Resetting a Safety Circuit

kku
What's the correct practice for resetting a safety circuit? We currently have machines in the plant that have a hard-wired reset button. This button must be pushed to reset the safety relay (or safety PLC). I always thought this is best practice.

Now some machine builders and colleagues are bringing machines without this button. Instead they want to use the 'Start' button on the HMI to reset the safety circuit. Is this acceptable? Does the reset have to be a discrete, hard-wired control button?
 
kku,

I cannot say in regards to Canada, but in the USA, it's not allowed. NFPA97 - sorry, but I don't have my book handy.

This is a safety circuit requiring a mechanical reset, not electronic.

What if the start button on the HMI sticks?
Yes, they do stick. I have replaced (2) HMI terminals for that very reason. Where is the safety circuit then?

Just exactly what is this start button they want to use?
The safety circuit stops ALL motion.

You must have a safety evaluation done by the plant safety crew, engineering, maintenance, and workers. That's the starting point.

regards,
james
 
The start button on the HMI? I assume you mean a tactile button on the screen or a touch of the panel.

Not only is it more complicated to connect it to the safety relay, but like stated above, it brings way less security.

Still, I have seen some main safety relays with an auto-reset when no emergency button pressed, but there were other secondary safety relays that needed a reset. All safety circuits should need at least a dedicated button to be pressed.
 
I agree that it's traditional to have the Reset pushbutton be a hardwired pushbutton contact. It's also very common to have the Reset pushbutton in series with one or two contacts from the safety contactors, so that a Reset cannot be performed if the safety contactor's external monitoring circuits are not also OK.

I would have three objections to allowing a PLC/HMI to perform a Reset.

1. It's possible for a general-purpose device programming error to perform the Reset.

2. It's possible for a networked device to possibly perform the Reset, when that device is not within eyesight of the machine that is being Reset.

3. If the PLC/HMI can perform the Reset, it's also more likely that the control system can also be programmed to automatically restart the machine as soon as the E-Stop button itself is reset (the twist-to-reset function).

I don't think you will find an explicit prohibition on having a programmable device perform a Reset in IEC 60204-1, or NFPA 79 or ANSI B11.20. But you'll find a lot of references to requiring that the Reset circuit be interlocked with device monitoring contacts, and that the E-Stop buttons require manual resetting.
 
I am not quite familiar with the CSA22.1, however, a truly implemented safety system is entirely and strictly hard wired; a "Safety System RESET" command will be always applied over a dry-contact of the Master Relay; I cannot see how an HMI write command could physically connect the two sides of the Safety Master Relay RESET contact; a physical relay output contact containing the Safety System RESET circuitry will need to change states hence you are relying on the very functionality of a system which needs to be immediately shut down when a Safety System trip will occur.
A Safety System which could be RESET via an HMI application is nothing but a surrogate.
 
Thanks for your feedback on this matter. I think the idea of not using the hardwired reset button is for the system to automatically reset itself. The explanation to me is the system should be able to reset as long as the hazard is no longer present (i.e. all the E-stops are reset, the station doors are all closed, light curtains are not tripped, etc.) Then the station (safety circuit) should be able to go back to the 'normal' state.

We are using the Omron/STI NE1A safety PLC. So every safety device is wired one to one to the safety PLC and it handles the safety logic internally. The difference now is if the HMI button command for a restart going from the HMI to the PLC (over Ethernet) then the PLC going to the safety PLC (over DeviceNet) is OK. I think not but I haven't found anything definitely that says so. I will look into the CSA22.1 a bit closer and also the NFPA97 as well.

The other thing that bothers me is the fact that the HMI button that is used to reset the safety circuit is the machine start button on the HMI. This is weird to me. I am just looking for proof to argue my case.

Thanks.
 
I can only find statements similar to this:

"6.2.5.2.2 Effects of emergency stop and reset commands
Once active operation of the emergency stop device has ceased following an emergency stop command, the effect of this command shall be sustained until the device is reset. This reset shall be possible only at that location where the emergency stop command has been initiated. The reset of the command shall not restart the machinery but shall only permit restarting."

This excerpt is from CSA Z432-04, safeguarding of machinery.

I can't find a statement that says the reset has to be a discrete and hard wired button.
 
This clears up the "Start" HMI object as being able to "Reset" the Safety circuitry; not permitted.
Back to the CSAZ432-04 excerpt...

"... This reset shall be possible only at that location where the emergency stop command has been initiated..."

Let's say one of the Operator Stations' EStop push buttons has been depressed; the Master Safety Relay trips and according to any safety standard, all the system's outputs are being "brought to a safe state" and then "kept there" until "further notice" (such as a successfully performed RESET).
The unsafe condition has been eliminated, the EStop push button returned to the "normal" position and the respective workstation contains an HMI with an "EStop Reset" object.
How are you going to "relate" the change of state of the respective HMI object to the Safety Relay "Reset" circuitry when already in a "Safe State"(Tripped) condition?
Remember, all the system's outputs are in a "Safe State" and not "controllable"; you will not be able to change the state of a system output when the respective output is in a "safe state"!
In my opinion, this demands something other than a system output to be used as a Safety system "Reset" command provider, such as a hard-wired "Reset" push button next to the EStop one.
I am not aware of any Safety Controller that could be "Reset" via communications; this is the very reason Safety Systems were implemented in the first place: to eliminate the slight chance of a virtual data transfer glitch; hard wire electricity is straight physics.
 
I can only find statements similar to this:

"6.2.5.2.2 Effects of emergency stop and reset commands
Once active operation of the emergency stop device has ceased following an emergency stop command, the effect of this command shall be sustained until the device is reset. This reset shall be possible only at that location where the emergency stop command has been initiated. The reset of the command shall not restart the machinery but shall only permit restarting."
I believe that the intent here is to say that an e-stop device (i.e. e-stop button) cannot be remotely reset nor will the machine restart when the device is reset.

In other words, the e-stop button must latch ("be sustained"), can only be pulled out ("reset") at that location, and that act alone can not cause the machine to restart.

As counter-intuitive as it may seem, the e-stop device is the push-button not the safety relay (or PLC).

All of this assumes a detailed hazard analysis of the machine.

Your colleagues could set the safety relay to automatically reset when the push button is pulled out as long as the machine does not restart without a separate action by the operator.

Then if it is safe for an HMI to be able to start, it should be able to re-start; no need for a separate hard-wired reset button.

Now, would I be comfortable with this... Without knowing any specifics of the machine, I would argue that having a hard-wired reset button (or at least a specific HMI graphic) in the safety relay's reset circuit would be better as it would cause the operator to do something different for restarting from a safety stop than for a normal restart.
 
Besides the safety regulations, resetting the safety circuit and starting the machine are two different functions.

The machines I work on are based on different zones/areas with their own interlocking door system/light barriers, e-stops and wired safety reset pushbutton. Some customers require that when an e-stop is pressed in any area, all areas are put in their safe state.

So to permit any area of the line startup again the operator must reset the estop on the area which it was pressed using the dedicated safety reset button of that area. Resetting that area does not mean they want to put it in automatic mode again.
 
Thanks for all your responses. I think I am going to request a separate reset button. I don't think going through the HMI is correct. Also I believe the safety circuit portion of the machine should be a discrete entity and not mixed with the machine control portion. So having a discrete reset button that is wired directly to the safety PLC makes sense to me.
 
We have machines and systems that no one ever goes around but there are e-stop buttons around that machine in case of a problem. The reset for the system is located on the nearest operator terminal. This was wired into an output on the PLC which the HMI controls. To get around the "stuck button" problem I one-shotted the pulse from the screen into a 150ms latched timer to the output. So if the button "sticks" then it only resets once and fails every subsequent time after that. This system starts and stops automatically in normal processes. On reset through monitored motor safety contactors it allows normal operation to commence. I'm totally comfortable with this setup because it's not a place where operators are normally and our policy here is that if you are working on or around moving parts on a machine you have to have the machine locked and tagged out. Just my two cents to this post.
 
Another idea to put out there is that a hardwired reset can and does fail closed all the time just as my output could and probably will fail closed. So would a reset button which failed closed cause an unsafe condition? I agree that the reset shouldn't also START a system with the same signal. But my previous post shows that some machines that are already designed to start automatically could start up after a reset condition. A machine that isn't designed to start automatically is another story I think. Again, any replies or additional insight is very much welcome. I'm on here a lot to learn just like everyone else. :)
 
On our safety PLC you can configure the reset input to be a pulse (low to high to low) instead of just a rising edge. This is the default setting but apparently you can also set it to rising edge only. I guess this is one good thing about using a safety PLC.
 
Here's a little ammo for your fight. ISO13849-1 5.2.2 states that a manual reset function shall "enable the control system for accepting a separate start command."

Now the truth is this section also says that "If indicated by the risk assessment, [the] cancellation of the stop command shall be confirmed by a manual, separate and deliberate action (manual reset).[emphasis added]"

So, your colleagues can't use the same button for both. However, as I said above, based on the hazard analysis, they could have the safety relay automatically reset when the stop condition is removed.

What is the danger caused by not having a separate manual reset? or better yet, how is safety improved by providing the separate push button?

Example might be Manual Reset button that is placed where cell protected by a light curtain can easily be seen.

BTW, this is the same section that specifies that the reset will occur on the falling edge of the reset signal to prevent reset because of a stuck button (or failed HMI).
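The pulse-style reset input described in the safety PLC post above, the falling-edge reset that rejects a stuck button or failed HMI, and the "reset only permits a separate start" rule can all be seen in one scan-based model. This is an added illustration, not code from any poster or vendor; the pulse-width limits, the signal names (`safe`, `edm_ok`, `reset`, `start`) and the 10 ms scan time are assumptions.

```python
"""Scan-based model of a safety reset input that only accepts a complete
low-high-low pulse (reset on the falling edge) and rejects a stuck signal.
Added illustration only; pulse-width limits and signal names are assumptions."""
from dataclasses import dataclass

MIN_PULSE_MS = 50     # assumed lower bound: shorter pulses treated as contact bounce
MAX_PULSE_MS = 2000   # assumed upper bound: longer pulses treated as a stuck button/HMI


@dataclass
class SafetyResetMonitor:
    tripped: bool = True       # relay latched in the safe state until a valid reset
    enabled: bool = False      # reset accepted; a separate start command is still needed
    running: bool = False
    _prev_reset: bool = False
    _high_ms: int = 0          # accumulated time the reset input has been high

    def scan(self, safe, edm_ok, reset, start, dt_ms=10) -> bool:
        """One controller scan. safe: all E-stops pulled out, doors closed,
        light curtains clear. edm_ok: monitoring contacts confirm the safety
        contactors are dropped out. Returns True on the scan in which the
        reset was accepted."""
        did_reset = False
        if not safe:               # any stop device active: trip and hold outputs off
            self.tripped, self.enabled, self.running = True, False, False
        if reset:
            self._high_ms += dt_ms
        falling_edge = self._prev_reset and not reset
        pulse_ok = MIN_PULSE_MS <= self._high_ms <= MAX_PULSE_MS
        if falling_edge and self.tripped and safe and edm_ok and pulse_ok:
            self.tripped, self.enabled, did_reset = False, True, True
        if not reset:
            self._high_ms = 0
        self._prev_reset = reset
        # Start is a separate, deliberate action; the reset only permits it.
        if start and self.enabled and not self.tripped:
            self.running = True
        return did_reset

    def run(self, steps, dt_ms=10):
        """Feed (safe, edm_ok, reset, start) tuples scan by scan; return reset scans."""
        return [i for i, (s, e, r, st) in enumerate(steps) if self.scan(s, e, r, st, dt_ms)]


def pulse(high_scans, safe=True, edm_ok=True):
    """Constructed input: idle, reset held for high_scans scans, released, idle."""
    idle, held = (safe, edm_ok, False, False), (safe, edm_ok, True, False)
    return [idle] * 3 + [held] * high_scans + [idle] * 3
```

A button held high for 300 scans (3 s) never produces a valid falling edge within the window, so the relay stays tripped, while a 100 ms press resets it without starting anything until `start` is asserted separately.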
 