An engineer friend told me:
“Over the weekend, one of my colleagues encountered a passivation issue with a safety module at a project site. I helped him remotely and made a brief summary afterward. I’m sharing it with you in case it helps more people.”
Cause Analysis
1. Concept of Passivation:
To achieve functional safety, the fail-safe signal module uses a redundant design with two processors inside the module. The two processors monitor each other and automatically test the I/O circuits; when a fault is detected, they put the fail-safe signal module into a safe state. This is called passivation.
2. Passivation State:
When passivated:
- The output module forcibly switches off the physical outputs (equivalent to output = 0).
- The input module supplies the safety program with a predefined substitute value (0 or SUBS_V) instead of the measured value.
There are four main triggering conditions:
- System startup: from the start of the CPU startup phase until the fail-safe CPU enters RUN mode.
- Communication fault: a PROFIsafe communication error between the fail-safe CPU and the fail-safe signal module.
- Hardware fault: a fault in the fail-safe signal module or in one of its channels (for example wire break or cross-circuit).
- Parameter trigger: the safety program sets the parameter PASS_ON = 1 in the F-I/O DB of the fail-safe signal module.
De-passivation Solution
First, check the PROFIsafe network connection quality, the supply voltage, the field wiring, and the module hardware itself.
After repairing the hardware fault, perform software de-passivation as follows:
1. Concept of De-passivation:
When the error that caused the fail-safe signal module to be passivated has disappeared, the user must confirm the module status. This confirmation is called de-passivation (reintegration).
After de-passivation, the module switches from supplying the fail-safe value (0) back to the process value: the outputs are again driven by the output process image, and the input process image again delivers the actual signal states.
2. How to Read the Module Passivation Status:
When the hardware configuration is compiled, the safety system automatically creates an F-I/O DB for each F-I/O module.
In the program you can evaluate the variables PASS_OUT and QBAD of that DB. While the F-I/O is passivated, PASS_OUT = 1 and QBAD = 1, as shown in the figure:
How to De-passivate
When the fault that caused the safety module to be passivated has been corrected, the request/acknowledge signal ACK_REQ in the F-I/O DB changes to 1, indicating that the fault has been cleared and an acknowledgment for reintegration is requested, as shown in the figure. Acknowledge in one of two ways:
- Use the Safety instruction ACK_GL in TIA Portal to acknowledge all F-I/O of the F-runtime group at once.
- Trigger a pulse (rising edge) on ACK_REI in the F-I/O DB from the safety program.
Recommendations and Notes
- Set ACK_NEC = 0 to avoid a manual acknowledgment after a channel fault such as a wire break; the F-I/O is then reintegrated automatically as soon as the fault is gone. Only do this where an automatic restart of the affected process is permissible from a safety standpoint, and note that a PROFIsafe communication error still has to be acknowledged manually regardless of ACK_NEC.
- Set SUBS_ON = 1 so that the F-AI module supplies substitute values instead of holding the last value.
- Write the de-passivation logic inside the safety program, preferably in MAIN_FFB.
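The following simulation is an added example covering the acknowledgment procedure above and the ACK_NEC recommendation; it is not Siemens code and not part of the original summary. The variable names PASS_ON, ACK_NEC, ACK_REI, PASS_OUT, QBAD and ACK_REQ follow the F-I/O DB, while the cycle scheduling, the two fault kinds, the automatic reintegration on the first cycle after startup and the substitute value 0 are assumptions of the model. It shows why ACK_REI must be a pulse and why ACK_NEC = 0 does not remove the acknowledgment for a communication error.

```python
"""Constructed model of the F-I/O DB passivation / de-passivation handshake.

Added simulation, not Siemens code: the DB variable names follow the F-I/O DB,
the cycle scheduling, fault kinds and substitute value 0 are model assumptions."""
from dataclasses import dataclass


@dataclass
class FIODB:
    """The F-I/O DB variables used here. The safety program writes the first
    three; the F-system writes the last three."""
    PASS_ON: bool = False   # 1 = passivate on request of the safety program
    ACK_NEC: bool = True    # 1 = channel faults need a manual acknowledgment
    ACK_REI: bool = False   # rising edge = acknowledgment for reintegration
    PASS_OUT: bool = True   # 1 = module passivated (true from startup)
    QBAD: bool = True       # 1 = substitute value supplied instead of process value
    ACK_REQ: bool = False   # 1 = fault gone, acknowledgment requested


class FModule:
    SUBS_V = 0  # substitute value delivered while passivated (assumption)

    def __init__(self, ack_nec=True):
        self.db = FIODB(ACK_NEC=ack_nec)
        self._ack_rei_prev = False  # for rising-edge detection on ACK_REI
        self._pending = None        # "channel" / "comm" fault awaiting ack

    def cycle(self, process_value, channel_fault=False, comm_fault=False):
        """One F-runtime-group cycle. Returns the value the safety program
        reads from the input process image (substitute value if passivated)."""
        db = self.db
        # Remember the kind of fault: a PROFIsafe (comm) fault always needs an
        # acknowledgment, a channel fault only when ACK_NEC = 1.
        if comm_fault:
            self._pending = "comm"
        elif channel_fault:
            self._pending = "channel"
        fault_present = channel_fault or comm_fault

        # ACK_REI is evaluated on its rising edge only: a static 1 never
        # acknowledges anything (see static_ack_trap below).
        rising_edge = db.ACK_REI and not self._ack_rei_prev
        self._ack_rei_prev = db.ACK_REI

        if fault_present or db.PASS_ON:
            passivated = True           # fault active or forced by PASS_ON
            db.ACK_REQ = False
        elif self._pending is None:
            passivated = False          # nothing to acknowledge (also the first
                                        # cycle after startup, model assumption)
        elif self._pending == "channel" and not db.ACK_NEC:
            self._pending = None        # ACK_NEC = 0: automatic reintegration
            passivated = False
        else:
            db.ACK_REQ = True           # fault gone, acknowledgment requested
            if rising_edge:
                self._pending = None    # acknowledged: reintegrate now
                db.ACK_REQ = False
                passivated = False
            else:
                passivated = True
        db.PASS_OUT = passivated
        db.QBAD = passivated
        return self.SUBS_V if passivated else process_value


def ack_rei_pulse(module, process_value):
    """Emulates a one-cycle ACK_REI pulse from the safety program. ACK_GL does
    the same for every F-I/O of the F-runtime group at once."""
    module.db.ACK_REI = True
    value = module.cycle(process_value)
    module.db.ACK_REI = False
    return value


def wire_break_then_repair(ack_nec, comm_fault=False):
    """Trace: healthy, fault, repaired, acknowledged. Returns the values read
    by the safety program and whether ACK_REQ was raised after the repair."""
    m = FModule(ack_nec=ack_nec)
    trace = [m.cycle(1)]
    trace.append(m.cycle(1, channel_fault=not comm_fault, comm_fault=comm_fault))
    trace.append(m.cycle(1))              # fault gone: auto or wait for ack
    ack_requested = m.db.ACK_REQ
    trace.append(ack_rei_pulse(m, 1))
    return trace, ack_requested


def static_ack_trap():
    """ACK_REI left permanently at 1: the module never reintegrates."""
    m = FModule(ack_nec=True)
    m.db.ACK_REI = True
    m.cycle(1)
    m.cycle(1, channel_fault=True)
    return [m.cycle(1) for _ in range(3)]


if __name__ == "__main__":
    print(wire_break_then_repair(ack_nec=True))                  # ([1, 0, 0, 1], True)
    print(wire_break_then_repair(ack_nec=False))                 # ([1, 0, 1, 1], False)
    print(wire_break_then_repair(ack_nec=False, comm_fault=True))  # ([1, 0, 0, 1], True)
    print(static_ack_trap())                                     # [0, 0, 0]
```

With ACK_NEC = 1 the repaired channel stays at the substitute value 0 until the ACK_REI pulse; with ACK_NEC = 0 it returns to the process value in the cycle the fault disappears, but a communication fault still waits for the acknowledgment. The last trace shows the common mistake of wiring a constant 1 to ACK_REI: no rising edge ever occurs, so the module remains passivated.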
Summary:
Outstanding engineers are always good at learning and summarizing!