Siemens SIMATIC PCS 7 Function Manual

SIMATIC
Process Control System PCS 7
Fault-tolerant Process Control Systems (V8.0)
Function Manual

1 Preface
2 Basics of Fault Tolerance
3 Fault-tolerant Solutions in PCS 7
4 Advantages of fault-tolerant components
5 Component Replacement and Plant Changes
6 Failure, Switchover and Return of Fault-tolerant Components
7 Diagnostics

03/2012
A5E02779471-02
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.
CAUTION
without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.
NOTICE
indicates that an unintended result or situation can occur if the relevant information is not taken into account.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.
Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.
Siemens AG
Industry Sector Postfach 48 48 90026 NÜRNBERG GERMANY
A5E02779471-02 Ⓟ 05/2012 Technical data subject to change
Copyright © Siemens AG 2012. All rights reserved

Table of contents

1 Preface.........................................................................................................................................................7
2 Basics of Fault Tolerance...........................................................................................................................13
2.1 Rationale for using fault-tolerant process control systems..........................................................13
2.2 System-wide availability analyses...............................................................................................15
2.3 PCS 7 redundancy concept.........................................................................................................16
2.4 Overview of the PCS 7 redundancy features..............................................................................19
2.5 Features for the configuration phase...........................................................................................20
2.6 Features for the commissioning and operation phases...............................................................20
2.7 Features for servicing and system expansions...........................................................................22
2.8 Definition of availability................................................................................................................23
2.9 Definition of the standby modes..................................................................................................23
2.10 Redundancy nodes......................................................................................................................24
3 Fault-tolerant Solutions in PCS 7................................................................................................................27
3.1 Solutions for the I/O.....................................................................................................................27
3.1.1 Redundant I/O.............................................................................................................................28
3.1.2 Switched I/O................................................................................................................................30
3.1.3 Components in the distributed I/O...............................................................................................32
3.1.3.1 Redundant interface modules in distributed I/O..........................................................................32
3.1.3.2 Redundant I/O modules...............................................................................................................33
3.1.3.3 Redundant actuators and sensors...............................................................................................34
3.2 Solutions for automation systems................................................................................................35
3.2.1 S7-400H hardware components..................................................................................................36
3.2.2 How the SIMATIC S7-400H AS operates....................................................................................39
3.3 Solutions for communication.......................................................................................................39
3.3.1 Network components...................................................................................................................41
3.3.2 Media Redundancy Protocol.......................................................................................................45
3.3.3 Solutions for the terminal bus......................................................................................................46
3.3.3.1 Connecting PC stations to the terminal bus................................................................................46
3.3.3.2 Fault-tolerant terminal bus...........................................................................................................47
3.3.3.3 Redundant, fault-tolerant terminal bus........................................................................................49
3.3.3.4 Redundant, fault-tolerant terminal bus based on the Parallel Redundancy Protocol (PRP).......50
3.3.3.5 Redundant, fault-tolerant terminal bus based on the INTEL TEAM mode..................................52
3.3.4 Solutions for the plant bus...........................................................................................................56
3.3.4.1 Connecting PC stations to the plant bus.....................................................................................56
3.3.4.2 Fault-tolerant plant bus................................................................................................................57
3.3.4.3 Redundant, fault-tolerant plant bus.............................................................................................59
3.3.5 Solutions for the fieldbus.............................................................................................................62
3.3.5.1 Redundant PROFIBUS DP..........................................................................................................62
3.3.5.2 Fault-tolerant fieldbus based on PROFINET...............................................................................64
Fault-tolerant Process Control Systems (V8.0) Function Manual, 03/2012, A5E02779471-02 3
3.3.5.3 Gateway between redundant and non-redundant PROFIBUS DP..............................................65
3.3.5.4 Connection of PROFIBUS PA to PROFIBUS DP........................................................................66
3.3.5.5 Fault-tolerant PROFIBUS PA......................................................................................................68
3.3.5.6 Connecting the FOUNDATION Fieldbus to PROFIBUS DP........................................................72
3.3.5.7 Fault-tolerant FOUNDATION Fieldbus........................................................................................74
3.4 Solutions for integrating a PCS 7 plant in a domain....................................................................77
3.5 Solutions for OS servers..............................................................................................................77
3.6 Solutions for OS clients...............................................................................................................81
3.6.1 Additional OS clients...................................................................................................................81
3.6.2 Permanent operability..................................................................................................................81
3.7 Solutions for SIMATIC BATCH....................................................................................................82
3.8 Solutions for Route Control server..............................................................................................85
3.9 Solutions for engineering station.................................................................................................87
3.10 Time synchronization...................................................................................................................88
4 Advantages of fault-tolerant components...................................................................................................89
4.1 Creating and expanding a project with pre-configured stations..................................................89
4.2 SIMATIC H Station......................................................................................................................89
4.2.1 Overview of configuration tasks...................................................................................................89
4.2.2 How to add a SIMATIC H station to your project.........................................................................90
4.2.3 How to insert synchronization modules into the H CPU..............................................................91
4.2.4 How to configure redundant communication processors.............................................................93
4.2.5 How to set the failure reaction of the input/output modules on the CPU.....................................95
4.3 Communication connections.......................................................................................................96
4.3.1 Overview of configuration tasks...................................................................................................96
4.3.2 Configuring the connection to the terminal bus...........................................................................97
4.3.2.1 How to configure the redundant terminal bus on the basis of the Parallel Redundancy Protocol97
4.3.2.2 How to configure the redundant terminal bus on the basis of the INTEL TEAM mode ..............97
4.3.2.3 How to connect singular components to the redundant terminal bus on the basis of the Parallel Redundancy Protocol..........100
4.3.3 How to configure a fault-tolerant plant bus................................................................................100
4.3.4 How to configure a redundant PROFIBUS DP..........................................................................102
4.3.5 How to configure a fault-tolerant fieldbus on the basis of PROFINET.......................................105
4.3.6 How to configure the redundant PROFIBUS PA.......................................................................107
4.4 Distributed I/O............................................................................................................................109
4.4.1 Overview of configuration tasks.................................................................................................109
4.4.2 How to configure the redundant interface for the I/O device.....................................................110
4.4.3 How to configure redundant I/O modules..................................................................................112
4.4.4 How to configure the redundancy for HART field devices.........................................................116
4.4.5 How to configure the Y Link.......................................................................................................119
4.4.6 Configuring DP/PA Link.............................................................................................................122
4.4.7 Configuring FF Link...................................................................................................................124
4.4.8 Configuration of redundant signals............................................................................................126
4.5 Operator stations.......................................................................................................................127
4.5.1 Overview of configuration tasks.................................................................................................127
4.5.2 How to configure an OS server and its redundant OS partner server.......................................127
4.5.3 How to configure a central archive server and its redundant archive partner server................130
4.5.4 How to set the redundancy of the central archive server..........................................................133
4.5.5 How to set the project paths of the destination OS and standby OS........................................134
4.5.6 How to configure a redundant connection between an OS and AS..........................................135
4.5.7 How to configure redundancy for OS servers on the engineering station.................................138
4.5.8 How to set the redundancy connection for OS servers.............................................................141
4.5.9 How to assign an S7 program to an OS....................................................................................142
4.5.10 How to configure an OS client...................................................................................................144
4.5.11 How to configure an OS client for permanent operability..........................................................145
4.5.12 How to download a SIMATIC PCS 7 project to the target systems...........................................148
4.5.13 Evaluating the "@RM_MASTER" Redundancy Variables with Scripts......................................149
4.6 SIMATIC BATCH Stations.........................................................................................................149
4.6.1 Overview of configuration tasks.................................................................................................149
4.6.2 How to configure a BATCH server and its redundant BATCH partner server...........................150
4.6.3 How to configure a BATCH client..............................................................................................152
4.6.4 How to set the redundancy monitoring of BATCH servers........................................................153
4.6.5 How to configure the redundancy connection for BATCH servers on the engineering station..154
4.6.6 How to set the redundancy connection for BATCH servers......................................................155
4.6.7 How to download the target systems for SIMATIC BATCH.......................................................156
4.7 SIMATIC Route Control stations...............................................................................................157
4.7.1 Overview of configuration tasks.................................................................................................157
4.7.2 How to configure a Route Control server and its redundant Route Control partner server.......157
4.7.3 How to configure a Route Control client....................................................................................160
4.7.4 How to configure a redundant connection between a Route Control server and AS................162
4.7.5 How to set the redundancy connection for Route Control servers............................................165
4.7.6 How to set the redundancy of the Route Control servers..........................................................166
4.7.7 How to download the target systems for Route Control............................................................166
5 Component Replacement and Plant Changes.........................................................................................167
5.1 Failure and replacement of bus components............................................................................167
5.1.1 Replacement of SIMATIC components in runtime....................................................................167
5.1.2 Replacement of bus components in runtime.............................................................................168
5.1.3 Replacement of operator stations in runtime.............................................................................169
5.1.4 Replacement of BATCH stations in runtime..............................................................................170
5.1.5 Replacement of Route Control stations in runtime....................................................................171
5.2 Plant changes in runtime...........................................................................................................172
6 Failure, Switchover and Return of Fault-tolerant Components.................................................................175
6.1 I/O..............................................................................................................................................175
6.1.1 Failure of redundant interface modules.....................................................................................175
6.1.2 Failure of redundant I/O modules..............................................................................................175
6.2 Automation system....................................................................................................................177
6.2.1 Failure of the master CPU.........................................................................................................177
6.2.2 Failure of a fiber-optic cable......................................................................................................178
6.3 Communication..........................................................................................................................180
6.3.1 Failure of redundant bus components.......................................................................................180
6.4 OS server..................................................................................................................................181
6.4.1 Failure, failover and restarting of redundant OS servers...........................................................181
6.5 BATCH Server...........................................................................................................................186
6.5.1 Reaction of BATCH servers to failure........................................................................................186
6.6 Route Control server.................................................................................................................187
6.6.1 Reaction of Route Control servers to failure..............................................................................187
6.7 OS clients..................................................................................................................................188
6.7.1 Failover reactions of OS clients with permanent operability......................................................188
6.8 BATCH clients...........................................................................................................................190
6.8.1 Failover reactions of BATCH clients..........................................................................................190
6.9 Route Control clients.................................................................................................................190
6.9.1 Failover reaction of Route Control clients..................................................................................190
6.10 Guidelines for updating a redundant OS in runtime..................................................................191
6.10.1 Introduction................................................................................................................................191
6.10.2 Overview of the required tasks..................................................................................................193
6.10.3 Phase 1: Updating Server_2......................................................................................................196
6.10.4 Phase 2: Updating OS clients interconnected with Server_2....................................................199
6.10.5 Phase 3: Downloading the connections, gateways and changes to the AS..............................201
6.10.6 Phase 4: Updating the OS clients interconnected with Server_1..............................................202
6.10.7 Phase 5: Updating Server_2......................................................................................................204
6.11 Guide to updating a redundant BATCH server in runtime.........................................................207
6.11.1 Software update (migration)......................................................................................................207
6.12 Guide to updating a redundant Route Control server in runtime...............................................207
6.12.1 Updating a redundant Route Control server in runtime.............................................................207
7 Diagnostics...............................................................................................................................................209
Index.........................................................................................................................................................211

1 Preface

Purpose of this documentation
This documentation informs you about the following aspects of configuring fault-tolerant systems with the SIMATIC PCS 7 Process Control System:
● The basic solution concepts
● The functional mechanisms
● The most important configurations
It presents the availability solutions on all automation levels (management, process, field).
You will find references to other product manuals containing specific information for working with individual components.
Options for accessing PCS 7 documentation
As of PCS 7 V8.0, you receive basic PCS 7 system documentation with the Process Control System; SIMATIC PCS 7 DVD.
● The PCS 7 Readme on the DVD contains important information regarding PCS 7 and takes precedence over the PCS 7 documentation supplied.
● After installation of PCS 7, you can find documents such as Process Control System; SIMATIC PCS 7; PCS 7 Readme and Process Control System; SIMATIC PCS 7; What's New in PCS 7? via the submenu SIMATIC > Product Information > <Language>.
Note
PCS 7 Readme on the Internet
The information given in the PCS 7 Readme on the Internet takes precedence over all the PCS 7 manuals. Please read this PCS 7 Readme carefully; it contains important information and amendments on PCS 7.
The PCS 7 Internet site http://www.siemens.com/pcs7-documentation provides convenient access to the complete PCS 7 documentation. You can find the following for the latest PCS 7 versions:
● In the section "Hardware manuals for SIMATIC PCS 7 ..."
– The manuals for components approved for a PCS 7 version
● In the section "Software manuals for SIMATIC PCS 7 ..."
– The complete system documentation
– The separate setup program for PCS 7 documentation and the PCS 7 help system for download. After the installation of the setup program, you will find the documentation at the following locations on the Engineering Station:
- As online help (CHM file) for the SIMATIC Manager application
- As a PDF file in the Windows Start menu with the SIMATIC documentation
– The complete documentation for PCS 7 as a Manual Collection
Validity of the documentation
This documentation is valid for the software package PCS 7, V8.0 or higher.
Required basic knowledge
General knowledge in the area of automation engineering and basic knowledge of PCS 7 is required to understand this documentation. It is also assumed that the reader knows how to use computers or other equipment similar to PCs (such as programming devices) with the Windows operating system.
The configuration manuals and the Getting Started documentation for PCS 7 will provide you with basic information regarding the use of PCS 7.
Position in the information landscape
The following documentation provides more information about fault-tolerant process control systems and the handling of the individual components. This documentation is part of the PCS 7 software.
Manual | Content
Getting Started: Process Control System PCS 7; Part 1 - Getting Started
● Creating projects
● Working with the CFC Editor
● Working with the Import/Export Wizard
● Working with the SFC Editor
● Compiling, downloading and testing
● Working with the operator station
Configuration manual: Process Control System PCS 7; Engineering System
● Basics of PCS 7
● Creating projects
● Configuring hardware
● Configuring networks
● Configuring SIMATIC connections
Configuration manual: Process Control System PCS 7; Operator Station
● Interconnecting faceplates
● Configuring operator stations
● Compiling the OS
Function manual: Process Control System PCS 7; Maintenance Station
● Installation guidelines
● Activation of the maintenance functions
● Configuration of redundancy
● Adding the OPC server
Configuration manual: Process … WinCC …
● Getting Started
● Operating principle of WinCC redundancy
● User archives
● Creating the "Project_Redundancy_Server" example project
● Description of the WinCC projects
● Server project
Manual: WinCC Hardware Options, Part 3 Redundancy
● Structure of a redundant WinCC system
● Operating principle of WinCC redundancy
● Configuring the OS server pair
● Guide for setting up a redundant system
● Entering the servers in Windows
Manual: Process Control System PCS 7; SIMATIC BATCH
● Structure of a redundant BATCH system
● Configuring the BATCH server pair
● Installation guidelines
Manual: Process Control System PCS 7; SIMATIC Route Control
● Setting up a redundant Route Control system
● Configuring the Route Control server pair
● Installation guidelines
Manuals for PCS 7 Software Update
● Updating a PCS 7 Project with and without use of new functions
● Upgrading a redundant system during online operation
Manual: Automation System S7-400H, Fault-tolerant Systems
● Redundant SIMATIC automation systems
● Increasing availability
● System and operating modes of the S7-400H
● Linking and updating
Manual: Modifying the System in Runtime via CiR
● Modifying standard systems in runtime
Manual: Distributed I/O Device ET 200M
● Configuration options
● Mounting
● Wiring
● Commissioning and diagnostics
Manual: Distributed I/O Device ET 200iSP
● Configuration options
● Mounting
● Wiring
● Commissioning and diagnostics
Operating Instructions: SIMATIC NET; Industrial Ethernet Switches SCALANCE X-200
● Configuration options
● Mounting
● Wiring
● Commissioning and diagnostics
Operating Instructions: SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
● Configuration options
● Mounting
● Wiring
● Commissioning and diagnostics
Manual: SIMATIC NET Industrial Twisted Pair and Fiber-Optic Networks
● Networks with Industrial Ethernet and Fast Ethernet
● Network configuration
● Passive components for electrical and optical networks
● Active components and topologies
Manual: SIMATIC Diagnostic Repeater for PROFIBUS-DP
● Configuration options
● Mounting
● Wiring
● Commissioning and diagnostics
Manual: SIMATIC DP/PA Coupler, DP/PA Link and Y Link
● Fundamentals of PROFIBUS PA
● DP/PA Coupler
● DP/PA Link
● DP/PA Link in redundant operation with the S7-400H
Documentation: PCS 7 - Released Modules
● Components released for redundancy in PCS 7
Conventions
This manual is organized into the following topics:
● Basics of fault-tolerance in PCS 7
● Description of fault-tolerant solutions in PCS 7
● Description of configurations for various redundant components in PCS 7
● Failure scenarios and diagnostic options
● Options for quantitative analysis of fault-tolerant process control systems
● Glossary with important terms for understanding this documentation
● Index of important keywords
In this documentation, the names of elements in the software interface are specified in the language of this documentation. If you have installed a multi-language package for the operating system, some of the designations will be displayed in the base language of the operating system after a language switch and will, therefore, differ from the designations used in the documentation.
Changes compared to the previous version
Below, you will find an overview of the most important changes in the documentation compared to the previous version:
● Using the redundant, fault-tolerant terminal bus. For additional information, refer to the section "Solutions for the terminal bus (Page 46)".
● Using the Process Historian and Information Server for central archiving. For additional information on this topic, refer to the documentation SIMATIC HMI; SIMATIC Process Historian.
● Using a fault-tolerant fieldbus based on PROFINET. For additional information, refer to the section "Fault-tolerant fieldbus based on PROFINET (Page 64)".
● Using the redundant FOUNDATION Fieldbus. For additional information, refer to the section "Fault-tolerant FOUNDATION Fieldbus (Page 74)".

Basics of Fault Tolerance

2.1 Rationale for using fault-tolerant process control systems

Advantages of fault-tolerant components
Process control systems are responsible for controlling, monitoring and documenting production and manufacturing processes. Due to the increasing degree of automation and the demand for improved efficiency, the availability of these systems is playing an increasingly important role.
Failure of the control system or any of its components can lead to costly downtime in production and manufacturing. In addition to the actual production losses resulting from a failure, the expense involved in restarting a continuous process also has to be taken into consideration. An entire batch may also be lost because quality data are lost. If the process is intended to operate without supervisory or service personnel, the process control system must be configured to be fault-tolerant in all of its components.
You can minimize the risk of a production failure and other detrimental effects by using fault-tolerant components in a process control system. A redundant design ensures increased availability of a control system: every component involved in the process has a backup that runs continuously and participates in the control tasks at the same time. When a fault occurs or one of the control system components fails, the correctly operating redundant component takes over the continuing control task. The ultimate goal is to increase the fault tolerance and fail-safe performance of process control systems.
The following applies to you as the plant operator:
The higher the cost of a production stoppage, the more you need a fault-tolerant system. The higher initial investment usually associated with a fault-tolerant system is soon offset by the savings resulting from decreased production downtimes.
Fault-tolerant PCS 7 process control system
The following components of the PCS 7 process control system allow you to implement fault tolerance at all automation levels in the form and to the degree you require:
● Operator stations, maintenance station, central archive server, BATCH stations, Route Control stations (management level)
● Bus system
● Automation systems (process level)
● Distributed I/O (field level)
The following figure shows an example of a fault-tolerant process control system with PCS 7 components.
7HUPLQDOEXV
3ODQWEXV
%$7&+FOLHQWV
06VHUYHU
5RXWH&RQWURO
VHUYHU
6HQVRU
6HQVRU
26FOLHQWV5RXWH&RQWUROFOLHQWV
26VHUYHU
%$7&+VHUYHU
(QJLQHHULQJ
6WDWLRQ
06FOLHQW
)LHOGEXV
&3
&336&3&3836&3
,036
(70
,036,0
&38
60
60
60
60
60
60
606060606060
6+
,0
&3&3
36
36
(70
Legend for the above illustration:
Note
The following short designations are commonly used in this documentation.
Short designation | Meaning
Engineering Station | Engineering station, PC
OS server | Operator station, PC project data station in the project form "WinCC Server"
OS client | Operator station, PC visualization station in the project form "WinCC Client"
BATCH server | BATCH station, PC recipe and batch data station
BATCH client | BATCH station, PC recipe creation and batch visualization station
Route Control server | Route Control station, PC Route Control data station
Route Control client | Route Control station, PC Route Control visualization station
Plant bus, terminal bus | Bus systems for communication over Industrial Ethernet (electrical or optical)
S7-400H | SIMATIC S7 fault-tolerant automation system, or H system for short
PS | Power supply
CPU | Central processing unit
CP | Communications processor
IM | Interface module
SM | Signal module / I/O module in analog or digital form
ET 200M | Distributed I/O device
Fieldbus | Fieldbus for distributed I/O
Sensor | Transmitters, sensors
2.2 System-wide availability analyses
Introduction
Availability must be analyzed globally for the system as a whole. Based on the degree of availability needed, each system level, each system and each component within a level should be evaluated. It is important to know how much each of these contributes to the availability requirements, as well as the ways and means by which the required availability will be achieved.
Avoiding repair time
In many industrial processes, it is not enough to simply correct the failure of a component and then continue the process. The repair has to be made without interruption to the continuing production process. The repair time can be considerably reduced by keeping replacement parts in stock on site. The use of fault-tolerant components in the process control system enables you to correct the cause of the system or component failure in runtime. The function of the component is retained if no fault occurs in the remaining active (redundant) components during the time a failed counterpart component is being repaired. That is, the plant continues operation without disruption.
Avoiding impermissible signal edge transitions
A reserve system with connected backup I/O must not cause an impermissible signal edge transition when the operating state (power on or off) or the operating mode (master or slave) changes.
2.3 PCS 7 redundancy concept
Advantages of the PCS 7 redundancy concept
Fault-tolerant process control systems can be realized with SIMATIC PCS 7 at minimal cost in all phases of a system lifecycle:
● Configuration
● Commissioning/operation
● Servicing
● Expansion
PCS 7 offers the following essential advantages:
● It provides you with system-wide scalable solutions based on the PCS 7 modular design. Advantage: The availability can be matched to your requirements. Your process control system can be upgraded with the SIMATIC PCS 7 components that are actually needed.
● Hardware upgrades for fault tolerance do not depend on the software configuration. Advantage: If the user program has been configured with PCS 7, it does not have to be adapted following a hardware upgrade. You only need to download the new hardware configuration into the CPU.
● Fault-tolerant automation system S7-400H with CPU (types: see documentation Process Control System PCS 7; Released Modules), whose module racks can be set up in separate locations. Advantage: Protection for the spatially separated CPUs resulting in increased availability in case of fire or explosion, for example.
● The use of redundant components in the process control system means isolated errors are tolerated. Advantage: The entire system does not fail when a single component in the process control system fails. The redundant component takes over its tasks, therefore allowing the process to continue.
● Every failure of a redundant component is indicated on the OS clients in the form of a process control message. Advantage: You immediately receive crucial information about the status of your redundant component. Specific components that have failed can be quickly replaced to restore the redundancy.
● Software updates on redundant OS servers can be performed without loss of process operability or loss of data.
Overview of the PCS 7 redundancy concept
[Figure: Overview of the PCS 7 redundancy concept. Elements shown: sensors/actuators, switches, clients (OS clients, BATCH clients, Route Control clients), OS server, BATCH server, Route Control server, redundant fault-tolerant terminal bus, redundant fault-tolerant plant bus, redundant link, fault-tolerant automation system, redundant PROFIBUS DP, ET 200M, Y link (connection of non-redundant PROFIBUS DP devices to redundant PROFIBUS DP), fieldbus PROFIBUS PA with active field distributor, fail-safe I/O]
PCS 7 offers you a redundancy concept that reaches all levels of process automation.
Note
The numbering of the components in the illustration relates to the descriptions provided below.
Number | Description
1 | Several clients (OS clients, BATCH clients, Route Control clients) can access data on a server (OS server, BATCH server, Route Control server).
2 | Communication between the operator stations (client and server) and communication with the engineering station is over a redundant, fault-tolerant terminal bus (Industrial Ethernet). The clients and servers are connected to the terminal bus via switches.
3 | The servers (OS server, BATCH server, Route Control server, maintenance server, central archive server) can, when necessary, be set up redundantly.
4 | Automation systems communicate with the OS servers/Route Control servers and engineering stations and among themselves over the redundant, fault-tolerant plant bus (Industrial Ethernet). The automation systems, servers and engineering station are connected to the plant bus via switches.
5 | Each part of the redundant, fault-tolerant S7-400H automation system is connected to the plant bus with an Ethernet communications processor (CP). Each part of the AS can be connected to several PROFIBUS DP chains. The internal PROFIBUS DP interfaces or additional communications processors are used for the attachment.
6 | The redundant connection to the DP master system is achieved using two IM 153-2 interface modules in each ET 200M. An equivalent connection via PROFINET is described in the section "Fault-tolerant fieldbus based on PROFINET (Page 64)".
7 | Using redundant digital or analog input/output modules, you can evaluate signals from sensors/actuators. If one of the two redundant modules fails, the input/output signals of the functioning module are evaluated.
8 | Fieldbus systems can be connected to the redundant PROFIBUS DP. A redundant fieldbus can be configured with a redundant gateway (for example, PA link). The field devices are connected to the subsystem (for example, PROFIBUS PA) via active field distributors (AFD), or via AFS when ring/coupler redundancy is used.
9 | The Y Link allows you to connect non-redundant PROFIBUS distributed I/O devices to a redundant PROFIBUS DP.
Illustration of fault tolerance using redundancy nodes
Redundancy nodes can be used to provide an overview of the fault tolerance of a process control system. As an introductory example, the following illustration presents the process control system shown above as a block diagram with the individual redundancy nodes.
[Figure: Block diagram of the process control system above with its individual redundancy nodes. Elements shown: OS clients, OS servers, bus, CPU, CP, IM, SM, Y link, DP bus, PA bus, DP/PA link, encoders]
2.4 Overview of the PCS 7 redundancy features
Introduction
The easiest way to increase availability is to keep replacement parts in stock on site and to have fast service at your disposal to replace defective components.
In this documentation, we present PCS 7 software and hardware solutions that go well beyond fast service and replacement part warehousing. The focus is on "automated fault-tolerant process control systems".
System-wide, scalable solutions available in PCS 7
Plants are divided into the following layers in PCS 7:
● Field layer
● Process layer
● Management level
The components of PCS 7 enable you to implement fault-tolerant solutions at all automation system levels in the form and to the degree you desire. In PCS 7, individual components (such as signal modules), complex systems (such as operator control and monitoring systems) and complete plants can be configured in such a way that one sub-component can automatically take on the function of another sub-component if it fails.
You decide which components in the plant require increased availability.
The following table lists the fault-tolerant components for the three layers.
Management level:
● OS clients, maintenance clients, BATCH clients, Route Control clients
● OS servers, maintenance servers, central archive servers, BATCH servers, Route Control servers
● Terminal bus (Industrial Ethernet)
Process layer:
● Plant bus (Industrial Ethernet)
● Automation system AS 412H, AS 414H, AS 416H, AS 417H
Field layer:
● Fieldbus PROFIBUS DP, PROFIBUS PA,
● Distributed I/O device ET 200M, ET 200iSP
● S7-300 distributed I/O modules
● PROFIBUS DP, PROFIBUS PA and HART devices
Basics of increased availability
Increased availability in PCS 7 is based on the following principles:
● Duplication of a component. Example: use of duplicate signal modules.
● Duplication of a component together with a software component that performs an automatic failover from the active to the passive component when a fault occurs. Example of redundant components: a signal is acquired with two signal modules and the redundancy software; the failure of one module remains non-critical for operation of the plant.
● Technical solutions for configuring components that prevent the failure of a sub-component. Example: configuration of a network in a ring structure with one component acting as redundancy manager. If part of the ring is disrupted (by a defective cable, for example), operation of the network is maintained.

2.5 Features for the configuration phase

Features for the configuration phase
In the configuration phase, PCS 7 provides you with support with the following features.
Feature | Meaning
Fault prevention through simplified configuration of the various components | You do not need additional training to configure the redundant components. Configuration can be performed in a similar way as for standard systems.
Simple integration of redundant I/O | No special knowledge is needed about redundant I/O modules.
The communication links between the system components are configured transparent to the application. | With the HW Config or NetPro graphical user interface, the configuration of the communication links is performed transparent to the application.
2.6 Features for the commissioning and operation phases
Features for the commissioning and operation phases
The following table lists the features PCS 7 offers for the commissioning and operation phases.
The redundant components allow the process to continue if a component fails. Operator control and monitoring of the process remain unaffected. In addition, the archiving of process data is not interrupted during the commissioning phase. Defective components can be replaced in runtime.
NOTICE
If a component fails in a redundant control system, the fault tolerance is lost. This means that another failure could potentially result in the failure of the entire system, although such occurrences are rare (e.g., if both bus lines are severed in the case of a redundant bus system). You can find additional information on this in the section "Redundancy nodes (Page 24)".
Feature: Toleration of an isolated error
Meaning: An isolated error is tolerated since the fault-tolerant redundant component continues the process.
Possible error / possible reason:
Fault or failure of servers and clients. Examples:
● Hard disk failure
● Operating system failure
● Connection failure
● Hard disk capacity for archiving exhausted
Error or failure of the automation system. Examples:
● Failure of power supply
● Failure of a CPU
Error or failure of the communication. Examples:
● Line break
● Electromagnetic compatibility (EMC)
Error or failure of central or distributed I/O modules. Examples:
● Component failure
● Short circuit
Fault in distributed I/O devices. Examples:
● Failure of the power supply (PS)
● Failure of an interface (IM)

Feature: Ensure uninterrupted operation through redundant components.
Meaning: The system can continue process control without operator intervention.
Possible error / possible reason: Failure of an individual component in a fault-tolerant process control system. Upgrade and expansion of the system.

Feature: Ability of the process to continue to be controlled and monitored even when a server switchover occurs.
Meaning: If an OS server fails, the system switches over to the configured redundant partner server. All OS clients are automatically switched over to the now active OS partner server. The process can continue to be controlled and monitored through the OS clients even during the failover period.
Possible error / possible reason: Failure of the OS server. Examples:
● Operating system failure
● Hard disk defect

Feature: Display of the master / standby identification of the OS server.
Meaning: Information about the master / standby identification of the OS server can be requested and visualized using the OS clients.
Possible error / possible reason: The master / standby identification changes if the active OS server (master) fails.
Feature: No loss of data; gap-free data archiving.
Meaning: The project data are saved according to the interval configured.
Possible error / possible reason: Failure of the OS server, for example, due to a hard disk defect.

Feature: Permanent operability of the control process by configuring a preferred server for each OS client.
Meaning: The failure of some OS clients can be tolerated if the remaining clients continue to be connected to the process.
Possible error / possible reason: One or more client operator stations fail, for example, due to a hardware or software error. Duration of the failover of the OS clients to the redundant OS server.

Feature: Replacement of faulty components and reconnection to the system in runtime.
Meaning: The failed components can be replaced without influencing the ongoing process and subsequently reconnected. A redundancy update is then performed.
Possible error / possible reason:
● OS client failure: e.g., operating system
● OS server failure: e.g., network adapter
● Plant bus failure: e.g., wire break
● Central rack failure: e.g., PS, CPU, synchronization line, CP, SM
● Fieldbus failure: e.g., defective PROFIBUS bus connector
● Failure of the distributed I/O device: e.g., PS, IM, SM

Feature: Update of faulty component with current system status after being reintegrated into the system.
Meaning: Redundancy synchronization is performed for all fault-tolerant components, for example, a CPU or a server after return to operation.
Possible error / possible reason: Switching on a redundant component after a redundancy fault. Example: Startup of the module after a CPU is replaced with subsequent data synchronization on the CPU conducting the process.

Feature: System upgrades and expansions in runtime
Meaning: Redundantly designed components can be upgraded, expanded or replaced in runtime.
Possible error / possible reason: Copying BIOS versions to redundant PC stations. Software updates for redundant PC stations without utilization of new functions.

Feature: Displays and documentation
Meaning: Documentation of availability, for example, testing based on the mean time between failure (MTBF) residual time with optional printout.
Possible error / possible reason: Displays and documentation of a potential component failure in advance.
2.7 Features for servicing and system expansions
Features for servicing and system expansions
PCS 7 offers the following features for servicing and system expansions:
Feature | Meaning
Asset management with the maintenance station | The maintenance station provides comprehensive information for servicing and diagnostics of PCS 7 plants.
Integrated diagnostics of components (for example, LEDs) for fast, local error detection. | Diagnostics of components without an additional programming device (PG).
Faster service from SIEMENS Customer Support. | The service is on site within 2 to 48 hours to maintain the availability guarantee.
Repairs and component expansions (upgrades, conversions and updates) in runtime. | Repair and component expansions can be made in a fault-tolerant system. System components are installed redundantly so that repairs and expansions can be made in runtime.

2.8 Definition of availability

Definitions
Availability is usually defined as follows:
Availability = MTBF / (MTBF + MTTR), or in short form: actual operating condition / nominal operating condition.
Whereby:
● MTBF = mean time between two successive error events, repair time excluded
● MTTR = mean time to repair
Increasing the basic availability
Based on this definition, the basic availability of a standard component or a standard system can be increased by the following:
● Reduction of error frequency
● Decreasing the period necessary for repairs
A variety of measures can reduce the repair time:
– Proximity to customer service
– Replacement parts warehousing
– Repairs in runtime or repairs without downtime
With "repairs during ongoing operation", no repair time is needed in the system to correct unscheduled operation disruptions.
2.9 Definition of the standby modes
Introduction
The availability of a system can be increased by additional components in the system (standby components). The operating mode of these components distinguishes them from the components that are active in process mode.
Standby operating mode
Operating mode | Definition
Hot standby | Hot standby means the parallel redundant processing of signals in redundant components. This allows a bumpless failover of the entire system to the standby components.
Warm standby | Warm standby means the fast continuation of the aborted function by standby components at a program continuation point.
Cold standby | Cold standby means that there is a component of the system available that can be activated if a fault occurs. Following a restart, the newly activated component takes over the function of the previously failed component.
2.10 Redundancy nodes
Functionality
Redundancy nodes provide protection from failure of systems with redundant components. A redundancy node is independent when the failure of one component within the node does not affect the reliability of other nodes or of the entire system.
The availability of a complete system is illustrated in block diagrams. In a redundant system, a component in a redundancy node can fail without affecting the operation of the complete system. In the chain of redundancy nodes, the weakest link determines the availability of the entire system.
The block diagrams below present examples to illustrate this point.
Redundancy nodes without fault
The following is a block diagram showing individual redundancy nodes operating without a fault.
[Figure "Redundancy nodes": block diagram of the redundancy nodes (encoders, OS clients, OS servers, bus, CPU, CP, IM, SM) operating without a fault]
Availability of a redundancy node despite faults
[Figures: block diagrams of the redundancy nodes (sensors, OS clients, OS servers, bus, CPU, CP, IM, SM) with a failed component in individual nodes, and with total failure of one node]
If a component in a redundancy node fails, the overall system continues to operate.
Total failure of a redundancy node
The following figure shows a complete system that has ceased to operate due to a failure of the "Field bus (PROFIBUS DP)" redundancy node.
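The availability definition of section 2.8 and the weakest-link rule for a chain of redundancy nodes (section 2.10), worked through as an added example that is not code from the Siemens manual. The node names follow the block diagrams; the MTBF/MTTR hours are constructed sample figures, not Siemens data, and independent failure of the components is an assumption.

```python
"""Availability of a chain of redundancy nodes (sections 2.8 and 2.10).

Added example, not from the Siemens manual: a fault-tolerant system is modelled
as a series chain of redundancy nodes, each holding redundant components, so the
chain is only as available as its weakest node.  MTBF/MTTR hours are constructed
sample figures; components are assumed to fail independently of each other.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Component:
    name: str
    mtbf_h: float          # mean time between failures, hours (repair time excluded)
    mttr_h: float          # mean time to repair, hours
    failed: bool = False   # current state, used by the failure-scenario check

    def availability(self) -> float:
        """Section 2.8: availability = MTBF / (MTBF + MTTR)."""
        return self.mtbf_h / (self.mtbf_h + self.mttr_h)


@dataclass
class RedundancyNode:
    name: str
    components: List[Component]

    def availability(self) -> float:
        """Parallel redundancy: the node is down only if every component is
        down at the same time, so A_node = 1 - prod(1 - A_i)."""
        p_all_down = 1.0
        for c in self.components:
            p_all_down *= 1.0 - c.availability()
        return 1.0 - p_all_down

    def operable(self) -> bool:
        """The node keeps working while at least one component is working."""
        return any(not c.failed for c in self.components)


@dataclass
class RedundancyChain:
    nodes: List[RedundancyNode]

    def availability(self) -> float:
        """Series chain: every node must be up, so A_sys = prod(A_node)."""
        a = 1.0
        for n in self.nodes:
            a *= n.availability()
        return a

    def weakest_node(self) -> RedundancyNode:
        """The weakest link bounds the availability of the entire system."""
        return min(self.nodes, key=lambda n: n.availability())

    def operable(self) -> bool:
        """Total failure of a single node stops the complete system."""
        return all(n.operable() for n in self.nodes)

    def failed_nodes(self) -> List[str]:
        return [n.name for n in self.nodes if not n.operable()]

    def fail_component(self, component_name: str) -> bool:
        """Mark one component as failed; False if the name is unknown."""
        for n in self.nodes:
            for c in n.components:
                if c.name == component_name:
                    c.failed = True
                    return True
        return False


def annual_downtime_minutes(availability: float) -> float:
    """Expected unavailability per year, in minutes."""
    return (1.0 - availability) * 365 * 24 * 60


def build_example_chain() -> RedundancyChain:
    """Chain in the order of the block diagrams: OS server, plant bus, CPU,
    PROFIBUS DP, IM, SM; each node holds two identical components."""
    def pair(name: str, mtbf_h: float, mttr_h: float) -> RedundancyNode:
        return RedundancyNode(name, [Component(f"{name} 1", mtbf_h, mttr_h),
                                     Component(f"{name} 2", mtbf_h, mttr_h)])
    # Constructed sample figures (hours), chosen for illustration only.
    return RedundancyChain([
        pair("OS server", 20_000, 8),   # PC: longest repair (reinstall, resync)
        pair("Plant bus", 50_000, 4),
        pair("CPU", 100_000, 4),
        pair("PROFIBUS DP", 50_000, 2),
        pair("IM", 80_000, 2),
        pair("SM", 60_000, 2),
    ])


if __name__ == "__main__":
    chain = build_example_chain()
    print(f"A_sys={chain.availability():.9f} weakest={chain.weakest_node().name} "
          f"downtime={annual_downtime_minutes(chain.availability()):.2f} min/year")
    for n in chain.nodes:                   # one failure per node is tolerated
        chain.fail_component(n.components[0].name)
    chain.fail_component("PROFIBUS DP 2")  # second failure in the same node
    print("operable:", chain.operable(), "failed nodes:", chain.failed_nodes())
```

The last two calls reproduce the rule restated for redundant I/O in section 3.1.1: one fault per redundancy node is tolerated, a further fault in a node that already lost its partner stops the complete system.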

Fault-tolerant Solutions in PCS 7

3.1 Solutions for the I/O

Introduction
In this section you will learn about the I/O systems and components that contribute to increasing the availability of your system. This means using the distributed I/O in PCS 7.
Distributed I/O
Distributed I/O refers to modules (input/output modules and function modules) that are used in a modular, distributed I/O device such as the ET 200M or ET 200iSP.
Distributed I/O devices are often spatially separated from the central rack and located in direct proximity to the field devices themselves. This minimizes the requirements for wiring and ensuring the electromagnetic compatibility. Communication connections between the CPU of the automation system and the distributed I/O can be established with the following network types:
● PROFIBUS DP
● PROFINET
In addition to the I/O devices, distributed I/O includes field devices such as actuators, weighing systems, motor protection control equipment and all other field devices that can be integrated in PCS 7 via the bus system.
HART devices are connected and addressed via the corresponding modules in the (ET 200M / ET 200iSP) distributed I/O. HART devices are actuators and sensors that can be configured per HART protocol (HART: Highway Addressable Remote Transducer).
Distributed I/O also includes bus converters such as DP/PA-Link and Y-Link. The DP/PA-Link enables the connection of a lower-level bus system such as PROFIBUS PA to a redundant PROFIBUS DP.
An AS interface can be connected using AS-Interface master modules (CPs) that are used in the distributed I/O device. This enables the connection of simple sensors and actuators to PCS 7 with AS-Interface. PCS 7 integrates other I/O levels in a project in this way.
Increasing availability
The availability of the I/O can be increased through the following configuration options:
● Redundant I/O (distributed I/O) The entire signal path up to the sensor/actuator is configured redundantly. Additional information on this topic is available in section "Redundant I/O (Page 28)".
● Switched I/O (distributed I/O) The communication path to the I/O (station) is redundant. There is only one input/output module (SM) for processing a process signal. Additional information on this topic is available in section "Switched I/O (Page 30)".
Modules for the distributed I/O
Note
Information on which modules are released for the distributed I/O in PCS 7 can be found in the documentation PCS 7 - Released modules. You will find this documentation on the Internet at: http://www.siemens.com/pcs7-documentation

3.1.1 Redundant I/O

Redundant I/O
Redundant I/O describes the situation when the I/O modules (SM) for processing a process signal are doubly available and can be addressed by both CPUs. The CPU signal or process signal continues to be processed by a functioning module even when its partner fails. The entire signal path up to the sensor/actuator is configured redundantly.
Note
With PCS 7, you can determine whether errors in redundantly acquired signals take effect on the module or on the channel. You can find information about this in the following sections:
● Section "Redundant input/output modules (Page 33)"
● Section "Failure of redundant input/output modules (Page 175)"
Configuration
In PCS 7, you can configure redundant I/O with selected S7-300 I/O modules of ET 200M.
[Figure: Redundant I/O with ET 200M. Elements shown: S7-400H (H system) with CPU, CP and PS in both subsystems, redundant PROFIBUS DP, two ET 200M each with IM and a redundant input module (SM), encoder/sensor]
The ET 200M distributed I/O device is connected as redundant DP slave to a fault-tolerant automation system operating as the DP master via PROFIBUS DP. A redundant configuration is achieved by installing an additional ET 200M and an additional PROFIBUS DP connection.
Note
Use only active bus modules for the ET 200M in a fault-tolerant system with PCS 7. Active bus modules enable you to plug and pull modules in runtime.
The following figure illustrates this configuration with ET 200M. Signals from redundant sensors can be registered.
Availability
The block diagram shows an example configuration with ET 200M without a fault.
If a fault occurs in a maximum of one signal path per redundancy node (e.g. bus line (bus = PROFIBUS DP) in the first redundancy node and an input module (SM) in the second redundancy node), the overall system remains operable. The connected device continues to supply data to the central device, which remains available. If any other component in the redundancy chain fails, however, the complete system will fail.
[Figure: Block diagram of the redundant I/O configuration with ET 200M without a fault. Elements shown: H system (CPU, CP, PS), bus, IM, SM in ET 200M, sensor]
Installation rules
The configuration always has to be symmetrical when using redundant I/O. Follow these installation rules:
● Both subsystems of the S7 400H must be configured identically. The same modules are located at the same slots. Example: CPU and CPs are located in both subsystems at the same slot.
● The communication paths and interfaces must be configured the same way in both subsystems. Example: The PROFIBUS cables in both subsystems are connected to the same PROFIBUS DP interface of the CPU 41x-4H.
● Redundant modules are always the same (order number, firmware version)
Configuration rules
● A DP slave must have the same PROFIBUS address in the mutually redundant DP master systems.
Additional information
● Section "Redundant interface modules in distributed I/O (Page 32)"
● Section "Redundant I/O modules (Page 33)"
● Manual Automation System S7-400H; Fault-tolerant Systems

3.1.2 Switched I/O

Switched I/O
Switched I/O describes the situation when there is only one I/O module (SM) for processing a process signal. The communication path to the I/O (station) is redundant. In the event that a communication path fails, the distributed I/O (station) switches to the functioning communication path. The non-redundant I/O modules of the distributed I/O can be addressed via the redundant interface module (DP slave) of both central modules (CPU) of a fault-tolerant system.