03/2006 6 Programming the control

6.3 Protection level concept

Range of values Indicates the input limits. If no range of values is specified, the data type deter-
mines the input limits and the field is identified with “∗∗∗”.
A detailed explanation of the machine data and a list of all the machine and set-
ting data can be found in the following documentation:
Reference material: /LIS1/ Lists

6.3 Protection level concept

Protection levels In SINUMERIK 840D there is a protection level concept to enable data areas.
Protection levels range from 0 to 7, 0 representing the highest and 7 the lowest
level.
The lock for protection levels
6
0 to 3 is set with a password in the “Start-up”
operating area.

4 to 7 is set directly with key switch positions 3 to 0

on the machine control panel (MSTT).
Protection level 4 (key switch position 3) and higher is required to display
machine data.
The appropriate protection level must generally be enabled by means of pass-
word “EVENING” to start up the system.

Table 6-2 Protection level concept with the relevant data areas

Protection level Locked by data areas

0 Password Siemens
1 Password: SUNRISE (default) Machine manufacturer
2 Password: EVENING (default) Commissioning engineer,
Service
3 Password: CUSTOMER (default) End user
4 Key switch position 3 Programmer, machine setter
5 Key switch position 2 Qualified operator
6 Key switch position 1 Trained operator
7 Key switch position 0 Semi-skilled operator

Protection levels Protection levels 0 to 3 require a password to be entered. The password for
0–3 level 0 provides access to all data areas. For protection levels 1 to 3, default
passwords are defined when the system is powered up in start-up mode (NCK
start-up switch in position 1). To guarantee secure access, these default pass-
words MUST be changed once they have been activated. If, for example, the
passwords have been forgotten, then the system must be reinitialized (NCK
general reset). This resets all passwords to the standard of this software
version.

 Siemens AG 2006 All Rights Reserved

SINUMERIK 840D/810D Start-Up Guide (IADC) – 03/2006 Edition 6-53
 6 Programming the control 03/2006
6.3 Protection level concept

In the Start-up area “Start-up”, you can change the set password using a soft
key. The password remains valid until it is reset with the soft key DELETE
PASSWORD. A POWER ON does not reset the password.
Reference material: /BAD/ HMI Advanced User Guide
BEM/ HMI Embedded User Guide

Protection level Protection levels 4 to 7 each require a different key switch position on the ma-
4–7 key switch chine control panel. Three keys of different colors are provided for this purpose.
Each of these keys is capable of providing access to particular data areas.

Table 6-3 Meaning of key switch positions

Key color Switch position Protection level

(no key inserted) 0 = Remove key position 7
6 Black 0 and 1 6–7
Green 0 to 2 5–7
Red 0 to 3 4–7

Note
The associated interface signals can be found in DB10, DBX56.4–7, see
Reference material: /FB1/ A2, Basic machine function guide,
Various NC/PLC interface signals,
Section: Key switch position

Redefining protec- The user can modify the protection levels for reading and writing data. This pre-
tion levels vents display and input of certain data. Only protection levels of lower priority
can be assigned to the machine data, setting data can also be assigned protec-
tion levels of higher priority. The commands APR and APW are used to change
the protection levels.
The protection levels of individual machine or setting data can be changed in
the SGUD.DEF file.
Example SGUD.DEF file:
%_N_SGUD_DEF
;$PATH=/_N_DEF_DIR
REDEF $MA_CTRLOUT_SEGMENT_NR APR 2 APW 2 (APR ... read rights)
REDEF $MA_ENC_SEGMENT_NR APR 3 APW 2 (APW ... write rights)
REDEF $SN_JOG_CONT_MODE_LEVELTRIGGRD APR 7 APW 2
M30
The file becomes active when the next _N_INITIAL_INI is read in. Different pro-
tection levels are specified for writing (changing) or reading (part program or
PLC).
Example:
MD 10000 is protected by levels 2/7, i.e. writing requires protection level 2
(corresponding to password) and reading requires protection level 7. To be able
to enter the machine data area you need at least key switch position 3.
Reference material: /PGA/ Programming Guide: Preparing for work
/FB1/ A2, “Various interface signals”

 Siemens AG 2006 All Rights Reserved

6-54 SINUMERIK 840D/810D Start-Up Guide (IADC) – 03/2006 Edition
03/2006 6 Programming the control
6.3 Protection level concept

6.3.1 Protection levels for NC language commands (REDEF)

Access rights to The existing protection level concept for accessing machine and setting data
execute NC and GUDs has been extended to include executing certain part program com-
commands mands and write access to system variables. Individual part program com-
mands are thus associated with a corresponding right of use.
The default setting for the current right of use corresponds to the access right
that is active on the control, i.e. to key switch position 0 to 3 or passwords for
end users through to Siemens, as shown in Table 6-2.
To allow the programs stored in the cycle directories to be used via a range of
commands that are independent of the rights of use of a particular operator, the
right of use is implicitly modified while these programs are running. To do this,
when programs are called from the cycle directories, the right of use is set to the
values stored in machine data MD 11160 to MD 11162, provided that a higher
access right has not already been set on the control by key switch or password.
6
Table 6-4 Modifying rights of use for the cycle directories

Assign defined rights of use to the cycle directory

MD 11160: ACCESS_EXEC_CST /_N_CST_DIR (standard cycles)
MD 11161: ACCESS_EXEC_CMA /_N_CMA_DIR (manufacturer’s cycles)
MD 11162: ACCESS_EXEC_CUS /_N_CUS_DIR (user cycles)

Allocation of pro- NC language commands are assigned protection levels using the REDEF com-
tection levels with mand. The following language constructs may be protected:
REDEF command
G codes (list of G functions/preparatory functions)

Predefined procedures and functions (predefined subprograms)

“DO” instructions for synchronous actions only

Write or read access to machine and setting data

Write access to system variables (part program and synchronous actions)

Cycle identifiers (PROC instruction)

Language commands that were generated via the compile cycle interfaces.
Once the part program commands have been activated, they are not executed
unless the relevant right of use exists. If this is not the case, then processing of
the part program is canceled and alarm 14018 is output.

Activating the As with the GUD definitions, separate definition files are provided for program-
protection levels ming the REDEF instruction:
Siemens system applications /_N_DEF_DIR/_N_SACCESS_DEF,
Machine manufacturer /_N_DEF_DIR/_N_MACCESS_DEF and
End user /_N_DEF_DIR/_N_UACCESS_DEF

 Siemens AG 2006 All Rights Reserved

SINUMERIK 840D/810D Start-Up Guide (IADC) – 03/2006 Edition 6-55
 6 Programming the control 03/2006
6.3 Protection level concept

When the control is powered up, these are evaluated in order, from
/_N_DEF_DIR/_N_SACCESS_DEF to /_N_DEF_DIR/_N_UACCESS_DEF.
Protection levels can only be allocated in these definition files. Apart from these
files, processing of the REDEF command is rejected and alarm 14018 is output.

Defining write To be able to check whether the REDEF instructions programmed in the defini-
protection for tion files are correct, the write protection for each definition file is evaluated. It
definition files must be equal to or greater than the
protection level specified in the REDEF command and the protection level cur-
rently assigned to the part program command or the machine or setting data.
Alarms 7500 and 15180 are triggered if these conditions are not fulfilled.
The write protection for the definition files is set via MD 11170 to MD 11172. Va-
lues between –1 and 7 are possible. If the value is –1, the value currently set in
the relevant definition file is retained.
6
Table 6-5 Setting write protection for the definition files

Machine data Associated definition directories

MD 11170: ACCESS_WRITE_SACCESS /_N_DEF_DIR/_N_SACCESS_DEF
MD 11171: ACCESS_WRITE_MACCESS /_N_DEF_DIR/_N_MACCESS_DEF
MD 11172: ACCESS_WRITE_UACCESS /_N_DEF_DIR/_N_UACCESS_DEF

Subprograms may be called in the above definition files. They must have the
extension _SPF or _MPF and be located in the search path for subprogram
calls or be called with the absolute path. They inherit the write protection of the
definition files set with MD 11170-11172: ACCESS_WRITE_xACCESS. For the
REDEF command,
see Reference material: /PGA/ Programming Guide for Work Preparation,
Section: 3

Defining write To ensure that the implicit right to use the cycle directories is not misused, write
protection for protection for these directories can be matched to the specific right of use with
cycle directories MD 11165-11167.

Table 6-6 Setting the write protection for cycle directories

Machine data Associated cycle directories

MD 11165: ACCESS_WRITE_CST /_N_CST_DIR (standard cycles)
MD 11166: ACCESS_WRITE_CMA /_N_CMA_DIR (manufacturer’s cycles)
MD 11167: ACCESS_WRITE_CUS /_N_CUS_DIR (user cycles)

 Siemens AG 2006 All Rights Reserved

6-56 SINUMERIK 840D/810D Start-Up Guide (IADC) – 03/2006 Edition
03/2006 6 Programming the control
6.3 Protection level concept

Note
The data back-up ensures that the protection levels set for the definition files
and cycle directories are also backed up and can be restored during standard
system start-up. See section 11 “Data back-up” and
Reference material: /BAD/ User Guide,
Section: Services area, Start-up functions
/BEM/ User Guide,
Section: Services area , Standard system start-up

6.3.2 Configurable parameter areas for GUD blocks

Configuring Individual GUD blocks can be supplemented with the following machine data to
6
parameter areas provide additional, channel-specific parameter areas:
MD 18660: MM_NUM_SYNACT_GUD_REAL[index] = <value>
MD 18661: MM_NUM_SYNACT_GUD_INT[index] = <value>
MD 18662: MM_NUM_SYNACT_GUD_BOOL[index] = <value>
Fields are created with the following properties:

Synact GUD of data type REAL, INT or BOOL with predefined names
SYG_....

The field size corresponds to the <value> of the relevant machine data

The new parameters may be read and written to both by the part program
and via synchronous actions. Once the relevant machine data has been set,
they are available the next time the control is powered up, and thus behave
like R parameters.

Table 6-7 Configuring additional parameter areas

$MN_MM_NUM_SYNACT_GUD Supplements
MD 18660 MD 18661 MD 18662 GUD block
REAL[0]=<value> INT[0]=<value> BOOL[0]=<value> SGUD block
REAL[1]=<value> INT[1]=<value> BOOL[1]=<value> MGUD block
REAL[2]=<value> INT[2]=<value> BOOL[2]=<value> UGUD block
REAL[3]=<value> INT[3]=<value> BOOL[3]=<value> GUD4 block
REAL[4]=<value> INT[4]=<value> BOOL[4]=<value> GUD5 block
REAL[5]=<value> INT[5]=<value> BOOL[5]=<value> GUD6 block
REAL[6]=<value> INT[6]=<value> BOOL[6]=<value> GUD7 block
REAL[7]=<value> INT[7]=<value> BOOL[7]=<value> GUD8 block
REAL[8]=<value> INT[8]=<value> BOOL[8]=<value> GUD9 block

 Siemens AG 2006 All Rights Reserved

SINUMERIK 840D/810D Start-Up Guide (IADC) – 03/2006 Edition 6-57
 6 Programming the control 03/2006
6.3 Protection level concept

Table 6-8 Predefined names for the additional parameters

Predefined names for Synact_GUD of type Real, Int Synact-GUD in

and Bool
SYG_RS[ ] Real SYG_IS[ ] Int SYG_BS[ ] Bool SGUD block
SYG_RM[ ] Real SYG_IM[ ] Int SYG_BM[ ] Bool MGUD block
SYG_RU[ ] Real SYG_IU[ ] Int SYG_BU[ ] Bool UGUD block
SYG_R4[ ] Real SYG_I4[ ] Int SYG_B4[ ] Bool GUD4 block
SYG_R5[ ] Real SYG_I5[ ] Int SYG_B5[ ] Bool GUD5 block
SYG_R6[ ] Real SYG_I6[ ] Int SYG_B6[ ] Bool GUD6 block
SYG_R7[ ] Real SYG_I7[ ] Int SYG_B7[ ] Bool GUD7 block
SYG_R8[ ] Real SYG_I8[ ] Int SYG_B8[ ] Bool GUD8 block
SYG_R9[ ] Real SYG_I9[ ] Int SYG_B9[ ] Bool GUD9 block

6
Access, display The new parameters are
and operation
displayed in the “Parameter area” on the HMI. Even if no GUD definition files
are effective, the new parameters are still available in the relevant GUD
block.

Deletion is handled as follows:

If the content of a certain GUD definition file is reactivated, then the old GUD
data block in the active file system is first deleted. The new parameters are
also reset.
If this operation takes place via the HMI in the “Services area” under Ma-
nage data using the Define and Activate user data (GUD), then the contents
of the variable are saved to INI files and are restored at the end of the ope-
ration.

Keywords The protection level assignments that are possible using the APR and APW
keywords in a GUD definition file continue to relate only to the GUDs defined in
this GUD definition file.
Protection levels for Synact GUDs are assigned via the REDEF command.

Values assigned The protection levels assignments take effect when the power up is complete.
with checksums If, during a standard system start-up, for example, it should be possible to run
initialization files with value assignments on protected variables without having
to modify the access right, then the value assignments must be protected by
checksums.
This method is already used when initializing machine data, setting data and
GUDs. Setting Bit0 in MD 11230: MD_FILE_STYLE means that, when initializa-
tion files are generated, a checksum is generated for each value assignment in
these files.

Note
From software version 7.1 onwards, this checksum is generated for all data to
be protected via initialization files.
Exception: R parameters.

 Siemens AG 2006 All Rights Reserved

6-58 SINUMERIK 840D/810D Start-Up Guide (IADC) – 03/2006 Edition
03/2006 6 Programming the control
6.3 Protection level concept

Example of a value assignment with checksum:

N18120 $MN_MM_NUM_GUD_NAMES_NCK=20 ’620c
(Checksum 620c preceded by an apostrophe)
When the initialization file is downloaded, there is a check to ensure that the
checksum is valid. If this is the case, the associated value assignment is execu-
ted, even if the access right set on the control is not sufficient.

Complete start-up The complete start-up procedure for the function is as follows:
1. Create the definition files
/_N_DEF_DIR/_N_SACCESS_DEF Siemens system applications
/_N_DEF_DIR/_N_MACCESS_DEF Machine manufacturer or
/_N_DEF_DIR/_N_UACCESS_DEF End user
2. Set the write protection for the definition files to the value required for
redefinition as follows using the machine data:
MD 11170: ACCESS_WRITE_SACCESS
MD 11171: ACCESS_WRITE_MACCESS
Siemens system applications
Machine manufacturer and
6
MD 11172: ACCESS_WRITE_UACCESS End user
3. Modify the rights to use the cycle directories as follows if the protected
commands are to be permitted there.
_N_CST_DIR, _N_CMA_DIR and _N_CUS_DIR
via machine data:
MD 11160: ACCESS_EXEC_CST Standard cycles
MD 11161: ACCESS_EXEC_CMA Manufacturer’s cycles and
MD 11162: ACCESS_EXEC_CUS User cycles
4. Modify the write protection for the cycle directories to the right to use set
above as follows so that the implicit right to use the cycle directories cannot
be misused.
_N_CST_DIR, _N_CMA_DIR and _N_CUS_DIR
via machine data:
MD 11165: ACCESS_WRITE_CST Standard cycles
MD 11166: ACCESS_WRITE_CMA Manufacturer’s cycles and
MD 11167: ACCESS_WRITE_CUS User cycles

Examples Machine data

Right to use cycle directories: ;
MD 11160: ACCESS_EXEC_CST = 2 ; Machine manufacturer
MD 11161: ACCESS_EXEC_CMA = 2 ; Machine manufacturer
MD 11162: ACCESS_EXEC_CUS = 3 ; End user
Write protection for cycle directories: ;
MD 11165: ACCESS_WRITE_CST = 2 ; Machine manufacturer
MD 11166: ACCESS_WRITE_CMA = 2 ; Machine manufacturer
MD 11167: ACCESS_WRITE_CUS = 3 ; End user
Write protection for definition files: ; set to value
MD 11171: ACCESS_WRITE_MACCESS = 1 ; Machine manufacturer
MD 11172: ACCESS_WRITE_UACCESS = 3 ; End user

 Siemens AG 2006 All Rights Reserved

SINUMERIK 840D/810D Start-Up Guide (IADC) – 03/2006 Edition 6-59
 6 Programming the control 03/2006
6.3 Protection level concept

Definition file for the machine manufacturer

%_N_MACCESS_DEF File for machine manufacturer
;$PATH=/_N_DEF_DIR
; Write protection for file is set to value 1 for machine manufacturer.
N010 ; Predefined procedures:
N020 REDEF CONTPRON APX 1 ; Record preparation for cutting cycle,
; Protection level: Machine manufacturer
N030 REDEF GEOAX APX 3 ; Geo axis assignment,
; Protection level: End user
N110 ; Predefined functions:
N120 REDEF INTERSEC APX 1 ; Point of intersection calculation
; Protection level: Machine manufacturer
; Write access to
6 N110 ; System variables:
N120 REDEF $P_CHBFR APW 3 ; Write basic frame
N130 REDEF $TC_MAP1 APW 3 ; Magazine data for tool management
; Write protection level: End user
N210 ; Synchronous actions
N220 REDEF DO APX 2 ; Protection level: Start-up engineer, Service
; Machine data
; $MC_GCODE_RESET_VALUES for
N310 ; Protection level: Enable key switch 0
N320 REDEF $MC_GCODE_RESET_VALUES APR 7 APW 7
M17

Definition file for the end user

%_N_UACCESS_DEF File for end user
;$PATH=/_N_DEF_DIR
; Write protection for file is set to value 3 for end user.
; Protection level for writing
; $MC_GCODE_RESET_VALUES for
; set end user
N510 REDEF $MC_GCODE_RESET_VALUES APR 7 APW 3
M17

 Siemens AG 2006 All Rights Reserved

6-60 SINUMERIK 840D/810D Start-Up Guide (IADC) – 03/2006 Edition