What ISO 13849 Really Requires for Start, Stop, and Reset Functions

ISO 13849 does not magically approve your start button, stop circuit, or reset station. It forces you to define the safety function, assign PLr, design the SRP/CS, validate behavior, and prove that reset does not become a disguised restart command.

Most teams misunderstand ISO 13849 before the first wire is landed.

Here is the trap.

They treat “start,” “stop,” and “reset” like three ordinary control-panel verbs, when ISO 13849-1:2023 is actually asking a colder question: which of these actions forms part of a safety function, what Performance Level required — PLr — has the risk assessment assigned, and can the safety-related parts of the control system, the SRP/CS, prove that behavior under fault conditions?

That changes everything, doesn’t it?

ISO’s own page for ISO 13849-1:2023 says the standard covers design and integration of safety-related parts of control systems that perform safety functions, including software, across electrical, hydraulic, pneumatic, and mechanical technologies. It also says something buyers routinely ignore: ISO 13849-1 does not specify the required safety functions or PLr for a given machine. That comes from risk assessment, Type-C standards, machine design, and the actual hazard.

So when someone says, “Does ISO 13849 require a reset button?” my answer is usually: wrong question.

The better question is this: after a protective stop, interlock trip, light curtain interruption, emergency stop, power loss, or fault, can the machine restart in a way that exposes a person to hazardous motion?

If yes, reset is not a polite little button. It is part of the safety argument.


The Standard Is Not Blessing Your Pushbuttons

I have a strong view here: too many control panels are built like the designer copied an old layout and then sprinkled safety labels over it. Green start. Red stop. Blue reset. Maybe a keyed selector if the budget survived purchasing.

Fine theater.

But ISO 13849 requirements are not about color, label plates, or whether the button cap looks “industrial enough.” The standard cares about the safety function: the sensor input, logic processing, output switching, fault detection, diagnostic coverage, common-cause failure resistance, response time, and validation evidence.

That means a start button is usually not a safety function by itself. A stop function may be. A reset function often becomes safety-related when it restores permission to run after a safety demand.

DGUV’s summary of the fourth edition of EN ISO 13849-1 notes that the safety requirements specification should include items such as safe state, PLr, permitted response time, active operating modes, machine-control interfaces, behavior after energy loss, and the conditions permitting restart after a safety function has been requested. It also states that manual reset now needs a monitored signal change, in practice a rising or falling edge rather than a permanently held level, to reduce foreseeable misuse.

That last sentence matters.

A welded reset contact held permanently high should not silently authorize restart. A stuck reset input should not become a magic bridge around a hazard. And a reset station inside the danger zone? I do not care how tidy the wiring diagram looks; that is how bad machines get defended by pretty drawings.

Start, Stop, and Reset: The Table Nobody Wants in the Design Review

Before anyone argues about Category 3 versus Category 4, or PL d versus PL e, force the team to define what each function is actually doing. I’d use this table in the first design review, not the last one.

Start / Restart
  What people think it means: “Run the machine”
  What ISO 13849 forces you to ask: Can a start command create hazardous motion after a safety function has been demanded?
  Typical design risk: Start command doubles as unintended restart permission
  Evidence I would expect: Risk assessment, operating-mode logic, restart interlock design, validation test

Safety-related stop function
  What people think it means: “Stop when unsafe”
  What ISO 13849 forces you to ask: What safe state must be reached, within what response time, at what PLr?
  Typical design risk: Stop path depends on a single unmonitored contactor or valve
  Evidence I would expect: PL calculation, stop-time test, DCavg, MTTFD, CCF scoring, fault exclusions

Manual reset function
  What people think it means: “Clear the alarm”
  What ISO 13849 forces you to ask: Does reset restore safety-function readiness without starting hazardous motion?
  Typical design risk: Reset becomes an indirect start command
  Evidence I would expect: Monitored edge reset, external reset location, visibility of hazard zone

Emergency stop
  What people think it means: “Big red button”
  What ISO 13849 forces you to ask: Does it override start and hold stop until a deliberate reset/restart sequence?
  Typical design risk: E-stop reset restarts machine or masks a fault
  Evidence I would expect: IEC 60204-1 logic review, validation record, periodic test procedure

Light curtain interruption
  What people think it means: “Beam broken, machine stops”
  What ISO 13849 forces you to ask: Does the OSSD path reach the required PLr and prevent automatic restart?
  Typical design risk: Protective field clears and machine restarts while a person is still exposed
  Evidence I would expect: Safety distance, response time, OSSD wiring, restart interlock

Short version? No.

A start command is not allowed to become a loophole around a safety demand, and reset is not allowed to act like “start with better manners,” especially on machines where a person may still be inside a safeguarded area, clearing a jam, leaning through a gate, or standing behind a multi-sided access point.

This is where a real machine safety light curtain selection discussion becomes much more than picking beam pitch and protective height. If the device only interrupts motion but the restart logic is sloppy, the optical hardware gets blamed for a controls failure.

A safety-related stop function is not the same thing as pressing stop on the HMI.

It should bring the machine to a defined safe state when the safety function is demanded, and it has to meet the assigned PLr for the risk. That may mean redundant channels, monitored contactors, safety PLC logic, safe torque off, hydraulic dump valves, pneumatic exhaust, mechanical brakes, or a combination of these.

OSHA’s machine safeguarding guide makes the wider point in plainer regulatory language: safeguarding protects workers from hazardous machine areas, and lockout/tagout has to complement safeguarding during servicing and maintenance. That is not ISO terminology, but the practical overlap is obvious. A stop function that works during production may not protect someone during jam clearing, adjustment, cleaning, or maintenance.

I’ve seen the same mistake repeated in incident files: people design for the normal cycle, then act surprised when the injury happens during abnormal work.

Of course it does.

Machines hurt people during clearing, recovery, changeover, bypass, restart, and “just one quick adjustment.” That is exactly why ISO 13849 start stop reset requirements should be tied to operating modes, foreseeable misuse, and maintenance behavior — not just the automatic cycle.

If a guard opens, a light curtain trips, or a safety mat detects presence, the machine should not merely stop. It should stop through a safety-related control path that still behaves under credible faults.

That is the line between an industrial control function and a safety function.

Reset Is Where Bad Designs Hide

Reset looks harmless. It is not.

A manual reset safety function under ISO 13849 should restore the safety function after the cause of the stop has been removed; it should not initiate hazardous motion by itself. I will say that again because it is the line I would put on the wall of every panel shop: reset prepares; start commands.

A proper ISO 13849 reset function usually needs four things:

  1. The hazardous condition has been cleared.
  2. The reset device is outside the danger zone.
  3. The operator can verify the danger zone is clear.
  4. The reset input is monitored as a deliberate signal change, not a permanently held permissive.
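
The four conditions above, turned into controller-scan logic. This is an added example in Python, not code from the page or from any safety PLC vendor, and it is a behavioural model for reasoning about the logic rather than a certified SRP/CS implementation; the signal names (guard_closed, ossd_on, estop_released, reset, start) are assumptions. The model accepts the reset only on release of the button, matching the standard’s rule that reset is accepted only when the actuator is released from its energized position, and it also covers the power-up and curtain-clears cases discussed elsewhere on this page: neither produces motion without a fresh reset edge followed by a separate start.

```python
"""Behavioural model of a restart interlock: protective stop, manual reset, start.

Added example (not code from the page or from any safety PLC vendor).
Signal names are assumptions for illustration. The model is for reasoning
about the logic; a real SRP/CS needs a certified logic device, redundant
channels, diagnostics and validation.
"""
from dataclasses import dataclass, field


@dataclass
class Inputs:
    """Snapshot of the safety-related inputs for one controller scan."""
    guard_closed: bool = True      # interlock switch: gate closed
    ossd_on: bool = True           # light curtain OSSD pair on (field clear)
    estop_released: bool = True    # emergency stop not actuated
    fault: bool = False            # diagnostic fault from monitoring
    reset: bool = False            # reset pushbutton, high while pressed
    start: bool = False            # start pushbutton, high while pressed


@dataclass
class RestartInterlock:
    """Call scan() once per cycle; it returns the enable output for the drives."""
    enable: bool = False           # True: outputs energized (e.g. STO released)
    armed: bool = False            # True: safety functions restored and reset accepted
    _prev_reset: bool = False
    _prev_start: bool = False
    log: list = field(default_factory=list)

    def scan(self, i: Inputs) -> bool:
        # Any safety demand (guard open, field broken, E-stop, fault) drops
        # the enable at once and discards any earlier reset.
        demand = i.fault or not (i.guard_closed and i.ossd_on and i.estop_released)
        if demand:
            self.enable = False
            self.armed = False

        # Manual reset: accepted only on release of the button (falling edge)
        # and only while no safety function is demanded. A button welded high
        # or a stuck input never produces this edge, so it can never re-arm.
        reset_released = self._prev_reset and not i.reset
        if reset_released and not demand and not self.armed:
            self.armed = True
            self.log.append("reset accepted")

        # Start: a separate rising edge, accepted only when armed.
        # Reset alone never sets enable; start alone never bypasses a demand.
        start_pressed = i.start and not self._prev_start
        if start_pressed and self.armed and not demand:
            self.enable = True
            self.log.append("start accepted")

        self._prev_reset = i.reset
        self._prev_start = i.start
        return self.enable


def run(logic: RestartInterlock, steps: list) -> list:
    """Feed a sequence of input snapshots; return the enable output per scan."""
    return [logic.scan(s) for s in steps]


def scenario_proper_sequence() -> list:
    """Power-up, reset pressed and released, then start: enable only on start."""
    logic = RestartInterlock()
    return run(logic, [
        Inputs(),                 # power-up, nothing pressed: no automatic restart
        Inputs(reset=True),       # reset pressed
        Inputs(),                 # reset released: armed, still no motion
        Inputs(start=True),       # start pressed: enable
        Inputs(),                 # start released: enable held
    ])


def scenario_field_clears_no_restart() -> list:
    """A person breaks the field and steps out: a clear field is not a restart."""
    logic = RestartInterlock()
    run(logic, [Inputs(), Inputs(reset=True), Inputs(), Inputs(start=True)])
    return run(logic, [
        Inputs(ossd_on=False),    # field interrupted: protective stop
        Inputs(),                 # field clear again: must stay stopped
        Inputs(start=True),       # start without reset: refused
        Inputs(),
    ])


def scenario_welded_reset() -> list:
    """Reset contact held high (welded or taped): no edge, no re-arm, no start."""
    logic = RestartInterlock()
    return run(logic, [Inputs(reset=True)] * 3 + [Inputs(reset=True, start=True)])


def scenario_reset_during_demand() -> list:
    """Reset pressed while the field is still broken is rejected, not queued."""
    logic = RestartInterlock()
    return run(logic, [
        Inputs(ossd_on=False, reset=True),   # pressed while broken
        Inputs(ossd_on=False),               # released while broken: rejected
        Inputs(),                            # field clears
        Inputs(start=True),                  # start: refused, never armed
    ])


if __name__ == "__main__":
    for name in ("proper_sequence", "field_clears_no_restart",
                 "welded_reset", "reset_during_demand"):
        print(name, globals()[f"scenario_{name}"]())
```

The point of the four scenarios is the validation test you would write against the real logic: the only sequence that produces an enable is release-of-reset followed by a separate start, and a welded reset, a reset pressed during the demand, or a curtain that simply clears all leave the machine stopped.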

That is why the reset station matters on multi-entry machines. If a person can stand behind the curtain, around the fixture, or inside the cell while another person resets from a blind location, you do not have a reset problem. You have a body-in-zone problem.

For machines with multiple access points, a multi-sided access protection light curtain can reduce blind approach paths, but it still cannot repair bad restart logic. Hardware sees. Logic decides.

And logic is where companies get exposed.

Case Files: The Industry Keeps Relearning the Same Lesson

Let’s stop pretending this is theory.

On August 26, 2022, according to an OSHA accident file on a Sharp Chain Model 3916-001 lumber machine, a 44-year-old worker entered the machine to clear a blockage at a photo-eye lens sensor/profiler head. When the blockage was cleared, the machine activated. He was pinned and crushed between the profiler and frame and died from blade lacerations and blunt-force trauma.

That is start/restart logic written in blood.

On May 9, 2021, OSHA recorded another automatic-restart case where an employee tried to restart an automated mechanical seamer after product misalignment. The light curtain was disabled, the machine reenergized, and the employee’s left hand was caught at the cutting blade, causing an index-finger amputation, according to OSHA’s accident detail for the automated mechanical seamer.

Different machine. Same pattern.

And then there is United Hospital Supply. OSHA said supervisors and employees deliberately bypassed a press brake light curtain before a first-day worker suffered three finger amputations. The company faced $498,464 in proposed penalties and was placed in the Severe Violator Enforcement Program, according to OSHA’s May 17, 2023 United Hospital Supply release.

That one should make every “temporary bypass” conversation go quiet.

In 2023, the BLS recorded 226 fatal injuries involving workers struck, caught, or compressed by running powered equipment; 48 of those involved maintenance, cleaning, or testing, and 53 involved workers caught or entangled in running powered equipment, according to BLS CFOI Table A-9 for 2023. These are not rare edge cases. They are an industrial pattern with invoices, citations, amputations, funerals, and lawyers attached.

ISO 13849 Requirements: What the SRS Should Actually Say

The safety requirements specification — SRS — is where teams either get honest or start building fiction.

For start, stop, and reset functions, I would expect the SRS to define:

  • Machine hazard: crushing, shearing, entanglement, cutting, drawing-in, impact, trapped-person exposure.
  • Triggering event: guard open, OSSD off, E-stop pressed, pressure loss, servo fault, interlock fault, mode change, power restoration.
  • Safe state: STO active, hydraulic pressure removed, pneumatic energy exhausted, brake engaged, motion stopped, tool held, hazardous speed reduced.
  • PLr: PL c, PL d, or PL e, based on risk assessment.
  • Architecture: Category B, 1, 2, 3, or 4.
  • Diagnostic coverage: DCavg value and monitoring method.
  • MTTFD assumptions: contactor B10d, valve data, relay data, sensor data, operating cycles.
  • CCF score: separation, diversity, protection against contamination, EMC, overvoltage, training, design review.
  • Response time: sensor response + safety logic + output device + machine stopping time.
  • Reset behavior: edge-triggered, deliberate, visible from safe position, no hazardous motion by reset alone.
  • Restart conditions: separate start command, zone clear, all safety functions restored, faults cleared.
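
The PLr, architecture, DCavg, MTTFD and CCF entries in that list feed one calculation: the simplified PL estimation of ISO 13849-1. The following is an added example in Python, not code from the page; it encodes the standard’s MTTFD and DC bands and the category/DCavg/MTTFD table as I know them, and every component figure in it (a contactor B10D of 1.3 million cycles, a 220 day / 16 h / 20 s duty profile, the DC values, a CCF score of 70) is an assumption for illustration, not data from any datasheet. It runs the same contactor output stage under Category B, 1 and 3 to show why “a single unmonitored contactor” in the stop path is exactly the design risk the table flags.

```python
"""Simplified PL estimation of a stop-path output stage under ISO 13849-1.

Added example, not code from the page. The band thresholds and the
category/DCavg/MTTFD table are those of the standard's simplified method
as I know them; all component figures are assumptions for illustration.
"""

CATEGORY_B = 0                         # categories B, 1, 2, 3, 4 as 0..4
MTTFD_CAP_YEARS = {0: 100.0, 1: 100.0, 2: 100.0, 3: 100.0, 4: 2500.0}

# Simplified table: (category, DCavg band) -> {MTTFD band: PL}.
# Missing entries are combinations the method does not allow.
PL_TABLE = {
    (0, "none"):   {"low": "a", "medium": "b", "high": "b"},
    (1, "none"):   {"high": "c"},
    (2, "low"):    {"low": "a", "medium": "b", "high": "c"},
    (2, "medium"): {"low": "b", "medium": "c", "high": "d"},
    (3, "low"):    {"low": "b", "medium": "c", "high": "d"},
    (3, "medium"): {"low": "c", "medium": "d", "high": "d"},
    (4, "high"):   {"high": "e"},
}


def n_op(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Mean operations per year: days/year * hours/day * 3600 / cycle time (s)."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTFD in years for a wear part from its B10D figure: B10D / (0.1 * nop)."""
    return b10d / (0.1 * nop)


def channel_mttfd(part_mttfds, category: int) -> float:
    """Parts-count method: 1/MTTFD = sum(1/MTTFD_i), capped per category."""
    inv = sum(1.0 / m for m in part_mttfds)
    return min(1.0 / inv, MTTFD_CAP_YEARS[category])


def symmetrize(c1: float, c2: float) -> float:
    """Two channels with different MTTFD: 2/3 * (C1 + C2 - 1/(1/C1 + 1/C2))."""
    return 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def dc_avg(part_dcs, part_mttfds) -> float:
    """DCavg = sum(DC_i / MTTFD_i) / sum(1 / MTTFD_i)."""
    num = sum(dc / m for dc, m in zip(part_dcs, part_mttfds))
    den = sum(1.0 / m for m in part_mttfds)
    return num / den


def mttfd_band(mttfd: float):
    if mttfd < 3.0:
        return None                      # below 3 years: not usable
    if mttfd < 10.0:
        return "low"
    if mttfd < 30.0:
        return "medium"
    return "high"


def dc_band(dc: float) -> str:
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def pl_simplified(category: int, dc: float, mttfd: float, ccf_score: int):
    """PL letter for the channel, or None when the combination is not achievable."""
    if category >= 2 and ccf_score < 65:
        return None                      # Cat 2-4 need a CCF score of at least 65
    band = dc_band(dc)
    if category <= 1:
        band = "none"                    # B and 1 take no credit for diagnostics
    if category in (2, 3) and band == "high":
        band = "medium"                  # those categories have no DC-high column
    return PL_TABLE.get((category, band), {}).get(mttfd_band(mttfd))


def pl_meets(pl, plr: str) -> bool:
    """True when the achieved PL is at least the required PLr."""
    return pl is not None and "abcde".index(pl) >= "abcde".index(plr)


def contactor_stage(category: int, dc_contactor: float, ccf_score: int = 70):
    """One contactor per channel (assumed B10D 1.3e6, 220 d/y, 16 h/d, 20 s cycle)."""
    nop = n_op(220, 16, 20)                                       # 633 600 per year
    mttfd = channel_mttfd([mttfd_from_b10d(1.3e6, nop)], category)  # about 20.5 years
    dc = dc_avg([dc_contactor], [mttfd])
    return pl_simplified(category, dc, mttfd, ccf_score)


if __name__ == "__main__":
    print("Cat B, unmonitored contactor:", contactor_stage(CATEGORY_B, 0.0))
    print("Cat 1, unmonitored contactor:", contactor_stage(1, 0.0))
    print("Cat 3, unmonitored contactors:", contactor_stage(3, 0.0))
    print("Cat 3, feedback-monitored, DC 0.99:", contactor_stage(3, 0.99))
    print("meets PLr d:", pl_meets(contactor_stage(3, 0.99), "d"))
```

With these assumed figures the contactor lands at roughly 20.5 years, a medium MTTFD: a single unmonitored contactor reaches only PL b as Category B and nothing at all as Category 1, two unmonitored contactors claimed as Category 3 reach nothing either, and the same two contactors with mirror-contact feedback (DC 0.99) reach PL d. The hardware is identical in three of those four cases; the diagnostics and the architecture are what change the answer.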

This is not paperwork for paperwork’s sake. It is how you stop a design review from becoming opinion wrestling.

If you are specifying optical guarding, start with the risk. Finger protection may push you toward 10 mm or 14 mm resolution. Hand protection may allow wider resolution, depending on the distance and hazard. For smaller access points or precision machinery, a high-precision light curtain discussion may be justified. For presses, hydraulic machinery, and wide access points, a heavy-machine light curtain may fit the mechanical reality better.

But do not confuse product selection with functional safety design.

A Type 4 light curtain wired into a badly designed reset/restart chain is like a helmet with the chin strap cut off. It looks responsible until impact.


The OSSD Detail Procurement Teams Keep Missing

OSSD outputs are not decoration.

A dual OSSD safety light curtain can feed a safety relay or safety PLC with redundant, monitored signals. That matters when the safety function target is high enough to require fault detection and fault tolerance. It is one reason a dual-output safety light curtain with OSSD redundancy belongs in the conversation when the machine risk points toward higher PLr.

But here is the industry’s bad habit: procurement asks for OSSD, then ignores the rest of the SRP/CS.

OSSD alone does not give you PL e. A safety PLC alone does not give you PL e. A relay with a yellow housing does not give you PL e. The full chain matters: input, logic, output, wiring, diagnostics, environmental assumptions, validation, and maintenance discipline.

That is why the site’s own comparison of safety light curtains vs non-safety light curtains is a useful internal link here. The distinction is not cosmetic. One device category is meant to detect things. The other is meant to help keep people out of hazardous motion when properly integrated.

Type 2, Type 4, PLr, and the Cost-Down Lie

Here is my controversial opinion: a lot of Type 2 vs Type 4 debates are not technical debates. They are cost-down pressure wearing an engineering costume.

If the credible injury is slight, the exposure is controlled, and the risk assessment supports it, lower-performance safety functions may be valid. But if the credible injury is amputation, crushing, or death, I want to see a very serious written argument before anyone specs down.

The internal guide on Type 2 and Type 4 safety light curtains fits naturally here because ISO 13849 does not ask, “Which device is cheapest?” It asks whether the safety function achieves the PLr.

And PLr is not a vibe.

It is derived from severity of injury, frequency or duration of exposure, and possibility of avoiding the hazard, the S, F and P parameters of the risk graph in the standard’s Annex A. Once PLr is set, the SRP/CS design has to reach it through architecture, MTTFD, DCavg, and CCF controls.

That means start, stop, and reset logic cannot be evaluated in isolation. They have to be evaluated as behavior inside the safety function.

What “Really Requires” Means in Shop-Floor Language

So what does ISO 13849 really require for start, stop, and reset functions?

It requires proof, not hope.

For a safety-related stop function, you need a defined safe state and a control architecture that reaches the required PLr. For a manual reset function, you need a deliberate action that restores readiness without initiating hazardous motion. For a start/restart function, you need to prevent unexpected or automatic restart after a safety demand unless the reset and start conditions are intentionally satisfied.

That is the stripped-down version.

The deeper version is uglier: you need to design against the operator who clears a jam at 2:00 a.m., the supervisor who wants the line back up, the technician who tapes a sensor “just for testing,” the integrator who assumes the PLC program is someone else’s problem, and the buyer who thinks the light curtain quotation is the safety plan.

It isn’t.

If your machine can restart after a blockage clears, after power returns, after a guard closes, or after a light curtain field is restored without a deliberate safe sequence, then ISO 13849 is not your biggest problem. Physics is.

FAQs

What are ISO 13849 requirements for start, stop, and reset functions?

ISO 13849 requirements for start, stop, and reset functions are design and validation duties for safety-related control behavior, requiring the machine builder to define each safety function, assign PLr, design the SRP/CS, verify fault response, and prevent reset or restart logic from creating hazardous motion.
In practical terms, the start button should not override a safety demand, the stop function must reach the defined safe state, and reset must restore permission only after the hazardous condition has been cleared.

When is a reset function safety-related?

A reset function is safety-related when it restores or enables a safety function after a protective stop, fault, interlock trip, light curtain interruption, or emergency stop, especially where an improper reset could allow hazardous motion or expose a person inside the danger zone.
If reset only clears a non-safety diagnostic message, it may not be part of the SRP/CS. But if reset affects restart permission, treat it with suspicion and document the logic.

Can a machine restart automatically after a light curtain clears?

A machine should not automatically restart after a light curtain clears when a person could still be exposed to hazardous motion, because restart normally requires safe-zone confirmation, restoration of the safety function, and a separate deliberate start action after any required manual reset.
This is the difference between “the beam is clear” and “the machine is safe to run.” Those are not the same sentence.

What is the difference between stop and emergency stop in ISO 13849 design?

A safety-related stop is a defined safety function that brings the machine to a safe state under specified conditions and PLr, while emergency stop is a complementary protective measure (ISO 12100 terminology) intended for urgent human intervention; it must not replace proper guarding or normal risk reduction.
In a good design, stop functions override related start functions, but emergency stop should not be used as the main production stop or as compensation for poor safeguarding.

What documents prove ISO 13849 compliance for reset and restart logic?

ISO 13849 compliance for reset and restart logic is normally supported by a risk assessment, safety requirements specification, PLr determination, SRP/CS architecture, component reliability data, diagnostic coverage assumptions, CCF scoring, circuit diagrams, software review, validation tests, and recorded restart-behavior checks.
If the file cannot show how reset behaves after faults, power loss, guard opening, OSSD interruption, and mode changes, it is not finished. It is merely assembled.

Your Next Step Before the Machine Gets a Vote

Do not start by asking for a cheaper light curtain.

Start by writing the safety function.

Define the hazard, safe state, PLr, stop time, reset sequence, restart conditions, operating modes, access points, and proof tests. Then choose the hardware that can support that design: safety relay, safety PLC, contactors, valves, STO drives, OSSD light curtains, interlocks, or multi-sided guarding.

If your team is already reviewing a machine with unclear start/restart behavior, use the internal safety device selection resources and then request an engineering review through Safety Curtain’s contact page. Bring the machine layout, stop-time data, required protective height, resolution, sensing range, output type, voltage, cable requirements, and target market.

Because the blunt truth is simple: ISO 13849 does not care that the machine “usually works.” It cares what happens when the wrong thing happens at the wrong second.
