Siemens SIMATIC User Manual

SIMATIC

SIMATIC WinCC V7.5

Guidelines for Implementing Automation Projects in a GMP Environment

GMP Engineering Manual

Edition 09/2019

Answers for industry.

SIMATIC

SIMATIC WinCC V7.5
GMP Engineering Manual

Guidelines for Implementing Automation Projects in a
GMP Environment

Introduction

Configuring in a GMP
Environment

Requirements for Computer
Systems in a GMP
Environment

1

2

Configuration Manual

System Specification

System Installation and Basic
Configuration

Project Settings and
Definitions

Creating Application Software

Support for Verification

Data Backup

Operation, Maintenance and
Servicing

3

4

5

6

7

8

9

09/2019

A5E47300664-AA

System Updates and
Migration

Abbreviations

10

A

Legal information
Warning notice system

This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.

DANGER

indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING

indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION

indicates that minor personal injury can result if proper precautions are not taken.

NOTICE
indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be
used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property
damage.

Qualified Personnel

The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified
personnel are those who, based on their training and experience, are capable of identifying risks and avoiding
potential hazards when working with these products/systems.

Proper use of Siemens products

Note the following:

WARNING

Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended or
approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks

All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability

We have reviewed the contents of this publication to ensure consistency with the hardware and software described.
Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this
publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG
Digital Industries
Postfach 48 48
90026 NÜRNBERG
GERMANY

A5E47300664-AA
Ⓟ 09/2019 Subject to change

Copyright © Siemens AG 2019.
All rights reserved

Introduction

Purpose of the manual

This manual contains instructions for system users and configuration engineers for integrating
SIMATIC systems into the GMP environment (GMP = Good Manufacturing Practice). It covers
validation and takes into account special requirements of international regulatory bodies and
organizations, such as 21 CFR Part 11 of the FDA or EU GMP Guide Annex 11.

This manual describes what is required from the pharmaceutical, regulatory viewpoint (in short:
GMP environment), of the computer system, the software and the procedure for configuring
such a system. In the following chapters, practical examples are used to explain the
relationship between requirements and implementation.

To suggest improvements to this document, please use the contact details provided at the back
of this manual.

Target groups

This manual is intended for all plant operators, those responsible for system designs for specific
industries, project managers and programmers, servicing and maintenance personnel who use
the automation and process control technology in the GMP environment.

Basic knowledge required

Basic knowledge of SIMATIC WinCC is required to understand this manual. Knowledge of
GMP as practiced in the pharmaceutical industry is also an advantage.

Validity of the manual

The information in this manual applies to SIMATIC WinCC V7.5. The examined components
are SIMATIC WinCC (Configuration and Runtime) together with the WinCC/Web Navigator,
WinCC/DataMonitor options and the WinCC Premium add-ons PM-CONTROL, PM-QUALITY,
PM-OPEN IMPORT, PM-ANALYZE, and PM-LOGON. Refer to the product catalog or the
compatibility tool for information on the compatibility of the individual components with
SIMATIC WinCC.

● Product catalog CA01 (

● Compatibility tool (http://www.siemens.com/kompatool)

Any questions about the compatibility of the Premium Add-on products should be addressed
directly to the supplier, see here (http://w3.siemens.com/mcms/human-machine-interface/en/

visualization-software/scada/wincc-addons/Pages/Default.aspx).

www.siemens.com/automation/ca01)

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 3

Introduction

Position in the information landscape

The system documentation of the SIMATIC WinCC HMI system is an integral part of the
SIMATIC WinCC system software. It is available to every user as online help (HTML help) or
as electronic documentation in PDF format.

This manual supplements the existing SIMATIC WinCC manuals. It is not only useful as a
guideline during configuration, it also provides an overview of the requirements for
configuration and what is expected of computer systems in a GMP environment.

Structure of this manual

The regulations and guidelines, recommendations and mandatory specifications are
explained. These provide the basis for configuration of computer systems.

All the necessary functions and requirements for hardware and software components are also
described; this should make the selection of components easier.

The use of the hardware and software and how they are configured or programmed to meet the
requirements is explained based on examples. More detailed explanations can be found in the
standard documentation.

Training Centers

Siemens offers a number of training courses to familiarize you with the SIMATIC WinCC
operator control and monitoring system. Please contact your regional training center, or the
central training center in D 90327 Nuremberg, Germany.

Internet (

Siemens on the Internet

You can find a guide to the technical documentation available for the individual SIMATIC
products and systems here at:

SIMATIC HMI technical documentation (https://support.industry.siemens.com/cs/ww/en/view/

109744536)

The online catalog and online ordering system are available at: (http://

mall.industry.siemens.com/)

You can find additional information about the products, systems, and services from Siemens for
the pharmaceutical industry at: (http://www.siemens.com/pharma)

as well as information about the WinCC Premium Add-ons at: (www.siemens.de/process-

management)

You can contact the WinCC Center of Competence in Mannheim by e-mail at
WinCCAddon.automation@siemens.com

http://www.sitrain.com)

Technical support on the Internet

You can find comprehensive information about our Service and Support at: (http://

support.industry.siemens.com)

GMP Engineering Manual

4 Configuration Manual, 09/2019, A5E47300664-AA

Additional support

Introduction

The product support offered there includes:

● Technical specifications and information on the product status

● FAQs and application examples

You can also find on this page:

● Application examples

● Services in a comprehensive overview, e.g. information about on-site service, repairs,
spare parts, and much more

● A bulletin board in which users and specialists worldwide exchange their know-how

● mySupport for personal filters, notifications, support requests, among other things, our
newsletter containing up-to-date information on your products.

If you have any further questions about the use of products described in this manual, and do not
find the right answers there, please contact your local Siemens representative and offices.

Find your personal contact partner at: (http://www.siemens.com/automation/partner)

If you have questions on the manual, please contact:

E-mail: pharma@siemens.com

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 5

Introduction

GMP Engineering Manual

6 Configuration Manual, 09/2019, A5E47300664-AA

Table of contents

Introduction...................................................................................................................................................3

1 Configuring in a GMP Environment ............................................................................................................11

1.1 Regulations and guidelines ....................................................................................................11

1.2 Lifecycle model ......................................................................................................................11

1.3 Responsibilities ......................................................................................................................12

1.4 Approval and change procedure ............................................................................................13

1.5 Risk-based approach .............................................................................................................13

2 Requirements for Computer Systems in a GMP Environment ...................................................................15

2.1 Categorization of hardware and software ..............................................................................15

2.2 Test effort depending on the categorization...........................................................................15

2.3 Change and configuration management ................................................................................16

2.4 Software creation ...................................................................................................................16

2.5 Access control and user administration .................................................................................17

2.5.1 Applying access control to a system ......................................................................................17

2.5.2 Requirements for user IDs and passwords ............................................................................17

2.6 Requirements for electronic records ......................................................................................18

2.7 Electronic signatures..............................................................................................................18

2.8 Audit trail ................................................................................................................................19

2.9 Reporting batch data..............................................................................................................19

2.10 Archiving data ........................................................................................................................20

2.11 Data backup ...........................................................................................................................20

2.12 Retrieving archived data ........................................................................................................21

2.13 Time synchronization .............................................................................................................21

2.14 Using third-party components ................................................................................................21

3 System Specification ..................................................................................................................................23

3.1 Selection and specification of the hardware...........................................................................24

3.1.1 Hardware specification...........................................................................................................24

3.1.2 Selecting the hardware components......................................................................................24

3.2 Security of the plant network..................................................................................................25

3.3 Specification of the basic software.........................................................................................26

3.3.1 Operating system ...................................................................................................................27

3.3.2 Basic software for user administration ...................................................................................27

3.3.3 Software components for engineering ...................................................................................27

3.3.4 Software components for HMI level .......................................................................................28

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 7

Table of contents

3.3.5 Long-term archiving ...............................................................................................................30

3.3.6 Reporting................................................................................................................................31

3.3.7 Availability and plant configuration.........................................................................................32

3.3.8 Interfaces to process data......................................................................................................33

3.4 Application software specification ..........................................................................................34

3.5 Additional SIMATIC software .................................................................................................35

3.5.1 Batch-based control with PM-CONTROL...............................................................................36

3.5.2 Batch-based reporting with PM-QUALITY .............................................................................37

3.5.3 Batch-based long-term archiving with PM-QUALITY .............................................................37

3.5.4 Importing archives with PM-OPEN IMPORT..........................................................................37

3.5.5 Evaluation and analysis of logs with PM-ANALYZE ..............................................................37

3.6 Utilities and drivers.................................................................................................................38

3.6.1 Printer drivers.........................................................................................................................38

3.6.2 Virus scanners .......................................................................................................................38

3.6.3 Image & partition tools ...........................................................................................................38

4 System Installation and Basic Configuration ..............................................................................................41

4.1 Installation of the operating system........................................................................................41

4.2 Installation of SIMATIC components......................................................................................41

4.2.1 SIMATIC WinCC ....................................................................................................................42

4.2.2 SIMATIC Security Controller ..................................................................................................43

4.2.3 SIMATIC WinCC options........................................................................................................44

4.2.4 Setting up long-term archiving ...............................................................................................44

4.3 Setting up user administration................................................................................................44

4.3.1 User administration on the operating system level ................................................................46

4.3.2 Security settings in Windows .................................................................................................47

4.3.3 SIMATIC user groups.............................................................................................................48

4.3.4 Configuration of SIMATIC Logon ...........................................................................................49

4.3.5 Logon via RFID card reader with PM-LOGON.......................................................................51

4.3.6 Monitoring access protection .................................................................................................52

4.3.7 Administration of authorizations .............................................................................................52

4.3.8 Assigning authorizations ........................................................................................................54

4.4 Access control to operating system level ...............................................................................54

4.4.1 Startup characteristics............................................................................................................55

4.4.2 Disabling the operating system level during operation...........................................................57

4.5 Data and information security ................................................................................................59

5 Project Settings and Definitions..................................................................................................................65

5.1 Project setup ..........................................................................................................................65

5.1.1 Creating a project...................................................................................................................65

5.1.2 Multi-user engineering............................................................................................................65

5.2 Object-oriented configuration .................................................................................................66

5.2.1 Faceplate types......................................................................................................................66

5.2.2 User objects ...........................................................................................................................66

5.2.3 Picture window .......................................................................................................................67

5.2.4 Structure tag...........................................................................................................................67

5.2.5 Graphics Designer libraries....................................................................................................68

5.2.6 Project functions in the form of scripts ...................................................................................69

GMP Engineering Manual

8 Configuration Manual, 09/2019, A5E47300664-AA

Table of contents

5.3 Configuring redundancy .........................................................................................................70

5.4 Time synchronization .............................................................................................................71

5.4.1 Time synchronization concepts..............................................................................................71

5.4.2 Time stamping........................................................................................................................72

5.5 Configuration management....................................................................................................74

5.6 Versioning application software .............................................................................................74

5.6.1 Versioning pictures in Graphics Designer ..............................................................................75

5.6.2 Versioning VB / C scripts .......................................................................................................76

5.6.3 Versioning reports ..................................................................................................................78

5.6.4 Versioning of the entire WinCC project ..................................................................................79

6 Creating Application Software ....................................................................................................................81

6.1 Creating the graphic user interface ........................................................................................81

6.1.1 Standardized user interface ...................................................................................................82

6.1.2 Creating process pictures in the Graphics Designer..............................................................83

6.1.3 Password protection for process pictures ..............................................................................83

6.2 Creating operator input messages .........................................................................................84

6.3 Audit trail and change control.................................................................................................88

6.3.1 Audit trail for operator actions ................................................................................................88

6.3.2 Change control for the configuration and project engineering ...............................................92

6.4 Electronic signature................................................................................................................92

6.5 Recording and archiving data electronically...........................................................................95

6.5.1 Determining the data to be archived ......................................................................................96

6.5.2 Setup of process value and message archives......................................................................96

6.5.3 Setting up user archives.........................................................................................................97

6.5.4 Recording and archiving ........................................................................................................98

6.5.5 Long-term archiving ...............................................................................................................98

6.6 Reporting..............................................................................................................................100

6.6.1 Reporting with the WinCC Report Designer.........................................................................100

6.6.2 Batch-based reporting with PM-QUALITY ...........................................................................102

6.7 Monitoring the system ..........................................................................................................103

6.7.1 Evaluation of performance tags ...........................................................................................103

6.7.2 Diagnostics of communication connections .........................................................................103

6.7.3 Diagnostics for SIMATIC S7-1200 / S7-1500 channel .........................................................104

6.7.4 System information channel.................................................................................................105

6.7.5 Lifebeat Monitoring...............................................................................................................106

6.8 Data exchange with the plant control level...........................................................................106

6.9 Connecting via web..............................................................................................................108

6.9.1 Setting up user authorizations on the WinCC server ...........................................................109

6.9.2 Remote access via the network with the Web Navigator .....................................................110

6.9.3 Web access for data display ................................................................................................112

6.9.4 Web access for mobile devices............................................................................................112

6.10 Interfaces to SIMATIC WinCC .............................................................................................113

6.10.1 Interfacing to SIMATIC WinCC ............................................................................................113

6.10.2 Connection to SIMATIC S7 ..................................................................................................114

6.10.3 WinCC Cloud Connector......................................................................................................116

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 9

Table of contents

6.10.4 Interfacing third-party components.......................................................................................117

7 Support for Verification .............................................................................................................................119

7.1 Test planning........................................................................................................................119

7.2 Verification of the hardware .................................................................................................120

7.3 Verification of the software...................................................................................................121

7.3.1 Software categorization according to GAMP Guide.............................................................121

7.3.2 Verification of standard software..........................................................................................122

7.3.3 Verification of application software.......................................................................................124

7.4 Configuration control ............................................................................................................125

7.4.1 Versioning ............................................................................................................................125

7.4.2 Change control.....................................................................................................................127

7.4.3 Write protection ....................................................................................................................127

8 Data Backup .............................................................................................................................................129

8.1 Backup of the system installation.........................................................................................129

8.2 Data backup of the application software ..............................................................................130

9 Operation, Maintenance and Servicing ....................................................................................................133

9.1 Operation and monitoring.....................................................................................................133

9.1.1 Process visualization............................................................................................................133

9.1.2 Audit Trail Review ................................................................................................................133

9.2 Operational change control ..................................................................................................134

9.3 System restoration ...............................................................................................................134

9.4 Uninterruptible power supply................................................................................................136

10 System Updates and Migration ................................................................................................................137

10.1 General procedure ...............................................................................................................137

10.2 Updating the system software..............................................................................................138

10.3 Migration of the application software....................................................................................138

10.4 Validation effort for migration ...............................................................................................139

A Abbreviations............................................................................................................................................141

Index.........................................................................................................................................................143

GMP Engineering Manual

10 Configuration Manual, 09/2019, A5E47300664-AA

Configuring in a GMP Environment

As a prerequisite for configuring computer systems in the GMP environment, approved
specifications must be available. Requirements contained in standards, recommendations,
and guidelines must be observed when creating these specifications and when implementing
and operating computer systems. This chapter deals with the most important sets of
regulations and explains some of the basic ideas.

1.1 Regulations and guidelines

The regulations, guidelines and recommendations of various national and international
authorities and organizations have to be taken into account when configuring computer
systems requiring validation in the GMP environment. Regarding computer systems, the
following are of particular significance:

1

Title
(Author)

21 CFR Part 11
(US Food and Drug

Administration, FDA)
Annex 11 of the EU

GMP Guide
(European Commission)
GAMP 5
(ISPE)

1.2 Lifecycle model

A central component of Good Engineering Practice (GEP) is the application of a recognized
project methodology based on a defined lifecycle. The aim is to deliver a solution known as the
risk-based approach that meets the relevant requirements.

Subtitle Area of application

Electronic Records,
Electronic Signatures

Computerised systems Binding directive within the European Union for

A Risk-Based Approach
to Compliant GxP
Computerized Systems

Law/regulation for manufacturers and importers
of pharmaceutical products for the U.S. market

implementation in relevant national legislation

Guideline with worldwide validity as recommen‐
dation

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 11

Configuring in a GMP Environment

1.3 Responsibilities

GAMP 5 approach

The following figure shows the general approach of GAMP 5 for the development of
computerized systems. It begins with the planning phase of a project and ends with the start of
pharmaceutical production following completion of the tests and reports.

The lifecycle approach illustrated here is known as a generic model in GAMP 5. With this as the
basis, we will introduce several examples of lifecycle models for a variety of "critical" systems
with different stages of specification and verification phases.

Once production has started, the system lifecycle continues until decommissioning.

Siemens Validation Manual

Siemens has produced a "Validation Manual" based on the recommendations of the GAMP
Guide. This provides internal project teams with general information and concrete templates
(document templates) to help specify the validation strategy for a project. There are templates
not only for project planning documents but also for system specification and test
documentation. In contrast to this GMP Engineering Manual, the Siemens Validation Manual is
intended for internal Siemens use only.

1.3 Responsibilities

Responsibilities for the activities included in the individual lifecycle phases must be defined
when configuring computer systems in a GMP environment and creating relevant
specifications. As this definition is usually laid down specific to a customer and project, and
requires a contractual agreement, it is recommended to integrate the definition in the Quality
and Project Plan.

See also

● GAMP 5 Guide, Appendix M6 "Supplier Quality and Project Planning"

GMP Engineering Manual

12 Configuration Manual, 09/2019, A5E47300664-AA

1.4 Approval and change procedure

When new systems requiring validation are set up or when existing systems requiring validation
are changed, the top priority is to achieve or maintain validated status, which means ensuring
the traceability of the steps undertaken.

Before setting up or modifying a system, it is therefore necessary to plan, document and obtain
the customer's or plant operator's approval of the pending steps in terms of functionality and
time.

1.5 Risk-based approach

Both the U.S. FDA ("Pharmaceutical cGMPs for the 21st Century Initiative", 2004) and the
industry association ISPE/GAMP ("GAMP 5" Guide, 2008) recommend a risk-based approach
to the validation of systems. This means that question as to whether or not to validate a system
and the extent a system should be validated depends on its complexity and its influence on the
product quality.

Configuring in a GMP Environment

1.5 Risk-based approach

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 13

Configuring in a GMP Environment

1.5 Risk-based approach

GMP Engineering Manual

14 Configuration Manual, 09/2019, A5E47300664-AA

Requirements for Computer Systems in a GMP Environment

This chapter describes the essential requirements an automated system in the GMP
environment must meet regarding the use of computerized systems. These requirements must
be defined in the specification and implemented during configuration. In case of subsequent
changes or interventions in the system, reliable evidence must be provided at all times,
regarding who, at what time, and what was changed or implemented. The requirements for this
task are implemented in various functions and described in the following chapters.

Note

This chapter describes the general requirements for computerized systems. How to meet these
requirements with a specific system is dealt with starting from chapter "System Specification
(Page 23)“.

2.1 Categorization of hardware and software

Hardware categorization

2

According to the GAMP Guide, hardware components of a system fall into two categories
"standard hardware components" (category 1) and "custom built hardware components"
(category 2).

Software categorization

According to the GAMP Guide, the software components of a system are divided into various
software categories. These range from commercially available and pre-configured "standard"
software products that are merely installed, to configured software products and customized
applications ("programmed software").

2.2 Test effort depending on the categorization

The effort involved in validation (specification and testing) is much greater when using
configured and, in particular, customized products compared to the effort for standard products
(hardware and/or software). The overall effort for validation can therefore be significantly
reduced by extensive use of standard products.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 15

Requirements for Computer Systems in a GMP Environment

2.4 Software creation

2.3 Change and configuration management

All the controlled elements of a system should be identified by name and version and any
changes made to them should be checked. The transition from the project phase to the
operational procedure should be decided in good time.

The procedure includes, for example:

● Identification of the elements affected

● Identification of the elements by name and version number

● Change control

● Control of the configuration (storage, release, etc.)

● Periodic checks of the configuration

See also

● GAMP 5 Guide,
Appendix M8 "Project Change and Configuration Management"

2.4 Software creation

Certain guidelines must be followed during software creation and documented in the Quality
and Project Plan (in the sense of the Good Engineering Practice, in short GEP concept).
Guidelines for software creation can be found in the GAMP Guide as well as the relevant
standards and recommendations.

Use of type/instance concepts and copy templates

While the validation of "standard" software only calls for the software name and version to be
checked, customized software validation requires the entire range of functions to be checked
and a potential supplier audit to be performed.

Therefore, to keep validation work to a minimum, preference should be given to standardized
blocks during configuration (products, in-house standards, project standards). From these,
customized types and templates are created and tested according to the design specifications.

Identification of software modules/types/copy templates

During software creation, the individual software modules must be assigned a unique name, a
version, and a brief description of the module.

Changes to software modules/types/copy templates

Changes to software modules should be appropriately documented. Apart from incrementing
the version identifier, the date and the name of the person performing the change should be
recorded, when applicable with a reference to the corresponding change request/order.

GMP Engineering Manual

16 Configuration Manual, 09/2019, A5E47300664-AA

Requirements for Computer Systems in a GMP Environment

2.5 Access control and user administration

To ensure the security of computer systems in the GMP environment, such systems must be
equipped with an access control system. In addition to physical access control to certain areas,
access-control systems protect computer systems against unauthorized logical access. Users
are assembled into groups, which are then used to manage user permissions. Individual users
can be granted access authorization in various ways:

● Combination of unique user ID and password; see also chapter "Requirements for user IDs

and passwords" (Page 17)

● RFID / smart cards together with a password

● Evaluation of biometrics, e.g. fingerprint scanners

2.5.1 Applying access control to a system

In general, actions that can be performed on a computer system must be protected against
unauthorized access. Depending on a user's particular field of activity, a user can be assigned
various permissions. Access to user administration should only be given to the system owner
or to a very limited number of employees. Furthermore, it is absolutely essential that
unauthorized access to electronically recorded data is prevented.

2.5 Access control and user administration

The use of an automatic logout function is advisable and provides additional access protection.
This does not, however, absolve the user from the general responsibility of logging off when
leaving the system. The automatic logout time should be agreed with the user and defined in
the specification.

Note

Access to PCs and to the computer system must only be possible for authorized persons. This
can be supported by appropriate measures such as mechanical locks and through the use of
hardware and software for remote access.

2.5.2 Requirements for user IDs and passwords

User ID:
The user ID for a system must be of a minimum length defined by the customer and be unique

within the system.

Password:
For creation of passwords, a minimum number of characters and the expiry period of the

password should be defined. In general, a password should comprise a combination of
characters that meet the minimum length requirement as well as at least three of the criteria
listed below.

● Use of uppercase letters

● Use of lowercase letters

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 17

Requirements for Computer Systems in a GMP Environment

2.7 Electronic signatures

● Use of numerals (0-9)

● Use of special characters

See also

● Chapter "Setting up user administration (Page 44)"

2.6 Requirements for electronic records

The following requirements additionally apply to the use of electronic records for relevant data:

● The system must be validated.

● Only authorized persons must be able to enter or change data (access control).

● Changes to data or deletions must be recorded (audit trail).

● Electronic records that are relevant for long-term archiving must be stored securely and kept
available for their retention period.

● The initials and signatures required by the regulations must be implemented as electronic
signatures.

● "Relevant" production steps/processes, "significant" interim stages, and "major" equipment
must be defined in advance by the person responsible from a pharmaceutical perspective.
This definition is often process-specific.

● If an electronic batch production report is used, its structure and contents must match the
structure and contents of the master production record. As an alternative, the master
production record and batch production record can also be combined in one document.

See also

● EU GMP Guide, chapter 4.9 and Annex 11

● 21 CFR Part 11 "Electronic Records, Electronic Signatures", U.S. FDA

2.7 Electronic signatures

Electronic signatures are computer-generated information which acts as a legally binding
equivalent to handwritten signatures.

Regulations concerning the use of electronic signatures are defined, for example, in
21 CFR Part 11 of the US FDA or in EU GMP Guide Annex 11.

Electronic signatures are relevant in practice, for example, for manual data inputs and operator
interventions during runtime, approval of process actions and data reports, and changes to
recipes.

GMP Engineering Manual

18 Configuration Manual, 09/2019, A5E47300664-AA

Each electronic signature must be uniquely assigned to one person and must not be used by
any other person.

Note

During the production of drugs and medical devices, which enter the U.S. market, the FDA
regulations must be met. This is 21 CFR Part 11 with respect to electronic signatures.

Conventional electronic signatures

If electronic signatures are used that are not based on biometrics, they must be created so that
persons executing signatures must identify themselves using at least two identifying
components. This also applies in all cases in which a smart card replaces one of the two
identification components.

These identifying components can, for example, consist of a user ID and a password. The
identification components must be assigned uniquely and must only be used by the actual
owner of the signature.

Requirements for Computer Systems in a GMP Environment

2.9 Reporting batch data

Electronic signatures based on biometrics

An electronic signature based on biometrics must be created in such a way that it can only be
used by one person. If the person making the signature does so using biometric methods, one
identification component is adequate.

Biometric characteristics include fingerprints, iris structure, etc.

2.8 Audit trail

The audit trail is a control mechanism of the system that allows all data entered or modified to
be traced back to the original data. A secure audit trail is particularly important when GMP­relevant electronic records are created, modified or deleted.

Such an audit trail must document all the changes or actions made along with the date and time.
The typical content of an audit trail describes who changed what and when (old value / new
value), as an option it may also include "why".

2.9 Reporting batch data

In the production of pharmaceuticals and medical devices, batch documentation takes on a
special significance. For pharmaceutical manufacturers, methodically created batch
documentation is often the only documented evidence within the framework of product liability.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 19

Requirements for Computer Systems in a GMP Environment

2.11 Data backup

The components of batch documentation are as follows:

● Master production record and batch production record

● Packaging instructions and packaging record (from a pharmaceutical point of view, the
packaging of the finished drug is part of the manufacturing process)

● Test instructions and test report (relating to all quality checks, for example in the chemical
analysis)

The batch production record or packaging record has a central significance here and this is
defined below:

● The batch production record is always both product-related and batch-related.

● It is always based on the relevant parts of the valid master production record.

● It contains all process-relevant measurement and control processes as actual values.

● It also contains deviations from the specified setpoints.

2.10 Archiving data

(Electronic) archiving means the permanent storage of electronic data and records in long-term
storage.

The customer is responsible for defining procedures and controls relating to the storage of
electronic data.

Based on predicate rules (EU GMP Guide, 21 CFR Part 210/211, etc.), the customer must
decide how electronic data is stored and, in particular, which data is affected by this. This
decision should be based on a reasonable and documented risk assessment that takes into
account the significance of the electronic records over the retention period.

If the archived data are migrated or converted, the integrity of the data must be assured over
the entire conversion process.

See also

● GAMP 5 Guide, Appendix O9 "Backup and restore"

2.11 Data backup

In contrast to the archiving of electronic data, data backups are used to create backup copies,
which ensure system restoration if the original data are lost or a system failure occurs.

The backup procedure must include periodic backups of non-retentive information to avoid total
loss of data due to system components failures or inadvertent deletion of data. Backup
procedures must be tested to ensure that data is saved correctly. Backup records should be
labeled clearly and intelligibly and dated.

Data backups are created on external data carriers. The data media used should comply with
the recommendations of the device manufacturer.

GMP Engineering Manual

20 Configuration Manual, 09/2019, A5E47300664-AA

When backing up electronic data, the following distinctions are made

● Backup of the installation, for example partition image

● Backup of the application

● Backup of archive data, for example process data

Here, particular attention is paid to the storage of data backup media (storage of the copy and
original in different locations, protection from magnetic fields, and elementary damage).

See also

● GAMP 5 Guide, Appendix O9 "Backup and restore"

2.12 Retrieving archived data

It must be ensured that archived/backed up data can be read back at any time. If a system
update/migration is to be performed, compatibility of the archived data before the update must
be ensured. If required, the archived data must also be migrated.

See also

● GAMP 5 Guide, Appendix O13 "Archiving and retrieval"

Requirements for Computer Systems in a GMP Environment

2.14 Using third-party components

● GAMP 5 Guide, Appendix D7 "Data migration"

2.13 Time synchronization

A uniform time reference (including a time zone reference) must be guaranteed within a
system, to be able to assign an unequivocal time stamp for archiving messages, alarms etc.

Time synchronization is especially important for archiving data and analysis of faults. UTC
(Universal Time Coordinated, see also ISO 8601) is recommended as the time base for saving
data. The time stamp of messages and values can be displayed in local time with a note
indicating daylight saving time/standard time.

2.14 Using third-party components

When third-party components (hardware and software) are used, their compatibility to other
components in use must be verified. If components specifically "tailored" (customized) to
individual projects are used, a supplier audit should be considered in order to check the supplier
and their quality management system.

See also

● GAMP 5 Guide, Appendix M2 "Supplier Assessment"

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 21

Requirements for Computer Systems in a GMP Environment

2.14 Using third-party components

GMP Engineering Manual

22 Configuration Manual, 09/2019, A5E47300664-AA

System Specification

During the specification phase for a computer system, the system to be built and its functionality
are defined in as much detail as is required for implementation.

Specifications not only represent the basis for a structured and traceable configuration but are
– particularly in the GMP environment – an essential reference for final verification of the
system.

The specification covers the selection of products, product variants, options, and system
configurations, as well as the application software.

3

It is possible to divide the full specification, for example, into:

● Functional specification (FS) as a response to user requirement specifications (URS)

● System specification general (DCS design, general topics)

● Hardware (and network) design specification (HDS)

● Software design specification (SDS)

● HMI design specification

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 23

System Specification

3.1 Selection and specification of the hardware

3.1 Selection and specification of the hardware

With SIMATIC WinCC, you can implement a variety of different system configurations from
single-station system to multi-station system with a server/client structure.

● Single-station system with complete operation control and monitoring of a production
process on one single PC

● Multi-station system consisting of operator stations (WinCC clients) and one or more WinCC
servers that supply the WinCC clients with data

Availability can be increased by setting up redundant systems.

3.1.1 Hardware specification

The Hardware Design Specification (acronym: HDS) describes the hardware architecture and
configuration. The HDS should, for example, define the points listed below. This specification
is used later as a test basis for the verification.

● Hardware overview diagram, system structure and organization

● Control cabinets (control cabinet names, UPS configuration, location), PC station control
cabinets, automation system with CPUs, I/O cards, etc.

● PC components for server and client including their installation instructions

● Network structure for Industrial Ethernet, e.g., switches, names and IP addresses of PC
stations, Ethernet configuration, general network settings

● Time synchronization for hardware

● Field devices

The HDS can be an integral part of an overall specification or be extracted into a separate
document.

Note

The information in the hardware overview diagram and the naming of hardware components
must be unequivocal.

See also

● GAMP 5 Guide, Appendix D3 "Configuration and Design"

3.1.2 Selecting the hardware components

The SIMATIC WinCC software can be installed on any standard PC that meets the minimum
requirements for the hardware and software configuration. You can find details in the current
product catalog.

For production plants in a GMP environment (for example, in food and beverages or
pharmaceutical industry) Siemens has developed particularly rugged panel PCs with touch
screens and stainless steel fronts specially for installation on the shop floor.

GMP Engineering Manual

24 Configuration Manual, 09/2019, A5E47300664-AA

System Specification

3.2 Security of the plant network

The SIMATIC WinCC software is available as a pure software package or together with a Panel
PC as a complete HMI system.

System availability and data security, in particular for PC components with critical functions,
can be increased by using a suitable class of RAID systems and with a redundant system
design. In a redundant WinCC system hardware components such as WinCC server, screen
and operator controls are set up twice. If one WinCC server fails, the other automatically takes
over the functionality.

Note

We recommend using the approved hardware from the current product catalog
(www.siemens.com/automation/ca01). These components have been checked for
compatibility by Siemens in system tests. The use of unreleased configurations requires
additional effort for specification and test phase.

When PCs are placed in control cabinets, make sure that suitable hardware components are
used, for example remote kits.

3.2 Security of the plant network

In modern SCADA systems, the boundaries between the office world and that of automation
are increasingly disappearing. Automation solutions with connected Web clients, MES
connections, customized office networks and their office applications are growing in
importance. To satisfy these demands and ensure as high a level of data security as possible,
the planning and structure of networked WinCC automation solutions are highly important.

Options for improving IT security

SIMATIC offers several options for increasing data and information security and, thus, the
security of a production plant. These include:

● Central user administration, staggered user groups and operator rights

● Safety concepts for network security and limited access to network drives

● SIMATIC Security Controller (SSC), ships with WinCC, see chapter "SIMATIC Security

Controller (Page 43)"

● SIMATIC NET SCALANCE S firewall and VPN modules

See also

● Chapter "Data and information security (Page 59)"

● All-round protection with Industrial Security - Plant Security, online support under

entry ID 50203404 (https://support.industry.siemens.com/cs/ww/en/view/50203404)

● "Security concept PCS 7 and WinCC (Basic)" manual, online support under

entry ID 60119725 (https://support.industry.siemens.com/cs/ww/en/view/60119725)

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 25

System Specification

3.3 Specification of the basic software

3.3 Specification of the basic software

The Software Design Specification (SDS) describes the software’s architecture and
configuration. This describes not only the application software but also the "standard" software
components used in the system, for example by specifying the name, version number, etc. This
description serves as a reference when performing subsequent tests (FAT, SAT, etc.).

Commercially available standard software components include automation software
components as well as software provided by third parties such as the operating system,
Acrobat Reader or MS Office; see also section "Verification of the software (Page 121)".

The following components are described in this manual from the available range of the WinCC
system software including suitable options:

Designation Short description Additional

Configuration Studio Configuration interface for the following editors
Alarm Logging Message archiving
Tag Logging Process value archiving X, if >512
User Administrator User management in WinCC
Tag Management Tag management
WinCC/User Archives Setting up user archives X
Basic Process Control

(OS Project Editor,
Picture Tree Manager,
Time Synchronization, etc.)

Graphics Designer Editor for producing graphics
Project Duplicator WinCC tool for copying / duplicating a WinCC project
Report Designer Production of reports
SIMATIC Logon Interfacing to Windows user administration
SIMATIC Security Controller DCOM and firewall settings
WinCC/Connectivity Pack External access to archives and messages X
WinCC/DataMonitor View of data via the web X
Performance Monitor Analysis and optimization of production on the basis of

WinCC/Redundancy Redundant WinCC server X
WinCC Server For the server in a server/client structure X
WinCC Web Navigator View of data and operation of the WinCC project via the

WinCC/WebUX Mobile operator control and monitoring via the Intranet/

SIMATIC Information Server Open reporting system with access to archived process

SIMATIC Process Historian Long-term archiving of process values and messages X

Overview diagram and screen navigation,
time synchronization

individual performance indicators

web

Internet.

values and messages

license
required

X

X

X

X

GMP Engineering Manual

26 Configuration Manual, 09/2019, A5E47300664-AA

3.3.1 Operating system

Information on the release of SIMATIC WinCC and options with the operating systems (32-bit
and 64-bit) can be found in the:

● Product catalog CA01 (www.siemens.com/automation/ca01)

● Compatibility tool (http://www.siemens.com/kompatool)

● Online help, readme

The security updates and "critical updates" provided by Microsoft for the Windows operating
system are tested by Siemens for compatibility with SIMATIC software and released; see
reference in chapter "Updating the system software (Page 138)".

3.3.2 Basic software for user administration

An essential requirement in particular in the GMP field is the access control to the system;
which is the only way of ensuring secure operation in compliance with regulations (21 CFR
Part 11 and EU GMP Guide Annex 11). Unauthorized access to both the operating and
monitoring system as well as the file system and the folder structures in the operating system
must be avoided. Appropriate planning is required with this in mind:

System Specification

3.3 Specification of the basic software

● Definition of user groups with various authorization levels for operation and maintenance

● Definition of users and assignment to user groups

● Establishing an adapted system structure, including authorizations of storage folders

Access to the SIMATIC WinCC operator stations is controlled by SIMATIC Logon. SIMATIC
Logon supports a user administration system based on Windows mechanisms that can be used
both in a workgroup and in a Windows domain. You can find information on installing and
configuring SIMATIC Logon in the chapter "Configuration of SIMATIC Logon (Page 49)" and
in the SIMATIC Logon Configuration Manual.

3.3.3 Software components for engineering

SIMATIC WinCC is a modular system. Its basic components are the Configuration Software
(CS) and Runtime Software (RT). Both software components are included in the full WinCC
package (RC). The selection of the full package or runtime software (RT) depends on the
number of power tags (external tags) required to interface with the automation level.

The Runtime software (RT) is introduced in chapter "Software components for HMI level
(Page 28)".

The Configuration Software (CS) contains all the basic functions for engineering SIMATIC
WinCC. The central component is the WinCC Explorer in which editors can be opened for
configuring the various functions. Some supplementary functions that are recommended for a
GMP environment are pointed out below.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 27

System Specification

3.3 Specification of the basic software

WinCC Configuration Studio

The WinCC Configuration Studio offers a clear configuration of the WinCC project data. The
user interface is split into a navigation area and a data area oriented on Microsoft Excel.

The WinCC Configuration Studio includes the following editors and functions:

● Tag Management

● Alarm Logging

● Tag Logging

● Text Library

● User Administrator

● User Archive

● Horn

● Picture Tree

● Text and graphic lists

● Menus and toolbars

Tag Management

The external tags (process values) are only maintained in automation systems (PLC) with an
absolute and symbolic address. In the SIMATIC S7-1500 series, the querying of tags and PLC
data types is based on the symbolic name. This optimizes block access and increases the
performance of the S7 program. Tags and PLC data types are transferred to WinCC tag
management with the symbol name. Direct transfer is possible with an existing online
connection to the PLC. Alternatively, the data is exported to the S7-1500 in the TIA Portal to a
file that is loaded in the WinCC tag management. After a change in the PLC in the area of the
tags or PLC data types, the data must be updated in WinCC.

With joint project management for the automation systems (S7-300/400) and SIMATIC WinCC
in SIMATIC Manager, process tags are maintained centrally in the automation system.
SIMATIC WinCC has direct access to the tag symbols in the automation system. The required
tags are selected and mapped for display in SIMATIC WinCC. Integration ensures consistency
within the project.

3.3.4 Software components for HMI level

The runtime software (RT) is used to control and monitor the production process. The functions
for recording and displaying runtime data are described below.

GMP Engineering Manual

28 Configuration Manual, 09/2019, A5E47300664-AA

Alarm Logging

System Specification

3.3 Specification of the basic software

Numerous alarms of varying importance occur in a plant. To guide the user, even in critical
situations, the alarms of the project are grouped in alarm classes. These alarm classes and a
concept for alarm acknowledgment should be defined with the plant operator at the beginning
of the project. The entire message system is configured in "Alarm Logging". This includes
preparation, display, acknowledgment and archiving of process, system and operator input
messages.

Control messages that have been configured in the S7-1500 PLC with message texts and
associated values can be loaded in WinCC Alarm Logging. Messages generated in the PLC are
archived with the original time stamp from the PLC in WinCC Alarm Logging and are displayed
in the WinCC user interface.

With integration of WinCC and the S7-300/400 automation systems in the SIMATIC Manager,
the message texts are maintained in the automation system and taken over by WinCC Alarm
Logging.

See also

● Chapter "Creating operator input messages (Page 84)"

Note

The Alarm Hiding functionality can be used to prevent selected messages from being
displayed, for example during startup. Despite this, the messages are recorded in WinCC
Alarm Logging. More information on this can be found in the WinCC Information System.

Use of this functionality is the responsibility of the system operator and should therefore be
coordinated with him.

Tag Logging

The acquisition and archiving of process data in process value or compression archives is
defined in the Tag Logging. These archives form the basis for the long-term archiving of the
process data (see chapter "Long-term archiving (Page 30)").

See also

● Chapter "Setup of process value and message archives (Page 96)"

WinCC/User Archives

A concept for structuring recipes should be developed if recipe data or equipment data records
are required for ongoing operation. The individual recipe elements can be freely defined for
each recipe. A variety of data records can be stored for a recipe. With the WinCC/User Archives
option, recipe data or machine data records can, for example, be saved in the form of database
tables.

To obtain an overview of the created data records in an archive, the ActiveX control "WinCC
UserArchiveControl" is inserted in a WinCC picture with read access.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 29

System Specification

3.3 Specification of the basic software

Automatic versioning of the data records is not supported with the WinCC/User Archives
option. Versioning can be implemented during configuration. The data records can be exported
manually in CSV format.

For configuration of operator input messages concerning changes in the data records, see
chapter "Setting up user archives (Page 97)".

See also

● WinCC Information System "Options > User Archives"

3.3.5 Long-term archiving

In the regulated environment, relevant production and quality data must be retained in some
cases for 5 or 10 years or even longer. It is essential for these data to be defined, reliably saved,
and transferred to external archives.

The basic package contains configuration options for archiving. The strategy for exporting to
another computer will be defined according to the amount of data accumulated and the
retention period.

Long-term archiving of process values and messages can be set up using a long-term archive
server, for example, or using the SIMATIC Process Historian option. Both concepts are
introduced below.

WinCC long-term archive server

There are options for long-term archiving both in WinCC Tag Logging and in WinCC Alarm
Logging. Apart from the archive size and segment change, the configuration for transfer to
another computer can also be set.

The WinCC/DataMonitor option is used to view the data.

SIMATIC Process Historian

Process values and messages from several WinCC servers (also redundant systems) can be
centrally recorded and archived. Transparent access to the archived data for viewing the
messages and process values in the user interface is handled by the system automatically in
the background. The messages saved in WinCC archives are fully transferred to the Process
Historian. Only those archived process values that are labeled as being "Relevant long term"
are transferred.

If the Process Historian is unobtainable, the completed archives remain on the WinCC servers
and are transferred later when the link to the Process Historian is reactivated. Allowance should
be made for sufficient storage capacity on the SIMATIC WinCC servers. Monitoring of the
network connection may also be advisable.

Defined interfaces provide direct access to archived process values and messages. This
means that important production data is available throughout the company.

See also

● "Process Historian 2014" manual, Online Support under Entry ID 109475338 (https://

support.industry.siemens.com/cs/ww/en/view/109475338)

GMP Engineering Manual

30 Configuration Manual, 09/2019, A5E47300664-AA

Batch-based long-term archiving

For the batch-based recording of product-relevant data such as process values and messages,
the WinCC Premium Add-on PM-QUALITY can be used (see chapter "Batch-based reporting
with PM-QUALITY (Page 37)").

3.3.6 Reporting

For the necessary quality review, a definition is made to establish which production data is
relevant for output in a report. A report may contain messages and alarms, recipe data and
process values in the form of a table or trend.

Report Designer

The WinCC Report Designer continuously reports process data over a defined period of time.
The report output is started via a print job.

The Report Designer is also used for documentation of the configured WinCC project. For this
purpose, ready-to-use report layouts and print jobs are provided with SIMATIC WinCC. Both
pre-configured report layouts and print jobs can be opened in the Report Designer and modified
as required.

System Specification

3.3 Specification of the basic software

Information Server

The SIMATIC Information Server offers the option of reporting on recorded process values and
messages. Both pre-configured and those configured based on Microsoft Reporting Services
can be represented in the web-based interface and exported to various formats. Additional
integration in Microsoft Word, Excel or PowerPoint shows the reports for the archive data in the
familiar office environment.

Batch-based reporting

The WinCC Premium add-on, PM-QUALITY, offers batch-based reporting of recorded data
(see chapter "Batch-based reporting with PM-QUALITY (Page 37)").

Analysis of process values and messages

PM-ANALYZE can carry out evaluations on message traffic concerning number, frequency,
etc., based on PM-SERVER message archives, as well as static evaluations (see chapter
"Evaluation and analysis of logs with PM-ANALYZE (Page 37)").

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 31

System Specification

3.3 Specification of the basic software

3.3.7 Availability and plant configuration

Availability can be increased in an optimum manner by using

● redundant servers

● redundant communications paths

● fault-tolerant controllers

Availability with WinCC/Redundancy

Redundant archiving of the relevant process values, messages and recipes increases the
availability of the data. With the WinCC/Redundancy option, two networked WinCC servers are
run in parallel. Each WinCC server has its own process driver connection and has its own
databases. During operation, both servers function in parallel and independently of one
another and are available to the operator. Process values and messages are sent to each
redundant server and processed there. Internal tags, internal messages (for example message
acknowledgment) and user archives are synchronized directly online.

Once a failed server returns to operation, an automatic archive update is run in the background.
Any gaps that have occurred in the tag, message and user archives are filled and internal tags
calibrated.

GMP Engineering Manual

32 Configuration Manual, 09/2019, A5E47300664-AA

WinCC/PerformanceMonitor

The WinCC/PerformanceMonitor option is used to calculate and analyze plant-specific key
figures for individual devices, machines, or entire production lines.

● OEE (Overall Equipment Efficiency)

● MTBF (Mean Time Between Failures)

● MRT (Mean Repair Time)

● and other "Key Performance Indicators" (KPI)

The following advantages result:

● Complete transparency for all machines as basis for optimizing the plant's productivity, in

other words:

– Avoiding disturbances and bottlenecks

– Increasing availability

● Integration of appropriate display instruments (controls) in WinCC process pictures

● Distribution of evaluations to various people over the web

System Specification

3.3 Specification of the basic software

3.3.8 Interfaces to process data

WinCC/Web Navigator

The WinCC/Web Navigator option is used to set up remote access to the WinCC project. To
view the process pictures, users with the necessary rights must authenticate themselves using
their password. The details are checked by SIMATIC Logon. Working with process pictures is
subject to the access protection defined in the User Administrator in the WinCC project.

WinCC/WebUX

The WinCC WebUX option offers device- and browser-independent remote access to the
WinCC project data. The layout and operation of process pictures is subject to restrictions.
Remote operation is based on the access control defined in the user administration in the
WinCC project. Authorized users must authenticate themselves with a password. The details
are checked by SIMATIC Logon.

WinCC/DataMonitor

WinCC/DataMonitor is a pure display and evaluation system for process data from SIMATIC
WinCC, or data from the WinCC long-term archive server. WinCC/DataMonitor provides a
number of analysis tools for interactive data display and for analysis of current process values
and historical data:

● Excel workbooks

● Published reports

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 33

System Specification

3.4 Application software specification

● Trends & alarms

● Process screens

● WebCenter

WinCC/Connectivity Pack

The WinCC/Connectivity Pack provides interfaces for access to archive data and messages in
WinCC. WinCC provides access to the following process data:

● Alarms and Events (messages), OPC A&E, read and write (acknowledgments only) access

● Process value archives (trends), OPC HDA, (read and/or write access is selected during
installation)

● Process tags (states), OPC DA, read and write access, ships with WinCC system software

● Process values, archive values and messages, OPC UA (Unified Architecture), read and
limited write access (OPC UA Data Access, OPC UA Historical Data, OPC UA Alarm &
Conditions).
Requirement for communication via OPC UA is the authentication of the partners by means
of certificates.

● All archive data, WinCC OLE DB, or WinCC User Archive with Microsoft OLE DB, read-only
access

The WinCC/Connectivity Pack provides standardized access with OPC, with OPC UA including
authentication of certificates, and OLE DB from computer systems at the plant and enterprise
management levels to computer systems at the process level.

3.4 Application software specification

In addition to the definition of the hardware (see chapter "Selection and specification of the
hardware (Page 24)") and the utilized standard software components (see chapter
"Specification of the basic software (Page 26)"), the specification of the application software is
an integral component of the design specification. Together with the functional specification,
the design specification serves as acceptance criteria during system verification (FAT, SAT,
etc.).

The design specification can consist of one or more documents. Additional, separate
documents are often added as supplements, e.g. process tag list, I/O list, parameter list, P&ID,
etc. Like for the other specification documents (URS, FS, DS), the status of these documents
(version, release) must be clearly defined.

See also

● GAMP 5 Guide, Appendix D3 "Configuration and Design"

In addition to the previously mentioned hardware specification, the design specification can be
divided as follows.

GMP Engineering Manual

34 Configuration Manual, 09/2019, A5E47300664-AA

System specification (general)

● System structure, PC profile

● User administration

● Definition of user groups, users, authorizations, local users, configuration of SIMATIC

Logon, WinCC user administration, etc.

● Archive configuration (archives, archive cycles)

● Recipe structure

● Interfaces (S7 connections, OPC, discrete I/O processing)

● Printer configuration

HMI design specification

Examples of the aspects specified for the user interface include the following:

● Screen layout and navigation

● Plant pictures, unit pictures, detail pictures of interfaces

System Specification

3.5 Additional SIMATIC software

● Operator level, access authorizations

● Picture hierarchy

● Screen resolution, picture cycles

● Block icons, graphic elements used

● Alarm classes, priorities, alarm numbering ranges, display

Software design specification

● General information such as name of project, libraries, plant hierarchy

● Software structure, typical and module specification, possibly in a separate document

● Response in the event of power failure and restart

● Time synchronization, specification of time master and slaves

● Description of exceptional states for secure plant operation

● Emergency-off response

3.5 Additional SIMATIC software

This manual introduces the following WinCC premium add-ons:

Designation Short description Additional li‐

cense
required

PM-CONTROL Recipe data management and order planning X
PM-QUALITY Batch-based data acquisition and logging X

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 35

System Specification

3.5 Additional SIMATIC software

Designation Short description Additional li‐

PM-OPEN IMPORT Importing process data X
PM-ANALYZE Evaluation and analysis of process-value logs and alarm

logs

PM-LOGON User logon with RFID card (company ID) using a card read‐erX

WinCC Premium add-ons are enabled with separate licenses.

3.5.1 Batch-based control with PM-CONTROL

The WinCC Premium Add-on PM-CONTROL is a batch-based parameter control for recipe/
product data management. The integrated order control allows flexible handling of production
orders in which the recipe, production location, scalable production quantity and the time of
production can be specified.

The software package is divided into three applications:

cense
required

X

● Topology manager for mapping the process cell topology, creating the required parameters
and configuring the interface to the automation level

● Recipe system for creating and managing recipes / products with automatic versioning

● Order planning and order control, assignment and management of production orders

To achieve a cost-effective solution for both simple and more complex tasks, PM-CONTROL
is available in the "Compact", "Standard" and "Professional" variants.

* = Only in the "Professional chained" operating mode

The use of SIMATIC Logon as central user administration can be set in PM-CONTROL.

GMP Engineering Manual

36 Configuration Manual, 09/2019, A5E47300664-AA

3.5.2 Batch-based reporting with PM-QUALITY

The data recorded in the WinCC Premium Add-on PM-QUALITY can be displayed in trends,
printed as reports on a printer or exported as an HTML file, XML file or in database format.

The software package includes the following applications:

● Topology Manager for mapping the plant topology and specifying the production data to be

acquired such as process values (continuous, snapshot), alarms and operator interventions

● Report Editor for creating the report layout for representation of the acquired data and

displaying batch reports on the screen

● Data Logging, runtime component for acquiring data

● Data View / Export View and various ActiveX Controls for displaying batch data

● Data Center for merging the batch data acquired in parallel in redundant systems

Apart from the automatic acquisition of the configured batch data, manually entered values, for
example laboratory values can be added to a batch report later. It is also possible to use a script
in WinCC to configure an electronic signature of the batch report by the logged-on user and with
it the manual assignment of the batch status (released / locked).

If the batch report has been exported automatically due to the export option setting, no more
changes can be made to the report if the "Complete automatically" option is set.

System Specification

3.5 Additional SIMATIC software

3.5.3 Batch-based long-term archiving with PM-QUALITY

The batch data acquired with PM-QUALITY can be automatically exported in database format,
in HTML format and/or in XML format either to the local system or to a computer in the network.
The PM-QUALITY application Data View (PM-QUALITY Client) can be used to view the batch
data exported in database format. The plug-ins for Microsoft Excel provided by PM-QUALITY
support tracking and evaluation of batch data.

3.5.4 Importing archives with PM-OPEN IMPORT

With PM-OPEN IMPORT, process data (tag and alarm logs) and operator actions (audit trail)
from subsystems are transferred to the databases of WinCC, e.g. archive data from Comfort
Panels and HMI devices with WinCC (TIA) Runtime Advanced. This enables the archive data
to be centrally compiled and archived in a distributed system with multiple HMI devices. The
controls for the trend/table view and alarm view in SIMATIC WinCC are used for viewing the
data.

3.5.5 Evaluation and analysis of logs with PM-ANALYZE

PM-ANALYZE supports the analysis and optimization of the production process. Process
values and messages of the connected HMI devices are recorded in chronological order and
inserted into the alarm and process value archives of the PM-SERVER. These archives form
the database for the evaluations and the analysis functions in PM-ANALYZE.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 37

System Specification

3.6 Utilities and drivers

Convenient filter settings for filtering messages by message content and time range as well as
statistical analyses by volume and frequency reveal errors and weak points. PM-ANALYZE
offers a wide range of charts for displaying logged process values, from dot, stair or curve lines
to bar and pie charts. The special feature of PM-ANALYZE is the parallel display of charts and
messages in a workspace. Alarms in tables and in statistical evaluations parallel to process
values in charts show the range of production data at a glance, even with large amounts of data.

The PM-ANALYZE add-in for Microsoft Excel offers access to process value and message
archives as well as extensive statistical evaluations of the process values.

3.6 Utilities and drivers

3.6.1 Printer drivers

It is advisable to use the printer drivers integrated in the operating system and approved for
WinCC. If external drivers are used, no guarantee of proper system operation can be provided.

3.6.2 Virus scanners

The use of virus scanners is enabled in process mode. The enabled virus scanners can be
accessed via the compatibility tool (http://www.siemens.com/kompatool) in the product
support.

The following settings must be taken into consideration when using virus scanners:

● The real-time search is one of the most important functions. It is sufficient, however, to
restrict the analysis to incoming data traffic.

● Scheduled scans must be deactivated, as they significantly limit system performance in
process mode.

● The manual search may not be run during process mode. It can be performed at regular
intervals, e.g. during maintenance cycles.

These arrangements should be described in the specification and/or where necessary, in a
work instruction (SOP) from the IT department in charge.

3.6.3 Image & partition tools

Supplemental “Imaging” and “Partitioning” software allows you to create a backup of the entire
contents of a hard drive, the so-called image, as well as to partition the hard drives. The image
backed up with such system and user software can be used to quickly restore a system. Backed
up hard drive contents can also be imported to devices of the same type. This facilitates the
replacement of computers.

GMP Engineering Manual

38 Configuration Manual, 09/2019, A5E47300664-AA

System Specification

3.6 Utilities and drivers

Siemens provides the software package "SIMATIC Image and Partition Creator" to perform
these tasks. This is even possible without a separate installation. Administration skills are
required.

Note

The created images are used to restore the installed system, but not to back up online data.

See also

● SIMATIC IPC Image and Partition Creator in Online Support under Entry ID 109766855

(https://support.industry.siemens.com/cs/ww/en/view/109766855)

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 39

System Specification

3.6 Utilities and drivers

GMP Engineering Manual

40 Configuration Manual, 09/2019, A5E47300664-AA

System Installation and Basic Configuration

The WinCC system software is available as a complete package (engineering and runtime
software) or as a pure runtime package. The software is licensed using license keys graduated
according to the number of power tags (external tags) for interfacing to the automation level.

In a multi-station system with server/client structure, the system software with the required
number of power tags and the server option is installed on the WinCC server. The WinCC RT
Client license is suitable for a standard client without a project and with a view of a WinCC
server. In a distributed system configuration clients show the user interface of several WinCC
servers. These clients have their own project and are licensed with the smallest WinCC RT
license.

4.1 Installation of the operating system

Panel PCs are available in different expansion stages with installed operating system. The
hardware and operating system requirements of the SIMATIC HMI software must be taken into
consideration when using standard PCs. Details can be found in the current product catalog.
Current information on the operating system installation can be found in the WinCC Information
System in the chapter "WinCC Installation Notes > Installation Requirements".

4

Note

The computer name must conform to the naming convention of the SIMATIC software
application. You should read the information in the respective installation instructions and
Readme files of the SIMATIC software to be installed on the computer, e.g. SIMATIC Net.

The computer name may no longer be changed after the SIMATIC WinCC system software is
installed. This would require a complete re-installation of the system software.

See also

● WinCC Information System > Working with WinCC > Annex > Impermissible Characters

4.2 Installation of SIMATIC components

SIMATIC WinCC can be installed as a stand-alone component or installed integrated in the
SIMATIC Manager. Both variants have advantages that are described briefly.

The use of the SIMATIC Manager as the central configuration interface unites the automation
level and the HMI system in a common project. This results in the following advantages:

● Simple transfer of tags and texts to the WinCC project

● Direct access to STEP 7 symbols during process connection

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 41

System Installation and Basic Configuration

4.2 Installation of SIMATIC components

● Project-related access protection (STEP7 and WinCC)

● Extended diagnostics support

If redundant systems are used:

● Simple administration for master and standby server

● Complete download and downloading changes online for master and standby server

See also

● System manual "Working with WinCC", Chapter 15 "Integration of WinCC in SIMATIC
Manager", Online Support under Entry ID 109760739 (https://

support.industry.siemens.com/cs/ww/en/view/109760739)

● WinCC Information System > Working with WinCC > Integration in the SIMATIC Manager

The SIMATIC Manager also offers additional helpful options for automation and project
management:

● Programming with CFC, including type/instance concept

● Version Trail for version management of the entire project

● Version Cross Manager for comparing two versions of the automation project

It must be noted that the SIMATIC Manager is only suitable for configuration of the automation
systems SIMATIC: S7-300 and S7-400, however not for the SIMATIC S7-1200/1500 series,
which are configured via the TIA Portal. The S7-1500 in particular also offers the advantages
of integrated engineering which are mentioned in this manual in chapter "Connection to
SIMATIC S7 (Page 114)".

4.2.1 SIMATIC WinCC

Note

WinCC is generally released for operation in a domain or workgroup. Domain group policies
and domain restrictions can, however, hinder the installation. In this case, remove the computer
from the domain prior to installation. After installation, the computer can be returned to the
domain if the group policies and restrictions do not prevent operation of the WinCC software.

Central installation

The record function simplifies the installation of the same WinCC system on multiple
computers. A WinCC installation is performed and recorded in the Ra-Auto.ini control file. Only
the control file is started on the other PCs. The prerequisite is that the computers are equipped
with the same operating system.

See also

● WinCC Information System > WinCC V7.5 Installation Notes / Release Notes > Installation
of WinCC > Configuring Automatic Installation of WinCC

GMP Engineering Manual

42 Configuration Manual, 09/2019, A5E47300664-AA

Service mode

System Installation and Basic Configuration

4.2 Installation of SIMATIC components

The SIMATIC WinCC system software can be operated in service mode if the WinCC Server
is not intended for control of the process in a distributed system with server and clients. This
means that the logon of a Windows user on the WinCC Server is not required but is possible for
service interventions. The WinCC Project that is automatically started and activated when the
computer is started is configured in Autostart.

This mode is suitable for WinCC Servers that are located in a remote server room and/or are
operated in a virtual environment.

Note

The PM products PM-CONTROL, PM-QUALITY, PM-ANALYZE, and PM-LOGON require a
registered Windows user for operation and are therefore not released for service mode.

See also

● WinCC Information System > Configurations > WinCC Service Mode

WinCC in a virtual environment

The SIMATIC WinCC system software is released for operation in a virtual environment. The
approved virtualization systems are listed in the WinCC information system. The specified
entry ID contains additional information.

See also

● WinCC Information System > WinCC V7.5 Installation Notes / Release Notes > WinCC

Installation Notes > Requirements for Installing WinCC > Hardware Requirements for
Installing WinCC

● WinCC Virtualization in Online Support under Entry ID 49368181 (https://

support.industry.siemens.com/cs/ww/en/view/49368181)

4.2.2 SIMATIC Security Controller

During installation of the WinCC system software, default settings in the Windows operating
system must be adapted to the requirements of the WinCC software. For SIMATIC WinCC, the
required settings in the operating system are managed in the SIMATIC Security Controller
application. The application can be opened via Start > Programs > Siemens Automation >
Security Controller and clearly displays the settings that are made. An option for saving and
printing is offered.

The following settings are automatically configured for specific functions:

● Required Windows user groups

● Security-related registry entries

● Configuration of the Windows firewall exception list

● DCOM settings (Distributed Component Object Model)

● File system rights

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 43

System Installation and Basic Configuration

4.3 Setting up user administration

SIMATIC Security Controller is started again automatically if additional settings are needed in
the Windows operating system once WinCC options have been installed, for example the
WinCC/Web Navigator option.

Note

If the WinCC computer is included in another working environment (domain or workgroup), the
settings must be reconfigured by the SIMATIC Security Controller.

The settings are documented in XML format.

4.2.3 SIMATIC WinCC options

Additional WinCC options and WinCC Premium Add-ons are installed only after the WinCC
software has been installed.

4.2.4 Setting up long-term archiving

A separate computer should be set up in the network for the WinCC long-term archive server.
The WinCC File Server is installed on this computer. For Alarm Logging and Tag Logging, the
target paths are configured in such a way that the closed archive files are saved on this
computer (see chapter "Long-term archiving (Page 30)").

See also

● WinCC Information System > Configurations > File Server > File Server Setup

4.3 Setting up user administration

For secure operation in compliance with regulations, controlled access to both the operating
level and configuration level as well as archive data and backup copies is required.

A user-related logon and logoff for operator actions is one of the basic functionalities for
meeting this requirement.

The user management of SIMATIC Logon uses the mechanisms of the Windows operating
system and therefore ensures reliable access protection. For the organization of operating
authorization, the users are assigned their tasks according to various user groups in the
Windows user administration.

GMP Engineering Manual

44 Configuration Manual, 09/2019, A5E47300664-AA

System Installation and Basic Configuration

4.3 Setting up user administration

These user groups are assigned authorizations for the individual operator actions.

Note

The structure of the user groups should already be defined in the specification at the start of the
project and be set up at the start of the configuration phase.

All authorization levels for operator control elements on the visualization interface (faceplates,
input boxes, buttons, etc.) and their assignment to user groups must be set up according to
specifications and tested in the course of the project.

The setup is differentiated in terms of which level the user operates. The affiliation to certain
Windows user groups is therefore required for the start or the configuration of SIMATIC
components such as SIMATIC WinCC or SIMATIC Logon. These user groups are
automatically created in the Windows user administration upon installation of the software
components and must not be deleted.

For the operation of process mode, project-specific user groups are set up which are equipped
with the required operation permissions in the configuration.

The following sequence is recommended when setting up user administration with SIMATIC
Logon and is described in the following chapters:

● Setting up user groups and users at operating system level, see chapter "User

administration on the operating system level (Page 46)"

● Setting up security settings in Windows, see chapter "Security settings in Windows

(Page 47)"

● SIMATIC user groups, see chapter "SIMATIC user groups (Page 48)"

● Setup and configuration of SIMATIC Logon, see chapter "Configuration of SIMATIC Logon

(Page 49)"

● Administration of authorizations for the individual user groups, see chapter "Administration

of authorizations (Page 52)"

● Assignment of the authorizations for individual objects as part of the configuration (picture

windows, input boxes, operating buttons)

Note

The implementation of user management based on SIMATIC Logon and Microsoft Windows
Administration is recommended both in distributed systems (also in conjunction with Panels)
and for single-station systems.

SIMATIC Logon is supplied with the SIMATIC WinCC software.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 45

System Installation and Basic Configuration

4.3 Setting up user administration

4.3.1 User administration on the operating system level

Administration of user permissions using SIMATIC Logon is based on the mechanisms of the
Windows operating system. Two user administration options are available here:

● Centralized administration in a domain structure

● Management on a computer of a workgroup

When using multiple servers or when there are redundant servers, a domain structure must be
set up to ensure that users will still be able to perform operations and log on even if one domain
server fails. However, the domain server functionality may not be installed on the WinCC
system.

Note

The complete name for each user must be entered under "Local users and groups" in the
Windows Computer Management. This name can be used for display in SIMATIC WinCC after
logging on and is required for electronic signatures. The full name must therefore be specified.

See also

● Operating system help of Microsoft Windows or the appropriate Windows manual (for
setting up Windows workgroups and the domain)

● WinCC Information System > Working with WinCC > Setting up User Administration

● System manual "Working with WinCC", chapter 14, Online Support under Entry ID
109760739 (https://support.industry.siemens.com/cs/ww/en/view/109760739)

● "Security Concept WinCC" manual, chapter 4 "User and access management", Online
Support under Entry ID 23721796 (https://support.industry.siemens.com/cs/ww/en/view/

23721796)

● "Security Concept PCS 7 and WinCC (Basic)" manual, chapter 6.4.1, Online Support under
Entry ID 60119725 (https://support.industry.siemens.com/cs/ww/en/view/60119725)

While a user is authenticated for his operator rights in the SIMATIC environment when he logs
on, a "default user" is always logged on to the operating system in parallel and has the

GMP Engineering Manual

46 Configuration Manual, 09/2019, A5E47300664-AA

Windows domain

System Installation and Basic Configuration

4.3 Setting up user administration

permissions required for the operating system level. These should not be higher than required
for operation, see also chapter "Access control to operating system level (Page 54)".

Note

The user logged on to the operating system must be the same throughout the entire system; he
must be logged on automatically when a computer starts up. Excluded are WinCC servers that
are operated in service mode.

The one-time administration of groups and users on a domain server reduces the maintenance
work and provides greater security. All computers in the domain are admitted as members of
the group.

Note

When multiple domain servers are used or when there are redundant servers, the domain
structure ensures that users will still be able to perform operations or log on even if one domain
server fails.

Windows workgroup

In a workgroup, all the groups and users are created and managed on the workgroup, against
which SIMATIC Logon checks the logon data.

Note

To prevent the failure of the central logon server, it is recommended to create the required
Windows groups and Windows users on a second computer (e.g. the local computer). In the
event of an error, the logon computer can be changed in the logon dialog.

4.3.2 Security settings in Windows

Access authorizations as well as settings such as the length, complexity, and validity period of
the password can and should be configured appropriately to increase data security.

When SIMATIC Logon is used, the system administrator configures the following security
settings in Windows under "Control Panel > Administrative Tools > Local Security Policy >
Security Settings > Account Policies / Local Policies" (depending on the Windows operating
system):

● Password policies such as complexity, password length, password aging

● Account lockout policies

● Audit policies (e.g. logon events and logon attempts)

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 47

System Installation and Basic Configuration

4.3 Setting up user administration

Note

After installation of Windows, default parameters are set for the password policies, account
lockout policies and audit policies. These settings must be checked and modified according to
the applicable project requirements.

See also

● Chapter "Disabling the operating system level during operation (Page 57)"

● "PCS 7 Engineering Compendium Part F – Industrial Security" manual, section 7.4
"Password policies", online support under entry ID 109756871 (https://

support.industry.siemens.com/cs/ww/en/view/109756871)

● All-round protection with Industrial Security - Plant Security, online support under entry ID
50203404 (https://support.industry.siemens.com/cs/ww/en/view/50203404)

4.3.3 SIMATIC user groups

SIMATIC WinCC supports the Windows permissions model.

When the WinCC server software is installed, SIMATIC standard user groups with different
permissions are automatically created in the operating system (SIMATIC HMI, etc.). These
must not be changed or deleted. With these user groups, access authorizations for the user
logged on in Windows are controlled by the SIMATIC WinCC system software.

By differentiating between system administrators and users (plant operators) at the Windows
level logon, a logical separation is achieved for the computer access authorization. A simple
Windows user with rights of the "Users" user group is sufficient for operation of SIMATIC
WinCC.

See also

● Chapter "Access control to operating system level (Page 54)"

● WinCC Information System > WinCC V7.5 Installation Notes / Release Notes > WinCC
Installation Notes > Requirements for Installing WinCC > Set Access Authorization in the
Operating System

GMP Engineering Manual

48 Configuration Manual, 09/2019, A5E47300664-AA

4.3.4 Configuration of SIMATIC Logon

SIMATIC Logon serves as an interface between Windows user administration and the
SIMATIC components. It checks the correctness of logon data for a user against the central
user administration. If the logon is valid, the associated user groups are returned to the operator
station. The logon of users for the operation of WinCC options and Premium Add-ons can be
included in the check by SIMATIC Logon.

System Installation and Basic Configuration

4.3 Setting up user administration

The basic use of SIMATIC Logon is activated in the User Administrator properties in the WinCC
Explorer. The WinCC Configuration Studio automatically opens the relevant configuration
interface.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 49

System Installation and Basic Configuration

4.3 Setting up user administration

The basic settings of SIMATIC Logon are made in the "Configure SIMATIC Logon" dialog. The
settings are described in the SIMATIC Logon configuration manual and include, for example:

● The logon of a "default user" after a user logoff

● Logon server ("working environment")

● Automatic logoff on using SIMATIC Logon

Default user after user logs off

In the "General" tab, you can define whether a default user should be logged on after a user logs
off.

Unlike all other users, the "Default User" user does not have to be created as a Windows user.
The "Default user" is a member of the "Default group" or another user group assigned here. The
rights of this group are defined in the WinCC User Administrator.

Caution: In any case, the Default User can carry out the operator actions for which no operator
right has been defined.

GMP Engineering Manual

50 Configuration Manual, 09/2019, A5E47300664-AA

Automatic logoff (Auto Logoff)

To prevent unauthorized accesses from occurring with the logged-on user, the "Auto Logoff"
function should be enabled and a time assigned in the SIMATIC Logon configuration. If the use
of the Default User was enabled, he will then be logged on.

System Installation and Basic Configuration

4.3 Setting up user administration

Note

The "Automatic logoff" function, however, must not be enabled at the operating system level,
as this will close down the user interface completely.

A screen saver must also be disabled when SIMATIC Logon is used. Otherwise, when
unlocking the screen, the system would ask for the password of the Windows user, which the
WinCC operator should not know.

4.3.5 Logon via RFID card reader with PM-LOGON

The Premium Add-on PM-LOGON offers users a secure and convenient logon with the
company ID using a card reader on the HMI device.

Depending on the HMI device, PM-LOGON performs logon through various services (SIMATIC
Logon, WinCCViewerRT or OPC and SOAP Access).

The users and user groups are managed in the Active Directory of a domain or in a Windows
workgroup. The ID of the ID card is stored together with the encrypted password for the user.
Reading the ID on the card reader starts a data query via SIMATIC Logon. The data query
provides the user name with which the PM-LOGON Runtime logs the user on to the HMI device.
The application supports various card readers. The card readers are not included in the scope
of delivery.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 51

System Installation and Basic Configuration

4.3 Setting up user administration

See also

● Information about PM-LOGON on the Internet (https://www.siemens.com/process-

management)

4.3.6 Monitoring access protection

Events, such as successful and failed logons and logoffs or password changes are stored both
in the EventLog database of SIMATIC Logon and in WinCC Alarm Logging. These events can
be viewed and exported via the SIMATIC Logon Eventlog Viewer.

Changes to the user and user group configuration are recorded in the Windows EventLog at
operating system level and can be backed up there.

See also

● Chapter "Audit trail and change control (Page 88)"

4.3.7 Administration of authorizations

The authorizations in the WinCC user interface are always assigned to the project-specific user
groups. For this purpose, the required user groups are created in WinCC Configuration Studio
in the User Administrator view with the same names as the user groups in Windows. Name
matching is required for checking of the logon data by SIMATIC Logon.

GMP Engineering Manual

52 Configuration Manual, 09/2019, A5E47300664-AA

The following procedure must be followed for this:

● Open WinCC project

● Open User Administrator using WinCC Explorer

● Create group(s)

● Assign permissions for each group

System Installation and Basic Configuration

4.3 Setting up user administration

The permissions for the group members are assigned via the user groups in the WinCC project.
Here in the screenshot, for example, the appropriate rights are assigned to users who are
members of the Windows group "Engineer".

See also

● WinCC Information System "Working with WinCC" > Setting up User Administration

● Chapter "Configuration of SIMATIC Logon (Page 49)"

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 53

System Installation and Basic Configuration

4.4 Access control to operating system level

4.3.8 Assigning authorizations

SIMATIC WinCC provides a series of objects for creating the user interface. Objects which offer
operator control in process mode, such as I/O field, button, slider object, bars, controls and
many more can be protected with an authorization. This ensures that only a logged-on user with
the appropriate authorization can perform an operation.

The operation of the WinCC controls can be protected for every button in the toolbar with an
authorization.

Note

It should be ensured that the button for ending process mode (deactivate runtime) can only be
operated by authorized personnel.

4.4 Access control to operating system level

For operation of WinCC Runtime or remote access to a WinCC project, simple user rights are
sufficient for a Windows user logged on in the background. The user must be a member of the
"User" Windows group and the SIMATIC HMI group, see chapter "SIMATIC user groups
(Page 48)".

This ensures that only the SIMATIC WinCC system software has access to the SQL database.
Accesses by the operating system to the SQL database are therefore not possible.

Note

In a distributed system with several operator stations, the same user should be logged on
everywhere in the Windows operating system. This must be taken into account during
automatic startup.

For the plant operator logged on in WinCC Runtime, on the other hand, access to the operating
system level is not required and usually not desired. Additional configuration settings (startup
characteristics, disabling the operating system level) must therefore be made. These settings

GMP Engineering Manual

54 Configuration Manual, 09/2019, A5E47300664-AA

System Installation and Basic Configuration

4.4 Access control to operating system level

avoid unauthorized access from the SIMATIC WinCC user interface to sensitive data of the
operating system.

Note

Access to the operating system level should be reserved exclusively for administrators and
technical maintenance personnel.

See also

● WinCC Information System > WinCC V7.5 Installation Notes / Release Notes > WinCC

Release Notes > Notes on Operation > Notes on the Windows Operating System >
Preventing Access from Windows in Runtime

● Disabling shortcut keys, Online Support under Entry ID 44027453 (https://

support.industry.siemens.com/cs/ww/en/view/44027453)

● Chapter "Security settings in Windows (Page 47)"

4.4.1 Startup characteristics

For the secure start of the operator station, automatic startup is configured until activation of the
user interface. Access to the operating system level is therefore prevented during startup.

The automatic logon (Auto-Logon) in the Windows operating system in a workgroup or domain
is described in the Online Support under Entry ID 23598260 (https://

support.industry.siemens.com/cs/ww/en/view/23598260) as an example.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 55

System Installation and Basic Configuration

4.4 Access control to operating system level

Automatic startup of WinCC Runtime

Automatic startup is organized in the "Autostart" application. This is opened via the Windows
Start menu > Siemens Automation > Autostart.

When the "Autostart active" property is activated, the specified project is opened in WinCC
Explorer when the computer is started up. If the runtime was activated when the project was
exited, it is automatically reactivated. The property "Allow "Cancel" during activation" should
not be selected to ensure that the project start cannot be interrupted.

The services which are required during operation are activated under Computer properties >
Start. Other applications to be started automatically, such as the Premium Add-ons PM­CONTROL or PM-QUALITY, are added under "Additional tasks / Applications".

GMP Engineering Manual

56 Configuration Manual, 09/2019, A5E47300664-AA

System Installation and Basic Configuration

4.4 Access control to operating system level

4.4.2 Disabling the operating system level during operation

Since access to the Windows operating system level should be avoided for security reasons,
additional configuration settings are necessary. These settings avoid unauthorized access
from the process mode of SIMATIC WinCC to sensitive data of the operating system.

Note

Access to the operating system level should only be permitted for administrators or technical
maintenance personnel.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 57

System Installation and Basic Configuration

4.4 Access control to operating system level

Configuration settings in WinCC

To prevent access to the operating system during process mode, all shortcut keys are disabled
in the WinCC project in the "Computer properties" dialog.

Measures must be taken to ensure that ongoing operation can only be deactivated with
appropriate operator authorizations. After deactivation, the operating system can be accessed.

See also

● Disabling key combinations, online support under entry ID 44027453 (https://

support.industry.siemens.com/cs/ww/en/view/44027453)

● WinCC Information System > WinCC V7.5 Installation Notes / Release Notes > WinCC
Release Notes > Notes on Operation > Notes on the Windows Operating System

GMP Engineering Manual

58 Configuration Manual, 09/2019, A5E47300664-AA

Preventing system access during object programming

Make sure that no objects are used in the user interface that permit access to the Windows file
system or to executable programs. This risk exists, for example, with OLE objects, Internet
links, online help system etc.

Configuration settings in Windows

The

Keep the taskbar on top of other windows

In addition, it must be ensured that any shortcut key assignments are deactivated to prevent
access to the operating system interface.

System Installation and Basic Configuration

4.5 Data and information security

setting must be disabled in Windows.

See also

● WinCC Information System > WinCC V7.5 Installation Notes / Release Notes > WinCC

Release Notes > Notes on Operation > Notes on the Windows Operating System >
Preventing Access to Windows in Runtime

4.5 Data and information security

In the regulated environment, production processes and recorded data are subject to control
and secure retention to ensure verification of product quality. The secure handling of data is a
basic requirement for operation in compliance with regulations.

National and international regulations require retention of relevant production data and
operator inputs for many years. For this reason, there are many facets to data and information
security, some of which are described here.

Definition of a suitable system structure

● User administration, see chapter "Setting up user administration (Page 44)"

● Planning of data storage and of input and output devices

● Secure storage of sensitive data with redundancy and access protection

● Using virus scanners, see chapter "Virus scanners (Page 38)"

● For defined behavior on startup and when operating the user interface, see chapter "User

administration on the operating system level (Page 46)"

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 59

System Installation and Basic Configuration

4.5 Data and information security

Organizational measures

● Planning and assignment of the required access permissions

● Supplementation by codes of behavior, e.g., for handling of USB sticks

● Work instructions for archiving, reading back, and possibly data migration

Adapting the operating system settings

When SIMATIC WinCC is installed, settings in the operating system are checked against the
software requirements with SIMATIC Security Controller and adapted, see chapter "SIMATIC
Security Controller (Page 43)".

Plants and terminal bus

Industrial Ethernet offers a comprehensive range of network components for electrical and
optical data transmission technology. In SIMATIC WinCC, you can differentiate between plant
bus and terminal bus. To guarantee a high degree of security and performance, it is advisable
to install these two buses separately.

Industrial Ethernet is used as the plant bus. The automation systems are connected to the
WinCC servers via the plant bus.

WinCC servers, WinCC clients, archive servers and higher-level MES systems, if any,
communicate via the terminal bus.

See also:

● "PCS 7 Compendium Part A" manual, section 4.3.6 "Configuring the terminal bus" or section

4.3.7 "Configuring the plant bus", online support under entry ID 109756485 (

support.industry.siemens.com/cs/ww/en/view/109756485)

SIMATIC NET SCALANCE S

SCALANCE S security modules are at the heart of Siemens' ground-breaking security concept
for protecting networks and data. The SCALANCE S protection function checks all data traffic
to and from the cell.

With a combination of different security measures such as firewall, NAT/NAPT routers and VPN
(Virtual Private Network) over IPsec tunnels, the SCALANCE S devices protect individual
devices or even entire automation cells from:

● Data espionage

● Data manipulation

● Unauthorized access

See also

● Manuals of the SCALANCE family, Online Support under Entry ID 21718449 (https://

support.industry.siemens.com/cs/ww/en/view/21718449)

https://

● Protection of an automation cell by the SCALANCE S security modules via firewall, Online
Support under Entry ID 22376747 (https://support.industry.siemens.com/cs/ww/en/view/

22376747)

GMP Engineering Manual

60 Configuration Manual, 09/2019, A5E47300664-AA

Defense in depth

System Installation and Basic Configuration

4.5 Data and information security

The concept of "Defense in depth" requires measures on various levels to establish plant
security, network security, and system integrity.

The experts of Industrial Security Services (https://new.siemens.com/global/en/products/

services/industry/digital-industry-services/industrial-security-services.html) will gladly support

you in designing your security concept.

See also:

● Comprehensive information on the topic of "Industrial Security", Online Support under Entry

ID 50203404 (https://support.industry.siemens.com/cs/ww/en/view/50203404)

SSL encryption in distributed systems

Communication between WinCC server and WinCC clients in distributed systems is performed
in the network with SSL encryption. For this purpose, the remote connection must be explicitly
enabled in the SIMATIC Shell network administration and a PSK key must be defined on each
computer. Only computers with the same PSK key can communicate with each other.

Different environments in a network can be set up each with its own PSK key.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 61

System Installation and Basic Configuration

4.5 Data and information security

Security by default

As of WinCC V7.5, security in communication is enhanced by default. This applies to new
installations and upgrades.

● In the communication settings under SIMATIC Shell, "Remote Communication" is disabled
and must be actively enabled for redundant systems or multi-station systems. The SSL
encryption is automatically enabled.

● Write access is disabled for shared WinCC project folders.

● The WinCC options WebUX and Cloud Connector support encrypted communication only.

● Improved access protection to the WinCC databases, see WinCC Release Notes

GMP Engineering Manual

62 Configuration Manual, 09/2019, A5E47300664-AA

See also

● WinCC Information System > Getting Started > What's New in WinCC V7 > Function Add-

ons for Safe Operation of the Plant

● WinCC Release Notes, Notes on the Database in chapter 1.2.2.3, Online Support under

Entry ID 109760740 (https://support.industry.siemens.com/cs/ww/en/view/109760740)

Additional security measures

Additional protective measures should be considered when selecting products and systems as
well as when designing production plants. These include:

● Antivirus, see Online Support under

Industrial Security Services (https://support.industry.siemens.com/cs/ww/en/sc/4986)

● Application Whitelisting with McAfee Application Control, Online Support under

Entry ID 88653385 (https://support.industry.siemens.com/cs/ww/en/view/88653385)

● Automation Firewall

● Industrial Anomaly Detection

● Security Awareness Training

System Installation and Basic Configuration

4.5 Data and information security

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 63

System Installation and Basic Configuration

4.5 Data and information security

GMP Engineering Manual

64 Configuration Manual, 09/2019, A5E47300664-AA

Project Settings and Definitions

The SIMATIC WinCC system software allows very flexible configuration of customized process
control and monitoring. A large part of the application software is configured here and extended
functionality can be added with the aid of scripts.

Basic settings and procedures for configuring a WinCC project help to meet the GMP
requirements and to limit the effort required for validating a system.

5.1 Project setup

5.1.1 Creating a project

To create a WinCC project effectively, the project type (single-station or multi-station), project
path and naming conventions are considered in the planning. Defining prefixes for tags,
graphics and functions makes the WinCC project data clearer. A concept for picture selection
and picture navigation should be planned prior to the beginning of the project. This is described
in chapter "Creating the graphic user interface (Page 81)".

5

See also

● WinCC Information System > Working with WinCC > Working with Projects > Creating and

Editing a Project > Preparation to Create a Project

5.1.2 Multi-user engineering

The configuration of extensive WinCC projects can be carried out in parallel by different
computers and different users, with the users editing different resources. Release for multi-user
engineering is activated in a property on the WinCC server. A resource dialog provides an
overview of which resource is in process on which computer.

In contrast to remote configuration via a configuration client, with multiuser engineering the
configuration clients do not have to be entered in the computer list.

See also

● WinCC Information System > Working with WinCC > Working with Projects > Creating and

Editing a project > How to Use Multiuser Engineering

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 65

Project Settings and Definitions

5.2 Object-oriented configuration

5.2 Object-oriented configuration

By using faceplates, picture windows (for example for controlling process units such as valves,
drives or similar) and user objects (for example for uniform visualization of objects), the
configuration can be created object-oriented. The objects are first created for the various
applications and tested with the customer before they are copied or instantiated in the
configuration.

For the dynamization, a structure tag is preferred that bundles the various tag types for a
process unit, for example, a motor, in a self-defined data structure.

5.2.1 Faceplate types

A faceplate is a standardized picture object that is stored centrally as a type in a project. WinCC
saves the faceplate type to an fpt file. This faceplate type is inserted as a faceplate instance in
the process pictures. Subsequent changes to a faceplate type are automatically updated in all
instances.

The faceplate properties are specified individually in a configuration dialog. For dynamization,
the object properties are connected to interface tags or structure elements. When they are
instantiated, the faceplates are connected to the WinCC tag management.

The fpt files are stored in the WinCC project data in the GraCS folder. The Windows copy
function can be used to copy the files to a different WinCC project in the same folder.

See also

● WinCC Information System > Working with WinCC > Creating Process Pictures > Working
with Faceplate Types

5.2.2 User objects

A user object is an object whose graphic representation and dynamic characteristics are
tailored to the requirements of the system. The object properties and the events that cause a
dynamic response in the object are specified individually in a configuration dialog. A change to
the user object properties "Display" and "Operator control enable" can be passed on to all inner
objects.

Structure tags are recommended to make user objects dynamic. Dynamic wizards integrated
in WinCC Explorer support the connection and rewiring of the structure tags.

Reproducing a user object simply involves making copies of them. If any changes are made,
the individual copies need to be updated manually.

User objects are entered in the project library or collected together in a standard picture.

See also

● WinCC Information System > Working with WinCC > Creating Process Pictures > Working
with Objects > Working with Combined Objects > Working with User Objects.

GMP Engineering Manual

66 Configuration Manual, 09/2019, A5E47300664-AA

5.2.3 Picture window

The

picture window

is used, for example, to call a window for controlling a process unit (valve, drive). Such an
operator control picture is configured once for a particular function and then opened as an
instance in a picture window. For dynamization, when a picture is called the tag prefix of a
structure tag is transferred.

See also

● WinCC Information System > Working with WinCC > Creating Process Pictures > Working

with Objects > Working with Smart Objects > How to Insert a Picture Window

5.2.4 Structure tag

Structure tags are used to dynamize picture windows, user objects and faceplate types. A
structure type is defined in WinCC for a process unit, for example, a motor, and contains all tag
types for the motor as structure elements.

Tag structures that have already been defined as PLC data type (UDT) in the S7-1500
automation system can be transferred to WinCC tag management as structure tags. Direct
transfer is possible with an existing online connection between WinCC Runtime and the AS. An
import function is available as an alternative.

Project Settings and Definitions

5.2 Object-oriented configuration

smart object allows a picture to be called within a picture. This functionality

The example shows a simplified form.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 67

Project Settings and Definitions

5.2 Object-oriented configuration

5.2.5 Graphics Designer libraries

The Graphics Designer differentiates between library and SVG library. A large number of
preconfigured graphical objects are available in the global library and the global SVG library.
Graphic objects such as machines and plant components, measuring equipment, operator
control elements and buildings are thematically organized. The library objects can be inserted
in a screen with drag-and-drop and adapted as required. SVG type graphic symbols have
properties that can be dynamized.

To store user-defined objects, object groups or user objects, the project library can be used.
These objects that were developed, tested and qualified individually, are then inserted in the
project library and are available as a project standard for multiple use in process pictures for the
current project.

The project library is stored in the WinCC project in the directory "\library". To allow its use in
other projects, the contents of this directory is copied to the corresponding folder of the
destination project.

Dynamized SVG graphics are inserted with drag-and-drop into a "Project SVG library" created
for the specific project. The SVG libraries are located in a subdirectory of the "\GraCS" folder
in the WinCC project. An export function is used to save the symbols to a zip file. The SVG

GMP Engineering Manual

68 Configuration Manual, 09/2019, A5E47300664-AA

graphics are added to the project SVG library either from a selected folder or by importing from
a previously exported zip file.

Note

To keep the effort for verification of process pictures to a minimum, it is advisable to use
standard symbols whenever possible.

See also

● WinCC Information System > Working with WinCC > Creating Process Pictures > Working

with Objects > Working with the Libraries

● Application example "Basic Process Library", online support under entry ID 109749508

(https://support.industry.siemens.com/cs/ww/en/view/109749508)

5.2.6 Project functions in the form of scripts

C and VB scripts are programs written for customized programs that count as category 5 in the
software categorization. This type of software is developed to meet customer-specific demands
not covered by standard functions.

Project Settings and Definitions

5.2 Object-oriented configuration

If such functions are required more than once in the WinCC project, they should be configured
in the Global Script editor as project functions. The function code is created once in the script,
then tested and qualified. The function is then available throughout the entire project. The
function call is simply programmed in the property for the picture object.

In general with such customized scripts, the calculation should take into account an increased
amount of work for validation in the form of detailed functional and interface descriptions as well
as documented tests.

See also

● WinCC Information System > Working with WinCC > VBS for Creating Procedures and

Actions

● WinCC Information System > Working with WinCC > ANSI-C for Creating Functions and

Actions

● WinCC Information System > Dynamize Process Pictures > Configuration

Recommendations

● WinCC Information System > Smart Tools > WinCC Cross Reference Assistant

● Software categorization, see section "Software categorization according to GAMP Guide

(Page 121)"

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 69

Project Settings and Definitions

5.3 Configuring redundancy

5.3 Configuring redundancy

The configuration dialog is opened using the Redundancy entry in WinCC Explorer.

The settings for the connection to the redundant partner server are configured here.

Selecting the "Activate redundancy" check box enables the data synchronization in redundant
mode.

Synchronization of the internal tags must be configured separately for each tag. This is done by
selecting the "Synchronization" check box in tag management in the properties for tags.

See also

● WinCC Information System > Configurations > Redundant Systems

Interaction with PM-QUALITY

The PM-QUALITY Professional with Data Center variant ensures that batch data is recorded
in full in a redundant WinCC system.

Once a batch has been completed and released, the Data Center application merges the batch
data recorded from two PM-QUALITY runtime databases into one export database. If one

GMP Engineering Manual

70 Configuration Manual, 09/2019, A5E47300664-AA

WinCC server is not available, the Data Center only becomes active when both WinCC servers
are again operating.

See also

● PM-QUALITY on the Internet (www.siemens.com/pm-quality)

5.4 Time synchronization

Time synchronization is an important feature in automated systems in the GMP environment.
When several automation stations (AS) and/or operator stations (WinCC clients) interact,
messages, alarms, trends, and Audit Trail data must be saved with synchronized time stamps.

In SIMATIC WinCC, the time transmitted on the bus as default is the standard world time UTC
(Universal Time Coordinated).

The time stamps are generated in UTC and stored in the archives of the WinCC server. During
plant operation, all the process data stored in the archive (messages and trends) are displayed
converted from UTC to the time zone set in the Windows system (taking the daylight-saving/
standard time setting into account).

Project Settings and Definitions

5.4 Time synchronization

Activating time synchronization in SIMATIC WinCC means that an active time master takes
over the synchronization of all WinCC servers, WinCC clients, automation systems and, if
available, also of the engineering station. To ensure synchronized time, all the stations in the
system must be synchronized so that messages can be processed in the correct chronological
order throughout the plant (archiving of trends, messages, redundancy synchronization of
servers).

Note

The activation of time synchronization is necessary in plants in which GMP is mandatory.

5.4.1 Time synchronization concepts

The structure of the time-of-day synchronization must be carefully planned. Each time-of-day
synchronization in the project is dependent on requirements. The requirements of time
synchronization must be described in the functional specification.

When using the WinCC option "Basic Process Control", which is included in the scope of
delivery of the SIMATIC WinCC system software, time synchronization can be configured in the
Time Synchronization editor. Time synchronization via the terminal bus is preferable to time
synchronization via the plant bus.

Time synchronization in a Windows workgroup

The time in a workgroup should be synchronized via the WinCC server. The time of the WinCC
server can also be synchronized using a time master such as SICLOCK.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 71

Project Settings and Definitions

5.4 Time synchronization

Time synchronization in a Windows domain

If the automation system is operated in a Windows domain, the domain must serve as the time
master. The time of the domain server can also be synchronized using a time master such as
SICLOCK.

Note

The time on the clients in the domain is synchronized using Microsoft system services.

See also

● WinCC Information System > Options > Options for Process Control > Time Synchronization

● WinCC Security Concept chapter 5, Online Support under
Entry ID 23721796 (https://support.industry.siemens.com/cs/ww/en/view/23721796)

● FAQ "Display format of the date", Online Support under
Entry ID 11377522 (https://support.industry.siemens.com/cs/ww/en/view/11377522)

● FAQ "Settings for time synchronization", Online Support under
Entry ID 16622902 (https://support.industry.siemens.com/cs/ww/en/view/16622902)

5.4.2 Time stamping

The specification (URS, FS) of a GMP-compliant plant must describe the way in which time
stamping will be performed. The accuracy necessary for message and process value
acquisition must be checked in detail. The methods of time stamping mentioned below can be
used alongside each other.

WinCC Alarm Logging

Messages archived from the automation system in WinCC Alarm Logging are given the time
stamp either of the WinCC system or of the automation system SIMATIC S7-300/400/1500.

With the bit messaging, the message is detected based on a bit change in the message tag.
Alarm Logging assigns the time stamp of the WinCC system. The time stamp has a certain
inaccuracy due to the acquisition cycle, bus delay time and time required for processing the
message. Messages are lost if they are shorter than the acquisition cycle.

With the limit monitoring of tags in WinCC, a message is generated in Alarm Logging if the
defined limit value is violated. The time stamp is set as in the bit messaging.

GMP Engineering Manual

72 Configuration Manual, 09/2019, A5E47300664-AA

Project Settings and Definitions

5.4 Time synchronization

Note

The bit messaging and limit value monitoring can be used with a single-station system in
WinCC. In redundant systems or WinCC systems with several operator stations, chronological
signaling is used for coordinated acknowledgment and transmission. With this message
procedure, the controller sends a frame with the data of the message. The time stamp is
assigned directly when the message occurs in the controller.

The Program_Alarm instruction in the SIMATIC S7-1500 or the SFCs/SFBs Alarm, Alarm_S/
SQ, Alarm_D/DQ, Alarm_8/8P in the SIMATIC S7-300/400 are used for chronological
signaling.

See also

● WinCC Communication to S7-1500, S7-1200 and ET 200SP, Online Support under Entry ID

101908495 (https://support.industry.siemens.com/cs/ww/en/view/101908495)

● "How do you implement chronological messaging with S7-400 CPUs and WinCC?", Online

Support under Entry ID 23730697 (https://support.industry.siemens.com/cs/ww/en/view/

23730697)

● WinCC Information System > Working with WinCC > Setting up a message system >

WinCC Tag Logging

Process values acquired and evaluated in WinCC Tag Logging are given the time stamp either
with the time they are acquired in WinCC or with the value from the automation system.

To read in the process values cyclically, acquisition cycles are defined. The shortest acquisition
cycle is 500 ms. A time stamp assigned when the process value is acquired includes the
inaccuracy of the configured acquisition cycle.

Process values that receive their time stamp from the automation system are prepared in the
form of a frame on the automation system and transferred as a raw data tag. This also applies
to process values which are to be acquired in a cycle smaller than 500 ms.

See also

● WinCC Information System Working with WinCC > Archiving Process Values > Basics of

● Exchange of large data volumes between S7-300/400/1500 control system and WinCC,

● "How do you use SFB37 (AR_SEND) for process-driven archiving of process values in

Configuring the message system > Working with AS Messages

Archiving Process Values > Process Values and Tags > Structure of a Frame with Raw Data
Tags

Online Support under Entry ID 37873547 (https://support.industry.siemens.com/cs/ww/en/

view/37873547)

WinCC Tag Logging archives?", Online Support under Entry ID 23629327 (https://

support.industry.siemens.com/cs/ww/en/view/23629327)

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 73

Project Settings and Definitions

5.6 Versioning application software

5.5 Configuration management

The configuration of a computer system consists of various hardware and software
components that may vary in complexity and range from commercially available standard
components to specially customized user components. A clear and complete overview of the
current system configuration must always be available. This is achieved by dividing the system
into configuration elements, which can be identified by a unique designation and a version
number and can be distinguished from the previous version.

Defining configuration elements

In the main standard components are used as the hardware, for example PCs, PLCs, monitors,
panels, etc. These are defined and documented with designation, version number, etc. If
customer-specific hardware is used, more work is required; see chapter "Selecting the
hardware components (Page 24)" for more information.

The standard components for software include, for example, the SIMATIC WinCC system
software, its libraries, other options and Premium Add-ons.

The application software is configured and programmed on the basis of standard software. The
individual configuration elements into which the application software should be split cannot be
defined for all cases as it differs depending on different customer requirements and system
characteristics.

Versioning of configuration elements

While the version ID of standard software cannot be changed by the user / configuration
engineer, the issuing of version numbers and a procedure for change control must be defined
in operating instructions etc. for configuring the application software. From when the
application is first created, all configuration elements should be maintained following a defined
procedure for configuration management even if it is only subject to formal change control at a
later stage.

Note

The following chapter "Versioning application software (Page 74)" includes examples of how
individual software elements can be versioned. Always consult the plant operator to agree upon
a procedure for making changes to a plant in ongoing operation. (see chapter "Operational
change control (Page 134)")

See also

● GAMP 5 Guide, Appendix M8
"Project Change and Configuration Management"

5.6 Versioning application software

The project guidelines must define which elements are to be versioned, when versioning is to
take place, and whether a major version or minor version is to be incremented; for example:

GMP Engineering Manual

74 Configuration Manual, 09/2019, A5E47300664-AA

"The major version is set to 1.0 following the FAT and to 2.0 after commissioning. All other
changes are reflected by incrementing the minor version."

Whether the major version or the minor version is to be changed can also depend on the scope
or effect of the change in question.

The following data is specified for the versioning of the application software:

● Name

● Date

● Version number

● Comment on the change

The following chapters show various examples of software element versioning.

5.6.1 Versioning pictures in Graphics Designer

Project Settings and Definitions

5.6 Versioning application software

When the

Graphics Designer

editor is selected in WinCC Explorer, all existing process pictures
are listed in the right window. The properties of every process picture can be displayed using
the shortcut menu. The data shown is generated automatically by the WinCC system.

Additional information on versioning, for example the version ID, date changed and name can
be entered in a static text box. It is practical to place the text boxes for versioning in a separate
picture level that can be shown or hidden as required. The display of the static text box during
process mode is controlled by the Display object property.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 75

Project Settings and Definitions

5.6 Versioning application software

Note

Details of a change can, for example, be described in the relevant validation documents.

5.6.2 Versioning VB / C scripts

VB or C scripts are created to access tags and graphic picture objects during operation and to
trigger actions that are not dependent on pictures.

Scripts are also used to link functions triggered during process mode to individual object
properties in Graphics Designer (for example input using the mouse).

Two different methods of script creation are distinguished in WinCC:

● Picture-dependent VB / C scripts that are linked to the property of an object in the Graphics
Designer WinCC editor. These scripts are part of the picture and are stored with the picture.
Versioning is performed in the picture.

● Non picture-dependent VB / C scripts created in the Global Script WinCC editor.

VB / C scripts created with the Global Script editor provide fields in the Properties > Info dialog
for entering the data Created By, Changed By, Version and Comment. The creation date and
date of change are entered automatically by the WinCC system.

GMP Engineering Manual

76 Configuration Manual, 09/2019, A5E47300664-AA

Project Settings and Definitions

5.6 Versioning application software

An optional password can also be assigned.

Note

If a password is used, this is not checked against the logged-on user. Knowing the password
allows the script to be opened/edited. If the password is forgotten, access to the script is
permanently denied.

It is advisable to maintain a history in the scripts indicating any changes made. The history is
entered as comment before the start of the code. As an alternative, the comment box of the
Properties dialog (see above) can also be used to record the history.

Figure 5-1 Example of recording the history in a C script

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 77

Project Settings and Definitions

5.6 Versioning application software

Figure 5-2 Example of recording the history in a VB script

5.6.3 Versioning reports

The automatic issuing of version IDs in the report layouts is not supported. A static field can be
inserted in the report layout for a version ID allowing manual versioning of different states. The
version ID must be kept up-to-date as specified in the SOP for configuration management. The
following picture shows an example of a report layout footer with a field added for versioning.

GMP Engineering Manual

78 Configuration Manual, 09/2019, A5E47300664-AA

5.6.4 Versioning of the entire WinCC project

Project Settings and Definitions

5.6 Versioning application software

In WinCC Explorer the Project Properties dialog is opened at the top node. The

General

tab
offers fields for entering the data Creator, Version and Comment. All other data is automatically
generated by WinCC. Automatic versioning is not supported.

A history of the version changes, for example, can be maintained in the comment field. This
serves as supplementary information if no additional software for project versioning is used.

See also

● Chapter "Versioning (Page 125)"

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 79

Project Settings and Definitions

5.6 Versioning application software

GMP Engineering Manual

80 Configuration Manual, 09/2019, A5E47300664-AA

Creating Application Software

In a full automation solution, SIMATIC WinCC handles the operator input, monitoring and data
archiving functions. The interface to the automation level is over powerful process links, see
also chapter "Interfaces to SIMATIC WinCC (Page 113)".

This chapter explains tips and recommendations for the configuration of SIMATIC WinCC in a
GMP environment. The configuration of the automation level is not described in this manual.

6.1 Creating the graphic user interface

Both the overview graphics and the operator control philosophy must be described in the
specification (for example URS, FS and P&I) and created accordingly. When completed, these
should be shown in the form of screenshots to the customer for approval.

To visualize the plant or process, process pictures are created to allow operator control and
monitoring according to the specified requirements. Possible elements are described in
chapter "Object-oriented configuration (Page 66)".

In processes with several process pictures, it is advisable to define a system for picture
selection and/or picture navigation. The
options. Picture selection via the runtime system dialogs with selected favorite pictures is
particularly suitable for machine-oriented touch operation.

Menus and Toolbars

6

editor offers flexible design

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 81

Creating Application Software

6.1 Creating the graphic user interface

6.1.1 Standardized user interface

A standardized user interface in which the user-specific process pictures are only embedded
is offered by SIMATIC WinCC with the Basic Process Control module. This module includes
the

OS Project Editor, Picture Tree Manager, Time Synchronization, Horn

Monitoring

editors.

and

Lifebeat

The

OS Project Editor

operator control of the process. Among other things, the monitor layout, monitor resolution,
operating philosophy for the buttons, and message presentation are configured.

Note

The OS Project Editor should be configured before starting to create the process pictures
because the size of the individual process pictures depends on the monitor resolution and
screen layout.

See also

● Chapter "Time synchronization concepts (Page 71)"

82 Configuration Manual, 09/2019, A5E47300664-AA

is used to automatically create the WinCC project for standardized

GMP Engineering Manual

6.1 Creating the graphic user interface

6.1.2 Creating process pictures in the Graphics Designer

The Graphics Designer is a combination of a graphics program and a tool for representing
processes. Based on the Windows standard, the Graphics Designer provides functions for the
creation and dynamic modification of process pictures.

A number of essential elements for configuration are introduced in chapter "Object-oriented
configuration (Page 66)".

Configuration of I/O fields

For display in the process picture, tags can be directly moved to the process picture in a drag­and-drop operation. For this purpose the Graphics Designer has a "Tag" window for selecting
tags. After embedding with drag-and-drop, the process connection is already configured for the
I/O field. Additional object settings can be made.

Output window

The output window in the Graphics Designer shows information, warnings and errors (e.g. on
script functions on objects) after saving the process picture. Double-clicking the error entry
selects the object in question in the picture.

Creating Application Software

Multilingual user interface

The user interface can be configured in several languages. Text and text layout in multiple
languages can be entered directly for the individual objects, e.g., static text. Alternatively, when
the configuration has been completed the texts are exported from the Text Distributor editor
and imported again after the translation.

6.1.3 Password protection for process pictures

For know-how protection of the configuration, in particular for the protection of integrated VBA
scripts, each process picture, and each faceplate type can be protected with a password. For
opening in the Graphics Designer, the defined password must be entered.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 83

Creating Application Software

6.2 Creating operator input messages

6.2 Creating operator input messages

For plants operated in a GMP environment, international regulations such as regulation 21 CFR
Part 11 in the USA or the EU GMP Guide Annex 11 require that operator input to the process
that affects data relevant to GMP can be traced.

GMP-relevant process operator controls which are carried out via the various operating
objects, such as input/output fields, check boxes, radio boxes or buttons, must therefore be
configured in WinCC Graphics Designer so that an operator input message is generated. This
operator input message is recorded in WinCC Alarm Logging with the time stamp, user ID, old
value and new value.

Input/output field

To create an operator input message for an
property must be set to yes. If the
with yes, the system opens a window for entering comments after the value has been applied.
The operator input permission is also set in the object properties for the I/O field using the
"Authorization" attribute. This ensures that only a logged-on user with the appropriate
authorization can perform a value change.

Operator Activities Report

I/O field

object, the

property is also configured

operator input message

The generation of the standard operating message can be activated in this way for all objects
that have the operator message property.

GMP Engineering Manual

84 Configuration Manual, 09/2019, A5E47300664-AA

Operator input messages in conjunction with faceplate types

For input fields that are integrated into faceplate types, the operator input message and/or the
operator activities report are activated in the same way as described above under input/output
field. The authorization for the operation of the input field should also be configured so that only
authorized users can make changes. The operator message shows the value change in the
connected structure or interface tag.

The same procedure also applies to other objects that have the operator message property.

Button

To operate buttons, the standard operator input message is only generated if a direct
connection to a tag has been configured. For this purpose the "Operator input msg." check box
is selected in the configuration dialog. It is not possible to enter an operator input comment here.

Creating Application Software

6.2 Creating operator input messages

Script functions for value changes

If the options described for creating an operator input message for I/O fields and buttons are not
adequate, a user-specific operator input message can be generated using VB or C scripts. A
corresponding example in the form of a project function as a C script is available for download
in the Online Support under Entry ID 24325381 (https://

support.industry.siemens.com/cs/ww/en/view/24325381).

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 85

Creating Application Software

6.2 Creating operator input messages

In VB script, the HMIRuntime.Alarms object is used to create a user-specific operator input
message. User-defined operator input messages generated on the basis of scripts can also be
supplemented with comments.

See also:

● WinCC Information System > Working with WinCC > VBS for Creating Procedures and
Actions > VBS Reference > Objects and Lists > Alarms Object

● WinCC Information System > Working with WinCC > ANSI-C for Creating Functions and
Actions > ANSI-C Function Descriptions > Standard Functions > Alarm >
GCreateMyOperatorMsg

Operator input message in the picture window

In a picture window, the generation of the operator input message for the individual GMP­relevant operator control elements is enabled in the "Operator Input Message" property. A user­specific operator input message can be generated for buttons as an alternative to direct
connection (standard operator input message). The configuration works in all instances. When
the screen window is called in runtime, the appropriate operator input messages are generated.

Operator input message in faceplate type

In a faceplate type, the generation of the operator input message is enabled for GMP-relevant
entries, e.g., in I/O fields. The operator message for buttons in faceplate types cannot be
instantiated. Therefore, the generation of operator input messages for buttons for each
instance must be configured either in direct connection to a tag (standard operator input
message) or via VB script (user-specific operator input message).

Note

In the GMP environment, picture windows are preferred for the operation of units such as
drives, valves, etc. Faceplate types are suitable for the specification and display of values.

See also

● Comparison of picture window and faceplate technologies in WinCC Professional / WinCC
V7.5, Online Support under Entry ID 109764584 (https://support.industry.siemens.com/cs/

ww/en/view/109764584)

GMP Engineering Manual

86 Configuration Manual, 09/2019, A5E47300664-AA

Operator Activities Report / Operator Activities Comment

In Alarm Logging, the comment for the operator input message (operator activities report) is
displayed by a button in a dialog. To prevent a subsequent change to the comment in this dialog
box, the property "Unique user" is activated for the message class

acknowledgment > Operator input message

operator input message and entered the comment may change it. The operator must be logged
in to WinCC Runtime for this purpose.

Creating Application Software

6.2 Creating operator input messages

System, without

. This means that only the user who created the

Acknowledgment of messages as operator input message

Various operator actions (lock, release, hide, show, acknowledge) in the alarm view can be
documented with an operator input message. For example, a system message is generated for
the acknowledgment of a message. This system message receives the time stamp of the
acknowledgment, the logged-on user, and a reference to the acknowledged message.

Acknowledgment of messages with mandatory comment

The traceability of message acknowledgments in GMP-relevant production plants is more
transparent with the input of mandatory comments. In the WinCC user interface, the message
view can be extended by a button which allows the acknowledgment of a message only after
a comment has been entered. An operator input message with the entered comment is
generated for the acknowledged message.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 87

Creating Application Software

6.3 Audit trail and change control

See also

● Acknowledgment of WinCC V7 messages with forced comments, Online Support under
Entry ID 52329908 (https://support.industry.siemens.com/cs/ww/en/view/52329908)

6.3 Audit trail and change control

6.3.1 Audit trail for operator actions

Operator input through input/output fields, buttons or through other objects can be configured
in the WinCC Graphics Designer so that an operator input message is generated by the system.
(For information on configuration see chapter "Creating operator input messages (Page 84)")

In addition to the operator message, login and logout processes can also be archived in WinCC
Alarm Logging. WinCC provides a series of system messages which can be activated for
recording in Alarm Logging, if required.

The message numbers 1012400 and 1012401 are also activated for recording the logon/logoff
processes via a Web client.

The "

Messages

the message number 12508141 is automatically listed.

88 Configuration Manual, 09/2019, A5E47300664-AA

" table shows the "used" system messages. The operator input message with

GMP Engineering Manual

Creating Application Software

6.3 Audit trail and change control

The operator input message is a standardized system message for which the system
automatically enters the old value in process value 2 and the new value in process value 3. We
therefore recommend that you rename process value blocks 2 and 3. The system messages
cannot be configured.

To display operator input messages, the WinCC Alarm Control is dragged from the object
palette to a picture.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 89

Creating Application Software

6.3 Audit trail and change control

A double-click on the control opens the Properties dialog. To ensure that only operator input
messages are displayed in the Alarm Control, a "fixed selection'" is defined in the

Message lists

tab. The criterion Class is selected in the configuration dialog and is equated to the setting
System, without acknowledgment. This means that only operator input messages, including
user-specific operator input messages, as well as login/logout processes are displayed in the
WinCC AlarmControl.

GMP Engineering Manual

90 Configuration Manual, 09/2019, A5E47300664-AA

Creating Application Software

6.3 Audit trail and change control

The audit trail is displayed in the process picture as follows:

The symbol in the Comment column shows that a comment is available. This can be displayed
with the button marked in the screenshot or by double-clicking the column for the selected
message.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 91

Creating Application Software

6.4 Electronic signature

The subsequent change of the comment is only enabled for the WinCC user who entered the
comment. This applies to the automatically generated standard operator input message with
Operator Activities Report (message number 12504181) as well as to user-specific operator
input messages generated by script.

See also

● Chapter "Creating operator input messages (Page 84)"

6.3.2 Change control for the configuration and project engineering

The WinCC configuration, as well as the project engineering (pictures, scripts, etc.), is backed
up and archived together with the overall project. Changes made to individual elements must
be controlled in accordance with the applicable change procedure following their initial release.

6.4 Electronic signature

If electronic signatures are to be used in a computer system instead of handwritten signatures,
certain legal regulations must be complied with, such as those contained in 21 CFR Part 11 of
the U.S. Food and Drug Administration or also Annex 11 of the EU GMP Guide.

Other laws and regulations or the process owner define the actions for which signatures are
required. The process owner is always the one who decides the actions for which signatures
will be provided electronically.

Operator actions in WinCC, for example, input via I/O fields or clicking buttons, can be
configured so that an electronic signature is requested from the logged-on user.

GMP Engineering Manual

92 Configuration Manual, 09/2019, A5E47300664-AA

Example of a simple electronic signature with a separate dialog

A setpoint is to be changed. When the I/O field is clicked, a picture window appears in which the
logged-on user signs electronically by confirming his password. Only then is the setpoint
change carried out. During this operator action, a script with the function
or

AuthenticateUserNoGUI

Service. The function authenticates the logged-on user using the password entered. The
electronic signature is established by an audit trail entry via the call of a user alarm (see chapter
"Creating operator input messages (Page 84)" and chapter "Audit trail for operator actions
(Page 88)").

The picture window for the electronic signature can be designed flexibly. The entry of an
electronic signature during operation could look like this:

is called in the background and activates the SIMATIC Logon

Creating Application Software

6.4 Electronic signature

VerifyUser

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 93

Creating Application Software

6.4 Electronic signature

Example of a simple electronic signature with SIMATIC Logon dialog

SIMATIC Logon offers a dialog to specify an electronic signature. This dialog is opened when
the function
unsuccessful signature and the creation of a user-specific operator input message are also
programmed in the VB/C script.

Show Dialog

is called in a VB script or C script. The reactions to a successful or

See also

● WinCC Information System > Working with WinCC > Setting up User Administration >
Central User Administration with SIMATIC Logon > "Creating an Electronic Signature in a
VBS Action or C Action"

GMP Engineering Manual

94 Configuration Manual, 09/2019, A5E47300664-AA

Example of a multiple electronic signature

An application example for the configuration of several electronic signatures for the same
operator action is available in the Online Support.

Creating Application Software

6.5 Recording and archiving data electronically

See also

● Application example for electronic signatures, Online Support at Entry ID 67688514 (https://

support.industry.siemens.com/cs/ww/en/view/67688514)

6.5 Recording and archiving data electronically

It is very important to provide consistent quality evidence relating to quality-relevant production
data, especially for production plants operating in a GMP environment.

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 95

Creating Application Software

6.5 Recording and archiving data electronically

There are several steps involved in electronic recording and archiving, e.g.:

● Definition of the data to be archived, the archive sizes and the suitable archiving strategy

● Configuration of process value archives for the online storage of selected process values

● Configuration of parameters for exporting the archives to the archive server (time period or
amount of storage space used)

6.5.1 Determining the data to be archived

Various factors must be taken into account when defining the archiving strategy and
determining the required storage space, for example:

● Definition of the data to be archived coming from different sources: process values,
messages, batch data, reports, audit trails, log files, etc.

● Definition of the relevant recording cycles

● Specification of the period of storage online and offline

● Definition of the archiving cycle for transfer to external storage

This data is then stored in various archives:

● Process value archive "Tag Logging fast", archiving of process values <1 min

● Process value archive "Tag Logging slow", archiving of process values >1 min

● Message archive "Alarm Logging"

● PM-QUALITY database

● PM-CONTROL database

● PM-SERVER database for evaluation and analysis in PM-ANALYZE

On top of this, in other parts of the system, additional actions are monitored and recorded in log
files or databases:

● WinCC reports

● SIMATIC Logon database "EventLog.mdb"

● Event Viewer under Windows Computer Management (logon/logoff activities, account
management, permission settings for the file system, etc. according to the corresponding
configuration)

All the files mentioned (and others, if required) must be considered in the archiving concept.

6.5.2 Setup of process value and message archives

Process value archive

A process value archive is used to save process values (analog and binary values) in a
database in the form of a short-term archive.

GMP Engineering Manual

96 Configuration Manual, 09/2019, A5E47300664-AA

Message archive

Creating Application Software

6.5 Recording and archiving data electronically

The configuration is carried out in the "Tag Logging" editor, the following steps are required:

● Creating the required process value archives and selecting the tags that are to be recorded.

● Configuring the properties for each process value archive, such as archive size, storage

location, signing activated, etc.

The archived process values are generally stored in compressed form in the archives. The
"Signing activated" property generates a checksum when the archive segment is swapped out
from the Microsoft SQL Server. For a later view of the data, swapped-out archive segments can
be reconnected to the WinCC Controls. At the same time, the checksum is verified. A message
signals whether a swapped-out archive was manipulated.

If a subsequent change or a new input of process values is to be possible, this can be
implemented via the WinCC OnlineTableControl with corresponding operator authorization
and operator activities report. Otherwise, this function must remain deactivated.

All incoming messages are recorded in WinCC Alarm Logging. These are operating messages,
operator input messages, alarm messages, system messages, control messages, limit
monitoring, etc. The division into different message classes and message types determines the
display and the acknowledgment requirement of the messages.

The settings for the messages, the archive size, and the swapping-out behavior are defined in
the "Alarm Logging" editor in the Configuration Studio. Just like a process value archive, the
message archive also has the "Signing Active" property.

6.5.3 Setting up user archives

The option "WinCC/User Archives" can be used for managing database tables with several
data records, e.g. for simple machine data or small recipes. WinCC UserArchiveControl offers
an overview of the data records created.

To comply with the GMP requirements related to the audit trail for changing critical parameter
data (recipe data/machine data), such data fields are connected to I/O fields in a WinCC
picture. The activated property "Operator input message at I/O field" triggers an operator input
message when a value is entered.

See also

● Chapter "Creating operator input messages (Page 84)"

● WinCC Information System > Options > User Archives

GMP Engineering Manual
Configuration Manual, 09/2019, A5E47300664-AA 97

Creating Application Software

6.5 Recording and archiving data electronically

6.5.4 Recording and archiving

Archiving in WinCC involves two steps. First, messages (Alarm Logging) and process values
(Tag Logging Fast and Slow) are recorded as sequential archives in individual segments.

These short-term archives can be transferred to a long-term archive using a number of different
solutions and can then be stored for a time period specified by the customer.

The size of the Tag Logging database is determined by the number of process value archives
and the process tags contained there. The size of a process value archive depends on the
smallest acquisition cycle for the process tags.

It is advisable to save only values of process tags with the same acquisition cycle (e.g. 500 ms,
1 s, etc.) together in one process value archive. A separate process value archive should be
created for each acquisition cycle required.

See also:

● WinCC Information System > Calculation of Memory Requirements

6.5.5 Long-term archiving

The property "Relevant long term" is activated by default for the process tags. This is a
requirement for the transfer of the recorded process values to the long-term archive or Process
Historian. The messages recorded in WinCC Alarm Logging are always completely swapped
out.

GMP Engineering Manual

98 Configuration Manual, 09/2019, A5E47300664-AA