AWC and Siemens application engineers recently encountered an interesting scenario in which the failsafe program (F-program) of a failsafe PLC (F-PLC) stopped executing because of an unexpected programming error. The program accessed the instance data block (IDB) of an IEC timer directly from the F-program; because of how the S7-1200 and S7-1500 PLCs handle timers, this access caused the F-program to fail its consistency check.
It is important to note that IEC timers in S7-1200 and S7-1500 PLCs are updated when (1) the timer is called in a program block or (2) the timer's output parameters Q and ET are accessed. Because of this behavior, reading the timer's IDB from the F-program can change the timer output while the F-runtime group is executing, which the F-PLC detects as data corruption of the F-program and responds to by going into STOP mode. If timer functions are needed in an F-program, use the timer functions from the STEP 7 Safety library. Alternatively, copy the timer bit from a lower-priority standard program block into a data block (DB) and have the F-program read that DB to enable the failsafe digital outputs (F-DQ).
To avoid data corruption, Siemens recommends creating transfer data blocks specifically to store the data exchanged between the standard user program and the F-program. This decouples the program blocks of the standard program and the F-program, so that changes in the standard program do not affect the F-program and vice versa, as long as the transfer data blocks themselves are not modified. The image below shows how these blocks interact in such a project.
Because it is intermittent, this kind of behavior is very hard to pinpoint and may go unnoticed until a plant is brought down. For this reason, no instance data block (IDB) of any function block (FB) should ever be accessed directly. If data contained in an IDB is needed elsewhere in the program, pass it out through the interface of the FB.
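As an added example (not code from AWC or Siemens) of the transfer-DB approach described above, the following SCL shows the standard-program side: a non-failsafe FB owns the IEC timer and copies its Q bit into a dedicated transfer DB, which is the only thing the F-program reads. The block and DB names ("StdToF_Transfer", "FB_DelayToSafety") and the delay parameter are assumptions; the F-program side is written in F-LAD or F-FBD and simply reads the transfer DB bit.

```scl
// Transfer DB (assumed name): the only data the F-program reads from
// the standard program. Written by one standard block, never by the F-program.
DATA_BLOCK "StdToF_Transfer"
   VAR
      DelayElapsed : Bool;   // stable copy of the timer's Q output
   END_VAR
BEGIN
   DelayElapsed := FALSE;
END_DATA_BLOCK

// Standard (non-failsafe) FB, called from a lower-priority OB such as OB1.
// It owns the IEC timer as a multi-instance, so the timer's IDB is never
// touched from outside this block.
FUNCTION_BLOCK "FB_DelayToSafety"
   VAR_INPUT
      Start : Bool;          // request to start the on-delay
      Delay : Time;          // assumed delay, e.g. T#2S
   END_VAR
   VAR_OUTPUT
      Elapsed : Bool;        // same value exposed through the FB interface
   END_VAR
   VAR
      OnDelay : TON_TIME;    // IEC on-delay timer as multi-instance
   END_VAR
BEGIN
   // Calling the timer and reading Q here is fine: this is the standard
   // program, not the F-runtime group, so the timer update is harmless.
   #OnDelay(IN := #Start, PT := #Delay);
   #Elapsed := #OnDelay.Q;

   // Hand the bit to the F-program through the transfer DB. The bit only
   // changes when this block runs, so the F-runtime group sees a value that
   // does not move underneath it during its consistency check.
   "StdToF_Transfer".DelayElapsed := #Elapsed;
END_FUNCTION_BLOCK

// What the F-program must NOT do (the failure described above): read the
// timer's IDB directly, e.g. "FB_DelayToSafety_DB".OnDelay.Q. That access
// updates the timer inside the F-runtime group and trips the F-PLC to STOP.
// Instead the F-FBD/F-LAD network reads "StdToF_Transfer".DelayElapsed
// and uses it to enable the F-DQ channel.
```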