What should you do if the F-CPU goes into STOP mode and the message "Data corruption in the safety program ..." appears in the diagnostics buffer?
This can happen in the following cases:
- The standard user program or an external device (HMI, for example) writes data that is read in the safety program while the safety program is being processed, for example:
  - Write access to standard data through higher-priority interrupts
  - Write access to standard data through HMI/communication
  - Use of clock markers
  - Update of a partial PII through higher-priority interrupts
- Safety-related parameters are changed in the hardware configuration and then only the hardware configuration is loaded.
- Single F blocks are changed and loaded when safety mode is disabled (applies only for Distributed Safety).
- Retain is enabled in an instance DB of an F FB (applies only for TIA Portal V13 SP1 and lower).
- The safety program is called by multiple OBs (by OB123 and OB35 in migrated projects, for example).
- Obsolete timer instructions are used in the safety program.
The additional information below helps you to identify errors:
- Start address of the F IO
- Offset of the output

The offset of the output is the offset of the first defective byte, counted from the start address of the module.
- Offset = 0 .. n: error in the channels
- Offset = n+1: error in the control byte of the module, for example: signals "PASS_ON", "ACK_REQ"
- n = number of channels / 8
Start address = "452" and Offset = "0" means that the data corruption is in output byte 452 (for F-DQ: Q452.0 to Q452.7).
Check the complete path that affects the output. The cause might lie several networks earlier or even in another block.
In Distributed Safety you can check program-supported access from the standard program to the safety program. This function is available under "Options > Edit safety program > Compile > Check for Accesses from the Standard User Program".
Clear and avoid errors
If data corruption occurs in the safety program or you wish to avoid this happening, you should check the following points:
Applies for STEP 7 V5.x and STEP 7 V1x:
- Data that is read in the safety program must not be changed when the safety program is being processed. See next section.
- The upper or lower limits of a value range might be exceeded in the result of a mathematical operation (overflow). You should therefore make sure that the permissible range is not exceeded when you create the program.
  - A library with mathematical operations that intercept overflow is available in the Siemens Industry Online Support: 109482083
  - With S7-300 and S7-400 you can evaluate the Overflow error bit for this (OV bit in the status word).
- For an output parameter of a fail-safe receive block you must not use an actual parameter that is already being used for an input parameter of the same or another F_RCVDP call. Otherwise, either the F CPU might go into STOP because data corruption is detected, or you get the following error message: "F_Receive Block xxx may only be called at the start of the F program block".
- Clock markers that you defined when configuring your F CPU (in the Object Properties dialog of the F CPU in the hardware configuration) might change while the F runtime group is running, because clock markers run asynchronously to the F CPU cycle.
  - Remedy: In a cyclic OB, copy the clock marker to a different byte and then use that byte in the F program.
Applies only for STEP 7 V5.x:
- In an F block, the first access to a temporary variable must be a write access. With the operations flip-flop (SR, RS), set output (S) or reset output (R) you cannot initialize any temporary variables.
- In an F-FB/F-FC you can only have read access to the input parameters and only write access to the output parameters. Use an InOut parameter for read and write access here.
- Automatically generated program segments must not be changed or deleted. In the hardware configuration you must not change or delete blocks reserved for the F CPU in the "F Parameters" tab of the "CPU Properties" dialog.
- You must not change safety program data via "Monitor/modify variables".
Data exchange between standard user program and safety program
Proceed as follows to exchange data between the standard user program and the safety program:
- Do not use any markers, see Programming Guidelines for S7-1200/S7-1500: 81318674
- Concentrate access between the safety program and the standard user program to two standard DBs.
- To prevent an HMI or another external device from changing data during processing of the safety program and thus causing data corruption, do not write directly to the data buffer from an HMI or other external device. Instead, you should copy this data in the standard user program to the data buffer.
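
The effect of the data buffer can be reproduced in a small simulation. This is an added example in Python, not Siemens code and not part of the original FAQ. It assumes a simplified model in which the safety program reads the same data in two passes and stops on a mismatch; all names in it (`hmi_db`, `buffer_db`, `run_cycles` and so on) are hypothetical.

```python
# Added illustration, not Siemens code. Simplified model: the safety program
# evaluates the same input in two passes and stops if the passes disagree.
# All names here (hmi_db, buffer_db, run_cycles, ...) are hypothetical.

class DataCorruption(Exception):
    """Stands in for the F-CPU STOP 'Data corruption in the safety program'."""

def safety_program(read, async_write):
    first = read()        # pass 1 reads the standard data
    async_write()         # HMI / higher-priority interrupt fires mid-processing
    second = read()       # pass 2 reads the same address again
    if first != second:
        raise DataCorruption(f"pass 1 read {first!r}, pass 2 read {second!r}")
    return first

def run_cycles(use_buffer, hmi_writes):
    """One cycle per entry of hmi_writes (None = no HMI write in that cycle).
    Returns (values used by the safety program, cycle of STOP or None)."""
    hmi_db = {"release": False}      # written by the HMI at any time
    buffer_db = {"release": False}   # written only by the standard user program
    used = []
    for cycle, new_value in enumerate(hmi_writes):
        if use_buffer:
            # Standard user program copies once, before the safety program runs.
            buffer_db["release"] = hmi_db["release"]
        source = buffer_db if use_buffer else hmi_db

        def hmi_write():
            if new_value is not None:
                hmi_db["release"] = new_value

        try:
            used.append(safety_program(lambda: source["release"], hmi_write))
        except DataCorruption:
            return used, cycle
    return used, None

# Constructed sample: the HMI sets the bit during cycle 1 and clears it in cycle 3.
CONSTRUCTED_HMI_WRITES = [None, True, None, False]

if __name__ == "__main__":
    print("direct  :", run_cycles(False, CONSTRUCTED_HMI_WRITES))
    print("buffered:", run_cycles(True, CONSTRUCTED_HMI_WRITES))
```

With the buffer, a value written by the HMI reaches the safety program one cycle later, and no write can land between the two passes.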