
Following the risk assessment, risk reduction is the next step. A safety function is needed to reduce the risk when the control system is called upon. Safety functions are defined in safety requirement specifications. ISO 13849-1:2015 [1] describes some of the more common safety functions. One of the most poorly understood is the manual reset function. This post should help to clear up the confusion.
For more information on conducting ISO 13849 analyses, see our series on How to do a 13849-1 Analysis or Interlock Architectures — Part 1: What do those categories really mean?
What is a safety function?
Before the requirements for a manual reset safety function can apply, you must first determine whether your manual reset function meets the definition of a safety function. The definition of “safety function” is found in [1]:
3.1.20
ISO 13849-1:2015
safety function
function of the machine whose failure can result in an immediate increase of the risk(s)
[SOURCE: ISO 12100:2010, 3.30.]
You will need to perform an FMEA on your design to determine all of the various failure modes and then limit the list to those failure modes that are dangerous failures. If there are no dangerous failures, or if you can determine, perhaps through an FTA, that the probability of the dangerous failures is low enough, then a fault exclusion might be possible.
If you determine after all of this that your manual reset is a safety function, then the requirements for a manual reset safety function will apply.
What is a reset function?
Manual reset functions enable the re-start of a machine following the activation of a safety-related stop, such as a guard interlock, a presence-sensing device stop or an emergency stop. When the event that triggered the safety function is over, activating the manual reset function verifies that all safety input conditions are satisfied and that any other pre-conditions, e.g., the machine is maintaining zero speed, are met before re-enabling the safety function. Re-enabling the safety function does not re-start the machine; it only permits re-starting.
More on the definition of the reset function in a bit.
Two kinds of manual reset functions
There are two kinds of manual reset functions: those that are safety functions and those that are not. Distinguishing between the two is where all of the confusion arises.
Non-safety reset functions
Non-safety reset functions are those that, when a failure in the reset function occurs, do not cause an immediate increase in risk. Non-safety reset functions can be implemented in a standard PLC since an error in resetting the safety function has a limited negative consequence — i.e., the risk of significant injury is relatively low.
Safety reset functions
Suppose the manual reset function FMEA reveals that there are failure modes that will immediately increase risk. In that case, the manual reset is a safety function, and ISO 13849-1 applies. Since ISO 13849-1 is a type-B1 standard, a machine-specific type-C standard can set different requirements.
Reset function description
The complete manual reset function description is as follows:
5.2.2 Manual reset function
The following applies in addition to the requirements of Table 8.
After a stop command has been initiated by a safeguard, the stop condition shall be maintained until safe conditions for restarting exist.
The re-establishment of the safety function by resetting of the safeguard cancels the stop command. If indicated by the risk assessment, this cancellation of the stop command shall be confirmed by a manual, separate and deliberate action (manual reset).
The manual reset function shall
— be provided through a separate and manually operated device within the SRP/CS,
— only be achieved if all safety functions and safeguards are operative,
— not initiate motion or a hazardous situation by itself,
— be by deliberate action,
— enable the control system for accepting a separate start command,
— only be accepted by disengaging the actuator from its energized (on) position.
The performance level of safety-related parts providing the manual reset function shall be selected so that the inclusion of the manual reset function does not diminish the safety required of the relevant safety function.
The reset actuator shall be situated outside the danger zone and in a safe position from which there is good visibility for checking that no person is within the danger zone.
Where the visibility of the danger zone is not complete, a special reset procedure is required.
NOTE One solution is the use of a second reset actuator. The reset function is initiated within the danger zone by the first actuator in combination with a second reset actuator located outside the danger zone (near the safeguard). This reset procedure needs to be realized within a limited time before the control system accepts a separate start command.
[1, 5.2.2]
Unpacking the requirement
Table 8 reference
The first sentence in the requirement refers to Table 8, which points to IEC 60204-1:2005, 9.2.5.3, 9.2.5.4 [3] for the electrical requirements for the reset function.
In [3, 9.2.5.3], Stop, the requirement for resetting a stopping function is that “The reset of the stop function shall not initiate any hazardous situation.” This requirement parallels the third bullet in the requirement.
[3, 9.2.5.4] provides the requirements for emergency stop equipment. [3, 9.2.5.4.1] includes this requirement:
Once active operation of an emergency stop (see 10.7) or emergency switching off (see 10.8) actuator has ceased following a command, the effect of this command shall be sustained until it is reset. This reset shall be possible only by a manual action at that location where the command has been initiated. The reset of the command shall not restart the machinery but only permit restarting.
It shall not be possible to restart the machinery until all emergency stop commands have been reset. It shall not be possible to reenergize the machinery until all emergency switching off commands have been reset.
[3, 9.2.5.4.1]
Here again, we see that restarting the machine cannot occur until two pre-conditions are met:
- All of the emergency stop commands have been reset – in practical terms, this means ensuring that all of the emergency stop buttons have been pulled out to their “run” position, and
- The emergency stop function is manually reset.
These requirements in [3] have been changed in the current edition of IEC 60204-1 [4]; however, the requirement relating to the resetting of emergency stop functions remains unchanged in clause [4, 9.2.3.4.1].
Maintained condition
The second paragraph in the requirements reads,
After a stop command has been initiated by a safeguard, the stop condition shall be maintained until safe conditions for restarting exist.
This clause sets up the requirement for a manual reset of a safety function to be executed in a safety PLC or other safety-rated controller, including simple safety relays.
Pressing the reset button starts a process in the controller that checks that all the safety-related pre-conditions have been met, i.e., are the inputs to the functions logically TRUE? If this is the case, the safety function can be reset; if not, then the safety function will remain in the STOP condition. This same requirement is seen in [4, 9.2.3.4.1].
Once active operation of an emergency stop (see 10.7) or emergency switching off (see 10.8) actuator has ceased following a stop or switching off command, the effect of this command shall be sustained until it is reset. This reset shall be possible only by a manual action at the device where the command has been initiated. The reset of the command shall not restart the machinery but only permit restarting.
It shall not be possible to restart the machinery until all emergency stop commands have been reset. It shall not be possible to reenergize the machinery until all emergency switching off commands have been reset.
[4, 9.2.3.4.1]
Re-establishment of the safety function
“Re-establishing the safety function” is resetting the safety function into normal operating conditions. Resetting the safety function does not re-start the machine but permits re-starting. Here are the requirements:
The re-establishment of the safety function by resetting of the safeguard cancels the stop command. If indicated by the risk assessment, this cancellation of the stop command shall be confirmed by a manual, separate and deliberate action (manual reset).
The manual reset function shall
— be provided through a separate and manually operated device within the SRP/CS,
— only be achieved if all safety functions and safeguards are operative,
— not initiate motion or a hazardous situation by itself,
— be by deliberate action,
— enable the control system for accepting a separate start command,
— only be accepted by disengaging the actuator from its energized (on) position.
Cancellation of the stop command is fairly obvious, of course, but the requirement for the manual reset is based on the risk assessment. This is where an understanding of the hazards and the exposure of the person to the hazards is needed to determine whether or not the reset function is a safety function.
An example will help to clarify this requirement. Consider a machine with a rotary table fitted with four fixtures. Each fixture has pockets for the parts needed in the assembly process. An operator loads parts to the fixture exposed at the workstation, while the other three fixtures are inside the safeguarded space where the machine can work on the assembly process. A light curtain is fitted across the front of the workstation, so the operator must break the sensing field to place parts in the nest.
The safety function, in this case, is a safety-related stop function [1, 5.2.1]. When the operator’s hands are inside the safeguarded space, a STOP command is generated by the light curtain and the rest of the safety-related parts of the control system, preventing the table from rotating. Once the operator is done loading parts and is ready for the machine to start the next cycle, they press a cycle start button to initiate the table rotation and the next machine cycle.
What is not mentioned in the description of the safety function is that the safety-related stop function must be reset somehow after the sensing field has been broken. This can be done in several ways, the most common being an automatic reset of the stop function. As long as the risk is reasonably low, this might be acceptable. This is not a manual reset function and is therefore outside this discussion; however, it is worth knowing that automatic reset is possible under some circumstances.
Another option is to use a start/restart function [1, 5.2.3]. This is the case where “presence-sensing device initiation” (PSDI) [5, 6.3.2.5.3] or a “control guard” is used [5, 6.3.3.2.5]. In PSDI mode, clearing the light curtain’s sensing field immediately starts the machine cycle. PSDI requires that a timer with a delay-off condition not longer than a machine cycle is used to monitor the time between breaks of the sensing field. If the timer is not reset within one cycle, then a separate cycle-start button must be pressed to start the machine cycle and re-initialize the PSDI mode. Control guards work similarly, with the cycle start signal derived from closing the guard interlock.
The emergency stop function exception
If the risk is greater, a manual reset function should be used rather than an automatic reset. There is one important deviation where the automatic reset is required: emergency stop. ISO 13850:2015 [6] requires that:
4.1.1.2 The emergency stop function shall be available and operational at all times. It shall override all other functions and operations in all operating modes of the machine without impairing other protective functions (e.g. release of trapped persons, fire suppression).
ISO 13850:2015
When the emergency stop function is activated:
— it shall be maintained until it is manually reset;
— it shall not be possible for any start command to be effective on those operations stopped by the initiation of the emergency stop function.
The emergency stop function shall be reset by intentional human action. Resetting of the emergency stop function shall be operated by disengagement of an emergency stop device (see 4.1.4). The reset shall not initiate machine start up.
NOTE The emergency stop function cannot be considered as measure of prevention of unexpected start up as described in ISO 12100.
Since disengagement of the emergency stop device is the action that resets the emergency stop function, any safety device providing logic functions as part of the emergency stop, e.g., an e-stop safety relay or safety PLC, must be configured to automatically reset when the e-stop device is disengaged.
Performance Level requirement
Since the manual reset function can be a safety function, two requirements arise:
- The manual reset function must be identified in the risk assessment relative to the safety-related stop function, i.e., if you identify the need for an interlock on a whole-body access gate into a work cell, then you must also identify the need for a related manual reset function.
- The required Performance Level (PLr) must be identified based on the risk.
The performance level of safety-related parts providing the manual reset function shall be selected so that the inclusion of the manual reset function does not diminish the safety required of the relevant safety function.
[1, 5.2.2]
Since the manual reset function cannot reduce the Performance Level (PL) of the related safety function, you will need to determine the minimum PL for the manual reset function. For example, if the risk assessment identifies the need for an interlocked guard with a PLr = d, then the PL of the manual reset function cannot be less than PL=d according to [1, 6.3] and [1, Table 11].
Location of the reset device
For a safety-related reset function, it has been established that a separate reset device must be connected to the SRP/CS, but the location is not yet clearly established. The last two paragraphs and the following note help clarify this part of the requirement.
The manual reset function shall
— be provided through a separate and manually operated device within the SRP/CS,
The reset actuator shall be situated outside the danger zone and in a safe position from which there is good visibility for checking that no person is within the danger zone.
Where the visibility of the danger zone is not complete, a special reset procedure is required.
NOTE One solution is the use of a second reset actuator. The reset function is initiated within the danger zone by the first actuator in combination with a second reset actuator located outside the danger zone (near the safeguard). This reset procedure needs to be realized within a limited time before the control system accepts a separate start command.
[1, 5.2.2]
When the operator cannot see the complete interior of the work cell from the proposed placement of the reset actuator, there are at least two possibilities you can consider to correct the problem:
- move the reset actuator to a location where the operator can see the complete area, or as suggested by the note,
- add a second reset actuator inside the cell that the worker must press on the way out.
Pressing the first reset starts a countdown timer that enables the second reset button, located on the outside of the cell. A worker would have to press the first button, exit the cell, close the gate, and then press the second actuator to reset the safety function before the countdown ends.
Other concepts could be used under the “special reset procedure” umbrella, so do not feel completely constrained by the note’s text. Remember that in ISO standards, the text of a note is informative, so there are no requirements in notes, only guidance.
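The behaviour described in 5.2.2 and in the sections above (maintained stop, reset accepted only on disengaging the actuator, reset permitting but never initiating a start, the two-actuator special reset procedure, and the emergency stop exception) is easier to see as a controller scan model. The following is an added example written for this post, not code from ISO 13849-1 or from any safety controller vendor; the class and method names, the scan/edge-detection structure and the 30 s window in the test are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ManualResetStop:
    """Safety-related stop function with a manual reset, modelled on ISO 13849-1 5.2.2.

    All names here are assumptions made for this example, not terms from the standard."""
    # Safeguard inputs, True = safe state (guard closed, light curtain clear, zero speed ...)
    inputs: Dict[str, bool]
    # "Special reset procedure": seconds allowed between pressing the inner actuator and
    # the outer one. None = a single actuator with complete visibility of the danger zone.
    window: Optional[float] = None
    stopped: bool = True                  # the stop condition is maintained until reset
    _reset_prev: bool = False             # previous sample of the outer reset actuator
    _inner_at: Optional[float] = None     # time at which the inner actuator was pressed

    def set_input(self, name: str, safe: bool) -> None:
        """A safeguard actuating (input goes unsafe) initiates the stop; nothing else clears it."""
        self.inputs[name] = safe
        if not safe:
            self.stopped = True

    def scan(self, reset: bool, now: float = 0.0, inner: bool = False) -> bool:
        """One controller scan. Returns True only on the scan in which a reset is accepted.

        reset - state of the reset actuator outside the danger zone (True = pressed)
        inner - the inner actuator of a two-actuator reset was pressed during this scan
        """
        if inner:
            self._inner_at = now                        # start the limited-time countdown
        # The reset is only accepted on disengaging the actuator from its energized (on)
        # position, i.e. on the falling edge. A tied-down or stuck-closed button never
        # produces one, so it can never reset the function.
        falling_edge = self._reset_prev and not reset
        self._reset_prev = reset
        if not (self.stopped and falling_edge):
            return False
        if not all(self.inputs.values()):               # all safeguards must be operative
            return False
        if self.window is not None:
            late = self._inner_at is None or now - self._inner_at > self.window
            if late:
                return False                            # outer reset without a timely inner reset
            self._inner_at = None
        self.stopped = False                            # re-established: restart is now *permitted*
        return True

    def cycle_start(self) -> bool:
        """The separate start command. Only this may initiate motion, and only once reset."""
        return not self.stopped


@dataclass
class EmergencyStop:
    """ISO 13850 emergency stop: the device itself latches and must be manually released,
    so the logic (relay or function block) resets automatically when the device is
    disengaged. No additional reset button is needed, and the reset never starts anything."""
    engaged: bool = False
    stopped: bool = False

    def actuate(self) -> None:
        self.engaged, self.stopped = True, True

    def disengage(self) -> None:              # twist- or pull-to-release on the operator
        self.engaged = False
        self.stopped = False                  # logic follows the device; start still not issued

    def cycle_start(self) -> bool:
        return not self.stopped


def rotary_table_demo() -> List[Tuple[str, bool]]:
    """Light-curtain workstation from the post, with a single-actuator manual reset."""
    log = []
    f = ManualResetStop({"light_curtain": True, "zero_speed": True})
    f.set_input("light_curtain", False)                 # operator reaches into the nest
    log.append(("hands in field, start permitted", f.cycle_start()))
    f.scan(True)
    f.scan(False)                                       # press/release while field is broken
    log.append(("still stopped after reset with field broken", f.stopped))
    f.set_input("light_curtain", True)                  # hands withdrawn, field clear
    log.append(("press only", f.scan(True)))            # held down: no reset yet
    log.append(("release", f.scan(False)))              # falling edge: reset accepted
    log.append(("start permitted", f.cycle_start()))
    return log


if __name__ == "__main__":
    for event, value in rotary_table_demo():
        print(f"{event}: {value}")
```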
[Post edited 2022-07-22 to add clarity about what constitutes a safety function and the emergency stop exception – DN]
Courses
If you are unsure how to proceed with functional safety or ISO 13849, check out our FS101 course. This course will teach you how to proceed:
- with a review of machinery risk assessment
- developing the Safety Requirement Specifications
- analyzing your design
- developing the validation documentation, and
- developing the validation test procedure
This course is suitable for control systems designers and engineers. If you have a CMSE designation or equivalent, and you’re still not feeling confident about how to use ISO 13849, this course will work for you too. The course includes a review of machinery risk assessment according to ISO 12100. Our RA101 course will give you the needed expertise if you have never had risk assessment training.
© 2021 – 2022, Compliance inSight Consulting Inc.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Hi Doug,
First of all, thanks for the article and for helping myself and others navigate the confusing web of standards and guidelines.
For this statement:
— only be accepted by disengaging the actuator from its energized (on) position.
Is this basically stating that a reset is only valid on the off-transition of the reset button/actuator? Would this be to protect against a push button that might be stuck in the ON position?
Thanks!
Hi Dennis,
You’re welcome! I’m always glad to help.
Typically, safety functions using any momentary input device-generated signal will sense the state change on a falling or rising edge, depending upon the at-rest state of the circuit. For the emergency stop input(s) to an e-stop function, for example, the at-rest condition is with the channel(s) energized. Pressing the button or cutting the wire results in a falling edge, triggering the function. In the case of a manual reset loop on a safety relay, the reset loop can have normally closed monitoring contacts for each of the connected interposing relays and the normally open manual reset button contacts. The at-rest condition for the loop is de-energized since when the relay is on, the interposing relays are also on, and their respective NC monitoring contacts are OPEN. The manual reset button contacts will also be OPEN. When the button is pressed, assuming both monitoring contacts are closed because the safety is off, a rising edge will trigger the reset. This helps to ensure that the safety relay is reacting to the state change and not a constant state. However, in this example, the manual reset is not considered a separate safety function because its failure does not cause an immediate increase in risk.
The provisions described in the article apply to manual reset functions where the failure results in an immediate increase in risk. In this case, the standard is looking for a falling edge to trigger the reset, so a press-and-release action, so that it is clear that the reset button hasn’t been “tied down” in some way.
Reply feature doesn’t seem to work in my browser, sorry.
Continuation of E-stop reset discussion.
Sorry, I did not mean to say “circuit” in my last entry, but rather “function” when asking, “why would you want an E-stop circuit to automatically reset.” That is, I meant it to read: “why would you want an E-stop function to automatically reset?”
So, yes, discussing the logic/relay/function block resetting automatically, not automatic reset of the E-stop button.
Ok, so if E-stop buttons/devices themselves achieve all the manual resetting requirements, is configuring an E-stop relay for a manual reset explicitly wrong?
I can agree with the benefits of automatic reset you outlined, and might agree that there aren’t any major gains in safety if you go to a manual reset, but it is very common to see in practice.
So based on your interpretation of 13850, I agree the wording isn’t always plain and can see it both ways, but I’m having a harder time finding the explicit requirement that it must be automatic.
Wording in the IEC 60204 2016 9.2.3.4 is vague as well, but in comparison to the earlier version of the standard I can see support for what you’re saying, but still don’t see where it would forbid a manual reset.
So should it be considered wrong, or just unnecessary to use a push button (manual reset) to reset your E-stop relay/function?
Hi Concerned,
There is no requirement that the automatic reset of the relay or function block is automatic. Instead, there is no requirement that an additional manual reset button is provided.
As I said in my last comment, you can provide one if that makes you happy, but there is no need for it. This is compared to other safety functions requiring a separate manual reset, e.g., light curtain safety stops.
So, for emergency stop functions, it’s unnecessary due to the way the estop devices work.
Continuing conversation about auto-resetting the E-stop function.
To “operate” does not directly mean to actuate; one definition of operate is to “control the functioning of”, so I’m still of the mind that when 13850 says “operated by the disengagement of an emergency stop device” the intention is to say you cannot reset so long as the device is engaged.
That excerpt follows “when the emergency stop function is activated it must be maintained until manually reset” and “the emergency stop function shall be reset by intentional human action.” In every other interpretation I’ve seen this leads directly to manual reset as defined in 13849, 5.2.2. In A-B literature the resetting of an E-stop is always mentioned under the manual monitored reset option.
So, “cui bono?” Why would you want an E-stop circuit to automatically reset, and how are you drawing this conclusion from the single line “resetting of the emergency stop function must be operated by disengagement of an emergency stop device” which sits among two other lines that seem to contradict it? What benefit is there for the machine user or builder to have the E-stop monitoring relay automatically reset? In what way is this safer or better than a manual reset? Can you provide any additional evidence to support this conclusion?
Hoping this doesn’t come across as disrespectful in any way, I appreciate your blog and agree with almost everything you write, just worried that I can’t rationalize this one requirement.
Hi Concerned,
Questions and requests for clarification are never disrespectful. I welcome them.
I make mistakes too, and I know these concepts can sometimes be pretty challenging. The language used in ISO standards can also add to the confusion because native English speakers do not always write it, and we sometimes compromise on specific words when there is no good translation in other languages. This can damage the precision of the language.
I think you may be misinterpreting something. I am NOT saying that the emergency stop automatically resets. The reset occurs when the estop device is manually reset, satisfying the “when the emergency stop function is activated it must be maintained until manually reset.” requirement. The relay or the function block is configured so that the reset of the device causes the relay or function block to reset.
The advantage is twofold: 1) It saves a step for the operator, and 2) it saves a panel device and the associated wiring, plus the labour to install all of that. IMO, having a reset button that must be pressed after the estop device has been manually reset achieves nothing of value.
I’m not sure I will convince you of this, but as I sit on the committee responsible for the standard, I can assure you that this is the intent. If you want to discuss this some more, you can book a free consultation with me and we can debate the ideas for 30 minutes. I’m more than happy to do that if you’re interested. https://complianceinsight.ca/front-page/free-consultations/
I’m not confident in what you’re saying with “the emergency stop function exception”. This is in conflict with any and every wiring example that I’ve ever seen, including from major manufacturers like Allen-Bradley, see the 440r wiring example for the CI relay. If what you are saying is true why would they give this example. In 13849 when the “manual reset” is discussed there is even reference to the falling edge of the reset signal, you wouldn’t get a falling edge if the “reset” was coming from the E-stop plunger. I think you are combining the “resets” and confusing things. “Resetting the emergency stop shall be operated by disengagement of an emergency stop device” has often been taken to mean disengagement is a requirement before a reset is possible. I’m worried there is dangerous misinformation here. Please advise.
Hi Concerned,
Thanks for your comment. In that section of the post, I’ve provided you with the text from ISO 13850 that describes how the reset of the emergency stop must work. So, why did I call this an exception, and how is this met by the typical control system design using a safety relay? Let me see if I can clear up any confusion.
ISO 13850 requires that emergency stop devices require a manual reset. This is accomplished by the typical twist-or-pull-to-release action provided by e-stop push button operators. The act of manually resetting the e-stop device meets the requirement for a manual reset. According to the standard, the accompanying safety function does not REQUIRE a manual reset; resetting the emergency stop safety function only PERMITS restarting. It is not allowed to cause the restart. So, whether you are accomplishing this in a PLC or other control system, the resetting of the emergency stop allows the controller, following a subsequent manual action like pressing a “cycle start” button, to reset, but it does not cause this restarting to occur.
Because the manual reset of the emergency stop device meets the requirement for manual reset of the safety function, the safety relay, or the function block in the safety PLC, can be configured to reset automatically.
Looking at the safety relay example schematics in the application notes, you are not seeing the whole picture. Suppose the design of your machine controls is such that resetting the emergency stop function can cause automatic restarting of hazardous motions. In that case, the rest of the control system design requires modification. Having an additional reset button that a user would have to press does not solve this problem; it just delays the issue for a moment or two.
Keep in mind that the schematics in the application notes show you what can be done. Nothing would prevent you from including an additional reset button in the reset loop for the safety relay or function block, but this is not required by ISO 13850. Furthermore, if you read some of my earlier comments on this article, you will see that the reset loop does not constitute a safety function on its own because no failure in the reset loop can lead to an immediate increase in risk. The immediate increase in risk is required based on the definition of the concept of a safety function.
I hope that helps, but if not, let’s keep this conversation going!
Hi Doug,
About the safety reset PL requirement. After reading this sentence:
“The performance level of safety-related parts providing the manual reset function shall be selected so that the inclusion of the manual reset function does not diminish the safety required of the relevant safety function.”
In my understanding, there are very few designs where the reset needs to be of the same PL level as the safety function itself, and they should be avoided. I’m saying this because a “standard” reset button won’t normally diminish the PL level of a safety function. If, for example, we use an interlocked door with a certain PL required by the safety assessment, when the door is opened and as long as the safety circuit has the same PL, pressing the reset won’t change a thing because your safety relies on the interlocked guard. The only moment where the reset button should be of the same PL is if the door closes behind you, and the safety design should have found a way to counteract this (safety scanner, safety lock, trapped keys, etc.). Because if it happens, a reset button with a high PL won’t stop someone else from pressing it.
Are there any precedents about this?
Thanks,
Hi François,
Suppose you consider a typical simple guard interlocking relay. In that case, the reset loop on these devices is always a single channel, and the application examples from the manufacturers of these devices never show anything more complex than a simple NO momentary contact push button. So why is this? If the failure of the reset loop does not immediately increase the risk, then the reset loop does not qualify as a safety function. Consider the failure modes in that loop:
The reset loop circuitry is designed to look for a falling edge condition, so the contact failing closed could cause the relay to try to reset itself continuously, but the reset will fail as long as the input channel(s) are open (safe failure). If the contact fails open, then no amount of button pressing will cause the relay to reset (safe failure). Shorted wiring is the same as the contact failing closed (safe failure). Wiring shorted to V+ will not generate a falling edge, which is also a safe failure. Wiring shorted to V- creates a falling edge, but until the input conditions are met, the relay will not reset (safe failure). A short to PE/chassis should be the same as a short to V- unless the DC control supply has been isolated, but in both cases, this is a safe failure. So, no immediate risk increase means this manual reset function is not a safety function.
This will be the case with the reset loop on programmable safety modules and safety PLCs.
As far as precedents are concerned, I can’t specifically cite any. I can say that the standard has been written to allow for situations, likely more common with bespoke safety hardware, where there might be the “immediate increase in risk” scenario. Still, there is nothing to say that this will apply in every case where a manual reset is used. Careful assessment of the failure modes in the reset function is necessary to determine whether or not any dangerous failure modes can occur and how those failures might affect the overall risk related to the safety function being reset.
Really good article! I have a question. Since the manual reset function cannot reduce the Performance Level (PL) of the related safety function, you will need to determine what the minimum PL for the manual reset function can be. In my understanding, for PL e we need category 3, which has a 2-channel architecture, but in many examples we have a 1-channel manual reset. How does a 1-channel safety manual reset function fit PL e?
https://download.beckhoff.com/download/Document/automation/twinsafe/applicationguidetwinsafeen.pdf
Hi Norbert,
Great question. The first question that needs to be answered is, “Is this manual reset a safety function?” The definition for what constitutes a safety function is found in ISO 13849-1:2015:
3.1.20
safety function
function of the machine whose failure can result in an immediate increase of the risk(s)
[SOURCE: ISO 12100:2010, 3.30.]
Since the failure modes for manual resets on safety relays and programmable safety devices do not have failure modes that would result in an immediate increase in risk, then they are not safety functions, and the requirements for manual reset do not apply. You can see this in the design of the reset loops on safety relays. Fundamentally, a single channel reset without diagnostics conforms to Category B or 1 architecture depending on the component selected for the reset button/device. Cat. B limits the PL to b at the most, and Cat. 1 to PL=c at the most. These devices could not conform to ISO 13849-1 if the reset loop was considered a safety function.
[Edited 2022-07-22]