3.13 Programming startup protection
Introduction
Initiating a STOP state (e.g. by an operator action at the PG/PC, the mode switch, a communication function or the "STP" instruction), as well as maintaining a STOP state, is not safety relevant. Such a STOP state can be withdrawn very simply, including inadvertently, e.g. by an appropriate operator action at the PG/PC.
When an F-CPU is switched from STOP to RUN mode, the standard user program starts up in the usual way. When the safety program is started up, all F-DBs are initialized with the values from the load memory - as is the case with a cold restart. This means that saved error information is lost. The F‑system automatically reintegrates the F‑I/O. If your process does not allow such a startup, you must program a restart/startup protection in the safety program: The output of process data must be blocked until manually enabled. It is only permissible to issue the enable after process values can be output without incurring any risk, and faults have been removed.
Example of restart/startup prevention
In order to implement a restart/startup prevention, it must be possible to detect a startup. To detect a startup, declare a variable of data type BOOL with start value "TRUE" in an F‑DB. Because F-DBs are initialized from the load memory on every startup, this variable has the value "1" after each startup. Block the output of the process values while this variable has the value "1", e.g. by passivating the F-I/O using the variable PASS_ON in the F-I/O DB.
To manually enable the output of process data, reset this tag by means of a user acknowledgment.
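The following Python model is an added illustration of the mechanism just described and is not code from the manual or from STEP 7 Safety (a real safety program is written in F-LAD/F-FBD). The tag name STARTUP_PROTECT, the class names and the faults_present input are assumptions; PASS_ON is the F-I/O DB tag named above.

```python
"""Model of restart/startup protection in a safety program (constructed example).

An F-DB tag STARTUP_PROTECT with start value TRUE is re-initialized from
load memory on every STOP -> RUN transition (cold-restart behaviour), so the
process outputs stay passivated (PASS_ON = 1) until a user acknowledgment
resets the tag. The acknowledgment is only accepted once faults are removed.
"""
from dataclasses import dataclass


@dataclass
class FIoDb:
    """Minimal stand-in for the F-I/O DB; only PASS_ON is modelled."""
    PASS_ON: bool = False


@dataclass
class FDb:
    """F-DB of the safety program; the start value in load memory is TRUE."""
    STARTUP_PROTECT: bool = True


class SafetyProgram:
    def __init__(self) -> None:
        self.f_io = FIoDb()
        self.f_db = FDb()
        self.startup()

    def startup(self) -> None:
        """STOP -> RUN: all F-DBs are re-initialized from load memory,
        so STARTUP_PROTECT is TRUE again even if it had been reset before."""
        self.f_db = FDb()
        self.cycle()

    def cycle(self) -> bool:
        """One F-cycle: passivate the F-I/O while the startup flag is set."""
        self.f_io.PASS_ON = self.f_db.STARTUP_PROTECT
        return self.f_io.PASS_ON

    def user_acknowledge(self, faults_present: bool) -> bool:
        """Manual enable. Returns True if the acknowledgment was accepted.
        It is refused while faults are still present (enable is only
        permissible once process values can be output without risk)."""
        if faults_present:
            return False
        self.f_db.STARTUP_PROTECT = False
        self.cycle()
        return True

    def outputs_blocked(self) -> bool:
        """True while process data output is blocked (F-I/O passivated)."""
        return self.f_io.PASS_ON
```

Running a STOP -> RUN transition after a successful acknowledgment shows why the flag must live in an F-DB with start value TRUE: the outputs are blocked again and a new acknowledgment is required.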
Additional information
Additional information is provided in the help for SIMATIC STEP 7 Safety Advanced in the
following chapters:
● F-I/O DB
● Implementing a user acknowledgment
Safety program of the F-PLC
Safety Integrated (with SINAMICS S120)
86
Commissioning Manual, 02/2020, A5E46305916B AB