Emergency stop requirements

S'mise

Senior Member
Location
Michigan
What power does the emergency circuit need to isolate?
I am working in a European machine that keeps PLC outputs to circuits like pneumatic valves and line power to frequency drives.

What does NFPA 79 say?
 

SceneryDriver

Senior Member
Location
New York, NY
You'd need to provide a lot more info regarding the pneumatic valves and how they're wired (probably a schematic) to figure out if what the machine builder is doing is OK. It also has a great deal to do with what those cylinders are doing, and what risk they pose. There's a chance that turning off the valves / dropping air pressure to the cylinders actually may increase the hazard. Only a risk assessment will tell.

As for the VFDs remaining powered, almost all decent VFDs use Safe Torque Off inputs these days, and do not require line power to be removed. Doing so may actually damage the VFDs over time. Further, depending on how the E-stop system is designed, it may rely on the VFDs to actively decelerate the load before stopping (CAT1 E-stop) vs allowing the loads to coast to a stop (CAT0 E-stop). Again, only a risk assessment will tell.


SceneryDriver
 

S'mise

Senior Member
Location
Michigan
Thank you SceneryDriver.
There's no obvious hazard, but in my experience e-stop circuits should kill power to PLC outputs and anything that controls motion.

What you say about killing power to drives makes sense but I've also seen my share of runaway drives.
I like to think when I hit the e-stop and put my lock on it, powered circuits are disabled.
 
> I like to think when I hit the e-stop and put my lock on it, powered circuits are disabled.

E-stop should not be used for LOTO, that's what disconnects are for. SceneryDriver mentions safe torque off (STO) and while the STO circuit will safely remove power to the motor, it will not isolate power to the drive, so you would be safe from the motion hazard but not necessarily the electrical, depending on what part of the system you're working on.
 

SceneryDriver

Senior Member
Location
New York, NY
> Thank you SceneryDriver.
> There's no obvious hazard, but in my experience e-stop circuits should kill power to PLC outputs and anything that controls motion.
>
> What you say about killing power to drives makes sense but I've also seen my share of runaway drives.
> I like to think when I hit the e-stop and put my lock on it, powered circuits are disabled.

The STO inputs on VFDs physically disconnect the drive circuitry from the IGBT output transistors. IF STO is off, there can be no power to the motor, and thus no motion. You are not electrically isolated though so beware, depending on what part of the machine you're working on.

*** DO NOT USE EMERGENCY STOPS AS LOTO!!! ***

I think I said that loudly enough.


SceneryDriver
 

petersonra

Senior Member
Location
Northern illinois
Occupation
engineer
Safe torque off only stops the gate circuits from firing the output semiconductors so there is no way that torque can be generated. You can still have voltage there though. But the motor can't develop torque.

A risk assessment is an important part of determining just what you need to do as far as e-stops go. Generally they can't be used as a substitute for normal lockout tag out functions. Most times, when you hit the eStop it is expected that motion will stop and won't restart until you reset. That means that not only do you have to remove electrical power but you also need to vent hydraulic and pneumatic circuits, along with stopping drives. You may also have to lock vertical axes in some way so they can't move because of the force of gravity. Even things like springs have to be considered. As do things like electric heaters. It is something that you have to think about very carefully as part of your risk assessment.

Having said that, I personally think that most people go way overboard with e-stop circuits.
 

S'mise

Senior Member
Location
Michigan
I understand e-stops can't be fully trusted for LOTO, but it's common practice in many circumstances, at least where I'm at.
In fact, most e-stop buttons on machinery here are designed with a loop to accept a hasp and lock.

If I had to position myself in a potentially dangerous situation, I would certainly turn off the main disconnect or at least isolate power nearby. But honestly, for many simple tasks like adjusting a switch, it's often not feasible to shut off the main disconnect.
To recover some machines from a full power down can often take considerable time with the risk of damaging (as you mentioned) VFDs or other electronics.

Again, I get that emergency circuits can't always be trusted but I always thought power supplying PLC outputs should be removed provided it doesn't cause an additional hazard.

I guess that's not the case.
 

petersonra

Senior Member
Location
Northern illinois
Occupation
engineer
> Again, I get that emergency circuits can't always be trusted but I always thought power supplying PLC outputs should be removed provided it doesn't cause an additional hazard.
>
> I guess that's not the case.

It may not ALWAYS be the case. For instance, there is no reason to remove power from PLC outputs that only energize indicator lights. In fact, there may well be very good reasons not to do so.

There may also be no reason to de-energize PLC outputs that control motors IF the estop itself removes power from the motors.

Normally it is easier to disable most or all PLC outputs just kind of on general principles but it is not always required.

The important thing is that when the e-stop is pressed, hazardous motion stops. And keep in mind that normal control circuits are not safety circuits. The output that controls a motor starter is not controlling a safety circuit.
 

paulengr

Senior Member
> I understand e-stops can't be fully trusted for LOTO, but it's common practice in many circumstances, at least where I'm at.
> In fact, most e-stop buttons on machinery here are designed with a loop to accept a hasp and lock.
>
> If I had to position myself in a potentially dangerous situation, I would certainly turn off the main disconnect or at least isolate power nearby. But honestly, for many simple tasks like adjusting a switch, it's often not feasible to shut off the main disconnect.
> To recover some machines from a full power down can often take considerable time with the risk of damaging (as you mentioned) VFDs or other electronics.
>
> Again, I get that emergency circuits can't always be trusted but I always thought power supplying PLC outputs should be removed provided it doesn't cause an additional hazard.
>
> I guess that's not the case.

Let’s be clear here. Assuming this is US jurisdiction (others may be different) there are quite literally over a dozen “LOTO” regulations put out by OSHA. Most people are familiar with 1910.147 and a lot assume that this is THE LOTO regulation but it’s not. This section requires that you physically disconnect or discharge all energy sources. Disconnecting control power is not enough. The reason is for instance I could (stupidly) jumper out your lock. I have to do this sometimes for electrical testing and it’s far easier to disable controls than most people realize.

Sub chapter O for production really just requires risk assessments and a procedure. You could lock out controls and that’s what safe torque off is all about.

Sub chapter S is the most familiar “electrical” lockout. This is the only regulation that limits and restricts energized work. It requires 147 style lockout plus testing for absence of voltage and sometimes grounding.

1910.269 is for utilities and has 4 different LOTO rules. No restrictions on energized work. One of them only requires tags (no locks).

1926 (construction) only requires tags, no locks. It consists of just 2 sentences.

Don’t forget for instance batteries...you can’t turn off power and substation (125 VDC) batteries don’t commonly have disconnects and there is no physical way to kill power.

So locking out control power or even the requirement for lockout even within the US depends on what you are working on and where you are and the type of work.

Aside from that keep in mind that OSHA ONLY requires E Stops for a type of metal forming press. There are rules for how to handle E Stops if you have them but no requirement for them. Here is the issue speaking from a safety engineering point of view. Tons of research has shown that under non emergency situations human error rates tend to be roughly 10%. Under emergency conditions this jumps to 40%. Human error rates are so abysmal they are unreliable for much of anything so E Stops are all but a waste of time. Second issue is that they are abused by management. One use is a catch all...if anything we haven’t thought of happens, use the E Stop. Obviously that just says you didn’t do a proper risk assessment. Even worse is using the E Stop in lieu of ANY risk assessment...if anything goes wrong we just make the operator responsible. Remember...40% error rate. In my mind it’s better to take E Stops off the table and from a safety point of view I treat them as an afterthought. In 30 years of industrial engineering I’ve seen an E stop used as it is intended successfully exactly one time to stop a DC motor that took off as it went into over speed and almost took down a 300 foot long crane boom. That is hardly what I would consider a justification for the hundreds of others where they are used improperly or not at all.
 

S'mise

Senior Member
Location
Michigan
Thank you for shedding light on the subject.

I've been at this nearly 30 years myself and never fully understood some of the rules regarding it.
Reading the various and varying safety documents can be confusing and usually quite boring.

To add to the confusion, machinery built and approved to EU standards is often signed off and deemed compliant here in USA despite having different rules on safety. For instance disconnecting neutral in a disconnect.

As for emergency circuits, following JIC and NFPA 79 rules over the years I've come to expect seeing a master relay that will drop out any motion devices.
More recently they have safety relays (like Pilz) to take their place but they act the same way.

My original question was regarding a machine that leaves power to pneumatic valves after estop is activated (that doesn't pose a threat to de-energize).

So I guess the short answer is it's allowed.
But to me that's a poor design even if the air is disconnected to machine.

Doesn't it seem counterintuitive for manufacturers to make e-stop buttons with a mechanical slide to accept a lock if it isn't allowed for LOTO?
 

SceneryDriver

Senior Member
Location
New York, NY
> Thank you for shedding light on the subject.
>
> I've been at this nearly 30 years myself and never fully understood some of the rules regarding it.
> Reading the various and varying safety documents can be confusing and usually quite boring.
>
> To add to the confusion, machinery built and approved to EU standards is often signed off and deemed compliant here in USA despite having different rules on safety. For instance disconnecting neutral in a disconnect.
>
> As for emergency circuits, following JIC and NFPA 79 rules over the years I've come to expect seeing a master relay that will drop out any motion devices.
> More recently they have safety relays (like Pilz) to take their place but they act the same way.
>
> My original question was regarding a machine that leaves power to pneumatic valves after estop is activated (that doesn't pose a threat to de-energize).
>
> So I guess the short answer is it's allowed.
> But to me that's a poor design even if the air is disconnected to machine.
>
> Doesn't it seem counterintuitive for manufacturers to make e-stop buttons with a mechanical slide to accept a lock if it isn't allowed for LOTO?

It's perfectly acceptable to open the neutral in a disconnect, as long as all phase conductors are simultaneously opened as well. It is in fact a requirement to do so for power that serves certain devices; gas station fuel pumps, for instance.

You can't use an E-stop for LOTO because while it (should) inhibit motion and/or put the machine into a safe state, it does not necessarily remove power source(s) from the machine. LOTO is concerned with removing sources of power that may injure a worker servicing the equipment. As for the E-stops with locations for LOTO, it doesn't matter - they're not acceptable per OSHA for LOTO.


SceneryDriver
 

S'mise

Senior Member
Location
Michigan
Ah, good catch SceneryDriver. I forgot about the exception to 404.2b. Although having witnessed failed contacts in disconnect switches, I'm still not sure it's wise in unclassified locations.

As for the use of e-stop circuits; I will be more careful and certainly not use it for LOTO.

In fact I need to have a discussion with safety department because I know people who do just that.

Regards, John
 