Is manual reset a safety function?

In several applications, the reset is a Safety Function and therefore it cannot be routed through the Automation PLC.

The EN ISO 13849-1: 2023 lists the Manual Reset Function among the safety functions:

[ISO 13849-1: 2023] 5.2.2 Requirements for specific safety functions

5.2.2.3 Manual reset Function. The re-establishment of the safety function by resetting of the safeguard cancels the stop command.

If indicated by the risk assessment, this cancellation of the stop command shall be confirmed by a manual separate and intended action (manual reset).

A situation whereby the risk assessment may indicate that the Reset is a Safety Function is when there is a safeguarded space with a risk of Whole Body Access.
A safeguarded robot area is a typical case.

When the reset of protective devices is considered a safety-related part of the control system, because its function contributes to reducing the risk that a person remains undetected inside a hazardous area, it is important to emphasize that, when an operator activates this function, they must verify that no person is present within the safeguarded space.

There have been real situations in which a person was still inside a dangerous area while a colleague closed the access gate and restarted the machine. In those few cases reported to us, no injury occurred, but such “near-miss” events can easily result in serious accidents.

For this reason, the instruction manual should clearly highlight this risk and inform any operator working on the production line that, before resetting a safety barrier (AOPD), for example, they must ensure that no one is present inside the safeguarded space.

To reinforce this safety requirement, we recommend placing a warning label next to each Reset Button whenever it performs a safety function.

Since the pushbutton used for the reset function typically has no reliability data available, it is important to minimize the risk of malfunctions. For this reason, especially when the safety function that is reset claims Performance Level (PL) d or PL e, it is essential that the safety system detects a change in the state of the reset button, either from open to closed or, preferably, from closed to open.

This requirement ensures that the reset command is triggered by a deliberate action from the operator and helps prevent faults such as a permanently actuated or short-circuited button.

A requirement of this type is included in the 2026 edition of IEC 62046, which emphasizes the need for state-change detection for manual reset devices used in safety-related control functions.

[IEC 62046: 2026] 6.2.4 Restart interlock

[…] Resetting a restart interlock of a SPE application is always a safety -related function. Measures shall be provided to reduce the probability of the restart interlock being reset by a transient or
steady-state fault condition. Such measures can include, for example, requiring both a rising and falling edge signal within a defined time (e.g. between 150 ms and 4 s) from a manually actuated reset device.

In conclusion, the reset function of protective devices must be treated with particular care when it is part of a safety-related control system. Operators must always verify that no person is present within the safeguarded space before activating the reset function, as failure to do so can lead to hazardous situations and potential accidents. Clear instructions in the user manual and visible warning labels near reset buttons are therefore essential to raise awareness of this risk.

At the same time, the technical implementation of the reset function must ensure an adequate level of reliability. Since reset buttons typically lack reliability data, the safety system should detect a change of state of the reset device to prevent faults or unintended activations.

Therefore, when designing or assembling a control panel on behalf of a machinery manufacturer, it is essential to consult the person responsible for the risk assessment to verify whether the reset buttons must be connected to a Safety PLC. This requirement should never be assumed unnecessary without proper verification.