Safety of machinery - Emergency stop function - Principles for design
1 Scope
This document specifies functional requirements and design principles for the emergency stop function on machinery, independent of the type of energy used.
The requirements for this document apply to all machines, with exception to:
——machines where an emergency stop would not reduce the risk;
——hand-held or hand-operated machines.
It does not deal with functions such as reversal or limitation of motion, deflection of emissions (e.g. radiation, fluids), shielding, braking or disconnecting, which can be part of the emergency stop function.
Note: The requirements for the realization of the emergency stop function based on electrical/electronic technology are described in IEC 60204-1.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 15706-2012 Safety of machinery - General principles for design - Risk assessment and risk reduction (ISO 12100:2010, IDT)
ISO 4413 Hydraulic fluid power - General rules and safety requirements for systems and their components
ISO 4414 Pneumatic fluid power - General rules and safety requirements for systems and their components
ISO 13849-1 Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design
IEC 60204-1:2005 Safety of machinery - Electrical equipment of machines - Part 1: General requirements
IEC 60947-5-5:2005 Low-voltage switchgear and controlgear - Part 5-5: Control circuit devices and switching elements - Electrical emergency stop devices with mechanical latching function
IEC 62061 Safety of machinery - Functional safety of safety- related electrical, electronic and programmable electronic control systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 15706-2012 and the following apply.
3.1
emergency stop(E-stop)
emergency stop function
function which is intended to
——avert arising or reduce existing hazards to persons, damage to machinery or to work in progress, and;
——be initiated by a single human action.
[Source: GB/T 15706-2012, 3.40]
3.2
emergency stop equipment
safety related parts of a control system which perform the emergency stop function
Note: Typically emergency stop equipment is divided into input, processing and output elements.
3.3
emergency stop device
manually actuated control device used to initiate an emergency stop function
[Source: IEC 60947-5-5:2005, 3.2]
3.4
machine actuator
power mechanism of the machine used to effect motion
Note: Example of machine actuators are motor, solenoid, pneumatic or hydraulic cylinder.
3.5
safety function
function of a machine whose failure can result in an immediate increase of risk(s)
[Source: GB/T 15706-2012,3.30]
3.6
span of control of emergency stop device(s)
predetermined section of the machinery under control of specific emergency stop device(s)
3.7
protective shroud
mechanical measure provided to reduce the possibility of unintended actuation of an emergency stop device
3.8
emergency situation
hazardous situation needing to be urgently ended or averted
Note: An emergency situation can arise during normal operation of the machine (for example due to human interaction or as a result of external influences) or as a consequence of a malfunction or failure of any part of the machine.
[Source: GB/T 15706-2012, 3.38, modified]
3.9
operator control station
assembly of one or more control actuators fixed on the same panel or located in the same enclosure
Note: Actuator is a part of a device to which an external manual action is to be applied (see IEC 60204-1:2005, 3.1).
[Source: IEC 60204-1:2005, 3.13, modified]
4 Safety requirements
4.1 General
4.1.1 Emergency stop function
4.1.1.1 The purpose of the emergency stop function is to avert actual or impending emergency situations arising from the behaviour of persons or from an unexpected hazardous event.
The emergency stop function is to be initiated by a single human action.
4.1.1.2 The emergency stop function shall be available and operational at all times. It shall override all other functions and operations in all operating modes of the machine without impairing other protective functions (e.g. release of trapped persons, fire suppression).
When the emergency stop function is activated:
——it shall be maintained until it is manually reset;
——it shall not be possible for any start command to be effective on those operations stopped by the initiation of the emergency stop function.
The emergency stop function shall be reset by intentional human action. Resetting of the emergency stop function shall be operated by disengagement of an emergency stop device (see 4.1.4). The reset shall not initiate machine start up.
Note: The emergency stop function cannot be considered as measure of prevention of unexpected start up as described in GB/T 15706-2012.
4.1.1.3 The emergency stop function is a complementary protective measure and shall not be applied as a substitute for safeguarding measures and other functions or safety functions.
4.1.1.4 The emergency stop function shall not impair the effectiveness of other safety functions.
Note: For this purpose, it can be necessary to ensure the continuing operation of auxiliary equipment such as magnetic chucks or braking devices.
4.1.1.5 The emergency stop function shall be so designed, that after actuation of the emergency stop device, hazardous movements and operations of the machine are stopped in an appropriate manner, without creating additional hazards and without any further intervention.
Note: An "appropriate manner" can include:
——choice of an optimal deceleration rate taking into account the necessary design restraints of the machine;
——selection of the stop category (see 4.1.3);
——necessity for a predetermined shutdown sequence.
Depending on the machine and the specific risks, the emergency stop function can initiate other functions other than stopping to minimize the risk of harm (e.g. reversal or limitation of motion, rate of braking) which can be part of the emergency stop function but not dealt with in this Standard.
4.1.1.6 The emergency stop function shall be so designed that a decision to activate the emergency stop device does not require the consideration of the resultant effects.
4.1.2 Span of control of emergency stop device(s)
The span of control of each emergency stop device shall cover the whole machine. As an exception, a single span of control may not be appropriate when, for example, stopping all linked machinery could create additional hazards or unnecessarily affect production.
Each span of control can cover section(s) of a machine, an entire machine or a group of machines (see Figure 1).
Different spans of control may overlap.
The assignment of spans of control shall be determined taking into account the following:
a) the physical layout of the machine, based on the visible area of the machine;
b) the possibility to recognize hazardous situations (e.g. visibility, noise, odour);
c) any safety implications relating to the production process;
d) the foreseeable exposure to hazards;
e) the possible adjacent hazards.
4.1.2.1 More than one span of control can be applied, if the following requirements are met:
——the spans of control shall be clearly defined and identifiable;
——emergency stop devices shall be readily associated with the hazard requiring an emergency stop;
——the span of control of an emergency stop device shall be identifiable at the operating position of each emergency stop device (see also 4.1.1.6).
Note: The clear identification could be realized by pictogram or by the location itself. Reading text or instructions associated to the emergency stop device or requiring prior knowledge should be avoided.
Example: Such pictogram could be place next to an emergency stop device and would indicate the span of control of the device itself.
——actuation of an emergency stop device shall not create additional hazard(s) or increase the risk(s), in any span of control;
——actuation of an emergency stop device in one span of control shall not prevent the initiation of an emergency stop function in another span of control;
——information for use of the machine shall include information on the span of control of emergency stop device.
So far as practicable, emergency stop devices with different spans of control shall not be located near each other.
Key:
1——emergency stop device;
2——span of control;
3——section of machine or machine.
Figure 1 Examples demonstrating the concept of span of control
4.1.3 Stop categories
The emergency stop shall function in accordance with either of the following stop categories (see also IEC 60204-1). The relevant stop category shall be selected by the risk assessment.
Stop category 0
Stopping by immediate removal of power to the machine actuators.
Note 1: Additional braking can be necessary.
Examples of stop category 0 are:
——switching off the electrical power to the electric motor(s) of the machine by electromechanical switching devices;
——mechanical disconnection (declutching) between the hazardous elements and their machine actuator(s);
——blocking the fluid power supply to the hydraulic/pneumatic machine actuators;
——removing the power needed to generate a torque or force in an electrical motor using the Safe torque off (STO) function of a power drive system in accordance with IEC 61800-5-2.
Stop category 1
Stopping movements and operations with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved.
Examples of stop category 1 are:
——deceleration of motion then removal of the electrical power to the motor(s) when motion has ceased by electromechanical switching devices;
——using the Safe stop 1 (SS1) function of a power drive system in accordance with IEC 61800-5-2.
Note 2: For removal of power, it can be sufficient to remove the power needed to generate a torque or force. This can be achieved by declutching, disconnecting, switching off, or by electronic means (e.g. a Power Drive System (PDS) in accordance with IEC 61800-5-2), without necessarily performing isolation.
4.1.4 Disengagement (e.g. unlatching) of the emergency stop device
The effect of an activated emergency stop device shall be sustained until the actuator of the emergency stop device has been disengaged. This disengagement shall only be possible by an intentional human action on the device where the command has been initiated. The disengagement of the device shall not restart the machinery but only permit restarting.
The instructions for use of the machine shall state that, after actuation and before disengaging the device(s), the machinery shall be inspected in order to detect the reason for actuation.
Foreword I
Introduction III
1 Scope
2 Normative references
3 Terms and definitions
4 Safety requirements
4.1 General
4.2 Operating conditions, environmental influences
4.3 Emergency stop device
4.4 Use of wires or ropes as actuators
4.5 Prevention of unintended actuation of an emergency stop device
4.6 Portable operator control stations
Bibliography