Manual reset using an HMI

Update: Things have changed a bit since this post was first published in 2021. There are now some safety-rated HMIs available from big controls companies like Siemens, so if you are considering this approach, consult with your controls vendor to see if their HMIs can meet the requirements of ISO 13849-1. Ed. – 2022-05-10

---

Question: Can a safety-related stop function, for example, be reset via a graphical object representing a reset button on an HMI?

The short answer: No, with an exception. Read on if you’d like to know more.

If you’re interested in knowing more about the manual reset function, see our previous post on the manual reset function.

Why not?

Why can’t manual reset actuators appear on HMI screens? There are a few reasons for this.

First, ISO 13849-1 [1] requires that manual reset actuators be separate control devices connected to the SRP/CS. The point could be made that an HMI is a separate device; however, as of this writing, no HMIs are designed to connect to a Safety PLC.

Second, [1] requires that components used for the manual reset function not reduce the Performance Level (PL) of the safety function. Since there are no safety-rated HMIs, the only structural category that could be assigned to an HMI-PLC combination is Category B, a single-channel architecture using components rated for the circuit conditions. This structural category limitation means that the highest PL that could be assigned would be PL=b. Emergency stop functions must provide at least PL=c performance according to ISO 13850, so an HMI-based reset cannot be used with emergency stop functions. In addition, most industrial machines will require at least PL=c, d or e for their safety-related interlocks, so an HMI-based manual reset cannot be used to reset an interlock stop function.

Finally, the large controls component manufacturers, like Rockwell Allen-Bradley, Omron, Pilz, Schmersal, Siemens, Telemecanique, etc., do not recommend the practice for the reasons discussed.

PS – I mentioned in the video that rising edge signals are not used for the Manual Reset Function – in truth, rising edges are not used for safety-related signals. Rising edges can occur more readily due to electrical faults, while falling edges are much less likely. For example, a falling edge generated by an electromechanical push button requires that the button be pushed and released, which helps avoid intentional defeat through a “tie-down” button.

Courses

If you are unsure how to proceed with functional safety or ISO 13849, check out our FS101 course. This course will teach you how to proceed:

• with a review of machinery risk assessment
• developing the Safety Requirement Specifications
• analyzing your design
• developing the validation documentation, and
• developing the validation test procedure

This course is suitable for control systems designers and engineers. If you have a CMSE designation or equivalent, and you’re still not feeling confident about how to use ISO 13849, this course will work for you too. The course includes a review of machinery risk assessment according to ISO 12100. Our RA101 course will give you the needed expertise if you have never had risk assessment training.

---

References

[1] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO 13849-1. International Organization for Standardization (ISO), Geneva. 2015.

[2] Safety of machinery — Emergency stop function — Principles for design, ISO 13850. International Organization for Standardization (ISO), Geneva. 2015.

[3] Realizing Reset Function in Safety Related Parts of Control Systems, 1st ed. Hoofddorp, Netherlands: OMRON Europe B.V., 2015.

© 2021 – 2022, Compliance inSight Consulting Inc.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.