Emergency Stop Pushbutton Design

If there are no safety concerns (for humans) whether the stop works or not when it is pushed, then it can be done as a stop button on an HMI. It can't be called an emergency stop though, but you can call it stop, quick stop, machine stop or something like that.

An Emergency Stop is not solely for humans; damage or reducing damage to plant / machinery is also included in its scope.
 
An Emergency Stop is not solely for humans; damage or reducing damage to plant / machinery is also included in its scope.

Not when it comes to what you need to have.

In UK/Europe there is the machinery directive and if you look at the EN 13849 standard you'll see that it's all about risk for the human and not the machine. EN 12100 covers the risk assessment and it's the same there.
 
Not when it comes to what you need to have.

In UK/Europe there is the machinery directive and if you look at the EN 13849 standard you'll see that it's all about risk for the human and not the machine. EN 12100 covers the risk assessment and it's the same there.

From EN ISO 13850:

According to EN ISO 13850 an emergency stop function is a function that is intended:
• to avert arising or to reduce existing hazards to persons, damage to machinery or to work in
progress;
• to be initiated by a single human action when the normal stopping function is inadequate for this
purpose.
Hazards for the purpose of this standard are those which may arise from:
• functional irregularities (malfunctioning of the machinery, unacceptable properties of the
processed material, human errors);
• normal operation.
 
From EN ISO 13850:

According to EN ISO 13850 an emergency stop function is a function that is intended:
• to avert arising or to reduce existing hazards to persons, damage to machinery or to work in
progress;
• to be initiated by a single human action when the normal stopping function is inadequate for this
purpose.
Hazards for the purpose of this standard are those which may arise from:
• functional irregularities (malfunctioning of the machinery, unacceptable properties of the
processed material, human errors);
• normal operation.

Yes, it's nice to have for those reasons, I agree, but it has nothing to do with what the e-stop (and other safety functions) must do - protect humans.

The risk assessment that determines what level of e-stop is needed and how safe it has to be is about human risk, not machines or equipment.

I'm sure you know this but the risk determines the Performance Level needed for the safety circuit.
 
Yes, it's nice to have for those reasons, I agree, but it has nothing to do with what the e-stop (and other safety functions) must do - protect humans.

The risk assessment that determines what level of e-stop is needed and how safe it has to be is about human risk, not machines or equipment.

I'm sure you know this but the risk determines the Performance Level needed for the safety circuit.

What he said!
Risk Assessment, Risk Assessment, Risk Assessment.

And it is my understanding most system integrators are not qualified to do it. The customer or OEM must do it. Then the SI or electrical designer can figure the necessary components and how to wire it.
 
Quick collection of recent references in this thread:

EN 13849 ... EN 12100

From EN ISO 13850


Here's the thing: If you look at each of those links/standards, they very clearly apply to safety of MACHINERY. Those links, and the discussion around them are excellent for the case where machinery is under discussion.

However: OP was clearly asking a question about PROCESS safety, which is covered under different standards. If you build a machine to a particular SIL then you might be following IEC 62061, which has "Safety of Machinery" (Functional safety) in the title. However, it has a sister standard, IEC 61511, for Process Safety (Safety Instrumented Systems). They are both industry-specific implementations of IEC 61508.

(Note: I don't claim to be an expert on standards, the specifics above just came from wikipedia)

I'm not nearly as familiar with the rules on the process side, it is possible that the term E Stop isn't as meaningful there. It's possible things are exactly the same. But if we're going to have a meaningful discussion, then we at least need to be doing it based on the right sources.
 
And what if the equipment needed to effect your version of an Emergency Stop is also compromised by the original need for the E-Stop. Now you need another E-Stop button to E-Stop the E-Stop sequence.

1) See my other post discussing the fact that Machine safety and Process safety are not the same thing.

2) The safety system should not be able to be compromised by the original need for the Estop. This is the whole point of having redundancy, doing a risk assessment for possible hazards, and designing a safety system that prevents/detects various possible faults.

In a simple Machine safety application, we do this with dual channel safety inputs (estops/lightcurtains/etc) and dual contactors on the motor. If either channel fails, the other channel is still there as backup.

In the process world, the safety system is often a parallel set of hardware intended for use only in an emergency. It means an extra valve to close off a pipe, or an extra pipe to carry off liquid if the first pipe gets clogged/broken/whatever. The valves are usually specifically selected to fail open or fail closed in the event of an event.
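The dual-channel arrangement described above (two e-stop contacts, two contactors, each channel backing up the other) only works if the logic also notices when one channel has silently failed. The following is an added illustrative model, not code from the original post and not any vendor's safety relay or safety PLC logic: it evaluates two e-stop channels with a discrepancy timer (cross-monitoring) and checks the contactors' mirror contacts before allowing a restart (external device monitoring, EDM). The scan time, discrepancy limit, and the fault-clearing rule are constructed assumptions for the example.

```python
"""Dual-channel e-stop evaluation with cross-monitoring and EDM (added example).

Illustrative simulation only; not PLC code. All timing constants are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCAN_MS = 10                  # assumed evaluation cycle
DISCREPANCY_LIMIT_MS = 500    # assumed max time the two channels may disagree


@dataclass
class EstopState:
    enabled: bool = False          # enable output to the two contactors
    fault: Optional[str] = None    # latched fault text, None when healthy
    discrepancy_ms: int = 0        # how long the channels have disagreed
    last_reset: bool = False       # previous reset-button sample (edge detection)


def scan(s: EstopState, ch1: bool, ch2: bool,
         k1_fb: bool, k2_fb: bool, reset: bool) -> EstopState:
    """One evaluation cycle.

    ch1, ch2     : True while the normally-closed e-stop contact is closed (not pressed)
    k1_fb, k2_fb : True while the contactor's NC mirror contact reports it dropped out
    reset        : manual reset pushbutton; only a rising edge acts
    """
    reset_edge = reset and not s.last_reset
    s.last_reset = reset

    # 0. Assumed recovery rule: a latched fault clears only when the e-stop is
    #    pressed fully (both channels open) and both contactors are proven dropped out.
    if s.fault and not ch1 and not ch2 and k1_fb and k2_fb:
        s.fault = None

    # 1. Any open channel removes the enable at once, whether or not a fault is latched.
    if not (ch1 and ch2):
        s.enabled = False

    # 2. Cross-monitoring: the channels must agree within the discrepancy time,
    #    otherwise a wiring fault or stuck contact is assumed and the fault latches.
    if ch1 != ch2:
        s.discrepancy_ms += SCAN_MS
        if s.discrepancy_ms > DISCREPANCY_LIMIT_MS and s.fault is None:
            s.fault = "channel discrepancy (wiring fault or stuck contact)"
    else:
        s.discrepancy_ms = 0

    # 3. Restart only on a deliberate reset edge with both channels closed, no latched
    #    fault, and both contactors proven dropped out (EDM) before energising them.
    if reset_edge and ch1 and ch2 and s.fault is None:
        if k1_fb and k2_fb:
            s.enabled = True
        else:
            s.fault = "EDM: contactor did not drop out (welded contact?)"
    return s


Step = Tuple[bool, bool, bool, bool, bool, int]   # ch1, ch2, k1_fb, k2_fb, reset, scans


def run(steps: List[Step]) -> List[Tuple[bool, Optional[str]]]:
    """Apply each step for the given number of scans; record (enabled, fault) after each."""
    s = EstopState()
    out = []
    for ch1, ch2, k1, k2, reset, scans in steps:
        for _ in range(scans):
            s = scan(s, ch1, ch2, k1, k2, reset)
        out.append((s.enabled, s.fault))
    return out


def demo() -> List[Tuple[bool, Optional[str]]]:
    """Constructed scenario: normal stop, a stuck channel, fault recovery, a welded contactor."""
    return run([
        (True,  True,  True,  True,  False, 1),   # power-up: healthy, waiting for reset
        (True,  True,  True,  True,  True,  1),   # reset edge -> enabled
        (True,  True,  False, False, False, 5),   # running, contactors pulled in
        (True,  False, False, False, False, 1),   # ch2 opens first -> enable dropped at once
        (False, False, True,  True,  False, 3),   # both open, contactors dropped out
        (True,  True,  True,  True,  False, 1),   # released: no automatic restart
        (True,  True,  True,  True,  True,  1),   # reset edge -> enabled again
        (True,  False, True,  True,  False, 60),  # ch2 stuck open 600 ms -> discrepancy fault
        (True,  True,  True,  True,  True,  1),   # reset with latched fault is refused
        (False, False, True,  True,  False, 1),   # press fully -> fault clears
        (True,  True,  True,  True,  True,  1),   # reset edge -> enabled
        (False, False, False, True,  False, 1),   # pressed, but K1 feedback says still pulled in
        (True,  True,  False, True,  True,  1),   # reset -> EDM fault, stays disabled
    ])


if __name__ == "__main__":
    for i, (enabled, fault) in enumerate(demo(), 1):
        print(f"step {i:2d}: enabled={enabled!s:5} fault={fault}")
```

The two properties worth noticing are that the enable is removed on the first scan in which either channel opens (the fault detection never delays the stop), and that the discrepancy and EDM checks only ever block the restart, which is where a hidden single fault would otherwise turn a redundant circuit into a single-channel one.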
 
And what if the equipment needed to effect your version of an Emergency Stop is also compromised by the original need for the E-Stop. Now you need another E-Stop button to E-Stop the E-Stop sequence.

Read that wiki definition again, and be totally clear that what you are describing is not an "Emergency Stop".

You are describing a "Safe Stop", or "Process Stop", or "Shutdown Stop", or call it whatever you like, but don't call it an "Emergency Stop" if it doesn't stop everything and cut power, nor should it be the standard Red (Yellow Background) button intended as an Emergency Stop, or "Kill Switch".

Here's some further reading ....

A Rockwell White Paper
Wikipedia article
Machinery Safety
What designers need to know

... and thousands more.

I think you might be missing an often overlooked bit of text usually found in these standards.

For Example NFPA 79 9.2.5.4.1.1 emphasis mine:

In addition to requirements for stop, the emergency stop shall have the following requirements:
(1) It shall override all other functions and operations in all modes.
(2) Power to machine actuators, which cause a hazardous condition(s), shall be removed as quickly as possible without creating other hazards

It even says it in your links:

An emergency stop needs to put the machine in the safest possible state, and sometimes that means cutting all power, and sometimes it doesn't. Ultimately a risk assessment will lead the way.
 
An emergency stop needs to put the machine in the safest possible state, and sometimes that means cutting all power, and sometimes it doesn't. Ultimately a risk assessment will lead the way.

Well said
 
OSHA has a nifty pamphlet called "Safeguarding Equipment and Protecting Employees from Amputation" that details machine safeguard devices and emergency stop devices.

It's hard for a guy getting pulled into a conveyor belt to go over to the HMI and hit the stop button, but if he trips the e-stop cable pull that runs the length of the belt he'll only get in trouble, maybe fired, not killed in gruesome fashion.

There are a lot of regulations defining the who/what/where/why/how of e-stops. Not knowing the process involved in this case its hard to say, is it a mixing vat, a conveyor belt, a press, rotating machinery.... there is a lot that goes into e-stops and satisfying local, state, and federal regs.
 
1) See my other post discussing the fact that Machine safety and Process safety are not the same thing.

I did also try to make that point because it's important.

OP says specialty chemical industry and almost all process industry I've done projects in have both machine safety and process safety to consider. That's because some parts are machines and have to be regarded as such when it comes to safety, while the rest is some kind of process and has other safety concerns.

So just because it's chemical industry we don't know what kind of safety we need to consider. In large plants where I've worked that involves things like extreme temperatures, highly corrosive or explosive media, process control equipment is not involved in the safety aspects at all. Because of its complexity, PLCs would usually only handle machines and DCS systems would be used for all process control, and there would be a separate safety system that makes sure non-safe situations are prevented regardless of what the control systems or operator tries to do.

I just doubt that it's that kind of safety the OP is asking about. Maybe it's just an e-stop for some mixers, pumps or similar type of equipment.
 
Some people have not grasped the concept of "AN EMERGENCY STOP"

In an emergency, it is required to kill all power to the field devices. It might be your co-worker being electrocuted, it might be your co-worker being mangled by a machine. It might be your co-worker being sprayed with hazardous chemicals, and so on...

At the time of the event you just need to know that that red button kills everything... motive power, electrical power, etc.

If anything else needs protecting, that must be provided by a backup safety strategy, which will obviously be different for different scenarios. The most important thing that an Emergency Stop does is to totally "disconnect" the field from the devices controlling it, putting absolutely everything into the most safe state the system designers could envisage.

You must never, ever, rely on the "control system" to put the system into a safe state. Emergency Stops must never be intended to cause a controller to instigate a "safe shut-down". It could be the controller itself that has suffered a traumatic condition, such that it cannot be relied upon to perform that "safe-shutdown" safely.

As a system designer it is your responsibility to protect human life first of all. If that goes beyond your scope as a PLC programmer, then you have missed the obvious, and important, point of E-Stops.

We can play bat and ball with this 'til the cows come home, but just imagine that your processor faults or dies, removing outputs.... That is the situation you would be in if an E-Stop is actuated.... The plant designers have to deal with that eventuality.
 
An emergency stop needs to put the machine in the safest possible state, and sometimes that means cutting all power, and sometimes it doesn't. Ultimately a risk assessment will lead the way.

I disagree, it might be the electrical power causing the need for someone to "Emergency Stop"....
 
@Daba, Some of what you say is true and some used to be true but isn't anymore.

"Control system" is ambiguous because nowadays we have safety PLCs that can do both the actual control and the safety functions that safety relays used to do.

So someone could say let's handle the emergency stop in PLC but that would today imply the safety part of the PLC. But it used to mean you didn't know what you were talking about because a standard PLC isn't suitable for safety at all.

And cutting all the power on the e-stop used to be standard but isn't anymore for several reasons. For instance a VFD with STO (safe torque off) means that the motor can't turn when STO is activated. It's just as safe as double contactors but it doesn't cut the power to the drive and it doesn't cut all power to the motor.

Then there is the fact that it's quicker to stop a motor with a VFD than it is by removing the power. That's a category 1 emergency stop. So if you have a big cutting saw it's safer for humans to first stop the saw and then turn it off.

Electrical hazards are not usually what the emergency stop is for. That's why it's not allowed to just use the emergency stop to perform electrical work on something. You have to cut the power and measure that it is off. Lock-out tag-out procedure is also used extensively.

A couple of years ago I felt that I wasn't fully aware of all new standards and safety implications. So I took extensive training on the subject to get up to speed again. I recommend that to everybody.

For machines in Europe it's the machinery directive that is signed into every country's law. There are tons of standards but the primary ones are EN 60204-1 for electrical stuff, EN 13849 for safety components, EN 12100 for risk assessment.

There used to be EN 951 that was simple to use but it was replaced on 1 Jan 2012 by EN 13849, which requires calculations to be performed when designing every safety function. I've met a lot of EEs that don't have a clue about current regulation and are essentially breaking the law.
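The post above describes a category 1 emergency stop: the drive brings the motor to a controlled stop first, and only then is the power (or torque, via STO) removed. The piece a practitioner has to get right is that the second step must not depend on the drive actually decelerating, since a faulty drive is one of the things the e-stop has to cope with. The model below is an added example, not code from the original post or from any drive vendor: a small state machine that asserts STO when standstill is detected or, failing that, when a supervised maximum stopping time has elapsed. The standstill threshold, time limit, and the sample speed profiles are constructed assumptions.

```python
"""Category 1 stop with a supervised ramp-down time (added illustrative model).

Not drive firmware or safety PLC code; constants and speed profiles are assumptions.
"""
from enum import Enum
from typing import List, Optional, Tuple

MAX_STOP_TIME_MS = 2000   # assumed: STO is forced no later than this after the stop demand
STANDSTILL_RPM = 5.0      # assumed: at or below this speed the motor counts as stopped


class Stop(Enum):
    CONTROLLED_STOP = "controlled_stop"   # drive ramping down, torque still enabled
    SAFE_TORQUE_OFF = "safe_torque_off"   # STO asserted; the motor cannot produce torque


def category1_stop(speeds_rpm: List[float], dt_ms: int = 100) -> Tuple[List[Stop], Optional[int]]:
    """Evaluate the stop sequence over speed samples taken after the e-stop demand.

    Returns the state after each sample and the elapsed time (ms) at which STO was
    asserted, or None if the samples ended before STO (caller treats that as a failure).
    """
    state = Stop.CONTROLLED_STOP
    states: List[Stop] = []
    sto_at: Optional[int] = None
    elapsed = 0
    for rpm in speeds_rpm:
        if state is Stop.CONTROLLED_STOP:
            # Either exit condition is sufficient; the time limit is the safety net
            # for a drive that never reaches standstill (stalled ramp, lost feedback).
            if rpm <= STANDSTILL_RPM or elapsed >= MAX_STOP_TIME_MS:
                state = Stop.SAFE_TORQUE_OFF
                sto_at = elapsed
        states.append(state)
        elapsed += dt_ms
    return states, sto_at


def ramp_profile(start_rpm: float, decel_rpm_per_s: float,
                 dt_ms: int, n_samples: int) -> List[float]:
    """Constructed speed samples for a drive decelerating linearly, floored at zero."""
    step = decel_rpm_per_s * dt_ms / 1000.0
    return [max(0.0, start_rpm - step * i) for i in range(n_samples)]


def healthy_drive() -> Optional[int]:
    """Drive ramps 1500 rpm down at 2500 rpm/s: standstill reached, STO follows at once."""
    _, sto_at = category1_stop(ramp_profile(1500.0, 2500.0, 100, 30), dt_ms=100)
    return sto_at


def stalled_drive() -> Optional[int]:
    """Drive never decelerates: the supervised time limit forces STO instead."""
    _, sto_at = category1_stop(ramp_profile(1500.0, 0.0, 100, 30), dt_ms=100)
    return sto_at


if __name__ == "__main__":
    print("healthy drive: STO asserted at", healthy_drive(), "ms")
    print("stalled drive: STO asserted at", stalled_drive(), "ms")
```

A category 0 stop is the degenerate case of the same machine with the time limit set to zero: STO on the first scan, with the motor coasting or mechanically braked from full speed, which is exactly the trade-off the post makes for the cutting saw.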
 
In an emergency, it is required to kill all power to the field devices.

Which standard are you referencing? "field device" is a pretty ambiguous term to me, does that include sensors?

I disagree, it might be the electrical power causing the need for someone to "Emergency Stop"....

I essentially said it depends on the machine, I'm not sure what you mean by this.

For example, fume exhaust blowers are something we typically don't kill power to in my industry.
 