Safety of Machinery – Over complicating emergency stop design

In the design of an emergency stop device or function, there are always arguments about how to implement it. Many people argue without any basis at all. This makes the design more complicated and delays delivery, particularly in brown-field scenarios.

A few years back, I was again involved in this situation. It was only a matter of what to call a mushroom-head latch button to avoid breaking the law. This was only flagged during the constructability review, not during the design review process. The law states that emergency stops need to have a risk assessment. We did not have one, so what was the solution? We called it a ‘latched stop’. We got away with skipping the long process of risk assessment. The functionality remains the same anyway.

ISO 13850:2008 – Safety of machinery – Emergency stop – Principles for design defines the terms emergency stop and emergency stop function as:

emergency stop
emergency stop function

function that is intended to
– avert arising, or reduce existing, hazards to persons, damage to machinery or to work in progress,
– be initiated by a single human action

NOTE 1 Hazards, for the purposes of this International Standard, are those which can arise from
– functional irregularities (e.g. machinery malfunction, unacceptable properties of the material processed, human error),
– normal operation.

The emergency stop function shall be designed according to the risk assessment.

4.1.3 The emergency stop function shall be so designed that, after actuation of the emergency stop actuator, hazardous movements and operations of the machine are stopped in an appropriate manner, without creating additional hazards and without any further intervention by any person, according to the risk assessment.

An “appropriate manner” can include
– choice of an optimal deceleration rate,
– selection of the stop category (see 4.1.4), and
– employment of a predetermined shutdown sequence.

The emergency stop function shall be so designed that a decision to use the emergency stop device does not require the machine operator to consider the resultant effects.

Categories of emergency stop functions.

4.1.4 The emergency stop shall function in accordance with either of the following stop categories.

Stop category 0
Stopping by means of
– immediate removal of power to the machine actuator(s), or
– mechanical disconnection (declutching) between the hazardous elements and their machine actuator(s) and, if necessary, braking.

Stop category 1
A controlled stop with power to the machine actuator(s) available to achieve the stop and then removal of power when the stop is achieved.

Examples of the removal of power include
– switching off the electrical power to the electric motor(s) of the machine,
– declutching the movable elements of the machine from the source of mechanical energy, and
– blocking the fluid power supply to the hydraulic/pneumatic machine actuators of the machine.
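The practical difference between the two categories is when power is removed relative to when motion stops: in category 0 the power goes first and braking or coasting finishes the job; in category 1 the drive keeps power so it can decelerate under control, and power is removed only once the stop is achieved. The following is an added example, not code from the page or from ISO 13850: a small simulation of one machine actuator under each category, plus a check that a recorded stop matches the category it claims. The motor model, the deceleration figures and the `conforms_to_category` check are assumptions made for illustration; the standard prescribes none of them and leaves the choice of category to the risk assessment.

```python
# Added example (not from the page or from ISO 13850): simulation of stop
# categories 0 and 1 for a single machine actuator. Motor model, deceleration
# figures and the conformance check are illustrative assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple

Sample = Tuple[int, float, bool]  # (time step, speed, power available to actuator)


@dataclass
class Actuator:
    speed: float                      # arbitrary units; 0.0 means stopped
    power_available: bool = True      # power to the machine actuator
    log: List[Sample] = field(default_factory=list)

    def record(self, t: int) -> None:
        self.log.append((t, self.speed, self.power_available))


def stop_category_0(act: Actuator, brake_decel: float) -> int:
    """Stop category 0: power to the actuator is removed immediately; the
    remaining motion is taken out by braking/coasting with no power available."""
    t = 0
    act.power_available = False                      # immediate removal of power
    act.record(t)
    while act.speed > 0.0:
        act.speed = max(0.0, act.speed - brake_decel)  # assumed mechanical brake
        t += 1
        act.record(t)
    return t


def stop_category_1(act: Actuator, controlled_decel: float) -> int:
    """Stop category 1: controlled stop with power kept available so the drive
    can decelerate, then removal of power once the stop is achieved."""
    t = 0
    act.record(t)
    while act.speed > 0.0:
        act.speed = max(0.0, act.speed - controlled_decel)  # drive-controlled ramp
        t += 1
        if act.speed == 0.0:
            act.power_available = False  # removed only after the stop is achieved
        act.record(t)
    return t


def emergency_stop(act: Actuator, category: int, decel: float) -> int:
    """One call models the single human action: the whole predetermined shutdown
    sequence runs to completion with no further intervention. The category is an
    input because the standard leaves its selection to the risk assessment."""
    if category == 0:
        return stop_category_0(act, decel)
    if category == 1:
        return stop_category_1(act, decel)
    raise ValueError("ISO 13850 defines only stop categories 0 and 1")


def mislabelled_category_1(act: Actuator, decel: float) -> int:
    """A stop sold as 'category 1' that cuts power before ramping down. It is
    really a category 0 stop; conforms_to_category() flags the mismatch."""
    act.power_available = False
    return stop_category_1(act, decel)


def conforms_to_category(log: List[Sample], category: int) -> bool:
    """Assumed check against the quoted definitions: both categories must end
    stopped with power removed; category 0 must have power removed in every
    sample; category 1 must keep power available while the actuator still moves."""
    if not log:
        return False
    _, final_speed, final_power = log[-1]
    if final_speed != 0.0 or final_power:
        return False
    if category == 0:
        return all(not power for _, _, power in log)
    if category == 1:
        return all(power for _, speed, power in log if speed > 0.0)
    return False


if __name__ == "__main__":
    for cat, decel in ((0, 5.0), (1, 2.0)):
        act = Actuator(speed=10.0)
        steps = emergency_stop(act, cat, decel)
        print(f"category {cat}: stopped in {steps} steps, "
              f"conforms={conforms_to_category(act.log, cat)}")
        for t, speed, power in act.log:
            print(f"  t={t} speed={speed:.1f} power_available={power}")
```

The check is deliberately strict about the one thing that distinguishes the categories, the power state while the actuator is still moving, because that is exactly what a renamed or mis-documented stop function hides when the category is never fixed by a risk assessment.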

Risk analysis provides the information required for the risk evaluation to determine whether or not risk reduction is required. The decision shall be supported by a qualitative or quantitative estimate of the risk associated with the hazards present on the machinery. A quantitative approach is preferred when useful data are available; otherwise a qualitative approach can be used. In many applications only qualitative risk estimation will be possible. The risk assessment is required to be documented.