Safety · E-Stop · IEC 60947-5-5

Emergency Stop Circuit Design

⚙ Safety

The emergency stop (E-stop) circuit is the safety function that brings an industrial machine to a safe state as quickly as possible when an operator identifies a hazard. In industrial machine design an E-stop is not just a red mushroom button wired to a coil: it is a safety function with a defined stop category (0 or 1 under IEC 60204-1), a required Performance Level (typically PLc or PLd under ISO 13849-1), a designated circuit architecture (Category 1, 3 or 4), and a documented validation test. A non-compliant E-stop circuit is among the most frequently cited non-conformities in CE technical file audits and a common reason for Machinery Directive rejection.

Where this is used in real machines
  • SPMs with rotating or moving hazards: E-stop buttons at each operator station and at each machine access point, wired in series through a safety relay that de-energises all motion contactors and hydraulic/pneumatic supply valves on actuation.
  • Multi-station assembly lines: Zone-based E-stop architecture where each station has an independent E-stop zone with its own safety relay, preventing a single operator E-stop from stopping the entire line unless a safety-rated E-stop bus is used.
  • Collaborative zones: Light curtains and safety mats that initiate a safety-rated stop in addition to the manual E-stop buttons, wired into the same safety relay architecture (typically on their own monitored inputs so the cause of a stop stays diagnosable) and achieving the PLr determined for that hazard. Note that IEC 60204-1 defines the E-stop itself as a manually initiated function; the sensors are safeguarding devices with a stop function, not E-stop devices.
  • Machines with long stopping distances: Stop Category 1 E-stop, where a controlled stop (VFD or servo deceleration) is performed before power is removed — requiring a safety relay with a timed output or a safety PLC with controlled stop logic.
Technical context

E-stop design is governed by IEC 60947-5-5 (E-stop device requirements), IEC 60204-1 (electrical equipment of machines, including the stop categories) and ISO 13849-1 (safety function reliability). Stop categories per IEC 60204-1: Category 0 — immediate removal of power to the machine actuators (uncontrolled stop); Category 1 — controlled stop with power available to the actuators to achieve the stop, then removal of power once standstill is reached; Category 2 — controlled stop with power left available to the actuators. IEC 60204-1 permits the emergency stop function to operate only as Category 0 or Category 1; Category 2 is not allowed for E-stop, which is why a drive's ordinary ramp-stop is never by itself an E-stop. The E-stop circuit architecture must achieve the PLr determined by the risk assessment. For most SPMs, PLc is the minimum; it can be reached with a single-channel Category 1 circuit built from well-tried components with high MTTFd (no diagnostics), or more robustly with a dual-channel Category 3 circuit. Machines with irreversible injury risk require PLd (Category 3 with high MTTFd, or medium MTTFd combined with medium DCavg) or PLe (normally Category 4: dual-channel, high MTTFd and high DCavg). Safety relay selection: dual-channel monitored safety relays (e.g., Pilz PNOZ, Schmersal SRB, Siemens 3SK) detect an open circuit or cable break on either channel, discrepancy between the two channels (one contact opening while the other stays closed beyond the configured discrepancy time), cross-shorts between channels where pulsed test outputs are used, and, through the monitored feedback loop, welded contacts in the downstream contactors. These diagnostics are what raise DCavg to the level Category 3 and 4 architectures require. The safety relay output contacts must remove the hazardous energy through safety-rated means (safety contactors with mirror contacts, or the STO input of the drive), not via a standard PLC output, which is not rated as a safety-grade interruption device.

Common mistakes engineers make
⚠  Engineer Errors — What Goes Wrong
  • Wiring the E-stop button through a standard PLC digital input and relying on a PLC program output to stop the machine — this is not a hardware safety function. A standard PLC is not a safety-rated logic solver, so the circuit is Category B at best and cannot reach PLc or above.
  • Using a single-channel E-stop circuit (one wire from button to relay) for a machine that requires PLd — a single-channel Category 1 circuit cannot exceed PLc, because a single wiring fault (a broken wire or a welded contact) can prevent the safety function from operating and nothing detects it.
  • Installing an E-stop button that is not IEC 60947-5-5 compliant (no direct opening action, no mechanical latching, or not a red actuator on a yellow background) — non-compliant devices are a CE certification failure.
  • Not validating the E-stop response time against the stopping distance — if the machine cannot stop within the safety distance before an operator can reach the hazard zone, the E-stop is not effective regardless of PLr.
  • Failing to document the E-stop safety function in the CE technical file — the machine may function correctly but cannot be certified without a written safety function specification, architecture diagram, and PL calculation.
How engineers currently solve this
1  Define E-stop zones and stop category
Identify all operator stations and access points. Determine whether stop Category 0 or Category 1 is appropriate for each machine motion (IEC 60204-1 permits only these two for the emergency stop function).
2  Determine PLr from risk assessment
Using the ISO 13849-1 Annex A risk graph: assess severity (S), frequency or exposure (F), and possibility of avoidance (P) for each hazard the E-stop covers. PLr is typically PLc or PLd for industrial machines.
3  Select safety relay and architecture
Choose a dual-channel monitored safety relay. Select Category 3 or 4 architecture based on PLr. Take B10d values for E-stop buttons and contactors from the manufacturer datasheets and convert them to MTTFd using the expected number of operations per year (ISO 13849-1 Annex C).
4  Design and draw the E-stop circuit
Draw the full E-stop circuit in the electrical schematic: buttons in series (both NC contacts, one per channel), safety relay input channels, monitored feedback loop through the contactor mirror contacts, output contacts wiring to safety contactors or drive STO inputs.
5  Calculate PL achieved
Use SISTEMA or a manual ISO 13849-1 calculation: Category + MTTFd + DCavg (plus a CCF score of at least 65 for Category 2 and above) → PL. Verify PL ≥ PLr. Document in the safety function data sheet.
6  Validate and document
Test: actuate each E-stop button, verify the machine stops within the declared time, verify the safety relay output de-energises, verify a manual reset is required to restart. Inject single faults (open one channel at a time, hold a contactor closed) and confirm the relay detects them and refuses to reset. Record results. Include in the CE technical file.
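The calculation in steps 3 and 5, and the Category/MTTFd/DCavg combinations quoted in the technical context above, carried through as an added worked example in Python. This is editorial example code, not ClusterVise output and not code from the page's author. It converts datasheet B10d values to MTTFd, computes channel MTTFd and DCavg for a dual-channel Category 3 E-stop with two monitored safety contactors, checks the CCF precondition, and looks the result up in the ISO 13849-1:2015 simplified table (Table 7). The B10d figures, cycle rates, DC claims, CCF score and the relay's PL are constructed for illustration and must be replaced with the real datasheet and risk-assessment values. It also evaluates the same hardware as a single-channel Category 1 circuit, which shows the PLc ceiling the "common mistakes" list refers to.

```python
"""ISO 13849-1 simplified-method PL estimate for an E-stop circuit.

Editorial worked example, not code from this page and not ClusterVise output.
Bands and the Category/DCavg/MTTFd -> PL lookup follow ISO 13849-1:2015
(Table 7, Annexes C, E, F). Component figures in estop_example() are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MTTFD_CAP_YEARS = 100.0  # per-channel cap in ISO 13849-1:2015 (2023 edition relaxes it for Cat 4)
CCF_MIN_SCORE = 65       # Annex F: Cat 2, 3 and 4 need a CCF score of at least 65


@dataclass
class Component:
    name: str
    mttfd: float  # years (Annex C)
    dc: float     # diagnostic coverage 0.0..1.0 (Annex E)


def mttfd_from_b10d(b10d: float, dop: float, hop: float, tcycle_s: float) -> float:
    """Annex C: nop = dop * hop * 3600 / tcycle;  MTTFd = B10d / (0.1 * nop)."""
    nop = dop * hop * 3600.0 / tcycle_s  # mean operations per year
    return b10d / (0.1 * nop)


def channel_mttfd(parts: list[Component]) -> float:
    """Parts-count method for one channel: 1/MTTFd = sum(1/MTTFd_i), then capped.
    (Two channels with different MTTFd need the Annex D.2 symmetrisation instead.)"""
    return min(MTTFD_CAP_YEARS, 1.0 / sum(1.0 / p.mttfd for p in parts))


def dc_avg(parts: list[Component]) -> float:
    """Annex E: DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    return sum(p.dc / p.mttfd for p in parts) / sum(1.0 / p.mttfd for p in parts)


def mttfd_band(m: float) -> Optional[str]:
    """low: 3-10 y, medium: 10-30 y, high: 30-100 y; None below 3 y (not covered)."""
    return None if m < 3 else "low" if m < 10 else "medium" if m < 30 else "high"


def dc_band(dc: float) -> str:
    """none: <60 %, low: 60-90 %, medium: 90-99 %, high: >=99 %."""
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


# Table 7 of ISO 13849-1:2015: (category, DCavg band) -> {MTTFd band: PL}.
# Combinations missing here are ones the table does not allow.
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b"},
    (1,   "none"):   {"high": "c"},  # Cat 1 also requires well-tried components
    (2,   "low"):    {"low": "a", "medium": "b", "high": "c"},
    (2,   "medium"): {"low": "b", "medium": "c", "high": "d"},
    (3,   "low"):    {"low": "b", "medium": "c", "high": "d"},
    (3,   "medium"): {"low": "c", "medium": "d", "high": "e"},
    (4,   "high"):   {"high": "e"},
}


def performance_level(category, mttfd: float, dcavg: float, ccf_score: int = 0) -> Optional[str]:
    """PL of one subsystem, or None when the category's preconditions are not met."""
    if category in (2, 3, 4) and ccf_score < CCF_MIN_SCORE:
        return None
    mb, db = mttfd_band(mttfd), dc_band(dcavg)
    if category in ("B", 1):
        db = "none"    # no diagnostic credit in Cat B/1; monitoring would make it Cat 2
    elif category in (2, 3) and db == "high":
        db = "medium"  # Table 7 has no DC-high column for Cat 2/3: use the next lower one
    return PL_TABLE.get((category, db), {}).get(mb) if mb else None


def estop_example() -> dict:
    """Constructed scenario: one E-stop button, two NC contacts (one per channel), into a
    dual-channel safety relay whose outputs drop two safety contactors in series; the
    contactors' mirror contacts close the relay's feedback loop (EDM)."""
    # Hypothetical B10d values and duty: one E-stop press per shift, contactors cycled every 15 min.
    button = mttfd_from_b10d(100_000, dop=250, hop=8, tcycle_s=8 * 3600)   # -> 4000 years
    contactor = mttfd_from_b10d(1_300_000, dop=250, hop=16, tcycle_s=900)  # -> 812.5 years
    channel = [
        Component("E-stop NC contact", button, dc=0.90),    # assumed: cross-monitoring with discrepancy time
        Component("safety contactor", contactor, dc=0.99),  # assumed: direct monitoring via mirror contact
    ]
    mttfd = channel_mttfd(channel)  # both channels identical: 675 y uncapped -> 100 y ("high")
    dcavg = dc_avg(channel)         # ~0.975 ("medium"); contactors dominate because they fail more often
    pl_hw = performance_level(3, mttfd, dcavg, ccf_score=70)
    # The safety relay is a separate certified subsystem (assumed PL e); with two subsystems
    # ISO 13849-1 6.3 gives the combination the lower of the two PLs.
    pl = min(pl_hw, "e") if pl_hw else None
    # The same button and contactor wired single-channel with no monitoring (Category 1).
    single = [Component("E-stop NC contact", button, dc=0.0), Component("contactor", contactor, dc=0.0)]
    pl_cat1 = performance_level(1, channel_mttfd(single), dc_avg(single))
    return {"mttfd": mttfd, "dcavg": dcavg, "pl": pl, "pl_cat1": pl_cat1}
```

Running `estop_example()` gives PL e for the dual-channel Category 3 hardware (MTTFd capped at 100 years, DCavg about 97 %) and PL c for the same parts in a single-channel Category 1 arrangement, which is the whole argument for dual-channel wiring when PLr is d. Two things the short script deliberately leaves to SISTEMA: the PFHd-based combination of several subsystems (relay, inputs, outputs, drive STO) and the full CCF scoring checklist, both of which belong in the safety function data sheet of step 5.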
How ClusterVise improves this
✓  ClusterVise — What Changes

ClusterVise generates the safety I/O architecture for E-stop circuits as part of the standard design documentation — specifying safety relay type, dual-channel input wiring, output contact assignments to contactors and drives, and the monitored feedback loop. The safety function register output includes a PLr mapping and architecture category selection based on the declared hazard parameters, giving the safety circuit designer a pre-validated starting point for the ISO 13849 calculation rather than building the analysis from scratch.