass them. It is important to remember that, unlike most standard ac electrical systems,
pneumatic and hydraulic systems may retain significant amounts of energy even when the primary supply source has
been isolated. From a safety perspective this retained energy may be a hazard or on the other hand the retained energy
may be used to retard the hazard. These should be significant considerations in the safety design.
Safety Shutoff Solenoids
Special safety soft start/dump valves are available and should be used as appropriate, particularly
in the primary supply. These valves, when first energised, allow for a slow build-up of pressure in the system,
providing time for faults, such as leaking valves etc. to become apparent before the system has generated enough
energy to be a significant hazard. Integrated into the Emergency Stop system the valve allows the supply to be
shut off and the pressure retained in the system to be quickly “dumped” from the system.
Pressure Proving
In pressure-powered systems, consideration should be given to providing “proving” feedback
to the safety system via a pressure switch. As with the electrical systems, this would confirm that, following a
supply shutdown, the pressure in the system has been removed or lowered to a safe level. It is common practice to
employ a valve plug proving contact, although this is only indicative of a safe pressure by virtue of the valve
being closed. This configuration would be a requirement of most Category 3 or 4 systems and its desirability should
be considered for Category 2. Device redundancy would be provided by safety isolation of the electrical control feeds
to the individual control solenoids.
Valve Proving
Valve redundancy may be demanded and in its simplest configuration can be provided in the
form of two shut-off valves in series, known as a “double block”. However, unlike electrical contactors with positively
driven contacts, the successful operation of the valves (as a tight shut-off) cannot be absolutely proven by
limit switches. Pressure switches cannot be relied upon either, as trapped pressure between the valves may indicate a failure when none exists.
THE LAST RESORT
The emergency stop is the control you hope never to use, but if it is necessary to resort to using it,
it must work reliably and safely. The design of the emergency stop system should take into account that, hopefully,
it will be used very infrequently but it must be available and ready for operation at all times. During possibly years
of inactivity the circuitry may be subjected to neglect, wear, contamination etc., but if the time comes, and all the other
safety measures fail to prevent the risk becoming realised, then the Emergency Stop system may be the last resort in
preventing or reducing the consequences of an accident. The emergency stop system should NEVER be an alternative to proper
safeguarding nor a substitute for proper automatic safety devices.
Artzat Consulting is owned by Arthur Zatarain, PE, in Metairie, Louisiana,
a suburb of New Orleans. Artzat provides consulting and expert witness services
to attorneys, insurers, and end users. Typical projects relate to equipment,
automation, instrumentation, and control systems. Service is available nationwide,
with engineering licenses held in Louisiana, Alabama, California, and Alaska.
Forensic Engineer
A forensic engineer performs analysis and reporting on technical matters
that are typically being processed through some form of legal matter. However,
a legal environment isn't required for a forensic examination. The analysis
may be performed merely to determine the cause of a specific event or condition.
For example, a forensic examination may be made on a control system to determine
why an accident occurred, or why a system did not perform as expected. The
forensic analysis may be of software code such as ladder logic in a PLC,
or it may involve hard-wired relay logic, electrical controls, power distribution,
or instrumentation. Forensic engineering is therefore useful in a variety
of situations regardless of the legal entanglement.
Industrial Equipment
Typical equipment includes programmable logic controllers (PLC), distributed
control systems (DCS), and electric relay logic. PLC systems use ladder logic
for most operations, while a DCS will often use function block programming.
The concepts of PLC and DCS have merged into a unified control platform based
on open architecture interfaces. The use of ladder logic is widespread due
to its earlier application to relay logic circuits.
An expert witness is used to investigate and evaluate the technical and
commercial aspects of accidents, intellectual property, and commercial matters.
Artzat Consulting can assist clients in all these areas, with experience
with steam boilers, paper mills, steel mills, burner management, and telemetry/SCADA.
Other areas include medical devices, flow measurement, meters, power
distribution, and refrigeration.
Expert Witness Services
Expert witness services can be provided in any state, with experience in Louisiana,
California, Alabama, and Alaska. Other states include North Carolina, Oklahoma,
Illinois, Indiana and Texas. Michigan has also been served, as have the
states of Washington, Colorado, Oregon, and the District of Columbia (DC). Any
state, such as New York or New Jersey, can also be served by expert witness
service. Professional credentials are important, such as licensed engineer
or registered engineer. Also important is a master's degree in engineering
or a similar field. A PhD is not a necessity for an expert witness because
career experience and expert witness experience are more useful to the client
than a PhD with no relevant experience.
Product Liability
A forensic engineer is useful for matters of product liability and product defects.
Artzat Consulting has experience with product liability for industrial and commercial
equipment. Product liability has also been analyzed for control systems, programmable
controllers, ladder logic, and engineering design. Product liability can result from
an original equipment manufacturer (OEM), or from a systems integrator who combines components
into a complete system.
Forensic Engineering Locations
Service in Louisiana, Mississippi, Texas, and Alabama is efficient due
to the proximity of Metairie to those areas. However, an airplane will take
Artzat anywhere within the USA in a matter of hours. Travel to Alabama areas
such as Birmingham, Montgomery or Mobile is easy, with Huntsville also
accessible by car. Visits to Houston, Dallas, San Antonio, and Austin are
also less than one day away by car. A PhD is not unusual for an expert witness,
but is not really important when compared to real-life experience with equipment,
controls and automation with PLC and DCS control system equipment.
Service in California includes Los Angeles, San Francisco, and San Diego
as well as outlying Bakersfield and Antioch. Seattle is a bit far, but the
airline does most of the heavy lifting. Travel to New York (NYC) occurs easily
on JetBlue and Delta. Once in NYC the entire tri-state area is easily accessible,
as is upstate New York.
Service to New England is welcomed, so please inquire with your technical
requirements for an expert witness. Travel to New England cities such as Boston
is by JetBlue or other carriers, which can then lead to other New England
cities.
Engineer for Machine Accident
An engineer may be required to serve as an expert witness or forensic engineer
for a machine accident such as with a conveyor, power press, steel mill,
or extraction machine. The instance could be an equipment accident, or it
could be a process accident. A typical example is an expert engineer for
a manufacturing accident. This could be an expert engineer or forensic engineer
in an assembly plant, or an expert engineer on a production line or on a
vehicle assembly line.
Oilfield accident
An expert engineer can be useful to evaluate an oilfield or oil and gas
accident. Those events may involve oil and gas or related products such
as water, CO2, H2S, and sulfates. The accidents occur on oil wells, gas
wells, pipelines, storage tanks, and production vessels such as separators,
treaters, waste heat recovery units, and water treating facilities. Such
events can be generally divided into oil and gas drilling accidents and
oil and gas production accidents. An oilfield accident requiring an expert
engineer can occur onshore or offshore. The expert engineer can be for the control
system, production system, safety system, automation system, or instrumentation.
The system can be electrical, electronic, hydraulic, or pneumatic.
A computer control system can also require an expert engineer. An industrial
engineer can also be used if the matter involves safety and production systems.
Automatic control
An expert engineer may be required for an accident involving automatic
control. That expert could be an electrical engineer, control system engineer,
or automation engineer. A mechanical engineer or someone with experience
in mechanical engineering can also be useful for an automatic control
accident. A certified systems integrator is someone who can be an expert
engineer for automatic control. Systems integration involves combining
multiple pieces of equipment and technology into a single control system. This involves
design, programming, fabrication, testing, installation, and maintenance.
Industrial accident
An industrial accident may require an expert engineer or forensic engineer
to analyze and evaluate the control system connected with the event. The
accident may have nothing to do with the control system. Still, a forensic
engineer may be required to analyze the system to determine that the control
system was not at fault.
Equipment accident
An equipment accident can require an expert engineer or expert witness
to help evaluate the circumstances and situation, including the mechanical
and electrical components of the equipment. This can be industrial equipment,
process equipment, a manufacturing system, commercial equipment such as a heater
or dryer, or a pump and compressor. Industrial equipment also includes flow meters,
electrical switchgear, control switches, buttons, and instrumentation. End
devices measure pressure, temperature, level, and other physical quantities.
Much equipment is used for food production, packaging, transportation, storage,
and conveying, and in industries such as metal processing, steel mills, paper mills, refineries,
petrochemical plants, and tank farms. A vehicle can also be equipment itself, or it
can contain devices related to an equipment accident.