When working with Siemens safety CPUs, the concepts of "passivation" and "depassivation" are frequently encountered.
So, what are passivation and depassivation?
When does passivation occur?
What is the difference between channel passivation and module passivation?
How can one determine if a module has undergone passivation?
How does one depassivate?
01
Passivation
Passivation describes a state where a fault-safe signal module or an individual channel within the module, when passivated, automatically substitutes the process value with a fault-safe value (0). Put simply, in a passivated state, the output module does not produce any output, even if the output address in the safety program is still set. Similarly, the input module does not register any input (instead, it provides a substitute value of "0" to the safety program), even if the actual signal state is energized (1).
Input Passivation:
Taking an emergency stop signal as an example, under non-passivated conditions, if the emergency stop button is not pressed, the emergency stop signal state is 1. However, under passivated conditions, even if the emergency stop button is not pressed, the emergency stop signal state becomes 0, triggering an emergency stop alarm on the line.
Output Passivation:
Taking the example of a safety power supply signal, under non-passivated conditions, if the output signal is 1, the output module would provide 24V. However, under passivated conditions, even if the output signal is 1, the output module would not provide any 24V output.
Depassivation
Depassivation, as the term suggests, refers to the elimination of the passivated state.
02
When does passivation occur?
• During the startup phase of the fault-safe system's CPU until the CPU enters the "RUN" mode.
• When a PROFIsafe communication error occurs between the fault-safe CPU and the fault-safe signal module.
• When a fault occurs in the fault-safe signal module or its channel (e.g., broken wire, crossed wiring, etc.).
• When the parameter PASS_ON is set to 1 within the Data Block (DB) of the fault-safe signal module.
03
What is the difference between channel passivation and module passivation?
Under the properties of a safety module, it can be configured whether to passivate the entire module or just a single channel when an abnormality occurs in one of the channels.
04
How can one determine if a module has undergone passivation?
During the hardware configuration compilation, the safety system automatically creates an F-IO Data Block (DB) for each F-IO module. The variables PASS_OUT and QBAD within this DB can be evaluated in the program. If the F-I/O undergoes passivation, the variables PASS_OUT and QBAD will both equal 1. The following figures illustrate the states of the F-IO DB variables PASS_OUT and QBAD when an ET200S 4/8 F-DI module encounters a fault and enters a passivated state in STEP7 and TIA Portal software, respectively.
05
How to Depassivate?
After the error that caused the fault-safe signal module to passivate disappears, the user needs to confirm the module's status. This confirmation operation is referred to as depassivation (reintegration). Once depassivation is completed, the module switches from providing the fault-safe value (0) to the process value, and the output state is once again controlled by the process image area address, with the input process image area address providing the actual signal status.
Request for Depassivation:
After the fault that caused the safety module to passivate is repaired, the request-acknowledge signal ACK_REQ in the corresponding F-IO DB changes to 1, indicating that the fault has been resolved and a request for depassivation has been made.
Depassivation:
Depassivation can be achieved simply by pulsing the variable ACK_REI in the F-IO Data Block (DB) to set it, thereby providing an acknowledgement signal.
