SIMATIC
Process Control System PCS 7 V7.0 SP1
Fault-tolerant Process Control System

Configuration Manual

Preface 1
Basics of Fault Tolerance 2
Fault-tolerant Solutions in PCS 7 3
Advantages of fault-tolerant components 4
Component Replacement and Plant Changes 5
Failure, Switchover and Return of Fault-tolerant Components 6
Diagnostics 7

09/2007
A5E00783452-02
Safety Guidelines
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.

CAUTION
without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.

NOTICE
indicates that an unintended result or situation can occur if the corresponding information is not taken into
account.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.

Qualified Personnel
The device/system may only be set up and used in conjunction with this documentation. Commissioning and
operation of a device/system may only be performed by qualified personnel. Within the context of the safety notes
in this documentation qualified persons are defined as persons who are authorized to commission, ground and
label devices, systems and circuits in accordance with established safety practices and standards.

Prescribed Usage
Note the following:

WARNING
This device may only be used for the applications described in the catalog or the technical description and only
in connection with devices or components from other manufacturers which have been approved or
recommended by Siemens. Correct, reliable operation of the product requires proper transport, storage,
positioning and assembly as well as careful operation and maintenance.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this
publication may be trademarks whose use by third parties for their own purposes could violate the rights of the
owner.

Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Siemens AG
Automation and Drives
Postfach 48 48
90327 NÜRNBERG
GERMANY

Order number: A5E00783452-02
Ⓟ 09/2007
Copyright © Siemens AG 2007.
Technical data subject to change
Table of contents
1 Preface

2 Basics of Fault Tolerance
2.1 Rationale for using fault-tolerant process control systems
2.2 System-wide availability analyses
2.3 PCS 7 redundancy concept
2.4 Overview of the PCS 7 redundancy features
2.5 Features for the configuration phase
2.6 Features for the commissioning and operation phases
2.7 Features for servicing and system expansions
2.8 Definition of availability
2.9 Definition of the standby modes
2.10 Redundancy nodes

3 Fault-tolerant Solutions in PCS 7
3.1 Solutions for the I/O
3.1.1 Solutions for the I/O
3.1.2 Single-channel switched distributed I/O
3.1.3 Redundant I/O
3.1.4 Redundant interface modules of the distributed I/O
3.1.5 Redundant I/O modules
3.1.6 Redundant actuators and sensors
3.2 Solutions for automation systems
3.2.1 Solutions for Automation Systems
3.2.2 S7-400H hardware components
3.2.3 How the SIMATIC S7-400H AS operates
3.3 Solutions for communication
3.3.1 Solutions for communication
3.3.2 Network components
3.3.3 Fault-tolerant terminal bus
3.3.4 Redundant, fault-tolerant terminal bus
3.3.5 Fault-tolerant plant bus
3.3.6 Redundant fault-tolerant plant bus
3.3.7 Redundant PROFIBUS DP
3.3.8 Gateway between redundant and single-channel PROFIBUS DP
3.3.9 Connection of PROFIBUS PA to PROFIBUS DP
3.3.10 Redundant PROFIBUS PA
Fault-tolerant Process Control System


Configuration Manual, 09/2007, A5E00783452-02 3

3.4 Solutions for integrating a PCS 7 plant in a domain
3.4.1 Integrating a PCS 7 plant in a domain
3.5 Solutions for OS servers
3.5.1 Redundant OS servers
3.6 Solutions for OS clients
3.6.1 Additional OS clients
3.6.2 Permanent operability
3.7 Solutions for SIMATIC BATCH
3.7.1 Redundant BATCH servers
3.8 Solutions for Route Control server
3.8.1 Redundant Route Control servers
3.9 Solutions for engineering station
3.9.1 Engineering station
3.10 Time synchronization
3.10.1 Time synchronization

4 Advantages of fault-tolerant components
4.1 SIMATIC H Station
4.1.1 Overview of configuration tasks
4.1.2 How to add a SIMATIC H station to your project
4.1.3 How to insert synchronization modules into the H CPU
4.1.4 How to configure redundant communications processors
4.1.5 How to synchronize the time in automation systems
4.1.6 How to set the failure reaction of the input/output modules on the CPU
4.2 Communication connections
4.2.1 Overview of configuration tasks
4.2.2 How to configure a redundant, fault-tolerant terminal bus
4.2.3 How to configure a fault-tolerant plant bus
4.2.4 How to configure a redundant PROFIBUS DP
4.2.5 How to configure the redundant PROFIBUS PA
4.3 Distributed I/O
4.3.1 Overview of configuration tasks
4.3.2 How to configure the redundant interface for the I/O device
4.3.3 How to configure redundant I/O modules
4.3.4 How to configure the Y link
4.3.5 How to configure the DP/PA link
4.4 Operator stations
4.4.1 Overview of configuration tasks
4.4.2 How to configure an OS server and its redundant OS partner server
4.4.3 How to configure an archive server and its redundant archive partner server
4.4.4 How to Set the Properties of the Central Archive Server
4.4.5 How to set the project paths of the destination OS and standby OS
4.4.6 How to configure a redundant connection between an OS and AS
4.4.7 How to assign an S7 program to an OS
4.4.8 How to configure WinCC redundancy
4.4.9 How to configure an OS client


4.4.10 How to configure an OS client for permanent operability
4.4.11 How to synchronize the time of day of OS servers with an external time transmitter
4.4.12 How to synchronize the time of day of OS clients with OS servers
4.4.13 How to download a SIMATIC PCS 7 project to the target systems
4.4.14 Evaluating the "@RM_MASTER" Redundancy Variables with Scripts
4.5 SIMATIC BATCH Stations
4.5.1 Overview of configuration tasks
4.5.2 How to configure a BATCH server and its redundant BATCH partner server
4.5.3 How to configure a BATCH client
4.5.4 How to set the redundancy monitoring of BATCH servers
4.5.5 How to set the redundancy of the BATCH servers
4.5.6 How to download the target systems for SIMATIC BATCH
4.6 SIMATIC Route Control stations
4.6.1 Overview of configuration tasks
4.6.2 How to configure a Route Control server and its redundant Route Control partner server
4.6.3 How to configure a Route Control client
4.6.4 How to configure a redundant connection between a Route Control server and AS
4.6.5 How to set the redundancy of the Route Control servers
4.6.6 How to download the target systems for Route Control

5 Component Replacement and Plant Changes
5.1 Failure and replacement of bus components
5.1.1 Replacement of SIMATIC components in runtime
5.1.2 Replacement of bus components in runtime
5.1.3 Replacement of operator stations in runtime
5.1.4 Replacement of BATCH stations in runtime
5.1.5 Replacement of Route Control stations in runtime
5.2 Plant changes in runtime
5.2.1 Plant changes in runtime in redundant process control systems

6 Failure, Switchover and Return of Fault-tolerant Components
6.1 I/O
6.1.1 Failure of redundant interface modules
6.1.2 Failure of redundant I/O modules
6.2 Automation system
6.2.1 Failure of the master CPU
6.2.2 Failure of a fiber-optic cable
6.3 Communication
6.3.1 Failure of redundant bus components
6.4 OS server
6.4.1 Failure, failover and restarting of redundant OS servers
6.5 BATCH Server
6.5.1 Reaction of BATCH servers to failure


6.6 Route Control server
6.6.1 Reaction of Route Control servers to failure
6.7 OS clients
6.7.1 Failover reactions of OS clients with permanent operability
6.8 BATCH clients
6.8.1 Failover reactions of BATCH clients
6.9 Route Control clients
6.9.1 Failover reaction of Route Control clients
6.10 Guidelines for updating a redundant OS in runtime
6.10.1 Introduction
6.10.2 Overview of the required tasks
6.10.3 Phase 1: Updating Server_2
6.10.4 Phase 2: Updating OS clients interconnected with Server_2
6.10.5 Phase 3: Downloading the connections, gateways and changes to the AS
6.10.6 Phase 4: Updating the OS clients interconnected with Server_1
6.10.7 Phase 5: Updating Server_2

7 Diagnostics
7.1 Diagnostics for redundant components and systems

Index

1 Preface
Purpose of this documentation
This documentation informs you about the following aspects of configuring fault-tolerant
systems with the SIMATIC PCS 7 Process Control System:
● The basic solution concepts
● The functional mechanisms
● The most important configurations
It presents the availability solutions on all automation levels (management, process, field).
You will find references to other product manuals containing specific information for working
with individual components.

Required basic knowledge


General knowledge in the area of automation engineering and basic knowledge of PCS 7 is
required to understand this documentation. It is assumed that the reader knows how to use
computers or other equipment similar to PCs (such as programming devices) operating
under the Windows operating system.
The configuration manuals and the Getting Started documentation for PCS 7 will provide you
with the basics regarding the use of PCS 7.

Validity of the documentation


This documentation is valid for the software package Process Control System;
PCS 7 Toolset as of V7.0.


Other related documentation


The following documentation provides more information about fault-tolerant process control
systems and the handling of the individual components. This documentation is part of the
software package Process Control System; PCS 7 Toolset as of V7.0.

Manual: Getting Started Process Control System PCS 7; Part 1 - Getting Started
Content:
• Creating projects
• Working with the CFC Editor
• Working with the Import/Export Wizard
• Working with the SFC Editor
• Compiling, downloading and testing
• Working with the operator station

Manual: Configuration manual Process Control System PCS 7; Engineering System
Content:
• Basics of PCS 7
• Creating projects
• Configuring hardware
• Configuring networks

Manual: Configuration manual Process Control System PCS 7; Operator Station
Content:
• Configuring SIMATIC connections
• Interconnecting faceplates
• Configuring operator stations
• Compiling the OS
• Installation guidelines

Manual: Configuration manual WinCC
Content:
• Getting started
• Operating principle of WinCC redundancy
• User archives
• Creating the "Project_Redundancy_Server" example project
• Description of the WinCC projects
• Server project

Manual: Manual WinCC Hardware Options, Part 3 Redundancy
Content:
• Structure of a redundant WinCC system
• Operating principle of WinCC redundancy
• Configuring the OS server pair
• Guide for setting up a redundant system
• Entering the servers in Windows

Manual: Manual Process Control System PCS 7; SIMATIC BATCH
Content:
• Structure of a redundant BATCH system
• Configuring the BATCH server pair
• Installation guidelines

Manual: Manual Process Control System PCS 7; SIMATIC Route Control
Content:
• Setting up a redundant Route Control system
• Configuring the Route Control server pair
• Installation guidelines

Manual: Manuals for PCS 7 Software Update
Content:
• Updating a PCS 7 Project with and without use of new functions
• Upgrading a redundant system during online operation

Manual: Manual Automation System S7-400H, Fault-tolerant Systems
Content:
• Redundant SIMATIC automation systems
• Increasing availability
• System and operating modes of the S7-400H
• Linking and updating

Manual: Manual Modifying the System in Runtime via CiR
Content:
• Modifying standard systems in runtime

Manual: Manual Distributed I/O Device ET 200M
Content:
• Configuration options
• Mounting
• Wiring
• Commissioning and diagnostics

Manual: Manual Distributed I/O Device ET 200iSP
Content:
• Configuration options
• Mounting
• Wiring
• Commissioning and diagnostics

Manual: Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-200
Content:
• Configuration options
• Mounting
• Wiring
• Commissioning and diagnostics

Manual: Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
Content:
• Configuration options
• Mounting
• Wiring
• Commissioning and diagnostics

Manual: Manual SIMATIC NET Manual Industrial Twisted Pair and Fiber-Optic Networks
Content:
• Networks with Industrial Ethernet and Fast Ethernet
• Network configuration
• Passive components for electrical and optical networks
• Active components and topologies

Manual: Manual SIMATIC Diagnostic Repeater for PROFIBUS-DP
Content:
• Configuration options
• Mounting
• Wiring
• Commissioning and diagnostics

Manual: Manual SIMATIC DP/PA Link and Y Link Bus Couplings
Content:
• Fundamentals of PROFIBUS PA
• DP/PA Coupler
• DP/PA Link
• DP/PA Link in redundant operation with the S7-400H

Manual: Documentation: PCS 7 - Released Modules
Content:
• Components released for redundancy in PCS 7


Guide
This manual is organized into the following topics:
● Basics of fault-tolerance in PCS 7
● Description of fault-tolerant solutions in PCS 7
● Description of configurations for various redundant components in PCS 7
● Failure scenarios and diagnostic options
● Options for quantitative analysis of fault-tolerant process control systems
● Glossary with important terms for understanding this documentation
● Index of important keywords

Changes compared with the previous version


Below you will find an overview of the most important changes in the documentation over the
previous version:
● Using the redundant, fault-tolerant terminal bus
You can find information about this in the section "Redundant fault-tolerant terminal bus
(Page 53)"
● Using the redundant PROFIBUS PA
You can find information about this in the section "Redundant PROFIBUS PA (Page 68)"
● Redundancy concept of SIMATIC Route Control
You can find information about this in the section "Redundant Route Control server
(Page 81)"

Conventions
In this documentation the designations of elements of the user interface are specified in the
language of this documentation. If you have installed a multi-language package for the
operating system, some of the designations will be displayed in the base language of the
operating system after a language switch and will, therefore, differ from the designations
used in the documentation.

PCS 7 Glossary
A PCS 7 glossary which defines the key technical terms used in the documentation is
available on the SIMATIC PCS 7; Manual Collection DVD or via the SIMATIC Manager help
menu in the PCS 7 software (menu command Help > Contents > "Glossary" button).


Further Support
If you have any technical questions, please get in touch with your Siemens representative or
responsible agent.
You will find your contact person at:
http://www.siemens.com/automation/partner
You will find a guide to the technical documentation offered for the individual SIMATIC Products
and Systems at:
http://www.siemens.com/simatic-tech-doku-portal
The online catalog and order system is found under:
http://mall.automation.siemens.com/

Training Centers
Siemens offers a number of training courses to familiarize you with the SIMATIC S7 automation
system. Please contact your regional training center or our central training center in D 90327
Nuremberg, Germany for details:
Telephone: +49 (911) 895-3200.
Internet: http://www.sitrain.com


Technical Support

You can reach the Technical Support for all A&D products
• Via the web form for the Support Request
http://www.siemens.com/automation/support-request
• Phone: + 49 180 5050 222
• Fax: + 49 180 5050 223
Additional information about our Technical Support can be found on the Internet pages
http://www.siemens.com/automation/service

Service & Support on the Internet


In addition to our documentation, we offer our Know-how online on the internet at:
http://www.siemens.com/automation/service&support
where you will find the following:
• The newsletter, which constantly provides you with up-to-date information on your products.
• The right documents via our Search function in Service & Support.
• A forum, where users and experts from all over the world exchange their experiences.
• Your local representative for Automation & Drives.
• Information on field service, repairs, spare parts and more under "Services".

2 Basics of Fault Tolerance
2.1 Rationale for using fault-tolerant process control systems

Advantages of fault-tolerant components


Process control systems are responsible for controlling, monitoring and documenting
production and manufacturing processes. Due to the increasing degree of automation and
the demand for improved efficiency, the availability of these systems is playing an
increasingly important role.
Failure of the control system or any of its components can lead to costly downtime in
production and manufacturing. The expense involved in restarting a continuous process also
has to be taken into consideration along with the actual production losses resulting from a
failure. In addition, the loss of an entire batch may occur due to lost quality data. If the
process is intended to operate without supervisory or service personnel, all components of
the process control system must be configured to be fault-tolerant.
You can minimize the risk of a production failure and other detrimental effects by using fault-
tolerant components in a process control system. A redundant design ensures increased
availability of a control system. This means that all components involved in the process have
a backup in continuous operation that simultaneously participates in the control tasks. When
a fault occurs or one of the control system components fails, the correctly operating
redundant component takes over the continuing control task. The ultimate goal is to increase
the fault tolerance and fail-safe performance in process control systems.
The following applies to you as the plant operator:
The higher the cost of a production stoppage, the more you need a fault-tolerant system.
The higher initial investment usually associated with a fault-tolerant system is soon offset by
the savings resulting from decreased production downtimes.


Fault-tolerant PCS 7 process control system


The following components of the PCS 7 process control system allow you to implement fault-
tolerance at all automation levels in the form and to the degree you require:
● Operator stations, maintenance station, central archive server, BATCH stations, Route
Control stations (management level)
● Bus system
● Automation systems (process level)
● Distributed I/O (field level)


The following figure shows an example of a fault-tolerant process control system with PCS 7
components.

[Figure: example of a fault-tolerant process control system with PCS 7 components. Labels: OS clients, BATCH clients, Route Control clients, MS client; terminal bus; engineering station, OS server, BATCH server, MS server, Route Control server; plant bus; S7-400H (PS, CPU, CP); fieldbus PROFIBUS DP; ET 200M (PS, IM, SM); sensor.]


Legend for the above illustration:

Note
The following short designations are commonly used in this documentation.

Short designation | Meaning
Engineering Station | Engineering station, PC
OS server | Operator station, PC project data station in the project form "WinCC Server"
OS client | Operator station, PC visualization station in the project form "WinCC Client"
BATCH server | BATCH station, PC recipe and batch data station
BATCH client | BATCH station, PC recipe creation and batch visualization station
Route Control server | Route Control station, PC Route Control data station
Route Control client | Route Control station, PC Route Control visualization station
Plant bus, terminal bus | Bus systems for communication over Industrial Ethernet (electrical or optical)
S7-400H | SIMATIC S7 fault-tolerant automation system, or H system for short
PS | Power supply
CPU | Central processing unit
CP | Communications processor
IM | Interface module
SM | Signal module / I/O module in analog or digital form
ET 200M | Distributed I/O device
PROFIBUS DP | PROFIBUS distributed I/O
Sensor | Transmitters, sensors


2.2 System-wide availability analyses

Introduction
Availability must be analyzed globally for the system as a whole. Based on the degree of
availability needed, each system level, each system and each component within a level
should be evaluated. It is important to know how much each of these contributes to the
availability requirements and how the required availability will be achieved.

Avoiding repair time


In many industrial processes, it is not enough to simply correct the failure of a component
and then continue the process. The repair has to be made without interruption to the
continuing production process. The repair time can be considerably reduced by keeping
replacement parts in stock on site. The use of fault-tolerant components in the process
control system enables you to correct the cause of the system or component failure in
runtime. This eliminates repair time altogether.

Avoiding impermissible signal edge transitions


A reserve system with connected backup I/O must not cause an impermissible signal edge
transition when a change occurs in the operating state (power on or off) or operating mode
(master or slave).


2.3 PCS 7 redundancy concept

Advantages of the PCS 7 redundancy concept


Fault-tolerant process control systems can be realized with SIMATIC PCS 7 at minimal cost
in all phases of a system lifecycle:
● Configuration
● Commissioning/operation
● Servicing
● Expansion
PCS 7 offers the following essential advantages:
● It provides you with system-wide scalable solutions based on the PCS 7 modular design.
Advantage: The availability can be matched to your requirements. Your process control
system can be upgraded with the SIMATIC PCS 7 components that are actually needed.
● Hardware upgrades for fault tolerance do not depend on the software configuration.
Advantage: If the user program has been configured with PCS 7, it does not have to be
adapted following a hardware upgrade. You only need to download the new hardware
configuration into the CPU.
● The fault-tolerant S7-400H automation system with the CPUs 414-4H and 417-4H,
whose mounting racks can be spatially separated.
Advantage: Protection for the spatially separated CPUs resulting in increased availability
in case of fire or explosion, for example.
● The use of redundant components in the process control system means isolated errors
are tolerated.
Advantage: The entire system does not fail when a single component in the process
control system fails. The redundant component takes over its tasks, allowing the
process to continue.
● Every failure of a redundant component is indicated on the OS clients in the form of a
process control message.
Advantage: You immediately receive crucial information about the status of your
redundant component. Specific components that have failed can be quickly replaced to
restore the redundancy.
● Software updates on redundant OS servers can be performed without loss of process
operability or loss of data.


Overview of the PCS 7 redundancy concept


PCS 7 offers you a redundancy concept that reaches all levels of process automation.

[Figure: PCS 7 redundancy concept. Labels, from top to bottom: clients (OS client, BATCH client, Route Control client); redundant, fault-tolerant terminal bus; OS server, BATCH server, Route Control server; redundant, fault-tolerant plant bus; switch; fault-tolerant automation system; ET 200M with sensor/actuator; failsafe ET 200M; redundant DP/PA Link with PROFIBUS PA and active field distributor; PROFIBUS DP; Y Link for the connection of non-redundant PROFIBUS DP devices to redundant PROFIBUS DP.]


Note
The numbering of the components in the illustration relates to the descriptions provided
below.

Number | Description
1 | Several clients (OS clients, BATCH clients, Route Control clients) can access data on a server (OS server, BATCH server, Route Control server).
2 | Communication between the operator stations (client and server) and communication with the engineering station is over a redundant, fault-tolerant terminal bus (Industrial Ethernet). The clients and server are connected to the terminal bus via switches.
3 | The servers (OS server, BATCH server, Route Control server, maintenance server, central archive server) can, when necessary, be set up redundantly.
4 | Automation systems communicate with the OS servers/Route Control servers and engineering stations and among themselves over the redundant, fault-tolerant plant bus (Industrial Ethernet). The automation systems, server and engineering station are connected to the plant bus via switches.
5 | Each part of the redundant, fault-tolerant S7-400H automation systems (AS 414H or AS 417H) is connected to the plant bus with an Ethernet communications processor (CP). Each part of the AS can be connected to several PROFIBUS DP chains. The internal PROFIBUS DP interfaces or additional communications processors are used for the attachment.
6 | The redundant connection to the DP master system is achieved using two 153-2 IM modules in each ET 200M.
7 | Using redundant digital or analog input/output modules, you can evaluate signals from sensors/actuators. If one of the two redundant modules fails, the input/output signal of the functioning module is evaluated.
8 | The PROFIBUS PA I/O is connected to the redundant PROFIBUS DP using FDC 157-0 DP/PA couplers and two IM 153-2 modules. A redundant PROFIBUS PA is configured with a redundant DP/PA Link. The field devices are connected to the PROFIBUS PA via active field distributors (AFD or AFS when ring/coupler redundancy is used).
9 | The Y Link allows you to connect non-redundant PROFIBUS distributed I/O devices to a redundant PROFIBUS DP.


Illustration of fault tolerance using redundancy nodes


Redundancy nodes can be used to provide an overview of the fault tolerance of a process
control system. As an introductory example, the following illustration presents the process
control system shown above as a block diagram with the individual redundancy nodes.

[Figure: block diagram of the process control system with its individual redundancy nodes. Labels: OS client, bus, OS server, bus, CP, CPU, CP, bus, IM, SM, transmitter, Y Link, DP bus, DP/PA Link, PA bus.]


2.4 Overview of the PCS 7 redundancy features

Introduction
The easiest way to increase availability is to keep replacement parts in stock on site and to
have fast service at your disposal to replace defective components.
In this documentation, we provide you with PCS 7 software and hardware solutions that go
well beyond fast service and local stock. It focuses on "automated fault-tolerant process
control systems".
The PCS 7 process control system fulfills the described requirements for the availability of
process control systems. The components of PCS 7 enable you to implement fault-tolerant
solutions at all automation system levels in the form and to the degree you desire.

System-wide integration of PCS 7


The PCS 7 process control system is a uniform system whose components are tuned to one
another. The complete uniformity of the system, from HMI devices to sensors and actuators,
is self-evident and ensures maximum system performance.

Stepped, scalable availability through redundant components


Availability is increased by using redundancy for all critical PCS 7 components supported by
appropriate software mechanisms. The components of PCS 7 can be divided into the
following:
● Field level
● Process level
● Management level
PCS 7 offers a solution for every component on these levels. The following table lists the
three levels and the corresponding fault-tolerant hardware components.
You can decide where to use redundant components depending on your availability
requirements. In this way, PCS 7 offers you a scalable, uniform, and comprehensive
availability concept.

Level | Components
Management level | OS clients, maintenance clients, BATCH clients, Route Control clients; OS servers, maintenance servers, central archive servers, BATCH servers, Route Control servers; Terminal bus (Industrial Ethernet)
Process level | Plant bus (Industrial Ethernet); Automation system AS 414H, AS 417H
Field level | PROFIBUS DP, PROFIBUS PA field bus; Distributed I/O device ET 200M, ET 200iSP; S7-300 distributed I/O modules; PROFIBUS DP, PROFIBUS PA and HART devices


2.5 Features for the configuration phase

Features for the configuration phase


In the configuration phase, PCS 7 provides you with support with the following features.

Feature | Meaning
Fault prevention through simplified configuration of the various components | You do not need additional training to configure the redundant components. Configuration can be performed in a similar way as for standard systems.
Simple integration of redundant I/O | No special knowledge is needed about redundant I/O modules.
The communication links between the system components are configured transparent to the application. | With the HW Config or NetPro graphical user interface, the configuration of the communication links is performed transparent to the application.


2.6 Features for the commissioning and operation phases

Features for the commissioning and operation phases


The following table lists the features PCS 7 offers for the commissioning and operation
phases.
The redundant components allow the process to continue if a component fails.
Operator control and monitoring of the process remains unaffected. In addition, the archiving
of process data is not interrupted during the commissioning phase. Defective components
can be replaced in runtime.

NOTICE
If a component fails in a redundant control system, the fault tolerance is lost. This means
that another failure could potentially result in the failure of the entire system, although such
occurrences are rare (e.g., if both bus lines are severed in the case of a redundant bus
system).
You will find more information on this topic in the section titled "Redundancy nodes
(Page 29)".

Feature: Toleration of an isolated error
Meaning: An isolated error is tolerated since the fault-tolerant redundant component continues the process.
Possible error / possible reason:
Fault or failure of servers and clients
Examples:
• Hard disk failure
• Operating system failure
• Connection failure
• Hard disk capacity for archiving exhausted
Error or failure of the automation system
Examples:
• Failure of power supply
• Failure of a CPU
Error or failure of the communication
Examples:
• Line break
• Electromagnetic compatibility (EMC)
Error or failure of central or distributed I/O modules
Examples:
• Component failure
• Short circuit
Fault in distributed I/O devices
Examples:
• Failure of the power supply (PS)
• Failure of an interface (IM)

Feature: Ensure uninterrupted operation through redundant components.
Meaning: The system can continue process control without operator intervention.
Possible error / possible reason:
Failure of an individual component in a fault-tolerant process control system.
Upgrade and expansion of the system.


Feature: Ability of process to continue to be controlled and monitored even when a server switchover occurs.
Meaning: If an OS server fails, the system switches over to the configured redundant partner server. All OS clients are automatically switched over to the now active OS partner server. The process can continue to be controlled and monitored through the OS clients even during the failover period.
Possible error / possible reason:
Failure of the OS server
Examples:
• Operating system failure
• Hard disk defect

Feature: Display of the master / standby identification of the OS servers.
Meaning: The information about the master / standby identification of the OS server can be queried and displayed through the OS clients.
Possible error / possible reason:
The master / standby identification changes if the active OS server (master) fails.

Feature: No loss of data; gap-free data archiving.
Meaning: The project data are saved according to the interval configured.
Possible error / possible reason:
Failure of the OS server, for example, due to a hard disk defect.

Feature: Permanent operability of the control process through the configuration of a preferred server for each OS client.
Meaning: The failure of some OS clients can be tolerated if the remaining clients continue to be connected to the process.
Possible error / possible reason:
One or more client operator stations fail, for example, due to a hardware or software error.
Duration of the failover of the OS clients to the redundant OS server

Feature: Replacement of faulty components and reconnection to the system in runtime.
Meaning: The failed components can be replaced without influencing the ongoing process and subsequently reconnected. A redundancy update is then performed.
Possible error / possible reason:
OS client failure: e.g., operating system
OS server failure: e.g., network adapter
Plant bus failure: e.g., wire break
Central rack failure: e.g., PS, CPU, synchronization line, CP, SM
PROFIBUS DP failure: e.g., defective PROFIBUS bus connector
Failure of the distributed I/O device: e.g., PS, IM, SM

Feature: Update of faulty component with current system status after being reintegrated into the system.
Meaning: Redundancy synchronization is performed for all fault-tolerant components, for example, a CPU or a server after return to operation.
Possible error / possible reason:
Switching on a redundant component after a redundancy fault. Example: Startup of the module after a CPU is replaced with subsequent data synchronization on the CPU conducting the process.

Feature: System upgrades and expansions in runtime
Meaning: Redundantly designed components can be upgraded, expanded or replaced in runtime.
Possible error / possible reason:
Copying BIOS versions to redundant PC stations
Software updates for redundant PC stations without utilization of new functions

Feature: Reliability documentation
Meaning: Documentation of availability, for example, testing based on MTBF residual time with optional printout
Possible error / possible reason:
Display and documentation of a potential component failure in advance.


2.7 Features for servicing and system expansions

Features for servicing and system expansions


PCS 7 offers the following features for servicing and system expansions:

Feature | Meaning
Asset management with the maintenance station | The maintenance station provides comprehensive information for servicing and diagnostics of PCS 7 plants.
Integrated diagnostics of components (for example, LEDs) for fast, local error detection. | Diagnostics of components without an additional programming device (PG).
Faster service from SIEMENS Customer Support. | The service is on site within 2 to 48 hours to maintain the availability guarantee.
Repairs and component expansions (upgrades, conversions and updates) in runtime. | Repair and component expansions can be made in a fault-tolerant system. System components are installed redundantly so that repairs and expansions can be made in runtime.


2.8 Definition of availability

Definitions
Availability is usually defined as follows:
Quotient of MTBF and (MTBF + MTTR)
or in short form
actual operating condition / nominal operating condition.
Whereby:
● MTBF = mean time between failures
● MTTR = mean time to repair

Increasing the basic availability


Based on this definition, the basic availability of a standard component or a standard system
can be increased by the following:
● Further increasing the mean time between failure (MTBF)
● Decreasing the period necessary for repairs (MTTR)
A variety of measures can reduce the repair time:
– Proximity to customer service
– Replacement parts warehousing
– Repairs in runtime or repairs without downtime
With "repairs during ongoing operation", no repair time is needed in the system to correct
unscheduled operation disruptions.


2.9 Definition of the standby modes

Introduction
The availability of a system can be increased by additional components in the system
(standby components). The operating mode of these components distinguishes them from
the components that are active in process mode.

Standby operating mode

Operating mode | Definition
Hot standby | Hot standby means the parallel redundant processing of signals in redundant components. This allows a bumpless failover of the entire system to the standby components.
Warm standby | Warm standby means the fast continuation of the aborted function by standby components at a program continuation point.
Cold standby | Cold standby means that there is a component of the system available that can be activated if a fault occurs. Following a restart, the newly activated component takes over the function of the previously failed component.


2.10 Redundancy nodes

Functionality
Redundancy nodes provide protection against the failure of systems with redundant components.
A redundancy node is independent when the failure of one component within the node does
not affect the reliability in other nodes or in the entire system.
The availability of a complete system is illustrated in block diagrams. In a redundant system,
a component in the redundancy node can fail without affecting the operation of the complete
system. In the chain of redundancy nodes, the weakest link determines the availability of the
entire system.
The block diagrams below present examples to illustrate this point.

Redundancy nodes without fault


The following is a block diagram showing individual redundancy nodes operating without a
fault.

[Figure: redundancy nodes without fault. Two parallel lines with the components OS client, bus, OS server, bus, CP, CPU, CP, bus, IM, SM, transmitter.]

Availability of a redundancy node despite faults


If a component in a redundancy node fails, the overall system continues to operate.

[Figure: the same block diagram of redundancy nodes (OS client, bus, OS server, bus, CP, CPU, CP, bus, IM, SM, transmitter) with a failed component in a redundancy node.]


Total failure of a redundancy node


The following figure shows a complete system that has ceased to operate due to a failure of
the "Field bus (PROFIBUS DP)" redundancy node.

[Figure: the same block diagram of redundancy nodes (OS client, bus, OS server, bus, CP, CPU, CP, bus, IM, SM, transmitter) with the total failure of the "Field bus (PROFIBUS DP)" redundancy node.]

3 Fault-tolerant Solutions in PCS 7
3.1 Solutions for the I/O

3.1.1 Solutions for the I/O

Introduction
In this section you will learn about the I/O systems and components that contribute to
increasing the availability of your system. This means using the distributed I/O in PCS 7.

Distributed I/O
Distributed I/O refers to modules (I/O modules and function modules) that are used in a
modular, distributed I/O device such as the ET 200M or ET 200iSP.
Distributed I/O devices are often spatially separated from the central rack and located in
direct proximity to the field devices themselves. This minimizes the efforts needed for wiring
and ensuring the electromagnetic compatibility. The high-performance PROFIBUS DP is
used as the communication link between the distributed I/O device and the central rack. An
interface module (IM) in the distributed I/O device serves as the PROFIBUS DP interface.
In addition to I/O devices, distributed I/O also includes field devices such as actuators,
weighing systems, motor protection control devices and all other PROFIBUS-capable field
devices.
HART devices can be directly connected and accessed through appropriate modules in an
ET 200M. HART devices are actuators and sensors that can be configured per
HART protocol (HART: Highway Addressable Remote Transducer).
Distributed I/O also includes bus converters such as DP/PA Links and Y Links. The
DP/PA Link enables the connection of a lower-level bus system such as PROFIBUS PA to a
redundant PROFIBUS DP.
An AS interface can be connected using AS-Interface master modules (CPs) that are used in
the distributed I/O device. This enables the connection of simple sensors and actuators to
PCS 7 with AS-Interface. PCS 7 integrates other I/O levels in a project in this way.


Increasing availability
The availability of the I/O can be increased through the following configuration options:
● Single-channel switched I/O (distributed I/O)
Single-channel switched I/O describes the situation when the input/output module (SM)
used to process a process signal exists only once. The communication path to the single-
channel I/O is redundant and fails over to the functioning communication path if one of
the paths goes down.
● Redundant I/O (distributed I/O)
Redundant I/O describes the situation when the input/output modules (SM) for processing
a process signal are doubly available and can be addressed by both CPUs. This ensures
that the CPU signal or process signal will continue to be processed by a functioning
module even when its partner fails.

Modules for the distributed I/O

Note
You can find which modules are released for the distributed I/O in PCS 7 in the
documentation PCS 7 - Released Modules, which can be accessed with the menu command
Start > SIMATIC > Documentation > English.


3.1.2 Single-channel switched distributed I/O

Single-channel switched configuration


A single-channel switched configuration features an I/O module that can be addressed by
both central processing units (CPUs) of a fault-tolerant system. In a single-channel switched
configuration, there is only one I/O module (single-channel) but it can be accessed over a
redundant PROFIBUS DP slave interface module.

Configuration
A single-channel switched I/O can be set up in PCS 7 with the following distributed
I/O devices:
● ET 200M
For this setup, you require an ET 200M with active backplane bus modules and a
redundant PROFIBUS DP slave IM 153-2 interface module.
● ET 200iSP
For this setup, you require an ET 200iSP and a redundant PROFIBUS DP slave IM 152-1
interface module.
Each subsystem of the S7-400H is connected to one of the two DP slave interfaces of the
interface module via a DP master interface.
The following figure illustrates this configuration for the ET 200M.

[Figure: S7-400H connected over two PROFIBUS DP lines to a single-channel switched I/O, an ET 200M with IM interface modules.]


Availability
The block diagram shows the availability of the configuration illustrated above. When both
systems are operating without fault, the block diagram appears as follows:

[Figure: block diagram without fault. H system and ET 200M: two parallel lines with CP, CPU, CP, bus and IM, followed by a single SM.]

The following figure shows how one component may fail without this affecting the operation
of the complete system.

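[Figure: the same block diagram (H system and ET 200M: two parallel lines with CP, CPU, CP, bus and IM, followed by a single SM) with one failed component.]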

The system remains available even when one component in part of a line of the redundancy
node fails. There is only one I/O module and therefore no corresponding redundancy node. It
is the weakest link in the complete system's chain.

Installation rules
The configuration always has to be symmetrical when using single-channel switched I/O.
Follow these installation rules:
● CPU 41x-4 H and additional DP masters must be located in the same slots of both
redundancy sections (for example, in slot 4 of both redundancy sections)
● The PROFIBUS cable in both redundancy sections must be connected to the same
interface (for example, to the PROFIBUS DP interfaces of the two CPU 41x-4 H)

Configuration rules
● A DP slave in the redundant DP master system pairs must have the same DP address.

Additional information
● Section "Redundant interface modules (Page 37)"
● Manual Automation System S7-400H; Fault-tolerant Systems


3.1.3 Redundant I/O

Redundant I/O
Redundant I/O describes the situation when the I/O modules for a process signal are
doubly available and can be addressed by both CPUs.

Note
With PCS 7, you can determine whether errors in redundantly acquired signals will affect
a module or a channel. You can find information about this in the following sections:
• Section "Redundant input/output modules (Page 38)"
• Section "Failure of redundant input/output modules (Page 182)"

Configuration
In PCS 7, you can configure redundant I/O with selected S7-300 I/O modules of ET 200M.
The ET 200M distributed I/O device is connected as a DP slave to a fault-tolerant automation
system operating as the DP master via PROFIBUS DP. A redundant configuration is
achieved by installing an additional ET 200M and an additional PROFIBUS DP connection.

Note
Use only active bus modules for the ET 200M in a fault-tolerant system with PCS 7. Active
bus modules enable you to plug and pull modules in runtime.

The following figure illustrates this configuration with ET 200M. Signals from redundant
sensors can be registered.

[Figure: S7-400H connected over two PROFIBUS DP lines to two ET 200M devices, each consisting of IM and SM modules; the redundant I/O modules are connected to a sensor.]


Availability
The block diagram shows an example configuration with ET 200M without a fault.

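[Figure: block diagram without fault. H system: two parallel lines with PS, CPU, bus and SM (SM in ET 200M I and SM in ET 200M II), both connected to one sensor.]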

If a fault occurs in a maximum of one signal path per redundancy node (e.g. bus line
(bus = PROFIBUS DP) in the first redundancy node and an input module (SM) in the second
redundancy node), the overall system remains operable. The connected device continues to
supply data to the central device, which remains available. If any other component in the
redundancy chain fails, however, the complete system will fail.

[Figure: the same block diagram (H system: two parallel lines with PS, CPU, bus and SM in ET 200M I / II, one sensor) with one fault per redundancy node.]
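Added example, not part of the Siemens manual: a small Python model of the block diagrams in sections 2.10, 3.1.2 and 3.1.3 that applies the availability definition from section 2.8 and checks which failures a chain of redundancy nodes tolerates. The MTBF/MTTR values, the part identifiers and the simplified node layout are constructed assumptions, and failures are assumed to be independent.

```python
from math import prod


def availability(mtbf_h, mttr_h):
    """Section 2.8: availability = MTBF / (MTBF + MTTR)."""
    return mtbf_h / (mtbf_h + mttr_h)


# Constructed (MTBF, MTTR) values in hours per component type.
# Assumptions for illustration only, not Siemens data.
RATINGS = {
    "PS": (150_000, 8), "CPU": (120_000, 8), "BUS": (250_000, 4),
    "IM": (200_000, 8), "SM": (100_000, 8),
}

# A system is a chain of redundancy nodes. A node is a list of parallel lines,
# and a line is a list of parts in series that must all work.
H_SYSTEM_1 = ["PS-1", "CPU-1", "BUS-1"]
H_SYSTEM_2 = ["PS-2", "CPU-2", "BUS-2"]

SINGLE_CHANNEL_SWITCHED = [  # section 3.1.2: two IMs, one signal module
    ("H system / PROFIBUS DP / IM", [H_SYSTEM_1 + ["IM-1"], H_SYSTEM_2 + ["IM-2"]]),
    ("SM", [["SM-1"]]),
]
REDUNDANT_IO = [  # section 3.1.3: one signal module in each ET 200M
    ("H system / PROFIBUS DP", [H_SYSTEM_1, H_SYSTEM_2]),
    ("SM in ET 200M", [["SM-1"], ["SM-2"]]),
]


def part_availability(part):
    """Look up the component type of an identifier such as 'CPU-1'."""
    return availability(*RATINGS[part.split("-")[0]])


def node_availability(lines):
    # A line works only if all of its parts work; a node fails only if every
    # line fails. Failures are assumed to be independent.
    line_avail = [prod(part_availability(p) for p in line) for line in lines]
    return 1 - prod(1 - a for a in line_avail)


def system_availability(chain):
    """All nodes of the chain are needed, so their availabilities multiply."""
    return prod(node_availability(lines) for _, lines in chain)


def weakest_node(chain):
    """Name of the node that limits the availability of the whole chain."""
    return min(chain, key=lambda node: node_availability(node[1]))[0]


def failed_nodes(chain, failed):
    """Names of the nodes that have no fully working line left."""
    failed = set(failed)
    return [name for name, lines in chain
            if not any(failed.isdisjoint(line) for line in lines)]


def is_operational(chain, failed):
    return not failed_nodes(chain, failed)


def next_fatal_failures(chain, failed):
    """Parts whose additional failure would stop a still-running system."""
    parts = {p for _, lines in chain for line in lines for p in line}
    return sorted(p for p in parts - set(failed)
                  if not is_operational(chain, set(failed) | {p}))


if __name__ == "__main__":
    for label, chain in (("single-channel switched", SINGLE_CHANNEL_SWITCHED),
                         ("redundant I/O", REDUNDANT_IO)):
        print(f"{label}: availability {system_availability(chain):.8f}, "
              f"weakest node: {weakest_node(chain)}, "
              f"single points of failure: {next_fatal_failures(chain, [])}")
    # Section 3.1.3 scenario: one fault per redundancy node is tolerated.
    print(is_operational(REDUNDANT_IO, ["BUS-1", "SM-2"]))
    # NOTICE in section 2.6: after one failure the fault tolerance is lost.
    print(next_fatal_failures(REDUNDANT_IO, ["BUS-1"]))
    # Section 2.10: the loss of both lines of one node stops the system.
    print(failed_nodes(REDUNDANT_IO, ["BUS-1", "BUS-2"]))
```

The list returned by `next_fatal_failures` after a first fault is the set of parts to watch until the failed component has been replaced in runtime.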

Additional information
● Section "Redundant interface modules of the distributed I/O (Page 37)"
● Section "Redundant I/O modules (Page 38)"
● Manual Automation System S7-400H; Fault-tolerant Systems


3.1.4 Redundant interface modules of the distributed I/O

Redundant interface modules


By using two interface modules in one distributed I/O device, the following can be
implemented:
● Setup of a single-channel switched distributed I/O
● Setup of a redundant distributed I/O
If the active interface module fails, the passive interface module takes over the relevant
functions without interruption. The active interface is indicated by an illuminated "ACT" LED
on the respective interface module.
Configuration:
The configuration is provided as an example in the section "Redundant I/O (Page 35)".
● ET 200M with redundant IM 153-2
Two IM 153-2 interface modules are mounted on the active bus module in the distributed
I/O device for redundant operation.
● ET 200iSP with redundant IM 152-1
Two IM 152-1 interface modules are mounted on the active TM-IM/IM terminal module in
the distributed I/O device for redundant operation.

Note
The signal modules of the ET 200iSP cannot be used redundantly.

Additional information
● Section "How to configure the redundant interface module for the I/O device (Page 109)"
● Section "Failure of redundant interface modules (Page 181)"
● Manual SIMATIC, Distributed I/O Device ET 200M
● Manual SIMATIC, Distributed I/O Device ET 200iSP
● Manual Automation System S7-400H; Fault-tolerant Systems


3.1.5 Redundant I/O modules

Redundant I/O modules


Redundant I/O modules enable you to considerably increase the availability in the I/O area.
When redundant I/O modules are used, an application is not disturbed when a signal fails.
The user program continues to work with the redundant signal.
The following configurations are possible with redundant I/O modules:
● Redundant input/output modules in single-channel switched distributed I/O
An example of this configuration is shown in the section "Single-channel switched
distributed I/O (Page 33)"
● Redundant input/output modules in redundant distributed I/O
An example of this configuration is shown in the section "Redundant distributed I/O
(Page 35)"

Note
Refer to the interconnection examples for redundant I/O (redundant input/output
modules) in the manual Automation System S7-400H; Fault-tolerant Systems.

Usable modules
As of PCS 7 V6.0, standard modules can be operated redundantly using the
H CPUs (414-H, 417-H) in both redundant and single mode with the CPU firmware version
V3.1 or later.
Redundant mode is only possible with specific S7-300 I/O modules of the ET 200M
(e.g. digital/analog modules).

Note
Only modules with the same order and release number can be paired together in redundant
configurations.

Required software and configuration


In order for both subsystems of the H system to be able to address redundant input/output
modules, S7 driver blocks from the "Redundant I/O (V1)" library and PCS 7 driver blocks
from the PCS 7 Library V6.0 and higher are required in addition to the necessary hardware.
You select and configure the redundant modules in HW Config.

Configuration in HW Config and CFC


Two identical I/O modules are configured for redundant operation in HW Config. You place a
channel block in the CFC for each signal acquired redundantly. For redundantly registered
signals (e.g. input 1.1 and input 2.1), connect the symbol only with the lowest value address
(e.g. input 1.1). When the AS is compiled, the required driver blocks will be placed,
interconnected and assigned parameters automatically.


Response of input/output modules to a disrupted channel


As of PCS 7 V7.0, you can specify how redundant input/output modules react to a channel
fault (for example, broken wire, short-circuit on the signal line). If a channel fault occurs, the
following reactions can be expected depending on the module used and the configuration:
● The entire module is passivated if a fault occurs (module-based passivation reaction).
● Only the channels on which the fault occurred are passivated (channel-based passivation
reaction).
You can see which modules are approved for the channel-based passivation reaction in the
documentation PCS 7 - Released Modules, which can be accessed with the menu command
Start > SIMATIC > Documentation > English.

Additional information
● Section "How to configure redundant input/output modules (Page 112)"
● Section "Failure of redundant input/output modules (Page 182)"
● Section "How to set the CPU for the failure reaction of the input/output modules
(Page 95)"
● Manual Automation System S7-400H; Fault-tolerant Systems
● Online help for STEP 7

3.1.6 Redundant actuators and sensors

Failure detection
Actuators and sensors on the field level can be configured redundantly for PCS 7.
Depending on the I/O module to which the redundant actuators or sensors are connected,
failure of an actuator or sensor can be detected and reported to the process control system
as an error. If an actuator/sensor fails, the automation system continues to operate with the
intact actuator/sensor. This ensures that the current status of the process values can be read
in or output at any time.

Note
Refer to the product description of the I/O module you are using to see whether it can detect
and report failures of connected actuators and sensors.

Additional information
● Manual Automation System S7-400H; Fault-tolerant Systems


3.2 Solutions for automation systems

3.2.1 Solutions for Automation Systems

Introduction
This chapter presents solutions that can be used to increase the availability of an automation
system.

S7-400H fault-tolerant programmable controller


Only a fault-tolerant automation system can ensure an extremely short process safety time,
for example, a switchover time in the milliseconds range. PCS 7 enables you to configure
your process control system with redundancy using the S7-400H fault-tolerant
programmable controller.

Functionality
The S7-400H programmable controller and all the other components in the PCS 7
environment are tuned to one another.
With this solution, a second backup CPU, which is event-synchronized to the master CPU,
performs the same processing tasks of the user program as the master. If the active master
CPU fails, the standby CPU continues processing the user program without delay. This type
of standby is referred to as "Hot standby".
There are always two central processing units and power supplies in an S7-400H. The
communications processors and I/O modules are expansion modules.


3.2.2 S7-400H hardware components

Hardware components
The following hardware components are available for the configuration of the fault-tolerant
automation system.

● Rack UR2-H
● UR2 rack
● UR1 rack
● CPU 414-3H
● CPU 414-4H
● CPU 417-4H
● Synchronization modules
● Synchronization cable (up to 10 km)
● CP 443-5 Extended
● CP 443-1 communications processor

Structure

[Figure: structure of the S7-400H basic system. Labels: mounting racks, physically segregated subsystem, PS, CPU, sync modules, FO cables, synchronization lines]


Mounting racks
The following three racks are available for installing the S7-400H. The racks are suitable for
installation in 19" cabinets. Normally, the UR2-H rack is used.

| Module type | Size | Special feature |
|---|---|---|
| UR2-H | 2 x 9 slots | Installation of two separate subsystems each with nine modules. The two subsystems are electrically isolated (not mechanically). It is not possible to replace a rack in runtime. |
| UR1 | 1 x 18 slots | Two racks are required for an S7-400H. You can replace a rack in runtime. |
| UR2 | 1 x 9 slots | Two racks are required for an S7-400H. You can replace a rack in runtime. |

Central processing units


The CPU (CPU 414-3H, CPU 414-4H or CPU 417-4H) is duplicated in an H system. The two
CPUs are connected to one another using synchronization modules and fiber-optic cables.

Power supply
A separate power supply module from the S7-400 system series is needed for each
subsystem of the S7-400H. There are power supply modules for 24 V DC nominal input
voltage as well as for 120/230 V AC with output current of 4, 10 and 20 A. Two power supply
modules can be used in each subsystem to increase the availability of the fault-tolerant
system. In this case, use the following power supply module:
● PS407 10AR 120/230 V AC
● PS405 10AR 24 V DC

Synchronization modules
Synchronization modules are used to link the two central processing units. They are installed
in the central processing units and interconnected with fiber-optic cable. Two synchronization
modules are installed in each CPU.
You set the mounting rack number for the H CPU on the synchronization modules or, in the
case of firmware version V4.X or higher, directly on the CPU. The same rack number must
be set on each synchronization module in the CPU.
The front panel of the synchronization modules serves the following purposes:
● It accepts threaded bolts which facilitate exchanging synchronization modules.
● It is used for switching in the supply voltage of the synchronization modules.
This feature is needed to enable replacement of synchronization modules even when the
CPU is supplied with power.
The synchronization modules will not operate without the front panels fastened.


Fiber-optic cables for synchronization


The fiber-optic cables are connected to the synchronization modules and form the physical
connection (redundancy link) between the two automation stations. The synchronization
cables must not be cross-connected.
In addition to the standard lengths of 1 m, 2 m, and 10 m, custom-made synchronization
cables are available in lengths up to 500 m.

Transmission medium
The suitable physical transmission medium depends on the range, resistance to interference
and the transmission rate.
● Industrial Ethernet using fiber-optic cables or triaxial or twisted-pair copper lines can be
used for communication between the automation system and the OS servers.
● PROFIBUS DP with electrical or optical components is used for communication from the
automation system to the distributed I/O devices.
Both the transmission media and the communications processors can be installed
redundantly. If the active communication component (CP, bus) fails, the communication
automatically continues through the redundant connection.
Only Industrial Ethernet can be used as the plant bus for a fault-tolerant system. The fault-
tolerant system also only supports the ISO protocol, not TCP/IP. The choice of the Ethernet
CP is therefore limited. Only ISO or multi-protocol CPs can be used.

Configuration
An existing fault-tolerant Industrial Ethernet can be used for fault-tolerant communication
between two standard CPUs and between two fault-tolerant CPUs. The parameters of the
fault-tolerant S7 connections are set in NetPro.
A variety of communication blocks are available in the PCS 7 Library for data transmission
(measured values, binary values, interlocks). The communication blocks differ in their
transmission mechanism which, for example, may be secured or unsecured.

Additional information
● Section "How to add a SIMATIC H station to your project (Page 86)"
● Section "How to insert synchronization modules into the H CPU (Page 87)"
● Section "How to configure redundant communications processors (Page 89)"
● Section "How to synchronize the time of day in automation systems (Page 91)"
● Manual Automation System S7-400H; Fault-tolerant Systems


3.2.3 How the SIMATIC S7-400H AS operates

Active redundancy
The automation system consists of two redundantly configured subsystems, which are
synchronized through fiber-optic cables.
The two subsystems form a fault-tolerant automation system that operates with a dual-
channel design according to the principle of active redundancy. Active redundancy, often
referred to as functional redundancy, means that all redundant components are in continual
operation and simultaneously involved in the acquisition of process data. The control task is
the responsibility of the redundancy partner that is active at any given time. The user
programs loaded in both CPUs are fully identical and are run synchronously by both CPUs.
If the active CPU fails, the automation system automatically switches to the redundant CPU
(414-3H, 414-4H, 417-4H). The failover has no effect on the ongoing process because it is
bumpless.

Additional information
● Section "Failure of the master CPU (Page 184)"
● Section "Failure of a fiber-optic cable (Page 185)"
● Manual Automation System S7-400H; Fault-tolerant Systems


3.3 Solutions for communication

3.3.1 Solutions for communication

Introduction
In this section, you will learn about the redundancy concepts for the various levels of the
process control system.

Requirements for communication systems


The availability of a process control system is determined not only by the automation system;
the environment also plays a considerable role. This includes not only the operator control
and monitoring components but also a high-performance communication system that
connects the management level to the process level and the process level to the field level.
Distributed control systems are also needed in manufacturing and processing
automation. Complex control tasks are broken down into smaller, simpler steps that are
distributed across systems. As a result, the demand for communication between distributed
systems increases. A high-performance, comprehensive communication system is needed to
fulfill this demand. The communication connections between the systems involved should be redundant.
Local networks (LAN) form the basis of the communication system. The following are options
that can be implemented based on the specific system requirements:
● Electrical
● Optical
● Electrical/optical combination
The communication connections are grouped in three areas:
● Terminal bus
● Plant bus
● Field bus
In PCS 7, we recommend that the bus systems are set up in a ring structure. The ring
structure makes the bus "fault-tolerant", since it can compensate for the failure of a bus line.


Redundant communication connections


Redundant communication connections can be formed on all levels of the process control
system.
When a communication error occurs, communication automatically switches over from the
active connection to the backup connection. Both connections use the same media and
protocols. The failover has no effect on the user program running in the CPU.

[Figure: double communication lines on all levels. Control layer: terminal bus (PC network, Ind. Ethernet). Process layer: system bus (Industrial Ethernet). Field layer: fieldbus (PROFIBUS DP)]

Overview of the redundant and fault-tolerant bus systems


In PCS 7 systems, you can configure fully redundant bus systems with redundant
components for the following bus systems:
● Redundant, fault-tolerant terminal bus (Page 53)
● Redundant, fault-tolerant plant bus (Page 59)
● Redundant PROFIBUS DP (Page 62)
Bus systems set up as a ring are fault-tolerant. In ring structures, the signal path remains
intact even if there is a disconnection on the transmission cable at any point in the ring (for
example due to a wire break). The availability is ensured by ring redundancy.
This fault-tolerance is used in the following bus systems:
● Fault-tolerant terminal bus (Page 50)
● Fault-tolerant plant bus (Page 56)
● Redundant PROFIBUS PA (Page 68)
The following sections describe the basics of these communications solutions.


3.3.2 Network components

Introduction
Local networks (LAN) form the basis of the communication system. The following are options
that can be implemented based on the specific system requirements:
● Electrical
● Optical
● Optical/electrical (mixed operation)

Overview of the network components


You can set up bus systems with the following link and switch modules of SIMATIC NET.

Note
OSM and OLM mixed operation is not permitted.

| Network component | Bus system | Application |
|---|---|---|
| Switch (from the SCALANCE series) | Terminal bus, plant bus | Type-specific use in network setup. Selected SCALANCE X components enable the following: transmission rates up to 1 Gbps; media converter (electrical/optical bidirectional); function as redundancy manager (configuration of ring redundancy); function as standby manager (redundant linking of networks) |
| ESM (Electrical Switch Module) | Terminal bus, plant bus | Setup of electrical bus systems (suitable for redundancy manager) |
| OSM (Optical Switch Module) | Terminal bus, plant bus | Setup of optical bus systems. An optical ring must be configured with at least two optical switch modules. (suitable for redundancy manager) |
| OLM (Optical Link Module) | Fieldbus (PROFIBUS DP) | Setup of optical transmission paths. Configuration variants: DP master (electrical) > OLM > FO > OLM > interface module (electrical connection); DP master (electrical) > OLM > FO > interface module (optical connection) |
| AFD (Automatic Field Distributor) | Fieldbus (PROFIBUS PA) | Connection of PA devices with ring redundancy. Maximum of 8 AFDs for one redundant DP/PA coupler; maximum of 4 field devices per AFD |
| AFS (Automatic Field Splitter) | Fieldbus (PROFIBUS PA) | Connection of PA devices with coupler redundancy. 1 AFD for one redundant DP/PA coupler; maximum of 31 field devices for the AFS |

Example of a ring structure with SCALANCE X400 and X200


The SCALANCE X414-3E as the redundancy manager has a gray background in the figure.

Redundancy manager
Certain network components from the SIMATIC NET product range support the redundancy
manager function.
This function enables the configuration of ring redundancy. Network components operating
as the redundancy manager can ensure that the bus connections remain undisturbed if there
is a fault on a bus line (e.g., a cable break).

Standby manager
Switches and data links (network cable) connect the redundant networks. Redundant linking
of networks is only possible if two devices (switches) within a network segment support the
standby manager function. Certain network components from the SIMATIC NET product
range support this function. Within a network segment, both devices are configured for the
standby manager function. Both devices exchange data frames via the bus line, which they
use to synchronize their operating status (one network component acts as the standby
manager (master) and the other one acts as the standby manager (slave)). When everything
is running normally (i.e., error-free status), the data link running between the redundant
networks is only active for the standby manager (master). If this data link fails (e.g., due to a
defective device or cable break), the standby manager (slave) activates its data link while the
fault remains pending.


Selected parameters for switches used in PCS 7

| Switches | Redundancy manager | Standby manager | Maximum transfer rate |
|---|---|---|---|
| SCALANCE X 414-3E | Function available | Function available | 1 Gbit/s |
| SCALANCE X 408-2 | Function available | Function available | 1 Gbit/s |
| SCALANCE X308 | Function available | Function available | 1 Gbit/s |
| SCALANCE X204-2 (6GK5 204-2BB10-2AA3) | Function available | Function available | 100 Mbit/s |
| SCALANCE X 204-2 (6GK5 204-2BB00-2AA3) | Not available | Not available | 100 Mbit/s |

Additional information
● Manual SIMATIC Net Twisted Pair and Fiber-Optic Networks
● Manual SIMATIC NET; Industrial Ethernet OSM/ESM
● Manual SIMATIC Net PROFIBUS Networks
● Manual SIMATIC; Communication with SIMATIC
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-200
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-300
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
● Configuration Manual SIMATIC NET; Industrial Ethernet Switches; SCALANCE X-300;
SCALANCE X-400


3.3.3 Fault-tolerant terminal bus

Functionality
The terminal bus connects the servers (OS servers, BATCH servers, Route Control servers)
with the clients of the process control system (OS clients, BATCH clients, Route Control
clients).
A fault-tolerant terminal bus can be set up in a ring structure with network components of
SIMATIC NET. The network components enable unrestricted operation of the terminal bus.
For example, a broken cable in the connection between the modules is tolerated and
communication remains uninterrupted.
If the terminal bus experiences problems, no process data are sent from the servers to the
clients.

Fault-tolerant communication solutions


The following solutions are available to guard against failure of the terminal bus:
● Ring structure in an electrical network. The connection to the switches is electrical.
● Ring structure in an optical network with switches and FO cables. The connection to the
switches is electrical or optical.
● Ring structure in a combined network with optical and electrical switches and FO cables.
The connection to the switches is electrical.
● Ring structures as optical, electrical and combined networks with transmission rates up to
1 Gbps based on modular SCALANCE X switches
The following switches can be used:
● Switches of the SCALANCE series
Modules with optical or electrical connections are used for the connection.
● OSM (optical signal cables)
The connection to the OSMs is electrical or optical.
● ESM (electrical signal cables)
The connection to the ESM is electrical.


Configuration
In the following figure, the terminal bus is shown as a ring with switches (OSMs). The
OS servers are connected to the switches in a distributed pattern in order to take optimal
advantage of the switch functionality. The probability of OS server failure due to the failure of
a switch and the bus load are thereby reduced.
The log data of the control process is secured and continuously available if you use two
OS clients each equipped with a line printer for printing the message sequence reports.

Note
If a switch fails, the connection to the associated nodes will also fail. Therefore, redundant
servers must not be connected to the same switch.

[Figure: fault-tolerant terminal bus (Industrial Ethernet) as a ring with switches. Labels: OS clients, line printers for message sequence report, OS servers, redundant OS server pair]


Availability
If there is a fault in a ring line, the communication between clients and servers via the
switches remains unaffected. However, if one of the switches fails, the link between the
connected OS servers and the OS clients is interrupted. To increase the fault-tolerance even
more, however, the redundant ring described in the following section can be used.

[Block diagram: OS clients and OS servers connected through the bus]
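The effect of single faults on a ring-shaped terminal bus can be worked through on a small model. The following Python sketch is an added example, not part of the manual: it removes each ring line and each switch in turn and reports which OS clients can no longer reach either server of the redundant pair, once with the servers on separate switches and once with both on the same switch. The ring of four switches and all device names are constructed for illustration.

```python
from collections import deque

# Constructed sample plant: four switches in a ring, two OS clients,
# one redundant OS server pair. All names are illustrative.
SWITCHES = ["SW1", "SW2", "SW3", "SW4"]
CLIENTS = ["OS-Client-1", "OS-Client-2"]
SERVER_PAIR = ["OS-Server-A", "OS-Server-B"]
SEPARATE = {"OS-Client-1": "SW1", "OS-Client-2": "SW2",
            "OS-Server-A": "SW3", "OS-Server-B": "SW4"}
SHARED = {"OS-Client-1": "SW1", "OS-Client-2": "SW2",
          "OS-Server-A": "SW3", "OS-Server-B": "SW3"}  # violates the note


def build_ring(switches, attachments):
    """Adjacency map: switches closed to a ring, end nodes cabled to a switch."""
    adj = {sw: set() for sw in switches}
    for i, sw in enumerate(switches):
        nxt = switches[(i + 1) % len(switches)]
        adj[sw].add(nxt)
        adj[nxt].add(sw)
    for node, sw in attachments.items():
        adj.setdefault(node, set()).add(sw)
        adj[sw].add(node)
    return adj


def reachable(adj, start, failed_node=None, failed_link=None):
    """Breadth-first search that skips one failed switch or one failed line."""
    broken = set(failed_link) if failed_link else None
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nb in adj[cur]:
            if nb == failed_node or nb in seen or {cur, nb} == broken:
                continue
            seen.add(nb)
            queue.append(nb)
    return seen


def single_failures(switches):
    """Every ring line and every switch, each as one single fault."""
    links = [(sw, switches[(i + 1) % len(switches)])
             for i, sw in enumerate(switches)]
    return [("link", l) for l in links] + [("switch", s) for s in switches]


def clients_without_server(switches, attachments, clients, server_pair):
    """Map each single fault to the clients that reach neither server."""
    adj = build_ring(switches, attachments)
    result = {}
    for kind, item in single_failures(switches):
        kwargs = {"failed_link": item} if kind == "link" else {"failed_node": item}
        lost = sorted(c for c in clients
                      if not reachable(adj, c, **kwargs) & set(server_pair))
        if lost:
            result[(kind, item)] = lost
    return result


def total_outages(switches, attachments, clients, server_pair):
    """Single faults after which no client reaches any server of the pair."""
    lost = clients_without_server(switches, attachments, clients, server_pair)
    return [fault for fault, who in lost.items() if who == sorted(clients)]


if __name__ == "__main__":
    for name, layout in (("separate switches", SEPARATE), ("same switch", SHARED)):
        print(name, clients_without_server(SWITCHES, layout, CLIENTS, SERVER_PAIR))
        print("  total outages:", total_outages(SWITCHES, layout, CLIENTS, SERVER_PAIR))
```

No ring line fault appears in either result, while a switch fault always cuts off the nodes cabled to that switch; with both servers on one switch, that switch becomes a single point of failure for the whole terminal bus.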

Additional information
● Manual SIMATIC Net Twisted Pair and Fiber-Optic Networks
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-300
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-200
● Manual SIMATIC NET; Industrial Ethernet OSM/ESM


3.3.4 Redundant, fault-tolerant terminal bus

Functionality
The terminal bus connects the servers (OS servers, BATCH servers, Route Control servers)
with the clients of the process control system (OS clients, BATCH clients, Route Control
clients).
A redundant fault-tolerant terminal bus is set up using two identical, linked terminal bus rings
(double ring). The network components ensure unrestricted operation of the terminal bus. If
a terminal bus fails, communication remains possible over the second terminal bus.
You will find more information on the switches used with PCS 7 in the section titled "Network
components (Page 47)".

Redundant communication solution


The following solutions are available to guard against failure of the terminal bus:
● Redundant electrical or optical network with switches set up as Industrial Ethernet
● Combined redundant network with switches, FO cables and electrical connection
● Redundant linking of network segments with two switches per network segment
● Ring structures can be set up based on switches from the SCALANCE series.
(Can be implemented as optical, electrical and combined networks)
The following switches can be used:
● Switches from the SCALANCE series
Depending on the type, either optical or electrical connections are used.
● OSM (optical signal cables)
Electrical or optical connections can be used for the OSMs.
● ESM (electrical signal cables)
The connection to the ESM is electrical.

Configuration - redundant terminal bus (double ring)


The following two network adapters are used in each server to be connected to the terminal
bus (for example, OS server, BATCH server, domain controller):
● Intel Pro/1000MT server adapter
● Intel Pro/1000GT desktop adapter
These network adapters work in a "team mode" with only one logical network address. Each
network adapter is connected to one of the redundant terminal bus rings. All network
components are redundant.
Clients can also be set up with two network adapters.
A redundancy manager (RM) is configured within each network segment (ring) to enable ring
redundancy.
The link between the redundant network segments (rings) is implemented using two
switches in each network.


The following figure shows this configuration.

[Figure: redundant terminal bus (double ring). Labels: OS clients, server adapter, desktop adapter, two buses each with a redundancy manager, standby manager (master), standby manager (slave), Server_M, Server_S]

Note
Redundant linking of network segments
The redundant linking of two network segments is only possible when the linking switches
are capable of acting as a standby manager (e.g., as in the case of a link based on
SCALANCE X414-3E).

Linking redundant network segments (rings)


Switches and data links (network cable) connect the redundant networks. Redundant linking
of networks is only possible if two devices (switches) within a network segment support the
standby manager function.

Configuration of the switches


You will find details of how to configure switches in the documentation for Industrial Ethernet
Switches SCALANCE X under the following topics:
● Configuration Using Web-based Management and Command Line Interface
● Configuration and Diagnostics over SNMP


Availability - redundant terminal bus (double ring)


The entire transmission path can be set up redundantly. A transmission route via a terminal
bus remains operational if any of the network components fails.
During operation, one switch automatically takes over the master role for linking the
networks. In error-free status, the data link to the other network is active only for the master.
If this data link fails (for example, due to a defective cable), the slave activates its data link.

[Block diagram: two parallel paths, each consisting of OS client, bus and OS server]

Additional information
● Section "Network Components (Page 47)"
● Section "How to configure a redundant terminal bus (Page 98)"
● Documentation PCS 7 Released Modules
● Manual SIMATIC Net Twisted Pair and Fiber-Optic Networks
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
● Configuration manual SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-200


3.3.5 Fault-tolerant plant bus

Functionality
The plant bus connects automation systems with servers (OS server, Route Control server).
The connection to a fault-tolerant plant bus is implemented with Ethernet communications
processors (CPs) that are installed in each subsystem of the automation system and in the
servers.
A fault-tolerant plant bus can be set up in a ring structure with network components of
SIMATIC NET. The network components ensure unrestricted operation of the plant bus. For
example, a broken cable in the connection between the modules is tolerated and
communication remains uninterrupted.
If the plant bus is disrupted, no process data are transferred between the servers and the
automation systems or between the automation systems themselves.

Fault-tolerant communication solutions


The following communication solutions are offered to increase the system availability:
● Ring structure in an electrical network.
The connection to the switches is electrical.
● Ring structure in an optical network with switches and FO cable.
The connection to the switches is electrical or optical.
● Ring structure in a combined network with optical and electrical switches and a FO cable.
The connection to the switches is electrical.
● Ring structures as optical, electrical and combined networks with transmission rates up to
1 Gbps based on modular SCALANCE X switches
The following switches can be used:
● Switches of the SCALANCE series
Modules with optical or electrical connections are used for the connection.
● OSM (optical signal cables)
The connection to the OSMs is electrical or optical.
● ESM (electrical signal cables)
The connection to the ESM is electrical.


Configuration - ring structure


The following figure represents a fault-tolerant plant bus in a ring structure with switches.
The following automation systems can be used:
● AS 412H
● AS 414H
● AS 417H

[Figure: fault-tolerant plant bus (Industrial Ethernet) in a ring structure. Labels: redundant OS server pair; SCALANCE X switch module; switch module as redundancy manager; fault-tolerant automation system S7-400H in physically segregated module racks, each with two CPs; synchronization lines.]


Availability - ring structure


In this system, one CP 443-1 may fail in each subsystem of the AS without this affecting the
complete system.
The plant bus indicated by the asterisk ( * ) is set up with switches (OSMs) so that it is fault
tolerant and will tolerate a break on the bus cable at any point. One of the two switches to
which the OS servers are connected may fail without this affecting the complete system. If
one switch fails, the redundant OS partner server can continue to communicate using the
operational switch. The same scenario applies to the switches that each have a CP of a
subsystem of the H system connected.
To guard against the failure of all switches, however, the redundant double ring described in
the following section can be used.

[Block diagram. Labels: OS Server (two) with CP; H System Part (two) with CP; Bus segments between the CPs.]
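The availability statements above can be checked with a single-fault analysis of the ring. The following Python code is an added example, not part of the manual; the four-switch ring, the component names and the placement of one station per switch are assumptions made for illustration.

```python
from collections import deque
from itertools import combinations

# Constructed topology (an assumption, not read from the manual's figure):
# four switches closed into a ring, with one station attached to each switch.
SWITCHES = ["SW1", "SW2", "SW3", "SW4"]
OS_SERVERS = {"OS_server_1": "SW1", "OS_server_2": "SW2"}
AS_CPS = {"AS_part_1_CP": "SW3", "AS_part_2_CP": "SW4"}


def link(a, b):
    """An undirected cable between two components."""
    return frozenset((a, b))


RING_LINKS = [link(SWITCHES[i], SWITCHES[(i + 1) % len(SWITCHES)])
              for i in range(len(SWITCHES))]
ACCESS_LINKS = [link(station, switch)
                for station, switch in {**OS_SERVERS, **AS_CPS}.items()]
ALL_LINKS = RING_LINKS + ACCESS_LINKS
ALL_COMPONENTS = SWITCHES + list(OS_SERVERS) + list(AS_CPS) + ALL_LINKS


def describe(component):
    """Readable name for a station, a switch or a cable."""
    if isinstance(component, frozenset):
        return "-".join(sorted(component))
    return component


def plant_bus_available(failed):
    """True if at least one OS server still reaches at least one AS CP.

    `failed` is any iterable of failed stations, switches and cables. The model
    assumes the redundancy manager closes the ring after a break, so only
    physical reachability is checked, not the reconfiguration time.
    """
    failed = set(failed)
    adjacency = {}
    for cable in ALL_LINKS:
        a, b = tuple(cable)
        if cable in failed or a in failed or b in failed:
            continue
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    for server in OS_SERVERS:
        if server in failed:
            continue
        seen, queue = {server}, deque([server])
        while queue:  # breadth-first search from this OS server
            node = queue.popleft()
            if node in AS_CPS:
                return True
            for neighbour in adjacency.get(node, ()):
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
    return False


def single_fault_report():
    """Availability after each possible single failure."""
    return {describe(c): plant_bus_available({c}) for c in ALL_COMPONENTS}


def fatal_double_faults():
    """All pairs of simultaneous failures that cut the OS servers off from the AS."""
    return [(describe(a), describe(b))
            for a, b in combinations(ALL_COMPONENTS, 2)
            if not plant_bus_available({a, b})]


if __name__ == "__main__":
    for name, ok in single_fault_report().items():
        print(f"single fault {name:22s} -> {'available' if ok else 'LOST'}")
    print("fatal double faults:")
    for pair in fatal_double_faults():
        print("  ", " + ".join(pair))
```

In this model every single failure is tolerated, while certain pairs of failures (for example both switches that carry the OS servers) are not, which is the gap the redundant double ring addresses.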

Additional information
● Section "How to configure a fault-tolerant plant bus (Page 101)"
● Manual SIMATIC NET Twisted Pair and Fiber-Optic Networks
● Manual SIMATIC NET Industrial Ethernet OSM/ESM Network Management
● Manual SIMATIC; Communication with SIMATIC
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400


3.3.6 Redundant fault-tolerant plant bus

Functionality
The plant bus connects automation systems with servers (OS server, Route Control server).
The connection to a redundant, fault-tolerant plant bus is implemented with Ethernet
communications processors (CPs) that are installed in each subsystem of the automation
system and in the servers.
A redundant fault-tolerant plant bus is set up using two identical, linked plant bus rings
(double ring). The network components ensure unrestricted operation of the plant bus. If a
plant bus fails, communication remains possible over the second plant bus.

Redundant communication solutions


The following communication solutions are offered to increase the system availability:
● Redundant electrical or optical network with switches set up as Industrial Ethernet
● Combined redundant network with switches, FO cables and electrical connection
● Ring structures can be set up based on modular switches from the SCALANCE series.
(Can be implemented as optical, electrical and combined networks)
The following switches can be used:
● Switches of the SCALANCE series
Modules with optical or electrical connections are used for the connection.
● OSM (optical signal cables)
The connection to the OSMs is electrical or optical.
● ESM (electrical signal cables)
The connection to the ESM is electrical.
You will find more information on the switches used with PCS 7 in the section titled "Network
components (Page 47)".


Configuration - redundant plant bus (double ring)


The figure below shows the basic structure of the redundant, fault-tolerant plant bus (double
ring).

[Figure: redundant fault-tolerant plant bus (Industrial Ethernet) as a double ring. Labels: redundant OS server pair, each with two CPs; switch modules with integrated redundancy properties; fault-tolerant automation system S7-400H in physically segregated module racks, each with two CPs; synchronization lines.]


Availability - redundant plant bus (double ring)


The block diagram for a plant bus configured as a redundant double ring, with two CPs each
in both OS servers and additional switches, appears as follows:
In this system, a CP 1613 can fail in each OS server or a CP 443-1 can fail in each
subsystem of the AS without this affecting the complete system. There are two plant buses
(busses), each set up with redundant switches. This guards against the failure of the bus and
all components involved (switches).

[Block diagram. Labels: OS Server (two), each with two CPs; H System Part (two), each with two CPs; Bus segments of both plant buses between the CPs.]

Additional information
● Section "Network Components (Page 47)"
● Section "How to configure a fault-tolerant plant bus (Page 101)"
● Documentation PCS 7 Released Modules
● Manual SIMATIC NET Twisted Pair and Fiber-Optic Networks
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
● Manual SIMATIC NET Industrial Ethernet OSM/ESM Network Management
● Manual SIMATIC Communication with SIMATIC


3.3.7 Redundant PROFIBUS DP

Functionality
The field bus is used for data exchange between the automation system (AS) and the
distributed I/O. PROFIBUS DP (distributed peripheral), the field bus standard for
manufacturing and process automation, is used. PROFIBUS DP includes the specifications
for the following elements:
● Physical bus characteristics
● Access method
● User protocol
● User interface
PROFIBUS DP is suitable for fast, cyclic data exchange with field devices. It is used to
connect distributed I/O, for example, ET 200M, with very fast response times.
It is often advantageous to connect several DP master systems to an automation system in
order to increase the number of I/O components that can be connected. This also enables
segments to be formed, allowing individual production areas to operate independently of one
another.

Fault-tolerant communication solutions


The following fault-tolerant communication solutions are offered for PROFIBUS DP:
● Redundant PROFIBUS DP as an electrical network
● Redundant PROFIBUS DP with OLMs (optical network)


Configuration
The S7-400H fault-tolerant automation system features a DP master interface on each CPU
for connecting to PROFIBUS DP. The redundant PROFIBUS DP connects the redundant DP
master to the redundant interface modules of the distributed I/O.
The following figure shows an example for connecting redundant distributed I/O based on
ET 200M to a redundant PROFIBUS DP.

[Figure: S7-400H connected over two PROFIBUS DP lines to an ET 200M consisting of IM and SM modules. Labels: redundant I/O module; sensor.]

Availability
If the active PROFIBUS DP fails, sensors and H system can communicate with each other
over the redundant bus connection. The configuration shown in the following figure provides
increased availability due to the redundant interfacing of the distributed I/O.

[Block diagram. Labels: H System with PS, CPU and CP in each part; Bus (two); IM and SM in ET 200M I and ET 200M II; Sensor.]


Additional information
● Section "How to configure redundant PROFIBUS DP (Page 104)"
● Manual SIMATIC NET PROFIBUS Networks
● Manual SIMATIC; Communication with SIMATIC


3.3.8 Gateway between redundant and single-channel PROFIBUS DP

Y Link
The Y Link consists of two IM 153-2 interface modules and a Y coupler that are
interconnected through the corresponding bus modules (BM IM/IM and BM Y coupler).

Configuration

[Figure: Y Link configuration. Labels: redundant DP master system; Y coupler; IM modules; lower-level DP master system; connection of distributed I/O device.]

Functionality
The Y Link creates a gateway from the redundant DP master system of an S7-400H to a
single-sided DP master system. This enables devices with only one PROFIBUS DP interface
to be connected to a redundant DP master system as switched I/O.
The new generation of the Y Link no longer requires a repeater and is capable of forwarding
diagnostics requests from the corresponding function modules or I/O modules to the CPU.
As of PCS 7 Version 6.0, DPV1 slaves can be connected downstream from the Y Link in
addition to the standard PROFIBUS DP slaves.

Additional information
● Section "How to configure the Y Link (Page 117)"
● Manual DP/PA Link and Y Link Bus Couplings


3.3.9 Connection of PROFIBUS PA to PROFIBUS DP

DP/PA Link
The DP/PA Link allows a connection between PROFIBUS DP and PROFIBUS PA.
The DP/PA Link consists of the IM 153-2 interface module and one or more
FDC 157 DP/PA couplers that are interconnected through the backplane bus.

Configuration

[Figure: DP/PA Link configuration. Labels: S7-400H; PROFIBUS DP (two lines); DP/PA Link, redundant configuration with IM modules; PROFIBUS PA.]

Functionality
The DP/PA Coupler is a transceiver that interconnects PROFIBUS DP and PROFIBUS PA
and decouples the various transmission rates. It is a slave on the PROFIBUS DP and a
master on the PROFIBUS PA. Seen from the automation system, the DP/PA Link is a
modular slave. The individual modules of this slave are the field devices that are connected
to the lower-level PROFIBUS PA lines.
In the automation system, data are transmitted via PROFIBUS DP at a maximum speed of
12 Mbps with negligible delay. This is currently the fastest connection between
PROFIBUS DP and PROFIBUS PA and can be used by all automation devices with a
PROFIBUS DP interface.
The DP/PA Link decouples the various transmission rates of the bus systems and brings the
lower-level PA devices together at one PROFIBUS DP address. All DP masters can take
advantage of this feature.


You can connect a PROFIBUS PA to the PROFIBUS DP. The following variants can be
realized:
● Connection to a singular PROFIBUS DP
– Connection via DP/PA Link (1 x interface module, 1 x DP/PA coupler)
– Connection via DP/PA coupler (max. 45.45 Kbits/s on PROFIBUS DP)
– Connecting a redundant PROFIBUS PA:
You can find additional information about this in the section "Redundant PROFIBUS
PA (Page 68)".
● Connection to a redundant PROFIBUS DP
– Connection of a singular PROFIBUS PA via DP/PA Link with redundant
interconnection
(2 x interface module and 1 x DP/PA coupler)
– Connecting a redundant PROFIBUS PA:
You can find additional information about this in the section "Redundant PROFIBUS
PA (Page 68)".

Physical bus characteristics


As a PROFIBUS variant for the process industries, PROFIBUS PA uses a transmission
technology based on IEC 1158-2, in which the transmission rate is specified as 31.25 Kbps.
The application protocols for PROFIBUS DP and PROFIBUS PA are identical. If the DP/PA
coupler is connected directly on PROFIBUS DP, the transfer rate is limited to 45.45 Kbit/s.
This limit is due to the maximum transfer rate supported by PROFIBUS PA.
If you require a higher transfer rate, the DP/PA Link can be used for the connection. The
DP/PA coupler can be operated with SIMATIC S7 automation systems and all DP masters
that support the transmission rate of 45.45 Kbps. A maximum of 10 PA devices can be
connected to the single DP/PA Coupler. The actual number depends on the power
consumption of the connected PA devices.
The DP/PA coupler must be installed in a safe area outside the hazardous zone.
The connected PA cable can be laid in the hazardous zone and satisfies type of protection
EEx ia IIC.

Additional information
● Section "How to configure the DP/PA Link (Page 120)"
● Section "Redundant PROFIBUS PA (Page 68)"
● Section "How to configure redundant PROFIBUS PA (Page 106)"
● Manual DP/PA Link and Y Link Bus Couplings


3.3.10 Redundant PROFIBUS PA

Functionality
PROFIBUS PA allows the connection of PA devices. A redundant PROFIBUS PA is
connected to redundant FDC 157-0 DP/PA couplers. The network components ensure
unrestricted operation of PROFIBUS PA. If a communication path fails, the communication
path is preserved as far as the spur line to the field devices.

Redundant communication solutions


The following communication solutions are offered to increase the system availability:
● Ring redundancy with AFD (Active Field Distributor)
● Coupler redundancy with AFS (Active Field Splitter)
The DP/PA coupler can be used stand-alone or in the DP/PA Link.
Only 1 redundant DP/PA coupler pair can be connected for each DP/PA link. In mixed
configurations, you can operate up to 3 additional non-redundant DP/PA couplers.

Connecting the redundant PROFIBUS PA to PROFIBUS DP


You can connect a redundant PROFIBUS PA to the PROFIBUS DP. The following variants
can be realized:
● Connection to a singular PROFIBUS DP
– Connection of a redundant PROFIBUS PA via DP/PA link with redundant coupler pairs
(1 x interface module and 2 x DP/PA coupler)
– Connection of a redundant PROFIBUS PA with redundant FDC 157 coupler pairs
(2 x DP/PA coupler directly on the PROFIBUS DP)
● Connection to a redundant PROFIBUS DP
– Connection of a redundant PROFIBUS PA via redundant DP/PA link
(2 x interface module and 2 x DP/PA coupler)
We recommend that the following configuration limits be observed when connecting PA devices
using AFD or AFS in PCS 7:
● With the aim of increasing availability when using ring redundancy, connect a maximum
of 4 field devices (one field device per spur line) on an active field distributor AFD
(maximum 8 AFD to a redundant DP/PA coupler). You can connect a total of 31 field
devices.
● With coupler redundancy, connect a maximum of 31 field devices on an active field
distributor (AFS) to a redundant DP/PA coupler.


Configuration
The connections of the field devices via AFD and AFS are shown in the following figure. The
connection to PROFIBUS DP is shown as a redundant link.

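[Figure: connection of field devices via AFD and AFS. Labels: S7-400H; PROFIBUS DP (two lines); DP/PA Link with redundant IM and redundant DP/PA coupler FDC (shown twice); redundant PROFIBUS PA with AFDs, maximum number of AFDs and of field devices; redundant PROFIBUS PA with AFS, maximum number of field devices.]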

Transmission rate
You have two interfacing options for the gateway between PROFIBUS DP and
PROFIBUS PA. These result in different transmission rates on PROFIBUS DP.
● If you connect the DP/PA couplers via a DP/PA Link, a transmission rate of up to 12
Mbps is possible on PROFIBUS DP.
● If you connect the DP/PA couplers directly, the transmission rate on PROFIBUS DP is
45.45 Kbps.


Availability - redundant interfacing


In a redundant system, we recommend that you implement the interface to PROFIBUS DP
redundantly (redundant IM 153-2).
If a PA bus cable, an IM 153-2 or a DP/PA coupler fails, the communication connection to
the field devices is retained. The AFD or AFS automatically switches the connection to the
available signal path.

[Block diagram. Labels: PROFIBUS DP (max. rate in Mbps); PROFIBUS PA (rate in Kbps); CPU, CP, Bus, IM and DP/PA coupler in each of the two paths; AFD (three); PA device (three).]

Additional information
● Section "Connection of PROFIBUS PA to PROFIBUS DP (Page 66)"
● Section "How to configure redundant PROFIBUS PA (Page 106)"
● Operating Instructions SIMATIC; DP/PA Coupler, DP/PA Link and Y Link Bus Couplers


3.4 Solutions for integrating a PCS 7 plant in a domain

3.4.1 Integrating a PCS 7 plant in a domain

Recommendation
If a PCS 7 plant is integrated in a domain, we recommend you use redundant domain
controllers.

Additional information
Recommendations and information Process Control System; PCS 7 Security Concept


3.5 Solutions for OS servers

3.5.1 Redundant OS servers

Redundant OS Server
PCS 7 enables you to configure two OS servers redundantly for fault-tolerant operation. This
ensures that you can monitor and control your process at all times. The solution represents
the entry level into fault-tolerant process control systems.

Example for a plant with redundant central archive servers

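[Figure: plant with redundant central archive servers. Labels: OS clients (maximum number in Multi Client Area); archive server; terminal bus, Industrial Ethernet; OS server (maximum number, redundant); plant bus, Industrial Ethernet.]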

Functionality
Redundant OS servers monitor each other in runtime in order to detect the failure of an
OS partner server as early as possible.
If one of the two OS servers fails, the OS partner server takes over the process. The interface
between OS clients and the automation system remains available.
The OS clients are automatically switched to the redundant OS partner server. This means
that the OS clients always remain available for the control and monitoring of the process.
During the failure period, the redundant OS partner server continues to archive all messages
and process data in the WinCC project. Once the failed OS server comes back online, the
contents of all the message, process value and user archives are automatically copied to the
returning OS server. This copy process is referred to as redundancy synchronization.
Redundancy synchronization fills the gaps in the various archives that result from failures.
During the failure period, the internal master/standby identification changes from the failed
OS server to its OS partner server. The master identification remains with the OS partner
server even when the failed OS server comes back online.


Configuring the archives


Tag logging and alarm logging have to be configured functionally identical for redundant
OS servers. Functionally identical configuration means the same archives, whereby
extensions in the form of additional measuring points and archives are permitted.
Functionally identical configuration is ensured by configuring the OS partner servers
(OS_Stby) in the SIMATIC Manager and then selecting the menu command
PLC > Download.

Redundant central archive server


PCS 7 allows you to configure two central archive servers with redundancy functionality for
fault-tolerant operation. The data are archived in parallel with a redundant archive server.
This allows you to record and evaluate all the archive information from your controlled
process.

Note
Failure of the archive server in a configuration with redundant archive servers:
If the archive server fails, the data is only archived on the redundant archive server. When
the failed archive server comes back online, the data of the archive servers are
synchronized.

A central archive server does not require a connection to the plant bus.

Redundant maintenance station


PCS 7 allows you to configure two maintenance servers with redundancy functionality for
fault-tolerant operation.


Configuration
The following configuration shows the basic operating principle of redundant OS servers.

Note
You need to connect the redundant PC stations through a redundancy connection. This
connection offers security against problematic behavior during communication between the
OS servers.

[Figure: redundant OS server pair. Labels: connection to the terminal bus; OS Server with WinCC project A and archive; OS Server with WinCC project B and archive; null modem cable; connection to the plant bus.]

Redundancy connection
You need the following components to make the redundancy connection, depending on the
distance to be bridged:

Maximum distance | Required components | Connection
100 m | Crossover network cable | Ethernet connections
3000 m | FOC cable; per server: a free network connection (desktop adapter Intel Pro/1000GT or on-board network connection), 1 Ethernet cable, 1 media converter (e.g. SCALANCE X101-1) | Ethernet connections
10 m | Null modem cable | Serial connection


Availability
The availability of the complete system is ensured even if one of the two OS servers fails
because the two OS servers form an independent redundancy node.

[Block diagram. Labels: OS Server (two); Bus (two).]

Note
The buses marked with * (terminal bus and plant bus) can be configured redundantly with
optical or electronic switch modules.

Additional information
● Section "How to configure an OS server and its redundant OS partner server (Page 124)"
● Online help for WinCC; WinCC Redundancy
● Section "How to configure an archive server and its redundant archive partner server
(Page 127)"


3.6 Solutions for OS clients

3.6.1 Additional OS clients

Additional OS clients
OS clients are PC stations that are used for control and monitoring of an automation
process. They are connected to the OS servers through the terminal bus. The OS servers
form the process connection to the automation system.
An OS client has its own WinCC project and visualizes the process data generated on an
OS server.
If an OS client fails, this does not disrupt the overall process because the automation
program in the CPU continues to control the process and the OS servers continue to process
and archive the process data. However, the visualization of the process is lost and you can
only influence the process through the OS servers. You should therefore protect against
such failure by integrating additional OS clients.
By specifying a preferred server, you can distribute multiple OS clients between the
redundant OS servers. The automation process can therefore be operated continuously,
even during a failover from the active OS to its OS partner server.

Additional information
● Section "How to configure an OS client (Page 140)"
● Online help for WinCC


3.6.2 Permanent operability

Permanent operability
"Permanent operability" in a redundant environment is the unrestricted ability to influence the
system at any time even when confronted with the failure of one of the redundant OS
servers. It is the most important safety characteristic for plants with critical operations.
This function is important in all systems in which the ability to handle failure of an OS server
in a redundant configuration is not enough and in which continuous control of a process must
be maintained. In the event of an OS server failure, all OS clients connected to the failed
server will temporarily lose their connection to the process while they switch over. In order to
ensure that the OS clients can control and monitor the automation process continuously, the
OS clients are distributed between the redundant OS servers with specification of a preferred
OS server. The failure of some OS clients can therefore be tolerated because the other
clients remain connected to the process.

Preferred server
A "preferred server" is an OS server in the redundant OS server pair that the OS client
connects to preferentially. A preferred server can be defined separately for each OS client in
order to ensure permanent operability. The distribution of the OS clients between the OS
servers distributes the loads and increases the performance of the system as a whole.

Operating principle
If the active OS server fails, the process values on all of the connected OS clients are no
longer updated and there is no operator control on these OS clients during the failover. Other
OS clients that are connected in parallel to the redundant OS partner server are not affected
by this. The plant operator can therefore change to these OS clients if needed.
Generally, the following applies: The OS clients always connect to the specified preferred
server if it is available. If it is not available, the OS clients automatically connect to its
redundant OS partner server. If you do not specify a preferred server for an OS client, it will
connect to the OS server that has the master identification.
When the failed OS server comes online again, the OS client reconnects to its preferred
server. The master identification of the OS server does not change even when the failed OS
server comes back online.
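The connection rules of the operating principle can be replayed as a small state model. The following Python code is an added example, not part of the manual or of WinCC; the server names OS_A and OS_B, the client names and the assumption that the first server starts as master are constructed for illustration.

```python
class RedundantOSPair:
    """Minimal model of a redundant OS server pair and its master identification."""

    def __init__(self, first="OS_A", second="OS_B"):
        self.up = {first: True, second: True}
        self.master = first  # assumption: the first server starts as master

    def partner(self, server):
        return next(name for name in self.up if name != server)

    def fail(self, server):
        self.up[server] = False
        # The master identification moves to the partner only if the master failed.
        if self.master == server and self.up[self.partner(server)]:
            self.master = self.partner(server)

    def restore(self, server):
        # The returning server does not take the master identification back.
        self.up[server] = True

    def server_for(self, preferred):
        """Server an OS client connects to; None if both servers are down."""
        target = preferred if preferred is not None else self.master
        if self.up[target]:
            return target
        other = self.partner(target)
        return other if self.up[other] else None


def simulate(clients, events):
    """Replay ('fail' | 'restore', server) events and report which clients switch.

    `clients` maps a client name to its preferred server, or None for no preference.
    A client listed under 'switched' loses operator control during that failover.
    """
    pair = RedundantOSPair()
    connected = {name: pair.server_for(pref) for name, pref in clients.items()}
    timeline = []
    for action, server in events:
        if action == "fail":
            pair.fail(server)
        elif action == "restore":
            pair.restore(server)
        else:
            raise ValueError(f"unknown event: {action}")
        switched = []
        for name, pref in clients.items():
            new = pair.server_for(pref)
            if new != connected[name]:
                switched.append(name)
                connected[name] = new
        timeline.append({"event": (action, server), "master": pair.master,
                         "switched": switched, "connected": dict(connected)})
    return timeline


# Constructed client layouts: no preferred server, and clients split across the pair.
NO_PREFERENCE = {"C1": None, "C2": None, "C3": None, "C4": None}
DISTRIBUTED = {"C1": "OS_A", "C2": "OS_A", "C3": "OS_B", "C4": "OS_B"}
EVENTS = [("fail", "OS_A"), ("restore", "OS_A")]

if __name__ == "__main__":
    for label, layout in (("no preference", NO_PREFERENCE), ("distributed", DISTRIBUTED)):
        print(label)
        for step in simulate(layout, EVENTS):
            print("  ", step["event"], "master:", step["master"],
                  "switched:", step["switched"])
```

Without preferred servers every client follows the master and all of them switch at once when it fails; with distributed preferences half of the clients stay connected throughout.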

Additional information
● Section "How to configure an OS client for permanent operability (Page 142)"
● Online help for WinCC


3.7 Solutions for SIMATIC BATCH

3.7.1 Redundant BATCH servers

Redundant BATCH servers


SIMATIC BATCH enables you to configure two BATCH servers redundantly for fault-tolerant
operation. This ensures that you can monitor and control your batch process at all times.

Functionality
Redundant BATCH servers monitor each other in runtime in order to detect the failure of a
BATCH server as early as possible.
If one of the two BATCH servers fails, the process can be controlled over the second
BATCH server after the failover.
● The interface for message processing between the active BATCH server and the
OS server remains available.
● The BATCH clients automatically fail over to the functioning (active) BATCH server. After
the failover, it is possible to control and monitor the process from all BATCH clients.
In SIMATIC BATCH, the consistency of the databases is achieved by data replication. In this
solution, each of the BATCH servers of a server pair has its own database in which the batch
data is stored. The two databases are continuously synchronized.

Configuration
The following configuration shows the basic operating principle of redundant BATCH
servers. BATCH servers are only connected to the terminal bus.

[Figure: redundant BATCH server pair. Labels: connection to the terminal bus; BATCH Server with Project A and archive; BATCH Server with Project B and archive; database synchronization; fault-tolerant replication solution; null modem cable.]


Redundancy connection
You need the following components to make the redundancy connection, depending on the
distance to be bridged:

Maximum distance | Required components | Connection
100 m | Crossover network cable | Ethernet connections
3000 m | FOC cable; per server: a free network connection (desktop adapter Intel Pro/1000GT or on-board network connection), 1 Ethernet cable, 1 media converter (e.g., SCALANCE X101-1) | Ethernet connections

Note
When a redundant server pair is used as an OS server and BATCH server, the redundancy
connection must be configured via the Ethernet connection.
Serial linking of the server pair is not possible in PCS 7.

Availability
The following two block diagrams of fully operational systems illustrate the availability of the
BATCH clients and BATCH servers. All BATCH components form an independent
redundancy node since they are redundant. This ensures the independence of the
subsystem.

Note
Only the BATCH components and the terminal bus are shown in the block diagrams. The
terminal bus marked with * can be configured redundantly with switch modules.

[Block diagram. Labels: BATCH client (two); Bus; BATCH server (two).]


The communication between BATCH clients and BATCH servers is performed over the
terminal bus.

[Block diagram. Labels: BATCH client; BATCH server (two); OS client (two); Bus; OS server (two).]

The BATCH servers also communicate with OS servers over the terminal bus. The OS
servers are connected to the automation system over the plant bus.

Additional information
● Section "How to configure a PC station for a redundant BATCH server (Page 152)"
● Section "How to configure a PC station for a redundant BATCH client (Page 154)"
● Manual and online help for SIMATIC BATCH


3.8 Solutions for Route Control server

3.8.1 Redundant Route Control servers

Redundant Route Control servers


SIMATIC Route Control allows you to implement two Route Control servers with redundancy
functionality for fault-tolerant operation. This ensures that you can monitor and control your
route control at all times.

Functionality
The Route Control software automatically takes over the monitoring of the redundancy. The
redundant Route Control servers monitor each other in runtime.
If the active Route Control server fails, the process can be controlled via the second Route
Control server following failover.
The Route Control clients automatically fail over to the functioning (active) Route Control
server.
When the faulty Route Control server resumes normal service, it retrieves the current
process image from the automation systems.
During the failure, the functioning Route Control server automatically receives the internal
Master ID. If the active master server failed, the master ID is passed from the failed Route
Control server to its Route Control partner server.
When the failed Route Control server becomes available again, it is given the standby ID.
The master ID remains with the Route Control partner server.


Configuration
The following configuration shows the basic operating principle of redundant Route Control
servers.

[Figure: redundant RC server pair. Labels: connection to the terminal bus; two RC Servers, each with a project and an archive; connection to the plant bus.]

Availability
The availability of the complete system is also ensured even if one of the two Route Control
servers fails because the two Route Control servers form an independent redundancy node.

[Block diagram. Labels: RC Server (two); Bus (two).]

Note
The buses marked with * (terminal bus and plant bus) can be configured redundantly with
optical or electronic switch modules.

Additional information
● Section "How to configure PC stations for a redundant Route Control server (Page 161)"
● Manual Process Control System PCS 7; SIMATIC Route Control


3.9 Solutions for engineering station

3.9.1 Engineering station

Engineering station
The engineering station (ES) serves as a central configuration station.
There are no redundant engineering stations in PCS 7.
The ES is generally used to make changes in the configuration data of project components
such as AS, OS and BATCH and to then download the changes to the target systems. This
makes PCS 7 configuration centralized and transparent.

Configuration
In order to use an ES as an OS client, you need to configure a PC station in the PCS 7
project for the ES. This PC station is configured and downloaded the same way as an
operator station with regard to hardware (Station Configuration Editor), networks and
connections (NetPro). The ES is displayed in NetPro.
If you specify permanently configured connections under "Named Connections", the
following rules apply:
● When configuring the connections for the ES, you must configure a connection for every
AS. This will ensure that a connection can be established to every AS regardless of which
WinCC project is loaded.
● For connections from the individual PC stations (OS servers and ES) to the automation
systems, the following rules apply:
– All connections within an AS must have the same name.
– Two connections must be configured for each OS server and the ES: one in AS 1 and
one in AS 2.
– The connections to AS 1 and the connections to AS 2 must always have the same
name.

Backing up configuration data


The configuration data should always be backed up following a change in the configuration.


3.10 Time synchronization

3.10.1 Time synchronization

Introduction
Time synchronization in a PCS 7 plant is of utmost importance for synchronizing, tracing,
documenting and archiving all time-critical processes. Time synchronization is particularly
important for the redundancy functions in PCS 7 such as the redundancy synchronization
between OS servers or BATCH servers.
Time synchronization exists when all time-dependent individual components of the PCS 7
system have the identical date and identical time of day.
To allow this, one component in the PCS 7 system must take over the role of time master so
that all other time-dependent components receive the time of day from this time master.

Time synchronization within a Windows network


In PCS 7, the frames for time synchronization are sent over Industrial Ethernet.
You can choose between the following time masters:
● A stand-alone time server ((S)NTP server) with connected clock and time stamp receiver
module
● Separate clock and time signal receiver modules at the points to be synchronized (OS
server/domain controller)
● Combination of these two options
The information necessary for planning and setting up time synchronization within a
Windows network can be found in the following documentation:
● Manual Process Control System PCS 7; PCS 7 Security Concept; Recommendations and
Notes
● Configuration manual Process Control System PCS 7; Operator Station
● Configuration manual Process Control System PCS 7, Engineering System
● Operating instructions GPS Converter GPSDEC/GPSCOM
● Operating instructions SICLOCK Time Transmitter

Additional information
● Section "How to synchronize the time of day in automation systems (Page 91)"
● Section "How to synchronize the time of day of OS servers with an external time
transmitter (Page 145)"
● Section "How to synchronize the time of day of OS clients with OS servers (Page 147)"

4 Advantages of fault-tolerant components
4.1 SIMATIC H Station

4.1.1 Overview of configuration tasks

Overview of configuration tasks


You configure the redundancy functionality of the SIMATIC fault-tolerant station (H station)
by performing the following steps:

Step What?
1 Inserting a SIMATIC H station in a project (Page 86)
2 Inserting synchronization modules in the H_CPU (Page 87)
3 Configuring redundant communications processors (Page 89)
4 Setting time synchronization (Page 91)
5 Setting the CPU for the error response of input/output modules (Page 95)


4.1.2 How to add a SIMATIC H station to your project

Introduction
The SIMATIC H station is contained in the hardware catalog of HW Config as a stand-alone
station type. This station type is required if you want to configure two central racks each with
an H CPU, thereby configuring your process control system with redundancy.

Procedure
1. Open your PCS 7 project in SIMATIC Manager.
2. Open the component view with the menu command View > Component View.
3. In the component view, select the project and select the menu command
Insert > Station > SIMATIC H Station.

Result
The configuration in the SIMATIC Manager appears as follows:

Additional information
● Manual Automation System S7-400H; Fault-tolerant Systems


4.1.3 How to insert synchronization modules into the H CPU

Arranging components on the rack


The AS is arranged the same way as in the configuration:
● Rack (9 or 18 slots for redundant and, in some cases, remote configuration)
● Power supply modules (in some cases redundant configuration)
● H CPU with sync modules in slots "IF1" and "IF2"
● Communication processors (CP 443-1, CP 443-5 Extended)

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● HW Config is open.
● The rack has been inserted according to the configuration in HW Config.
● Each rack has been fitted with an H CPU in HW Config.

Procedure
1. In HW Config, select the menu command View > Catalog.
2. In the hardware catalog, double-click the H CPU you are using. Within the active tree
view, double-click on the version of the H CPU you have selected.
The H sync module is located below the version folder, e.g., V4.0.
3. Select the H Sync Module and drag it onto slots "IF1" and "IF2" of each H CPU.


Result
The following figure shows the configured subsystems of the fault-tolerant station in
HW Config:

Additional information
● Documentation Process Control System PCS 7; PCS 7 Released Modules
● Manual Automation System S7-400H; Fault-tolerant Systems


4.1.4 How to configure redundant communications processors

Introduction
Two CPs are needed for each H subsystem in a redundant plant bus design.

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● HW Config is open.
● The UR2-H rack has been inserted twice in HW Config.
● In HW Config, each rack has been fitted with an H CPU and the required synchronization
modules.

Procedure
1. In the hardware catalog, double-click the "SIMATIC 400" folder. Then double-click the
"CP-400" folder and finally the "Industrial Ethernet" folder.
2. Select the CP you are using and drag it to a free slot on the rack.

Note
When using a multi-protocol communications processor, make sure that the ISO interface
is configured for the "Fault-tolerant S7 connection" in the "Parameters" tab of the
"Properties - Ethernet Interface CP 443-1" dialog box.


Result
The following figure shows the configuration in HW Config:

Additional information
● Manual Automation System S7-400H; Fault-tolerant Systems


4.1.5 How to synchronize the time in automation systems

Introduction
During the configuration phase, settings must be made in two dialog boxes in order to
synchronize the time in automation systems.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● Two communications processors, for example, CP 443-1 Industrial Ethernet, have been
configured in HW Config.
● An external time transmitter, such as SICLOCK TM, has been integrated in the Ethernet.

Configuring in the "Properties - CPU ..." dialog box


1. In the component view, select the SIMATIC H station.
2. Double-click the "Hardware" object in the detail window.
HW Config opens.
3. Select the CPU you are using.
4. Select the menu command Edit > Object Properties.
The "Properties - CPU ..." dialog box opens.
5. Select the "Diagnostics/Clock" tab.
6. In the "Clock" area, select the type of synchronization "As slave" for synchronization in
the automation system.
This means that the automation system receives its time from an external master time
source.
7. Click "OK".


Result
The following figure shows the "Diagnostics/Clock" tab:


Configuring in the "Properties - CP ..." dialog box


1. In the component view, select the SIMATIC H station.
Double-click the "Hardware" object in the detail window.

2. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
3. Select the first CP you are using on a slot of the interface module rack.
4. Select the menu command Edit > Object Properties.
The "Properties - CP ..." dialog box opens.
5. Open the "Time Synchronization" tab.
6. In the "SIMATIC Mode" group, check the "Enable time-of-day synchronization in
SIMATIC Mode" box.
If a SIMATIC H station contains multiple CPs that are connected to the same network,
time synchronization may only be activated for one of these CPs (see table below titled
"Setting Time Synchronization").
7. Click "OK".
8. Repeat these settings for all CP 443-1s.

Setting time synchronization

Bus          CPU 1/rack 1                             CPU 2/rack 2
Plant bus1   CP 1/1: Time synchronization enabled     CP 2/1: Time synchronization disabled
Plant bus2   CP 1/2: Time synchronization disabled    CP 2/2: Time synchronization enabled
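
The rule from step 6 and the pattern in the table can be checked mechanically across many H stations. The following Python check is an added example, not part of the manual or of PCS 7; the CSV inventory layout, the station names and the function names are assumptions made for the illustration, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory in a hypothetical CSV layout: one row per CP 443-1.
# "sync" is the state of "Enable time-of-day synchronization in SIMATIC Mode".
SAMPLE_INVENTORY = """\
station,rack,cp,network,sync
AS1-H,1,CP 1/1,Plant bus1,enabled
AS1-H,2,CP 2/1,Plant bus1,disabled
AS1-H,1,CP 1/2,Plant bus2,disabled
AS1-H,2,CP 2/2,Plant bus2,enabled
AS2-H,1,CP 1/1,Plant bus1,enabled
AS2-H,2,CP 2/1,Plant bus1,enabled
AS2-H,1,CP 1/2,Plant bus2,disabled
AS2-H,2,CP 2/2,Plant bus2,disabled
AS3-H,1,CP 1/1,Plant bus1,enabled
AS3-H,2,CP 2/1,Plant bus1,disabled
AS3-H,1,CP 1/2,Plant bus2,enabled
AS3-H,2,CP 2/2,Plant bus2,disabled
"""


def load_inventory(text):
    """Parse the CSV text into dicts, rejecting unknown sync values."""
    rows = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        state = row["sync"].strip().lower()
        if state not in ("enabled", "disabled"):
            raise ValueError(f"line {line_no}: unexpected sync value {row['sync']!r}")
        rows.append({
            "station": row["station"].strip(),
            "rack": int(row["rack"]),
            "cp": row["cp"].strip(),
            "network": row["network"].strip(),
            "sync": state == "enabled",
        })
    return rows


def check_time_sync(rows):
    """Return sorted (station, network, code, detail) findings."""
    per_network = defaultdict(list)
    for row in rows:
        per_network[(row["station"], row["network"])].append(row)

    findings = []
    enabled_racks = defaultdict(list)  # station -> racks holding an enabled CP
    for (station, network), cps in per_network.items():
        enabled = [cp for cp in cps if cp["sync"]]
        if len(enabled) > 1:
            # Stated rule: only one CP per network may have sync activated.
            names = ", ".join(cp["cp"] for cp in enabled)
            findings.append((station, network, "MULTIPLE", f"enabled on {names}"))
        elif not enabled:
            # The table shows one enabled CP on each plant bus.
            findings.append((station, network, "NONE", "no CP has sync enabled"))
        enabled_racks[station].extend(cp["rack"] for cp in enabled)

    for station, racks in enabled_racks.items():
        # Assumption drawn from the table layout: the enabled CPs of the two
        # plant buses sit in different racks (CP 1/1 and CP 2/2).
        if len(racks) > 1 and len(set(racks)) == 1:
            findings.append(
                (station, "*", "SAME_RACK", f"all enabled CPs are in rack {racks[0]}")
            )
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_time_sync(load_inventory(SAMPLE_INVENTORY)):
        print(*finding, sep=" | ")
```
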


Result
The following figure shows the "Time Synchronization" dialog box:

Additional information
● Online help for STEP 7


4.1.6 How to set the failure reaction of the input/output modules on the CPU

Introduction
In the properties of the CPU (H parameters), you can specify how the redundant input/output
modules react to channel faults. The setting affects the entire redundant I/O connected to a
CPU.

Setting the passivation response


You set the reaction of the input/output modules to faults using the "passivation response"
parameter:
● Module-based
The module is passivated if a fault occurs.
● Channel-based
Only the channels on which the fault occurred are passivated.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● An H-CPU is configured in HW Config.
● If channel-based passivation is needed, the following requirements must be fulfilled:
– Suitable modules must be used.
● The following driver blocks are in the AS-specific library:
– S7 driver blocks from the "Redundant I/O (V1)" library
– PCS 7 driver blocks from the PCS 7 library as of V6.0

Note
You can see which modules are approved for the channel-based passivation reaction
in the documentation PCS 7 - Released Modules, which can be accessed with the
menu command Start > SIMATIC > Documentation > English.


Procedure
1. In the component view, select the SIMATIC H station.
2. Double-click the "Hardware" object in the detail window.
HW Config opens.
3. Select the CPU you are using on slot 3.
4. Select the menu command Edit > Object Properties.
The "Properties - CPU ..." dialog box opens.
5. Select the "H Parameters" tab.
6. Please make a note of which data blocks in the "Data block no." input box are defined as
standard transmitters so that you do not use them in your configuration.
7. Select the required setting for the passivation behavior from the "Passivation behavior"
list in the "Redundant I/O" area.
8. Click "OK".


4.2 Communication connections

4.2.1 Overview of configuration tasks

Introduction
After you have inserted all of the components (AS, OS and ES) in your project, you can use
NetPro to configure the network connections between the SIMATIC components. When the
configuration of the connections and network is complete, the configuration needs to be
compiled, saved and downloaded to the CPU of the automation system.

Downloading connection configurations


Connection configurations can be downloaded to the CPU in RUN mode. To do this, select
the connection to be downloaded in NetPro and transfer it to the CPU by selecting menu
command Target systems > Download > Selected Connections. Process interfacing for
operator stations is not possible until the connections are made known to the AS.
You edit and adapt the MAC addresses in the properties dialog box for the individual
operator stations in NetPro. The configuration has to be compiled and downloaded in NetPro
each time it is changed.

Overview
This section describes the configuration steps for the following topics:
● Configuring a redundant, fault-tolerant terminal bus (Page 98)
● Configuring a fault-tolerant plant bus (Page 101)
● Configuring a redundant PROFIBUS DP (Page 104)
● Configuring a redundant PROFIBUS PA (Page 106)


4.2.2 How to configure a redundant, fault-tolerant terminal bus

Introduction
The NetPro and HW Config programs do not support configuration of the terminal bus.
SIMATIC NET offers several solutions for a redundant terminal bus. The PC stations are
connected to the redundant terminal bus over network adapters capable of redundancy.
The section below describes how you install and configure the drivers for network adapters
of these PC stations.

Requirements
● The following two network adapters should be installed in each PC that is to be
connected to the terminal bus (e.g., OS server, OS client, domain controller):
– Intel Pro/1000MT server adapter
– Intel Pro/1000GT desktop adapter
● The "ProSet" configuration tool from Intel is installed.
You can find the drivers for the redundant network adapters used with PCS 7 on the
PCS 7 Toolset DVD as of Version 6.1 SP1 in the following folder:
Additional_Products > Drivers > NETWORK > Intel > ProSet.

Procedure – installing and configuring drivers


1. Install the drivers for the network adapter:
Double-click on the "Autorun.exe" file (in the root directory of the storage medium, for
example D:\Autorun.exe).
The drivers for network adapters are installed.
2. Select the menu command Start > Settings > Control Panel > Administrative Tools >
Computer Management > Device Manager > Network Adapters.
3. Select the internal network adapter of the PC station and disable it in the shortcut menu.
4. Select the server adapter "Intel® PRO/1000 MT Server Adapter" and then select the
menu command Properties in the shortcut menu.
5. Select the "Team with other adapters" check box in the "Teaming" tab and click the
"New Team" button.
The "New Team Wizard" dialog box opens.
6. Click "Finish".
The "Welcome to the Intel® PRO Adapter New Team Wizard" dialog box opens.
7. Enter a name for the team (for example "terminal bus Team #0") and click "Next".
8. Select the "Switch Fault Tolerance" entry in the "Select a team mode" list and click
"Next".
9. In the "Select the adapters to include in this team:" list, activate the check box for the
network adapters through which a server should be connected to the redundant terminal
bus.
10. Click "Continue".
The wizard closes. The team (for example, "Terminal Bus Team #0") is entered in the
"Properties" dialog box of the network adapter.


11. Click "Properties".
The "Team: <Team name> Properties" dialog box opens (in the example, "Team:
Terminal bus team #0 Properties").
12. Open the "Advanced" tab.
13. Select "enabled" in the "Value" list.
14. Go to the "Settings" tab and click the "Modify Team" button.
15. In the "Adapters" tab, select the network adapter (Server Adapter Intel Pro/1000MT) on
the preferred terminal bus. Click the "Set Primary" button.
16. Select the network adapter (Intel Pro/1000GT desktop adapter) on the redundant terminal
bus and click the "Set Secondary" button.
17. Click "OK".
The "Team: <Team name>" dialog box closes.
The two network adapters and their team affiliation are now entered in the device
manager.
18. Open the "Properties" dialog box of the network adapter.
19. Open the "General" tab.
In the "Make connection using:" group the entry is: "TEAM: <Team name>" (for example,
"TEAM : Terminal bus team #0").
20. Select the "Show icon in information area when connection is made" check box.
21. Click "OK" to close the dialog box.


Result
In the System > Device Manager folder, you will find three entries with the name "TEAM".
● Two entries each with information on one network adapter
● One entry with information on the virtual network adapter

Additional information about configuration


● Manual SIMATIC Net Twisted Pair and Fiber-Optic Networks
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
● Configuration manual SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
● Manual SIMATIC Net PROFIBUS Networks
Refer to the following Internet address to obtain more information about specific
SIMATIC NET products and their configuration:
http://www.siemens.com/automation/service&support


4.2.3 How to configure a fault-tolerant plant bus

Introduction
You configure the communication connections for the plant bus with NetPro. Industrial
Ethernet is used for the plant bus.

Fault-tolerant plant bus


You can set up a fault-tolerant plant bus with a ring structure. The components of the
process control system are connected to the plant bus using switch modules.
The degree of availability you require determines whether or not you should use additional
CPs in the OS servers and in each subsystem of the automation system.
This section describes the procedure for a fault-tolerant plant bus (ring) with switch modules
without additional CPs.

Redundant, fault-tolerant plant bus


To configure a redundant, fault-tolerant plant bus, two CPs each have to be physically
present in the OS servers that will be connected redundantly and in each H subsystem and
they must be configured in NetPro. Two networks must also be configured in NetPro.
The procedure is identical to the procedure for the fault-tolerant plant bus. This procedure
must be performed for one CP per bus and subsystem (H system or PC station on the plant
bus).

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● In HW Config, one 443-1 type CP has been configured in each H subsystem.
● Two SIMATIC PC stations each with one CP 1613 have been configured in HW Config.


Procedure
1. Open NetPro in SIMATIC Manager with the menu command Options > Configure
Network.
2. Select the menu command Insert > Network Objects to open the hardware catalog.
3. In the hardware catalog, click the plus sign to open the submenu containing the subnets.
4. Double-click the Industrial Ethernet subnet to insert it into the network view.

Note
To drag subnets into the NetPro project window, click the network, hold down the left
mouse button and drag it to the desired location. If you cannot place the object where you
want it, you may need to move other objects to make the necessary space.

5. In the left subsystem of the SIMATIC H station, select the interface icon for the CP 443-1
and drag a connection to the Industrial Ethernet subnets.
Repeat the procedure for the CP of the right subsystem.
6. Follow the same procedure for the CPs in both OS servers.
7. Save your configuration.


Result
The following figure shows the resulting configuration:

Additional information
● Online help for STEP 7


4.2.4 How to configure a redundant PROFIBUS DP

Introduction
The following section describes how to create and connect a redundant PROFIBUS DP.

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● HW Config is open.
● The UR2-H rack has been inserted twice in HW Config.
● In HW Config, each mounting rack has been fitted with an H CPU in slot 3 and the
required synchronization modules.

Procedure

Note
Steps 1 through 4 are necessary only when a CP 443-5 Extended is used for the connection
to the redundant PROFIBUS.

1. In HW Config, select the menu command Insert > Hardware Components.


2. In the hardware catalog, double-click the "SIMATIC 400" folder. Then double-click the
"CP-400" folder and finally the "PROFIBUS" folder.
3. Select the version of the CP 443-5 Extended you are using and drag it to a free slot on
the module rack.
The "Properties - PROFIBUS Interface CP 443-5 Ext ..." dialog box opens.
4. Click "OK".
5. Select the slot on the rack for which you want to specify a redundant
PROFIBUS interface:
– Slot X2 to use the CPU's own PROFIBUS interfaces
– Slot of the CP 443-5 Extended to use the CP PROFIBUS interfaces
6. Select the menu command Edit > Object Properties > Insert.
The "Properties - PROFIBUS Interface CP 443-5 Ext..." dialog box opens.

Note
When inserting the DP master system for the redundant PROFIBUS interface, the entry
"Redundant subnet ..." is displayed below the "Subnet" list.

7. Click "New".
The "New Subnet" dialog box opens.
8. Make any necessary system-specific settings in the "New Subnet ..." dialog box (for
example, bus name, transmission rates, etc.).
9. Click "OK".
The new DP master system is entered in the "Subnet" list.


10. Click "OK".
11. Repeat steps 1 to 10 for the redundant rack.

Result
The figure below shows the result of the configuration process in HW Config. Here, a
distributed I/O has already been assigned to the DP master systems for the purpose of
illustrating the redundancy principle:

Additional information
● STEP 7 Online Help


4.2.5 How to configure the redundant PROFIBUS PA

Introduction
Below, you will find a description of how to configure a redundant PROFIBUS PA that is
connected to a redundant PROFIBUS DP.

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● Two DP master systems are configured for the SIMATIC H station in HW Config and
these are used as connection paths for the redundant interface.
● For commissioning: The PROFIBUS addresses are set with the DIL switches on the
FDC 157-0 DP/PA couplers.

Example configuration
The following figure shows the configuration of the redundant PROFIBUS PA using the
DP/PA Link.

[Figure: example configuration. Labels: two PROFIBUS DP lines; DP/PA Link with redundant IM and redundant DP/PA coupler FDC; redundant PROFIBUS PA with AFD; DP/PA Link with redundant IM and redundant DP/PA coupler FDC; redundant PROFIBUS PA with AFS.]


Hardware setting on the DP/PA coupler

Note
The redundancy mode set on the DP/PA coupler (DIL switch bit 7) must match the
configured redundancy mode:
• OFF: coupler redundancy (default setting)
• ON: ring redundancy (line redundancy)
If there is a discrepancy between the set redundancy mode and the configured redundancy
mode, a diagnostic message is generated.

Configuring PA field devices

Note
If you use several FDC 157-0 DP/PA couplers in a link, a topological assignment in HW
Config is not possible. You can, however, check the assignment in the local lifelist online.

Procedure
1. In the component view, select the SIMATIC H station and double-click the "Hardware"
object in the detail window.
HW Config opens.
2. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
3. In the current PCS 7 profile, double-click "PROFIBUS DP" and then "DP/PA Link".
4. Select the FDC 157-0 DP/PA coupler and drag it onto one of the two PROFIBUS DP
lines.
5. Enter the PROFIBUS DP address in the "Properties - PROFIBUS Interface FDC 157-0"
dialog box.
6. Set the redundancy mode of the FDC 157-0 DP/PA coupler and click "OK".
7. Select the menu command General > Properties > Network Settings > User-defined >
Bus Parameters.
8. Enter the value 3 for the "Retry Limit" parameter.
9. Repeat steps 1 to 8 for the second DP/PA coupler for coupler redundancy.


Result
The following figure shows the resulting configuration in HW Config:

Additional information
● Section "Redundant PROFIBUS PA (Page 68)"
● Manual SIMATIC DP/PA Link and Y Link Bus Couplings


4.3 Distributed I/O

4.3.1 Overview of configuration tasks

Introduction
The following sections describe configuring redundancy of the individual components of the
distributed I/O.

Overview
This section describes the configuration steps for the following topics:
● Configuring the redundant interface for the I/O device (Page 109)
● Configuring redundant input/output modules (Page 112)
● Configuring the DP/PA Link (Page 120)
● Configuring the Y Link (Page 117)

4.3.2 How to configure the redundant interface for the I/O device

Introduction
Once you have integrated the interface module (IM 153-2 for ET 200M, IM 152-1 for
ET 200iSP) as hardware in the distributed I/O device, the component is made known to the
system in SIMATIC Manager with HW Config or NetPro.

Requirement
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● A redundant DP master system is configured for the SIMATIC H station in HW Config.


Procedure
1. In the component view, select the SIMATIC H station and double-click the "Hardware"
object in the detail window.
HW Config opens.
2. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
3. Double-click on "PROFIBUS DP" in the current PCS 7 profile.
4. Double-click the I/O device you want to connect:
– ET 200M
– ET 200iSP
5. Select the interface module:
– For ET 200M: IM 153-2 in the hardware catalog.
– For ET 200iSP: IM 152-1 whose hardware catalog description is "..., can be used
redundantly in the H system".
6. Drag the interface module to one of the two PROFIBUS DP lines.
The connection to the redundant line is established automatically.
7. Enter the PROFIBUS address in the "Properties - PROFIBUS Interface IM..." dialog box
and click "OK".


Result
The following figure shows the resulting configuration in HW Config:

Additional information
● Function manual Process Control System PCS 7; Highly Accurate Time Stamps
● Manual DP/PA Link and Y Link Bus Couplings


4.3.3 How to configure redundant I/O modules

Introduction
You configure the redundant I/O modules using HW Config.

Note
Redundant operation is possible only with certain S7-300 I/O modules of the ET 200M. For
additional information, please refer to the following documents:
• Documentation PCS 7 - Released Modules
(via menu command Start > SIMATIC > Documentation > English)
• Manual Automation System S7-400H; Fault-tolerant Systems

Note
Only identical I/O modules having the same order number in analog or digital form can be
used.
You can set channel-based redundancy for the channels of redundant modules as of
PCS 7 V7.0 SP1 for selected modules.

Assignment of redundant modules


Redundant modules can be assigned to each other for the ET 200M as follows:
● The modules are located in two different ET 200M stations on the same redundant
PROFIBUS DP (see sample configuration).
● The modules are located in two different ET 200M stations on different redundant
PROFIBUS DPs.
● The modules are located in the same ET 200M station.

Setting the passivation response


Note that you must also set the passivation behavior of the redundant I/O in the properties of
the CPU (H parameters) in addition to the following procedure.
You can find additional information about this in the section "How to set the CPU for the
reaction of the input/output modules to channel faults (Page 95)".


Example configuration
The figure below shows the setup for redundant input modules in a switched distributed
configuration.

[Figure: redundant switched I/O. ET 200M stations (IM and SM) on two PROFIBUS DP lines, with a signal module and a redundant signal module, each with one labelled input signal.]

Method of operation in the example configuration


"Signal Module 1" is configured redundantly to "Redundant Signal Module 1". As a result,
Signals E1.1 and E10.1 are redundant to one another.
If an error is detected in "Signal Module 1", "Signal Module 1" is passivated and only the
signals from "Redundant Signal Module 1" are processed. The user program, therefore, still
operates with the address E1.1, but the signal is coming from E10.1.
The user program does not see an error since the signal status is still correct. The
passivated module generates a diagnostic message.
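
The two passivation settings from section 4.1.6 (module-based and channel-based), applied to the E1.1/E10.1 example, as a small Python model. It is an added illustration, not code from PCS 7 or the manual; the class and function names are hypothetical, the input values are constructed, and because the case where both channels of a pair are passivated is not described here, the model raises an error instead of returning a value.

```python
from dataclasses import dataclass, field


@dataclass
class RedundantInputPair:
    """Model of two redundant digital input modules (hypothetical API)."""
    primary_byte: int    # "Signal Module 1": byte 1 in the example (E1.x)
    partner_byte: int    # "Redundant Signal Module 1": byte 10 (E10.x)
    behavior: str        # "module" or "channel" passivation
    channels: int = 8
    raw: dict = field(default_factory=dict)        # (byte, bit) -> hardware value
    passivated: set = field(default_factory=set)   # (byte, bit) taken out of use
    diagnostics: list = field(default_factory=list)

    def __post_init__(self):
        if self.behavior not in ("module", "channel"):
            raise ValueError("behavior must be 'module' or 'channel'")

    def report_fault(self, byte, bit):
        """Passivate per the configured behavior and record a diagnostic message."""
        if byte not in (self.primary_byte, self.partner_byte):
            raise ValueError(f"E{byte}.{bit} does not belong to this pair")
        if not 0 <= bit < self.channels:
            raise ValueError(f"channel {bit} out of range")
        if self.behavior == "module":
            affected = {(byte, b) for b in range(self.channels)}
            scope = f"whole module at byte {byte}"
        else:
            affected = {(byte, bit)}
            scope = f"channel E{byte}.{bit} only"
        self.passivated |= affected
        self.diagnostics.append(f"fault at E{byte}.{bit}: passivated {scope}")

    def read(self, bit):
        """Return (value, source) for the user program's address E<primary>.<bit>."""
        for byte in (self.primary_byte, self.partner_byte):
            if (byte, bit) not in self.passivated:
                return self.raw[(byte, bit)], f"E{byte}.{bit}"
        # Both channels passivated: not described in the text, so the model
        # refuses to invent a value (assumption of this example).
        raise LookupError(f"no valid source left for E{self.primary_byte}.{bit}")


def build_pair(behavior):
    """Constructed sample: both modules are wired to the same eight signals."""
    field_signals = [True, True, False, True, False, False, True, False]
    pair = RedundantInputPair(primary_byte=1, partner_byte=10, behavior=behavior)
    for bit, value in enumerate(field_signals):
        pair.raw[(1, bit)] = value
        pair.raw[(10, bit)] = value
    return pair


def sources_after_fault(behavior):
    """Fault on E1.1: what does each user-program address read, and from where?"""
    pair = build_pair(behavior)
    pair.raw[(1, 1)] = False      # the faulty channel now delivers a wrong value
    pair.report_fault(1, 1)
    return [pair.read(bit) for bit in range(pair.channels)], pair.diagnostics


def survives_second_fault(behavior):
    """Second fault on a different channel of the partner module (E10.3)."""
    pair = build_pair(behavior)
    pair.report_fault(1, 1)
    pair.report_fault(10, 3)
    try:
        return [pair.read(bit)[1] for bit in range(pair.channels)]
    except LookupError:
        return None


if __name__ == "__main__":
    for mode in ("module", "channel"):
        reads, diags = sources_after_fault(mode)
        print(mode, [source for _, source in reads], diags)
        print(mode, "after second fault:", survives_second_fault(mode))
```

In both modes the user program keeps addressing E1.1 and receives the correct value from E10.1; the modes differ in how many other channels are switched to the partner module along with it.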

Requirements
● The PCS 7 project involving an H CPU must have been created and opened in
SIMATIC Manager.
● A redundant DP master system is configured for the SIMATIC H station in HW Config.
● The interface modules for ET 200M (IM 153-2) on the redundant PROFIBUS DP are
configured in HW Config.


Procedure
1. In the component view, select the SIMATIC H station and double-click the "Hardware"
object in the detail window.
HW Config opens.
2. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
3. Select the IM 153-2 (ET 200M) in which you want to configure the redundant module.
The module overview is displayed in the lower window pane.
4. Select a signal module that supports redundancy in the hardware catalog.
Drag the signal module to a free slot in the IM 153-2 (lower window pane).
5. Repeat steps 3 and 4 for the second signal module.
The modules for which redundancy is to be configured are inserted.
6. Select the first IM 153-2 again.
7. Double-click on the inserted signal module in the module overview.
The "Properties ..." dialog box for this module opens.
8. Open the "Addresses" tab.
9. Select the process image partition from the "Process image" drop-down list.
10. Select the "Redundancy" tab.


11. Select the entry "2 modules" in the "Redundancy" list.
12. Click "Find".
The "Find Redundant Module" dialog box opens.
13. Select the DP master system in which the redundant signal module is configured in the
"Subsystem" list.
All the available PROFIBUS addresses in this DP master system are displayed in the
"PROFIBUS address" box.
14. From the "PROFIBUS address" box, select the IM 153-2 in which the redundant signal
module is configured.
The signal modules in this IM 153-2 capable of redundancy and for which no redundancy
has yet been configured are displayed in the "Redundant module" list.
15. Select the signal module you want to use as a redundant signal module in the
"Redundant module" list.
16. Click "OK" to close the dialog box.
17. In the "Additional parameters" area, make any additional settings required for input
modules.
18. Click "OK" to apply the settings.


Additional information
● Online help for STEP 7
● Documentation Process Control System PCS 7; PCS 7 Released Modules
● Manual Automation System S7-400H; Fault-tolerant Systems


4.3.4 How to configure the Y link

Introduction
The Y Link consists of two IM 153-2 interface modules and a Y coupler. The Y Link creates a
gateway from a redundant DP master system to a single-sided DP master system.
The following describes how to install and configure the Y Link.

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● A redundant DP master system is configured for the SIMATIC H station in HW Config.

Example configuration
The following figure shows how the Y Link is used.

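[Figure: Y Link example. S7-400H on a redundant PROFIBUS DP; Y Link with IM interface modules and Y coupler; single PROFIBUS DP with SIMOCODE, motor starter, ET 200 stations with SM and FM modules, and a DP/AS-i Link to the AS-i bus]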


Procedure
1. In the component view, select the SIMATIC H station and double-click the "Hardware"
object in the detail window.
HW Config opens.
2. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
3. In the current PCS 7 profile, double-click "PROFIBUS DP" and then "DP/PA Link".
4. Select the IM 153-2 interface module whose hardware catalog description is "Y Link".
5. Drag the IM 153-2 interface module to one of the two PROFIBUS DP lines.
6. Enter the PROFIBUS address in the "Properties - PROFIBUS Interface IM 153-2" dialog
box and click "OK".
7. Click on "Interface module for PROFIBUS DP" in the "Define Master System" dialog box
and click "OK".


Result
The resulting configuration in HW Config appears as follows:

Additional information
● Manual DP/PA Link and Y Link Bus Couplings


4.3.5 How to configure the DP/PA link

Functionality
The DP/PA Link consists of two IM 153-2 interface modules and one or more
DP/PA couplers. The DP/PA coupler is used to build a gateway between a redundant
PROFIBUS DP subnet and a non-redundant PROFIBUS PA subnet. When configuring in
HW Config in SIMATIC Manager, you can only select the IM 153-2 interface modules and
not the DP/PA coupler.
The DP/PA coupler is transparent in regard to addressing and communication. It does not
have its own bus address and simply forwards message frames. The field devices connected
to the PROFIBUS PA are addressed directly from the automation device.
The DP/PA coupler can be reconfigured in runtime but it cannot be replaced.

Note
A list of PA slaves that can be connected is available in the Y Link manual. Please note that
PCS 7 driver blocks are not available for all of the devices listed. Contact the PCS 7 Support
Center to check if such a driver block is available for the device you have selected.

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● A redundant DP master system is configured for the SIMATIC H station in HW Config.


Example configuration
The following figure shows how the DP/PA Link is used.

[Figure: DP/PA Link example. S7-400H on a redundantly designed PROFIBUS DP; DP/PA Link in redundant design with IM and FDC modules; single PROFIBUS PA with a temperature transmitter and a pressure transmitter]

Procedure
Configure the DP/PA Link in the same way as described in the section "How to configure the
Y link (Page 117)".
The DP/PA Coupler does not appear in the hardware catalog for the configuration of the bus
system.
When configuring in HW Config, you only need to set the transmission speed for the
selected PROFIBUS DP network in the "Network Settings" tab of the "Properties PROFIBUS"
dialog box.


Result
The following figure shows the resulting configuration in HW Config:

Additional information
● Manual SIMATIC DP/PA Link and Y Link Bus Couplings


4.4 Operator stations

4.4.1 Overview of configuration tasks

Introduction
The following sections describe how to configure redundancy for operator stations.

Overview of configuration tasks


You configure the redundancy functionality of the operator stations by performing the
following steps:

Step What?
1 Configuring the PC stations for a redundant OS server pair (Page 124)
2 Configuring a central archive server and its redundant archive partner server (Page 127)
3 Setting the properties of the central archive server (Page 130)
4 Setting the project path for destination OS and standby OS (Page 131)
5 Creating a redundant connection between OS and AS (Page 133)
6 Specifying which S7 programs you want to assign to which OS (Page 135)
7 Configuring WinCC redundancy (Page 137)
8 Downloading the SIMATIC PCS 7 project to the target systems (Page 150)
9 Configuring an OS client (Page 140)
10 Configuring an OS client for permanent operability (Page 142)
11 Synchronizing the time of day of OS clients with OS servers (Page 147)
12 Synchronizing the time of day of OS servers with an external time transmitter (Page 145)


4.4.2 How to configure an OS server and its redundant OS partner server

Introduction
The following describes the individual steps involved in installing the OS server and its
redundant OS partner server.
In the following example, both OS servers of the server pair are connected redundantly to
the plant bus (two CP 1613s per server).

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● Each PC has two CP 1613s for connection to the plant bus.
● The ISO protocol is set as the communication protocol on the plant bus.
● Each PC has a standard network adapter for connection to the terminal bus.

Procedure

Note
Steps 1 to 11 of this procedure have already been performed if an OS server was created in
the project.

1. In the component view of SIMATIC Manager, select the project where you want to add
the operator station.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
3. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, OS server).
4. Enter the Windows name of the computer to be used as the OS server in the "Computer
name" box.
5. In the component view, select the SIMATIC PC station and double-click the
"Configuration" object in the detailed view.
The hardware configuration of the SIMATIC PC station opens.
6. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
7. In the hardware catalog under "SIMATIC PC Station > HMI...", select the
"WinCC application" and drag it to the configuration table.
8. In the hardware catalog under SIMATIC PC Station > CP Industrial Ethernet, select the
CP 1613 communications processor and drag it to the PC station.
The "Properties - Ethernet Interface" dialog box opens.
9. Set the required address on the bus for the CP.
Select the "Set MAC address/Use ISO protocol" check box and click "OK".


10. Repeat steps 8 and 9 for the second CP 1613.
11. Select the menu command File > Save, exit HW Config and change to
SIMATIC Manager.
12. In the component view of SIMATIC Manager, select the project where you want to insert
the redundant operator station.
13. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
14. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, OS partner server).
15. Enter the Windows name of the computer to be used as the OS partner server in the
"Computer name" box.
16. In the component view, select the SIMATIC PC station and double-click the
"Configuration" object in the detail window.
The hardware configuration of the SIMATIC PC station opens.
17. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
18. In the hardware catalog under "SIMATIC PC Station > HMI...", select the
"WinCC application (stby)" and drag it to the configuration table.
19. In the hardware catalog under SIMATIC PC Station > CP Industrial Ethernet, select the
CP 1613 communications processor and drag it to the PC station.
The "Properties - Ethernet Interface" dialog box opens.
20. Set the required address on the bus for the CP.
Select the "Set MAC address/Use ISO protocol" check box and click "OK".
21. Repeat steps 19 and 20 for the second CP 1613.
22. Select the menu command File > Save and exit HW Config.


Result
Your project should now correspond to the project shown in the following figure. You can
change the names of the components as you wish.

Additional information
● Online help for STEP 7


4.4.3 How to configure an archive server and its redundant archive partner server

Introduction
The following describes the individual steps involved in creating the archive server and its
redundant archive partner server.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● Each PC has a standard network adapter for connection to the terminal bus.

Procedure

Note
Steps 1 to 10 of this procedure have already been performed if an archive server was
created in the project.

1. In the component view of the SIMATIC Manager, select the project into which you want to
add the redundant central archive server.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
3. Mark the SIMATIC PC station and select the menu command Edit > Object Properties.
4. In the "Name:" input box, enter the desired name.
The name "CAS Server" is entered in the example.
5. Enter the Windows name of the computer in the "Computer Name" input box.
6. Click "OK".
7. Mark the SIMATIC PC station in the component view and open HW Config by
double-clicking on the "Configuration" object in the detail view.
The hardware configuration of the SIMATIC PC station opens.
8. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
9. Select the "WinCC CAS Appl." WinCC application in the hardware catalog under
"SIMATIC PC Station > HMI..." and insert it in the configuration table by drag-and-drop.
10. Select the menu command File > Save, exit HW Config and change to
SIMATIC Manager.
11. In the component view of the SIMATIC Manager, select the project into which you want to
add the redundant central archive server.
12. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
13. Mark the SIMATIC PC station and select the menu command Edit > Object Properties.
14. In the "Name:" input box, enter the desired name.
The name "CAS Partner Server" is entered in the example.


15. Enter the Windows name of the computer to be used as the archive partner server in the
"Computer name" box.
16. Click "OK".
17. In the component view, select the SIMATIC PC station and double-click the
"Configuration" object in the detail window.
The hardware configuration of the SIMATIC PC station opens.
18. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
19. Select the "WinCC CAS Appl. (stby)" WinCC application in the hardware catalog under
"SIMATIC PC Station > HMI..." and insert it into the configuration table by drag-and-drop.
20. Select the menu command File > Save and exit HW Config.

Result
Your project should now correspond to the project shown in the following figure. You can
change the names of the components as you wish.


Additional information
● Online help for STEP 7


4.4.4 How to Set the Properties of the Central Archive Server


The properties of the central archive server can only be set for the archive server with
the "WinCC application CAS".

Procedure
1. In the tree of the component view, select the "[OS]" object underneath the archive
server's SIMATIC PC station.
2. Select the menu command Edit > Object Properties.
The "Properties - OS:[Name of OS]" dialog box opens.
3. Open the "CAS – Central archive server options" tab. Activate the check box in
accordance with your archiving requirements:
– All
– TagLogging Fast
– TagLogging Slow
– AlarmLogging
– Reports (OS reports and Batch reports from SIMATIC BATCH)
4. Make the following settings in the "Archive size" group:
– In the "Time period for all segments" input box, enter the entire period of time during
which archives are to be created.
– In the "Max. size for all segments" input box, enter the maximum time period for all
segments combined. This imposes a limit in terms of the memory requirements.
These settings will depend on the maximum amount of storage space that is available
for your archives.
– In the "Time period for a single segment" input box, enter the period of time during
which archive data are to be archived in a single segment.
– In the "Max. size of a single segment" input box, enter the maximum size for a single
segment.
Depending on which parameter is satisfied first, the single segment is closed and a
new single segment created.
5. Specify the "Time of first segment change".
6. Click "OK".
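The interaction of the four "Archive size" settings determines how much history actually remains available on the archive server, for example for reviewing alarms after an incident. The following sketch is an added example, not part of the manual or of WinCC: it models the settings day by day, and it assumes that the oldest single segment is dropped as soon as one of the limits for all segments is exceeded. All function and parameter names are hypothetical.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Segment:
    days: int        # days of archive data held in this single segment
    size_mb: int     # data volume of this single segment
    closed_by: str   # "time" or "size": the single-segment limit reached first


def simulate_archive(mb_per_day: int, run_days: int,
                     seg_days: int, seg_max_mb: int,
                     all_days: int, all_max_mb: int) -> List[Segment]:
    """Return the closed segments still retained after run_days of archiving.

    seg_days / seg_max_mb model "Time period for a single segment" and
    "Max. size of a single segment"; all_days / all_max_mb model the two
    settings for all segments.
    """
    retained: List[Segment] = []
    age = size = 0
    for _ in range(run_days):
        age += 1
        size += mb_per_day
        # Whichever single-segment parameter is satisfied first closes the segment.
        if size >= seg_max_mb:
            reason = "size"
        elif age >= seg_days:
            reason = "time"
        else:
            continue
        retained.append(Segment(age, size, reason))
        age = size = 0
        # Assumption: when a limit for all segments is exceeded,
        # the oldest single segment is removed.
        while (sum(s.size_mb for s in retained) > all_max_mb
               or sum(s.days for s in retained) > all_days):
            retained.pop(0)
    return retained


def retained_days(segments: List[Segment]) -> int:
    """Days of history covered by the retained closed segments."""
    return sum(s.days for s in segments)


if __name__ == "__main__":
    # Constructed load figures: a busy alarm archive and a quiet one.
    busy = simulate_archive(100, 30, seg_days=7, seg_max_mb=500,
                            all_days=60, all_max_mb=2000)
    quiet = simulate_archive(10, 28, seg_days=7, seg_max_mb=500,
                             all_days=14, all_max_mb=2000)
    for label, segs in (("busy", busy), ("quiet", quiet)):
        print(label, len(segs), "segments,", retained_days(segs), "days retained,",
              "closed by", {s.closed_by for s in segs})
```

With the constructed busy load, the size limits apply first and only 20 of the configured 60 days remain; with the quiet load, the time limits apply.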


4.4.5 How to set the project paths of the destination OS and standby OS

Introduction

Note
The procedure described in this section applies to the following servers:
• OS server
• Maintenance server
• Central archive server
The description for the OS server is used here.

The OS servers of an OS server pair must be made known to each other. You do this by
making the following settings for the SIMATIC PC stations:
● For both OS servers: "Target OS Computer"
● On the "master OS": OS name of the redundant OS server "Standby OS"
The target OS computer is the Windows name of the PC in the Windows network to which
the server data (configuration data) for an OS server of an OS server pair was downloaded.
Master OS and standby OS mean the OS servers that make up an OS server pair.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● Two SIMATIC PC stations have been configured in HW Config as an OS server and OS
partner server.

Procedure
1. In the component view, select the OS that you want to specify as the master OS.
2. Select the menu command Edit > Object Properties.
The "Properties - [name of the OS]" dialog box opens.
3. Select the "Destination OS and Standby OS" tab.
4. Click the "Browse" button next to the "Path to destination OS computer" box and enter the
path to the MCP file of the destination OS.
The destination OS computer is the computer where the project is to run.
The mcp file is generated automatically when you create the OS.

NOTICE
Enter the network path for the target OS using UNC (Universal Naming Convention)
notation: \\Server name\Share name\Directory name


5. Select the OS that you want to use as the standby OS from the "Standby OS" list.
All of the standby operator stations that you have created in SIMATIC Manager are
displayed in this drop-down box.
6. Click "OK" to save your entries.
You have now completed all the settings for the master OS.
7. In the component view, select the OS that you want to use as the standby OS.
8. Select the menu command Edit > Object Properties.
The "Properties - [name of the OS]" dialog box opens.
9. Select the "Destination OS and Master OS" tab.
10. Click the "Browse" button next to the "Path to destination OS computer" box and enter the
path to the MCP file of the destination OS.
The destination OS computer is the computer where the project is to run.
The mcp file is generated automatically when you create the OS.
11. Click "OK" to save your entries.
You have now completed all the settings for the standby OS.

Additional information
● Online help for STEP 7


4.4.6 How to configure a redundant connection between an OS and AS

Introduction
To complete the configuration of the OS server and its redundant OS partner server, you
need to create the fault-tolerant network connections to the AS in NetPro.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● Two SIMATIC PC stations have been configured in HW Config as an OS server and
OS partner server each with two CP 1613.
● The redundant plant bus has been configured.

Procedure
1. Open NetPro in SIMATIC Manager with the menu command Options > Configure
Network.
2. Select the interface icon in the first CP 1613 of the OS server and drag a connection to
Ethernet(2).
The CP 1613 is now connected to the Ethernet(2).
3. Connect the second CP of the OS server to Ethernet(1) in the same way.
4. Connect both CPs of the OS partner server with the two Ethernet networks in the same
way.
5. Select the WinCC application of the OS server for which you want to configure a
fault-tolerant network connection.
The connection table is displayed in the lower window pane.
6. Select the first empty row in the connection table and select the menu command
Insert > New Connection.
The "New Connection" dialog box opens.
7. Select the desired connection partner in the tree.
8. Select the connection type "S7 connection fault-tolerant" in the "Connection" box.
9. Select "Show properties" before inserting.
This allows you to make settings or changes to the connection.
10. If redundant CPs for the plant bus are configured in the SIMATIC S7 stations, activate the
check box "Enable max. CP redundancy (with 4 connection paths)" in the "Redundancy"
group.
11. Click "OK" to save your entries.


Result
The following figure shows the redundant network connection of the two OS servers to the
SIMATIC H station in NetPro:

Additional information
● Section "How to configure a fault-tolerant plant bus (Page 101)"
● Online help for STEP 7


4.4.7 How to assign an S7 program to an OS

Introduction
The AS-OS assignment of a hierarchy folder in the plant view of SIMATIC Manager results in
the following in the component view:
● All CFC and SFC charts inserted in the plant view are stored in the chart folder of the
assigned AS.
● All pictures and reports inserted in the plant view are stored in the folder of the assigned
OS.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● The plant view is activated.

Procedure
1. Select the hierarchy folder for which you want to make the AS-OS assignment in the plant
view.
2. Select the menu command Edit > Object Properties and change to the "AS-OS
Assignment" tab.
3. From the "Assigned AS" list, select the S7 program that you want to assign to the
selected hierarchy folder.
4. Select the "Pass on selected assignment to all lower-level objects" check box if you want
all lower-level objects to have the same assignment.

Note
The "Pass on selected assignment to all lower-level objects" check box is only active if
the lower-level objects have another assignment or no assignment.

5. From the "Assigned OS" list, select the operator station you want to assign to the
selected hierarchy folder.
6. If the lower-level objects have another assignment but you prefer all lower-level objects to
have the same assignment, select the "Pass on selected assignment to lower-level
objects" check box.

Note
If you select "Area oriented" as the compilation mode, the OS assignment can only be
changed for PH folders of the OS area level.


7. Click "OK" to save your entries.
The AS-OS assignment is accepted and is passed on to the lower-level objects or not,
according to your setting.

Note
If you have divided up the projects so that there is only one OS or one AS in a project,
you do not need to make an AS-OS assignment.

Additional information
● STEP 7 Online Help


4.4.8 How to configure WinCC redundancy

Introduction

Note
The procedure described in this section applies to the following servers:
• OS server
• Maintenance server
• Central archive server
The description for the OS server is used here.

WinCC redundancy is used to implement redundancy between an OS server and its OS
partner server. WinCC redundancy must first be configured in WinCC Explorer on the OS
server for this purpose.

Note
Make sure that only one of the two OS servers is the "default master" and that this option is
not selected for both of the OS servers in the "Redundancy" dialog box. Problems may
otherwise occur during redundancy failover of OS clients.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● Two SIMATIC PC stations have been configured in HW Config as an OS server and
OS partner server, each with two CP 1613 communications processors.
● The OS server and OS partner server are connected by a redundancy cable.
You can use the following as the redundancy cable:
– Network cable on an additional network adapter
– Null modem cable on the COM port
● The connection to the redundant partner has been set (COM1 on the screenshot below).
You will find information on setting communications modules in the manual titled
Process Control System PCS 7; PC Configuration and Authorization.


Procedure

Note
Settings in steps 5 and 6: The settings are adopted automatically from the configuration in
SIMATIC Manager. It may be necessary to adapt settings if projects have been copied or if
you configure in a different order from the one recommended for PCS 7.

1. In the component view of SIMATIC Manager, select the OS in the OS server and select
the menu command Edit > Open Object.
The WinCC Explorer opens.
2. In WinCC Explorer, select the menu command Editor > Redundancy > Open.
The "Redundancy" application opens.
3. Select the "Activate redundancy" check box.
4. In the "General" tab, select the "Default Master" check box if you want to set the OS
server as the default master.
5. In the "Redundant Partner Server" field, enter the computer name of the redundant OS
server. You can also use the “Browse” button to select an appropriate server from the
network.
6. Select the following check boxes as required:
– Synchronization of Tag Logging after the partner server comes back online
– Synchronization of Alarm Logging after the partner server comes back online
– Online synchronization for Alarm Logging
– Synchronization after process connection error
– WinCC client failover if the process connection is disrupted
7. For more information about the "General" and "User Archive" tabs refer to the Online help
for WinCC.
8. Click "OK".


Result
The "General" tab in the "Redundancy" dialog can be configured as follows:

Additional information
● Online help for WinCC


4.4.9 How to configure an OS client

Introduction
The following section illustrates how to configure two OS clients that can be interconnected
with a redundant pair of OS servers.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● Each PC has a standard network adapter for connection to the terminal bus.

Procedure
1. In the component view of SIMATIC Manager, select the project in which you want to
configure the OS clients.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
3. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name.
4. In the component view, select the SIMATIC PC station and double-click the
"Configuration" object in the detail window.
The hardware configuration of the SIMATIC PC station opens.
5. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
6. In the hardware catalog under "SIMATIC PC Station > HMI...", select the "WinCC
application client" and drag it to the configuration table.
7. Save your current settings. Close the hardware catalog.
8. Repeat steps 2 to 7 for the second OS client.


Result
Your project now looks like the one in the following figure. You can rename the components
any way you please.

Using reference clients


You can set up additional monitoring stations using reference clients. They use configured
OS clients as a basis.
Refer to the configuration manual Process Control System PCS 7; Operator Station for more
information.


4.4.10 How to configure an OS client for permanent operability

Introduction
A minimum of two OS clients are required for permanent operability. A preferred server is
specified separately for each client, thus distributing the OS clients to the redundant OS
servers. This ensures that the process is continuously available even during a failover from a
faulty OS server to the redundant OS partner server.

Requirements
● The redundant OS server pair has been configured in SIMATIC Manager.
● WinCC redundancy is configured for the OS server (master).
● The OS server (master) has been compiled such that the server data have been
generated.
● Two OS clients have been configured in SIMATIC Manager.
● The server data of the OS server (master) has been assigned to the client project.

Procedure
1. Open the WinCC project of the first OS client in the component view in
SIMATIC Manager.
2. In the project navigation window in WinCC Explorer, right-click the "Server Data" editor and
then "Configure".
3. In the "Configure Server Data" dialog box, click the cell "No preferred server" in the
"Preferred server" column.
A drop-down box appears. The preferred servers available for selection depend on the
redundancy configuration of the OS servers and are transferred to the OS client with the
server data.
4. In the drop-down box, click on the OS server you want to designate as the preferred
server for the OS client.
5. Close the dialog box.
6. Repeat steps 1 to 4 for the second OS client. Note that you must set the redundant OS
partner server as the preferred server for the second OS client.
7. Select the first OS client and select the menu command Edit > Object Properties.
The "Properties [name of OS]" dialog box opens.
8. Select the "Destination OS" tab.
9. Click the "Browse" button next to the "Path to target OS computer" box and enter the path
to the MCP file of the OS client.
The mcp file is generated automatically when you create the OS.
10. Repeat steps 7 to 9 for the second OS client.
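
A check of the client distribution that this procedure sets up, as an added example that is not part of the Siemens manual: it takes a constructed list of OS clients with their preferred servers and reports every single server failure after which all clients would have to fail over at once. The computer names and the `OsClient` type are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Text of the unset cell in the "Preferred server" column of "Configure Server Data".
NO_PREFERENCE = "No preferred server"


@dataclass(frozen=True)
class OsClient:
    name: str               # computer name of the OS client (constructed)
    preferred_server: str   # value selected in the "Preferred server" column


def operable_without_failover(clients, server_pair, failed_server):
    """Names of the clients whose preferred server keeps running when failed_server goes down."""
    return [c.name for c in clients
            if c.preferred_server in server_pair and c.preferred_server != failed_server]


def check_permanent_operability(clients, server_pair):
    """Return findings; an empty list means the plan keeps one client operable at all times."""
    findings = []
    if len(clients) < 2:
        findings.append("fewer than two OS clients are configured")
    for c in clients:
        if c.preferred_server == NO_PREFERENCE:
            findings.append(f"{c.name}: no preferred server selected")
        elif c.preferred_server not in server_pair:
            findings.append(f"{c.name}: {c.preferred_server} is not part of the redundant server pair")
    # Simulate the loss of each server in turn: at least one client must be able to
    # stay on its preferred server while the others switch to the partner.
    for server in server_pair:
        if not operable_without_failover(clients, server_pair, server):
            findings.append(f"if {server} fails, every OS client has to fail over at the same time")
    return findings


# Constructed sample data (names are assumptions, not taken from a real project).
SERVER_PAIR = ("OSS1A", "OSS1B")
DISTRIBUTED = [OsClient("OSC1", "OSS1A"), OsClient("OSC2", "OSS1B")]
SAME_SERVER = [OsClient("OSC1", "OSS1A"), OsClient("OSC2", "OSS1A")]
ONE_UNSET = [OsClient("OSC1", NO_PREFERENCE), OsClient("OSC2", "OSS1B")]

if __name__ == "__main__":
    for label, plan in (("distributed", DISTRIBUTED),
                        ("same server", SAME_SERVER),
                        ("one unset", ONE_UNSET)):
        result = check_permanent_operability(plan, SERVER_PAIR)
        print(label, "->", result or "OK")
```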

Result
The "Configure server data" dialog boxes on both OS clients appear as follows:
● Dialog box on OS client 1:

● Dialog box on OS client 2:

Using reference clients


You can set up additional monitoring stations using reference clients. They use configured
OS clients as a basis.

Additional information
● Online help for WinCC
● Configuration manual Process Control System PCS 7; Operator Station

4.4.11 How to synchronize the time of day of OS servers with an external time transmitter

Introduction
The procedure described here relates to OS servers in a domain that are connected to a
redundant plant bus (Industrial Ethernet). This means that both of the redundant OS servers
must have two CP 1613 communications processors. "SICLOCK TM" is used as the external
time transmitter.

Note
All the OS servers used (including both OS servers of a server pair) must be set as
described below.

Requirements
● Two CP 1613s are configured for each OS server of a server pair in HW Config.
● An external time transmitter, such as SICLOCK TM, has been integrated in the Industrial
Ethernet.
● The WinCC project is open on an OS server.

Procedure
1. In WinCC Explorer, select the menu command Editor > Time Synchronization > Open.
The "Time Synchronization" dialog box opens.
2. Select the "Synchronization via system bus (master, slave)" check box.
3. In the "Access point 1" list, select the required CP.
This drop-down box displays all CPs that are available in the OS server.
You must select the CP for which you have activated time synchronization in the
configuration console.
4. Activate the "Master" check box.
The OS server is now specified as the time master.
5. Select the required redundant CP for "Access point 2" and activate the "Master" check
box.
This specifies a redundant CP for the time-of-day synchronization, which will provide the
connection to the plant bus in case the first CP fails.
6. Click "OK" to save your entries.

Result
The "Time Synchronization" dialog box can be configured as follows:

Additional information
● Online help for WinCC
● Online help for STEP 7
● Operating instructions GPS Converter GPSDEC/GPSCOM
● Operating instructions SICLOCK Time Transmitter

4.4.12 How to synchronize the time of day of OS clients with OS servers

Introduction
The WinCC "Time Synchronization" editor is used for time synchronization.

Note
The settings described below must be made on all the OS servers in use.

Requirements
● The WinCC project is open on an OS client.
● OS clients communicate with the OS servers over the terminal bus.

Procedure
1. In WinCC Explorer, select the menu command Editor > Time Synchronization > Open.
The "Time Synchronization" dialog box opens.
2. Select the "Synchronization via terminal bus (slave)" check box. There are two ways to
synchronize the OS clients with OS servers over the terminal bus.
– If you select the "Use the time from a connected WinCC server" check box, the time
of day on the OS client is synchronized with that of an OS server from which the
OS client has downloaded the server data. This option provides failure security when
the server data of at least two OS servers is loaded on the OS client.
– If you select the "Use the time from a specific computer" check box, you need to
specify the computer name under "Computer 1". You can also specify a second
computer under "Computer 2". In this case there is an automatic failover to
Computer 2 if Computer 1 fails.
3. Click "OK".

Result
The "Time Synchronization" dialog box may be configured as follows:

Note
Client time synchronization via the connected server will not be fail-safe if the client only has
the server data from one server. In all other cases, it will be fail-safe.

Additional information
● Online help for WinCC

4.4.13 How to download a SIMATIC PCS 7 project to the target systems

Introduction
You can download a PCS 7 project that you created in SIMATIC Manager along with the
components of the project (AS, OS, BATCH server/client) to the various target systems in a
single step with the menu command PLC > Compile/Download Programs.
You can also download the various components individually to the PLCs using the menu
command PLC > Download.

Requirements
● All of the required SIMATIC PC stations have been configured in SIMATIC Manager.
● The master OS/standby OS assignment has been made.
● The destination paths from the ES to the individual target systems have been configured.
● The AS and all of its components (synchronization modules, CPs, etc.) have been
configured.
● All network connections have been configured, saved and compiled in NetPro.
● The destination computer is already equipped with an operating system, a network
connection and WinCC.
● The PCS 7 project is open in SIMATIC Manager.

Procedure
1. Select the project in the component view of SIMATIC Manager.
2. Select the menu command PLC > Compile and Download Objects.
The "Compile and Download Objects" dialog box opens.
3. Check whether all components in the project have been configured for complete
compilation/downloading.
4. Click "Start".
This starts the compilation and download operation.

Additional information
● STEP 7 Online Help

4.4.14 Evaluating the "@RM_MASTER" Redundancy Variables with Scripts

Recommendation
If you decide to evaluate the "@RM_MASTER" tag with scripts, you should program an
operator button that can deactivate this part of the scripts. This way, you will not have to
change and reload scripts each time the software is updated.

4.5 SIMATIC BATCH Stations

4.5.1 Overview of configuration tasks

Introduction
The following sections describe how to configure redundancy for SIMATIC BATCH stations.

Overview of configuration tasks


You configure the redundancy functionality of the BATCH stations by performing the
following steps:

Step What?
1 Configuring the PC Stations for a redundant BATCH server pair (Page 152)
2 Configuring the PC station for a BATCH client (Page 154)
3 Setting the network adaptor for redundancy monitoring of BATCH servers (Page 156)
4 Setting redundancy of the BATCH servers (Page 157)
5 Downloading the target systems for SIMATIC BATCH (Page 159)

4.5.2 How to configure a BATCH server and its redundant BATCH partner server

Introduction
The following describes how to configure a redundant BATCH server.

Note
A redundant BATCH server cannot be used simultaneously as a shared server for PCS 7 OS
and SIMATIC BATCH.

Requirements
● The SIMATIC BATCH software package (BATCH Engineering) has been installed in
addition to the PCS 7 software.
● The PCS 7 project is open in SIMATIC Manager.

Procedure
1. In the component view of SIMATIC Manager, select the project into which you want to
insert the BATCH server.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
3. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, BATCH server).
4. Enter the Windows name of the computer to be used as the BATCH server in the
"Computer name" box.
5. In the component view, select the SIMATIC PC station and double-click the
"Configuration" object in the detailed view.
The hardware configuration of the SIMATIC PC station opens.
6. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
7. In the hardware catalog under "SIMATIC PC Station > BATCH...", select the "BATCH
application" and drag it into the configuration table.
8. Select the menu command File > Save, exit HW Config and change to SIMATIC
Manager.
9. In the component view of SIMATIC Manager, select the project into which you want to
insert the redundant BATCH server.
10. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
11. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, BATCH partner server).
12. Enter the Windows name of the computer to be used as the BATCH partner server in the
"Computer name" box.
13. In the component view, select the SIMATIC PC station and double-click the
"Configuration" object in the detail window.
The hardware configuration of the SIMATIC PC station opens.
14. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
15. In the hardware catalog under "SIMATIC PC Station > BATCH...", select the "BATCH
application (stby)" and drag it into the configuration table.
16. Select the menu command File > Save and exit HW Config.

Result
The following figure shows the SIMATIC PC station with BATCH application (stby)
configured in HW Config:

Additional information
● Manual Process Control System PCS 7; SIMATIC BATCH

4.5.3 How to configure a BATCH client

Introduction
A BATCH client and an OS client are often run together on one SIMATIC PC station. You
configure both client applications in HW Config in a SIMATIC PC station.

Requirements
● The SIMATIC BATCH software package (BATCH Engineering) has been installed in
addition to the PCS 7 software.
● The PCS 7 project is open in SIMATIC Manager.

Procedure
1. In the component view of SIMATIC Manager, select the project into which you want to
insert the BATCH client.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
3. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name.
4. Enter the name of the computer to be used as the BATCH client in the "Computer name"
box.
5. In the component view, select the SIMATIC PC station and double-click the
"Configuration" object in the detailed view.
The hardware configuration of the SIMATIC PC station opens.
6. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
7. Under "SIMATIC PC Station > BATCH..." in the hardware catalog, select the "BATCH
application client" and drag it into the configuration table.
8. Save your current settings and close HW Config.

Result
The following figure shows the SIMATIC PC station with BATCH application client configured
in HW Config:

Additional information
● Manual Process Control System PCS 7; SIMATIC BATCH

4.5.4 How to set the redundancy monitoring of BATCH servers

Introduction
A local Ethernet network needs to be built in PCS 7 for redundancy monitoring of redundant
BATCH servers.

Requirements
● A network adapter for the local Ethernet network is available for redundancy monitoring
on each BATCH server of a server pair (referred to below as the 3rd network adapter).
● All software components have been installed on the BATCH servers.

Procedure
1. Open the network connections with the menu command Start > Settings > Control Panel
> Network Connections.
The "Network Connections" dialog box opens.
2. Select the menu command Advanced > Advanced Settings.
3. The terminal bus must be at the top of the list for the connections. Set the 3rd network
adapter in the list under the terminal bus.
4. Deactivate the options "Client for Microsoft Networks" and "File and Printer Sharing ..." in
the "Network Adapters and Bindings" tab for the 3rd network adapter.
5. Click "OK".
6. In the "LAN or High-speed Internet" list of the "Network Connections" dialog box, select
the 3rd network adapter and then select the menu command File > Properties.
7. Check the "Internet Protocol (TCP/IP)" box and deactivate all other elements.
8. Select "Internet Protocol (TCP/IP)". Click "Properties".
The "Properties of Internet Protocol (TCP/IP)" dialog box opens.
9. Set the "local" IP address in the "General" tab.

Note
Enter different IP addresses for the master server and standby server from a private
subnet range (e.g., subnet 192.168.0.0) that cannot be routed to the WAN.

10. Click "OK".
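
The settings from steps 3 to 9 and the note on IP addresses, expressed as an audit over a constructed inventory of a BATCH server pair (an added example, not Siemens code or a PCS 7 tool). The computer names, addresses, role labels and the subnet-overlap check are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 blocks: private ranges that are not routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCPIP = "Internet Protocol (TCP/IP)"


@dataclass
class Adapter:
    role: str             # "terminal bus" or "redundancy" (labels assumed for this example)
    address: str          # address with prefix length, e.g. "192.168.0.1/24"
    bindings: frozenset   # items enabled for this adapter


@dataclass
class BatchServer:
    name: str
    adapters: list        # in the order of the "Advanced Settings" connection list


def redundancy_adapter(server):
    """Return the adapter used for redundancy monitoring (the 3rd adapter), or None."""
    return next((a for a in server.adapters if a.role == "redundancy"), None)


def audit_server(server):
    """Check one server against steps 3 to 9 of the procedure; return a list of findings."""
    findings = []
    roles = [a.role for a in server.adapters]
    if not roles or roles[0] != "terminal bus":
        findings.append(f"{server.name}: terminal bus is not at the top of the connection list")
    red = redundancy_adapter(server)
    if red is None:
        findings.append(f"{server.name}: no adapter for redundancy monitoring")
        return findings
    # Steps 4 and 7: only TCP/IP may remain enabled on the 3rd adapter.
    if TCPIP not in red.bindings:
        findings.append(f"{server.name}: TCP/IP is not enabled on the redundancy adapter")
    for item in sorted(red.bindings - {TCPIP}):
        findings.append(f"{server.name}: '{item}' is still enabled on the redundancy adapter")
    # Note after step 9: the address must come from a private range.
    iface = ipaddress.ip_interface(red.address)
    if not any(iface.ip in net for net in RFC1918):
        findings.append(f"{server.name}: {iface.ip} is not in a private (RFC 1918) range")
    # Added check, not stated on the page: the monitoring subnet should be its own subnet.
    for other in server.adapters:
        if other is not red and ipaddress.ip_interface(other.address).network.overlaps(iface.network):
            findings.append(f"{server.name}: redundancy subnet overlaps the {other.role} subnet")
    return findings


def audit_pair(master, standby):
    """Audit both servers, then compare their redundancy addresses with each other."""
    findings = audit_server(master) + audit_server(standby)
    a, b = redundancy_adapter(master), redundancy_adapter(standby)
    if a is not None and b is not None:
        ia, ib = ipaddress.ip_interface(a.address), ipaddress.ip_interface(b.address)
        if ia.ip == ib.ip:
            findings.append(f"master and standby share the address {ia.ip}")
        elif ia.network != ib.network:   # assumption: both ends sit in one subnet
            findings.append("master and standby redundancy adapters are in different subnets")
    return findings


# Constructed inventory. Binding names as written on the page (the second is abbreviated there).
FULL = frozenset({"Client for Microsoft Networks", "File and Printer Sharing", TCPIP})


def sample_pair(standby_ip="192.168.0.2/24", standby_bindings=frozenset({TCPIP})):
    """Build a constructed master/standby pair; the arguments vary the standby's 3rd adapter."""
    master = BatchServer("BATCHSRV1", [
        Adapter("terminal bus", "172.20.1.11/24", FULL),
        Adapter("redundancy", "192.168.0.1/24", frozenset({TCPIP})),
    ])
    standby = BatchServer("BATCHSRV2", [
        Adapter("terminal bus", "172.20.1.12/24", FULL),
        Adapter("redundancy", standby_ip, standby_bindings),
    ])
    return master, standby


if __name__ == "__main__":
    cases = {
        "as described": sample_pair(),
        "duplicate address": sample_pair(standby_ip="192.168.0.1/24"),
        "on terminal bus subnet, sharing enabled": sample_pair("172.20.1.50/24", FULL),
    }
    for label, (master, standby) in cases.items():
        print(label, "->", audit_pair(master, standby) or "OK")
```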

4.5.5 How to set the redundancy of the BATCH servers

Introduction
Additional tasks must be performed in engineering and when setting up the PC stations for
redundant BATCH servers:
● On the engineering station: The default engineering settings must be checked
● On each BATCH server: The network adapter must be set for redundancy monitoring

Time needed for ending process mode of a BATCH server


The time needed for ending process mode of a BATCH server depends on the size of the
SIMATIC BATCH configuration. The redundancy partner reports a fault on the BATCH
server after the configured time. This time is set for redundant BATCH servers so that it is
slightly longer than the time the BATCH server needs to normally end process mode in this
plant.

Requirements
● The SIMATIC BATCH software package (BATCH Engineering) has been installed in
addition to the PCS 7 software.
● The PCS 7 project is open in SIMATIC Manager.
● The configuration of the server pair for BATCH server in HW Config is completed.
● A network adapter is set up for redundancy monitoring via an Ethernet connection on
each BATCH server.

Checking the configuration settings


1. Select the project in the component view of SIMATIC Manager.
2. Select the menu command Options > SIMATIC BATCH.
The "Plant Data" dialog box opens.
3. Select the project in the tree view.
4. Open the "Distribution" tab. Click "Update". Check the displayed settings.
5. Open the "OS Objects" tab. Click "Update". Check the selected message OS.
6. Open the "System Response" tab. Click "Update".
7. Check the displayed settings in the "Startup response" group.
You can find additional information about this in the manual
Process Control System PCS 7; SIMATIC BATCH.
8. In the "Times" group, enter the required time in the "End" input box.

Setting redundancy monitoring


1. Open the Windows Explorer on the BATCH server.
2. Select the folder Workstation > Simatic Shell in the tree view.
3. Select the shortcut menu command Redundancy Settings.
The "Redundancy Settings" dialog box opens.
4. In the drop-down list of the "Network Adapter" group, select the network adapter through
which the redundancy communication to the partner server should be established.
5. Perform steps 1 to 4 for each partner server.

Additional information
● Manual Process Control System PCS 7; SIMATIC BATCH

4.5.6 How to download the target systems for SIMATIC BATCH

Introduction
You can download a PCS 7 project that you created in SIMATIC Manager along with the
components of the project (AS, OS, BATCH server/client) to the various target systems in a
single step with the menu command PLC > Compile/Download Programs.

Requirements
● The PCS 7 project is open in the Component view in the SIMATIC Manager.
● The SIMATIC BATCH configuration is completed.
● The Batch plant is compiled.

Downloading via SIMATIC BATCH


1. Select the menu command Options > SIMATIC BATCH.
The "Plant Data" dialog box opens.
2. Select the plant object in the tree view.
3. Click "Download".
In the "Download from <plant>" dialog box, all PC stations for BATCH servers (single,
redundant), DB servers and BATCH clients are displayed with information about their
download status.
4. Click "Start".
The plant object is downloaded.

Additional information
● Manual Process Control System PCS 7; SIMATIC BATCH

4.6 SIMATIC Route Control stations

4.6.1 Overview of configuration tasks

Introduction
The following sections describe how to configure redundancy for SIMATIC Route Control
stations.

Overview of configuration tasks


You configure the redundancy functionality of the SIMATIC Route Control stations by
performing the following steps:

Step What?
1 Configuring the PC stations for a redundant Route Control server pair (Page 161)
2 Configuring the PC station for a Route Control client (Page 164)
3 Creating a redundant connection between Route Control server and AS (Page 166)
4 Creating a Route Control server (Page 168)
5 Downloading the target systems for Route Control (Page 168)

4.6.2 How to configure a Route Control server and its redundant Route Control partner
server

Introduction
The following describes how to configure a redundant Route Control server.
In the following example, the Route Control server is connected redundantly to the plant bus
(two CP 1613s per server).

Requirements
● The SIMATIC Route Control software package (Route Control Engineering) has been
installed in addition to the PCS 7 software.
● The PCS 7 project is open in SIMATIC Manager.

Procedure
1. In the component view of SIMATIC Manager, select the project into which you want to
insert the Route Control server.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
3. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, Route Control server).
4. Enter the Windows name of the computer to be used as the Route Control server in the
"Computer name" box.
5. In the component view, select the SIMATIC PC station and double-click the
"Configuration" object in the detailed view.
The hardware configuration of the SIMATIC PC station opens.
6. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
7. Under "SIMATIC PC Station > Route Control ..." in the hardware catalog, select "RC
application" and drag it to the configuration table.
8. In the hardware catalog under SIMATIC PC Station > CP Industrial Ethernet, select the
CP 1613 communications processor and drag it to the PC station.
The "Properties - Ethernet Interface" dialog box opens.
9. Set the required address on the bus for the CP.
Select the "Set MAC address/Use ISO protocol" check box and click "OK".
10. Repeat steps 8 and 9 for the second CP 1613.
11. Select the menu command File > Save, exit HW Config and change to SIMATIC
Manager.
12. In the component view of SIMATIC Manager, select the project into which you want to
insert the redundant Route Control server.
13. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
14. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, Route Control partner server).
15. Enter the Windows name of the computer to be used as the Route Control partner server
in the "Computer name" box.
16. In the component view, select the SIMATIC PC station and double-click the
"Configuration" object in the detail window.
The hardware configuration of the SIMATIC PC station opens.
17. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
18. Under "SIMATIC PC Station > Route Control ..." in the hardware catalog, select "RC
application (stby)" and drag it to the configuration table.
19. Select the menu command File > Save and exit HW Config.

Result
The following figure shows the SIMATIC PC station with Route Control application (stby)
configured in HW Config:

Additional information
● Manual Process Control System PCS 7; SIMATIC Route Control

4.6.3 How to configure a Route Control client

Introduction
A Route Control client and an OS client are often run together on one SIMATIC PC station.
Both client applications must be configured in HW Config on a SIMATIC PC station.

Requirements
● The SIMATIC Route Control software package (Route Control Engineering) has been
installed in addition to the PCS 7 software.
● The PCS 7 project is open in SIMATIC Manager.

Procedure
1. In the component view of SIMATIC Manager, select the project into which you want to
insert the Route Control client.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
3. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name.
4. Enter the name of the computer to be used as the Route Control client in the "Computer
name" box.
5. In the component view, select the SIMATIC PC station and double-click the
"Configuration" object in the detailed view.
The hardware configuration of the SIMATIC PC station opens.
6. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
7. Under "SIMATIC PC Station > Route Control ..." in the hardware catalog, select
"RC application client" and drag it into the configuration table.
8. Save your current settings and close HW Config.

Result
The following figure shows the SIMATIC PC station with Route Control application client
(RC application client) configured in HW Config:

Additional information
● Manual Process Control System PCS 7; SIMATIC Route Control

4.6.4 How to configure a redundant connection between a Route Control server and AS

Introduction
The redundant connections between the Route Control server and the AS are created in
NetPro using SIMATIC Route Control wizards.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● Two SIMATIC PC stations have been configured in HW Config as a Route Control
server and Route Control partner server, each with two CP 1613 (or IE General).
● The AS is connected to the plant bus in NetPro.
● The plant bus has been configured.

Procedure
1. In the SIMATIC Manager, select the menu command Options > SIMATIC Route Control >
Wizard.
2. In the "Introduction" dialog box of the wizard, click "Next".
The "What do you want to do?" dialog box opens.
3. In the "Generate S7 connections" group, activate the check box "AS-Server connection
information". Click "Continue".
4. Make the settings according to the plant configuration.
The RC wizard automatically creates a fault-tolerant connection when a fault-tolerant
system is the connection partner.
5. When the Route Control server and SIMATIC H station are each connected to the plant
bus with two CPs, the following additional tasks need to be performed:
– Open NetPro in SIMATIC Manager with the menu command Options >
Configure Network.
– Select the Route Control application of the Route Control server for which you want to
configure a fault-tolerant network connection.
The connection table is displayed in the lower window pane.
– Select the connection to the SIMATIC S7 station (SIMATIC S7 H Station) in the
connection table.
– Select the menu command Edit > Object properties.
The "Properties... S7 connection" dialog box opens.
– Select the "General" tab.
– To use 4-way redundancy, activate the check box "Enable max. CP redundancy
(with 4 connection paths)".
– Click "OK".

Result
The following figure shows the redundant network connection to the SIMATIC H station for
both Route Control servers in NetPro:

Additional information
● Section "How to configure a fault-tolerant plant bus (Page 101)"
● You can find information about the Route Control wizards in the manual Process Control
System PCS 7; SIMATIC Route Control.
● Online Help for STEP 7

4.6.5 How to set the redundancy of the Route Control servers

Introduction
You only have to configure the PC stations in the SIMATIC Manager for redundant
Route Control servers.
In the object properties of the PC station, the computer name must be configured or
the "Computer name identical to PC station name" check box must be activated.

Additional information
● Section "How to configure a Route Control server and its redundant Route Control
partner server (Page 161)"

4.6.6 How to download the target systems for Route Control

Introduction
For Route Control plants with redundant Route Control servers, you should always download
the Route Control configuration to the Route Control server and the Route Control clients.

Additional information
● You can find information about downloading the Route Control server in the manual
Process Control System PCS 7; SIMATIC Route Control.
● You can find information about downloading the configuration to the Route Control client
in the manual Process Control System PCS 7; SIMATIC Route Control.

5 Component Replacement and Plant Changes
5.1 Failure and replacement of bus components

5.1.1 Replacement of SIMATIC components in runtime

Continuous operation
A crucial factor for continuous operation of fault-tolerant process control systems is the
replacement of faulty or failed components in runtime. Replacement of defective components
is only possible if fault-tolerant components are used. The redundant components continue
to operate and supply the function until the replacement is made. The system is no longer
fault-tolerant in this condition.

Which components can be replaced in central controllers?


The following components in a redundantly configured automation system can be replaced in
runtime:
● Central processing units (e.g., CPU 417-4H)
● Power supply modules (e.g., PS 405, PS 407)
● Communication modules
● Synchronization modules and fiber-optic cables
● Interface modules (e.g., IM 460, IM 461)

Which components of the distributed I/O can be replaced?


The following components in a redundantly configured distributed I/O system can be
replaced in runtime:
● DP master (CPU or CP in the AS)
● DP slaves (for example, ET 200M, ET 200iSP)
● Redundant interface modules (for example, IM 153-2 and IM 152-1)
● Input/output modules
● PROFIBUS DP cables

Additional information
You can find detailed, step-by-step instructions on the procedure for replacing components
in runtime in the manual Automation System S7-400H; Fault-tolerant Systems.
The following table is an overview of the descriptions:

For the procedure used to replace components in ..., refer to the manual Automation System
S7-400H; Fault-tolerant Systems in section ...

Central racks:
● Failure and replacement of a CPU (redundant CPU)
● Failure and replacement of a power supply module
● Failure and replacement of a communication processor
● Failure and replacement of a synchronization module or FO cable
● Failure and replacement of an IM 460 and IM 461 interface module

Distributed I/O:
● Failure and replacement of distributed I/O components
● Failure and replacement of an input/output or function module
● Failure and replacement of a PROFIBUS DP master
● Failure and replacement of a redundant PROFIBUS DP interface module
● Failure and replacement of a PROFIBUS DP slave
● Failure and replacement of PROFIBUS DP cables

5.1.2 Replacement of bus components in runtime

Introduction
The information in this section relates to the following bus components:
● Bus cable
● Switches, hubs, bridges

Failure and replacement of bus components


Components of a bus system (plant bus, terminal bus, PROFIBUS) can be replaced when
there is no risk of accidentally affecting other components as a result of the replacement.
Before making a replacement, the following aspects must be taken into consideration:
● Bus topology (for example ring structure, spur lines, redundancy connections, disrupted
bus cable)
● Connection of the bus system to "master systems":
– The assignment of clients to servers
– The connection to time master systems
– The connection to domain controllers
– For PCS 7 OS: The setting of preferred servers
● Other disrupted components

Recommended procedure
If a bus component is partially functional, we recommend the following procedure:
● If repairs are necessary, first replace the defective bus cable.
● Insert a new bus component into the existing system before you remove the old bus
component completely.
● Avoid the occurrence of double faults.
● Replace the connection to the connected components in series (not at the same time).


5.1.3 Replacement of operator stations in runtime

Replacement of operator stations


When replacing operator stations, a distinction must be made between:
● Replacing an OS server
● Replacing an OS client

Note
Information on updating operator stations with redundant OS servers in runtime can be
found in "guidelines on updating a redundant OS in runtime (Page 200)".

Requirements
● The new PC contains the same hardware components.
● An image of the PCs to be replaced is used for the installation.
● The name of the replaced PC is used for the new PC.
● The same IP address is used for the new PC.
● The MAC address is adapted in the project.

Replacing an OS server
Follow the steps below to replace an OS server:

Step What?
1 Switch OS clients over to the server that will be remaining in operation.
2 Deactivate and replace the OS server.
3 Check the network addresses and download the configuration data.
4 On the engineering station: Download OS server data (and automatic redundancy update).
5 Start WinCC.
6 Activate process mode.
7 Activate or switch over assigned OS clients.


Replacing an OS client
Follow the steps below to replace an OS client:

Step What?
1 Deactivate process mode.
2 Deactivate and replace the OS client.
3 Check the network addresses and download the configuration data.
4 On the engineering station: Download target system (OS client).
5 Activate process mode.

Changing to a new PCS 7 version


You can find information on how to convert all operator stations of a redundant system to a
new PCS 7 version in the manual Process Control System PCS 7; Software Update without
Utilization of New Functions.


5.1.4 Replacement of BATCH stations in runtime

Replacement of BATCH stations


When replacing BATCH stations, a distinction must be made between:
● Replacing a BATCH server
● Replacing a BATCH client

Requirements
● The new PC contains the same hardware components.
● An image of the PCs to be replaced is used for the installation.
● The name of the replaced PC is used for the new PC.
● The same IP address is used for the new PC.
● The MAC address is adapted in the project.

Replacing the BATCH server


Follow the steps below to replace a BATCH server:

Step What?
1 Replace the BATCH server.
2 On the engineering station: Open the BATCH configuration dialog, select PCell, download
BATCH server.
3 Start the BATCH server (BATCH server starts up as standby server).

Replacing the BATCH client


Follow the steps below to replace a BATCH client:

Step What?
1 Close the BATCH Control Center.
2 Replace the BATCH client.
3 On the engineering station: Open the BATCH configuration dialog, select PCell, download
BATCH client.
4 Open the BATCH Control Center.


5.1.5 Replacement of Route Control stations in runtime

Replacement of Route Control stations


When replacing Route Control stations, a distinction must be made between:
● Replacing a Route Control server
● Replacing a Route Control client

Requirements
● The new PC contains the same hardware components.
● An image of the PCs to be replaced is used for the installation.
● The name of the replaced PC is used for the new PC.
● The same IP address is used for the new PC.
● The MAC address is adapted in the project.

Replacing the Route Control server


Follow the steps below to replace a Route Control server:

Step What?
1 Replace the Route Control server.
2 On the engineering station: Open Route Control Engineering and download the Route
Control server.
3 Start Route Control (Route Control starts as standby server).
4 Update the Route Control servers using the Route Control Center, so that both Route
Control servers operate with the same database.

Replacing the Route Control client


Follow the steps below to replace a Route Control client:

Step What?
1 Close the Route Control Center.
2 Replace the Route Control client.
3 On the engineering station: Download Route Control client from the SIMATIC Manager.
4 Open the Route Control Center.


5.2 Plant changes in runtime

5.2.1 Plant changes in runtime in redundant process control systems

Plant changes in runtime


In addition to the options for replacing failed components in runtime as described in the
section titled "Failure and replacement of components in runtime", the CPU (412-3H, 414-4H
or 417-4H) also supports a plant change without interrupting the running of the program.

Requirements
● The relevant hardware components are suitable for insertion and removal under voltage.
● Fault-tolerant system with CPU (412-3H, 414-4H or 417-4H) with firmware version V2.0.0
or later is available.

Use cases for plant changes


A plant change in which the hardware of the plant is changed occurs in the following cases:
● Hardware components of a fault-tolerant system are removed.
● Hardware components of a fault-tolerant system are added.
● Hardware components of a fault-tolerant system are replaced by non-identical
components.
A plant change always signifies a software change since the modified hardware is first
configured in HW Config and then downloaded to the CPU. The modified hardware is then
physically replaced, removed or added.
Similar to the events that occur when components are replaced, when the system is modified
in runtime, the functions of the modified components are taken over by the corresponding
redundant components. The running program is not interrupted.


Which components can be changed?

Changes and possible modifications:
● Changes in the CPU
– Editing CPU Parameters
– Changes to the memory components of the CPU
● Adding or removing modules in central racks
– Communication modules
– Interface modules (for example, IM 460, IM 461), only in no-voltage condition
● Adding or removing modules or components in distributed I/O modules
– DP slaves with redundant interface modules (for example, ET 200M, DP/PA Link, Y Link)
– Single-sided DP slaves in any DP master system
– Modules in modular DP slaves
– DP/PA Coupler
– PA devices (process automation)
– Use of a free channel or reassignment of a utilized channel on an existing module
● Changing the parameters settings for a module
– Changing parameters

Additional information
You can find detailed, step-by-step instructions on the procedure for plant changes in
runtime in the manual Automation System S7-400H; Fault-tolerant Systems.

Note
Refer to the procedure described for PCS 7 in the manual Automation System S7-400H;
Fault-tolerant Systems, section "Modifications to the System During Operation".
If you violate one or more rules in this procedure, the fault-tolerant system may respond in
ways that restrict its availability, up to and including failure of the entire process control
system.

The following is an overview of the descriptions. The procedures described for making
changes in runtime assume that the system is designed redundantly and that your aim is to
achieve this again.

For the procedure used to replace components ..., refer to the manual Automation System S7-400H; Fault-tolerant Systems in section ...
● Components
– Adding Components in PCS 7
– Removing Components in PCS 7
– Changes to the memory components of the CPU
● Parameter
– Editing CPU Parameters
– Changing the parameters settings for a module

6 Failure, Switchover and Return of Fault-tolerant Components

6.1 I/O

6.1.1 Failure of redundant interface modules

Functionality
Interface modules can be configured redundantly in the distributed I/O device (ET 200M, ET
200iSP). The interface modules provide the interface to the automation system through the
PROFIBUS DP. When there are two interface modules, in other words, the system has been
configured with "Redundancy", if one of the two modules fails, the other interface module
takes over the automation process without interruption.

Failure
If the active interface module fails, there is a bumpless failover to the redundant interface
module. In the failover, the master identification changes from the failed interface module to
the interface module that is now active.
If the redundant interface module fails, the master identification does not change.

Hot restart
When the failed interface module restarts, the redundant interface module keeps the master
identification. The master identification changes back to the now replaced or repaired
module only if the redundant interface module fails.


6.1.2 Failure of redundant I/O modules

Functionality
As soon as an error occurs in one of the redundantly configured modules, there is a
bumpless failover to the second module, which then takes over the signal processing.

Failure scenarios
The following faults may occur in a module:
● Hardware or power failure in the module
● Detected signal interference (e.g. wire break, discrepancy)
● Fault on the assigned bus line to an interface module
The driver blocks detect a disturbance:
● At the input signals:
The disturbed input module or, when channel selectivity is configured, the disturbed
channel is passivated and only the signal of the redundant modules is evaluated. A
module or channel is passivated when the function blocks can no longer access the
respective module or channel.
● At analog output modules:
Only analog output modules with power outputs can be operated redundantly
(0 to 20 mA, 4 to 20 mA). The value to be output is halved and each module outputs one
half of the value. If one module fails, the redundant module outputs the entire value.

Discrepancy with input modules


A discrepancy error at the input value occurs when there is a non-tolerated difference
between the input values after the configured discrepancy time has expired. The following
parameters should be set to configure the discrepancy:
● For digital input modules:
– Discrepancy time (maximum allowed time that the redundant input signals can differ)
● For analog input modules:
– Tolerance window (configured by the percent of the end value of the measuring range)
Two analog values are the same if they are within the tolerance window.
– Discrepancy time (maximum allowed time that the redundant input signals are outside
the tolerance windows)
– Value applied
The value applied is one of the two analog input values that is transferred in the user
program.
With discrepancy, information is entered in the diagnostics buffer and a corresponding
message is generated.
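
The discrepancy evaluation for redundant analog inputs and the halved value of redundant analog outputs described above can be modeled as follows. This Python model is an added example, not code from the manual or from the PCS 7 driver blocks; the class and function names, the "lower"/"higher" policy for the value applied and the sample trace are assumptions constructed for illustration.

```python
"""Discrepancy analysis for a redundant analog input pair and the halved
output of a redundant analog output pair (added model, constructed data)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DiscrepancyMonitor:
    range_end: float          # end value of the measuring range, e.g. 20.0 mA
    tolerance_pct: float      # tolerance window in percent of range_end
    discrepancy_time: float   # seconds the inputs may stay outside the window
    applied: str = "lower"    # assumption: "lower" or "higher" value is applied
    diagnostics: List[str] = field(default_factory=list)
    _outside_since: Optional[float] = None
    _reported: bool = False

    def window(self) -> float:
        return self.range_end * self.tolerance_pct / 100.0

    def evaluate(self, t: float, a: Optional[float],
                 b: Optional[float]) -> Tuple[Optional[float], bool]:
        """Return (value applied, discrepancy error) for one sample.

        A channel passed as None is passivated, so only the redundant
        partner is evaluated and no comparison takes place.
        """
        if a is None or b is None:
            self._outside_since, self._reported = None, False
            return (b if a is None else a), False
        value = min(a, b) if self.applied == "lower" else max(a, b)
        if abs(a - b) <= self.window():          # the two values count as equal
            self._outside_since, self._reported = None, False
            return value, False
        if self._outside_since is None:          # difference just appeared
            self._outside_since = t
        error = (t - self._outside_since) > self.discrepancy_time
        if error and not self._reported:         # one diagnostics entry per event
            self.diagnostics.append(
                f"t={t}: discrepancy |{a} - {b}| > {self.window()}")
            self._reported = True
        return value, error


def redundant_output(value: float, a_ok: bool, b_ok: bool) -> Tuple[float, float]:
    """Split an output value across two redundant analog output modules.

    Both healthy: each outputs one half. One failed: the partner outputs the
    entire value. 0.0 stands for "no contribution" in this model.
    """
    if a_ok and b_ok:
        return value / 2, value / 2
    if a_ok:
        return value, 0.0
    if b_ok:
        return 0.0, value
    return 0.0, 0.0


# Constructed trace: (time in s, input A in mA, input B in mA); None = passivated.
SAMPLES = [
    (0.0, 12.0, 12.1),   # inside the 1.0 mA window
    (0.5, 12.0, 13.5),   # difference appears, timer starts
    (1.5, 12.0, 13.7),   # 1.0 s outside: still tolerated
    (2.0, 12.0, 13.8),   # 1.5 s outside: discrepancy error
    (2.5, 12.0, 13.8),   # error persists, no second diagnostics entry
    (3.0, None, 13.8),   # channel A passivated: only B is evaluated
]


def run_trace(monitor: DiscrepancyMonitor, samples=SAMPLES):
    return [(t,) + monitor.evaluate(t, a, b) for t, a, b in samples]


if __name__ == "__main__":
    mon = DiscrepancyMonitor(range_end=20.0, tolerance_pct=5.0, discrepancy_time=1.0)
    for row in run_trace(mon):
        print(row)
    print(mon.diagnostics)
    print(redundant_output(16.0, True, True), redundant_output(16.0, False, True))
```

The model does not latch the error or decide which channel to passivate after a discrepancy, because the text above does not specify either.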


Depassivation
Passivated modules or, when channel selectivity is configured, passivated channels are
depassivated with the following events:
● When the H system starts up
● When the operating state of the H system changes to "Redundant"
● Following a system modification in runtime
● Following depassivation via the maintenance station
● Following a prompt from the user program via an acknowledgement signal, for example,
on an OS with a "Depassivation" button at the block
● After pulling/plugging a module
● Following a diagnostic interrupt (e.g. wire break, measured value)

Additional information
● Online Help for STEP 7
● Manual Automation System S7-400H; Fault-tolerant Systems
● Manual Process Control System PCS 7; PCS 7 OS Process Control


6.2 Automation system

6.2.1 Failure of the master CPU

Functionality
The initial situation is that the S7-400H is in "Redundant" system mode. The processing of
the user program is synchronized on both CPUs of the H system and, for example, CPU0 is
the master CPU and CPU1 is the backup CPU. Event-driven synchronization ensures that
the backup CPU will always continue processing without interruption if the master CPU fails.

Example: Failure of the master CPU


If CPU0 fails, for example, the following LEDs light up on CPU1:
● REDF = Redundancy loss
● IFM1F = Interface fault interface module 1
This indicates the first fiber-optic cable of the synchronization line.
● IFM2F = Interface fault interface module 2
This indicates the second fiber-optic cable of the synchronization line.
The H system switches to "Solo" system mode. CPU1 ensures uninterrupted processing of
the user program. CPU1 is now the master CPU. The H system is no longer in "Redundant"
system mode. If CPU1, now operating in solo mode, fails, the entire system goes down.

Example: Reintegration of the failed master CPU


When the failed CPU0 is reintegrated, it does not become the master CPU. The master CPU
always performs the link-up and update of the reintegrated CPU0. Both processes are
necessary in order to check and synchronize the data in the memory of the master CPU and
the backup CPU. CPU0 then goes to RUN mode. Now the system is once again in
"Redundant" mode.


6.2.2 Failure of a fiber-optic cable

Requirements for the example


● The S7-400H is in "Redundant" system mode in the starting scenario.
● The CPU in Rack 0 is the Master CPU and the CPU in Rack 1 is the backup CPU.
● The mode selectors of both CPUs are set to RUN or RUN P.

Example: Failure of a fiber-optic cable


If a fiber-optic cable fails, the REDF LED and the IFM1F or IFM2F LED light up on the two
CPUs depending on the location of the fiber-optic cable failure. The H system goes to "Solo"
system mode and the user program continues to be processed by the master CPU used up
to this point (CPU0).

Example: Reintegration of the CPU in rack 1


Once the defective fiber-optic cable has been replaced and connected to both CPUs, you
must restart the backup CPU that is in STOP mode, i.e., CPU in Rack 1.
There are several options available to you:
● You have access to the automation system:
Turn the key switch on the failed CPU from its current position to STOP and then to the
most recent setting (RUN, RUN-P).
● You have an MPI connection to the H system:
In the "Operating Mode" dialog box, restart the CPU in Rack 1, which is in STOP mode.
– Open the PCS 7 project on an ES and select a CPU in the right window pane.
– Open the shortcut menu with a right click and open the "Operating Mode" dialog box
with the menu command PLC > Operating Mode.


● You have an Industrial Ethernet connection to the H system:
In the "Operating Mode" dialog box, restart the CPU in Rack 1, which is in STOP mode.
– Open the PCS 7 project on an ES, click the "Online" icon in the task bar of SIMATIC
Manager and select a CPU in the right window pane.
– Open the shortcut menu with a right click and open the "Operating Mode" dialog box
with the menu command PLC > Operating Mode.
● Select the CPU in Rack 1 and click "Warm restart".

The CPU in Rack 1 links up again and performs an update. The system is then in
"Redundant" mode again.


Result
When the CPU in Rack 1 is back online, the "Operating mode" dialog box appears as
follows:


6.3 Communication

6.3.1 Failure of redundant bus components

Functionality
As soon as a fault occurs on a transmission path, the second transmission path takes over
and forwards the signals.

Failure scenarios
The following problems can occur on a bus component:
● Defective bus component (e.g., CP, coupler, AFD, AFS, cable)
● Problem on a bus line (e.g., overload, wire break)

Additional information
● Manual SIMATIC Net Twisted Pair and Fiber-Optic Networks
● Manual SIMATIC NET; Industrial Ethernet OSM/ESM
● Manual SIMATIC Net PROFIBUS Networks
● Manual SIMATIC; Communication with SIMATIC
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-200
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-300
● Operating Instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400


6.4 OS server

6.4.1 Failure, failover and restarting of redundant OS servers

Introduction
This section describes the criteria by which the master/standby identification of an OS server
changes. Examples are given to illustrate how the system reacts to failures.

Note
Information on updating operator stations with redundant OS servers in runtime can be found
in "guidelines on updating a redundant OS in runtime (Page 200)".

Fault scenarios
● The project is not activated on the redundant OS partner server.
● The network connection from the OS server to the redundant OS partner is disrupted.
● The network connection to the OS clients is disrupted.
● The process connection to the AS is disrupted.

Reaction of WinCC redundancy to possible faults


WinCC redundancy can react to faults, errors or error messages in the following ways:
● By saving events and the time they occurred
● By synchronizing the archives of the process data (Tag Logging), the message data
(Alarm Logging) and the user data (User Archives) with the archive data of the active OS
server when the failed server comes back online.
● By changing the system tags "@RM_MASTER" and "@RM_MASTER_NAME" according
to the situation.
● By automatically interconnecting the OS clients to the preferred server or to the available
OS server with master identification. The "@RM_SERVER_NAME" tag on an OS client
indicates the OS server to which this OS client is currently connected.
● By generating process control messages in the message list.
The fault scenarios listed above and the resulting reactions by WinCC Redundancy are
described in the following.


Example configuration

[Figure: example configuration showing OS clients on the terminal bus, an OS server and its OS partner server (each with a WinCC project and database) coupled by WinCC Redundancy with archive synchronization when the server is back online, the master ID tag @RM_Master on each server, and the redundant plant bus]


Startup of an OS server pair


Generally, the following applies: An OS server pair consists of the OS server and its
OS partner server. The two PCs are configured with WinCC Redundancy in a redundant
grouping.
When the OS server pair starts up, WinCC Redundancy first checks which of the two
OS servers is to be assigned the master identification. This depends on which OS server
starts up first.
● If one OS partner server is active already when the other comes online, the second
OS server receives the standby identification.
● If no other OS server is active when an OS server starts up, it is assigned the master
identification.
The internal WinCC tag @RM_MASTER is set to identify the master OS server. The internal
WinCC tag @RM_MASTER is reset to identify the standby OS server.
The "@RM_MASTER_NAME" tag contains the name of the OS server, for example,
"Server 1". You can display this tag, for example, in an I/O field of a Graphics Designer
picture. Other applications or scripts can also evaluate these tags. The "@RM_MASTER" tag
can also be changed.

WinCC project is deactivated


A functionally equivalent WinCC project is activated on both OS servers. If the WinCC
project is deactivated on OS Server 1 (master identification), WinCC Redundancy triggers
the following reactions:
● OS Server 2 (standby identification) saves the time of the failure (date and time of day) of
OS Server 1 (master identification).
● OS Server 2 reports the failure of OS Server 1 with a process control message in the
process control list.
● OS Server 2 now takes over the role of the master by setting the @RM_MASTER tag.
The @RM_MASTER_NAME tag is changed accordingly.
● If the WinCC project is activated again on OS Server 1, OS Server 1 is set as the standby
and the @RM_MASTER tag is reset. The @RM_MASTER_NAME tags are changed
accordingly.
Gaps in the archive data occur on OS Server 1 during the time it is inactive. As soon as
OS Server 1 returns, the gaps in the data are remedied by the following measures:
● OS Server 2 saves the date and the time of day, marking the return of OS Server 1.
● OS Server 2 reports the return of OS Server 1 with a process control message in the
message list.
● The data gaps in the message, process data and user archives of OS Server 1 are filled
by the data from the OS Server 2 memory. Conditions: The options "Synchronization of
Tag Logging after the partner server comes back online" and "Synchronization of Alarm
Logging after the partner server comes back online" must be enabled in the
"Redundancy" dialog box for this.
● The @RM_MASTER tags remain unchanged in both servers:
– OS Server 2 keeps the master identification.
– The @RM_MASTER tag remains set.
– The @RM_MASTER tag for OS Server 1 is reset.


Disrupted network connection to the OS partner server


A disrupted network connection is only detected in the redundancy scheme when:
● There is a fault in the spur line.
● There is a defective connector or network adapter.

[Figure: PC station with network card, connected via a stub and a switch to the bus]

The terminal bus as a whole and the communication between the AS and OS servers
remains unaffected.
Both OS servers are started and begin processing an activated WinCC project. If a
disruption in the network connection to the OS partner server occurs in this situation,
WinCC Redundancy reacts as follows:
● Both OS servers save the date and time of day of the failure.
● Both OS servers report the failure with a process control message in the message list.
● If the disrupted OS server is a master, the master/standby identification changes.
During the connection failure no online synchronization for alarm logging, operation
messages and user archives can be performed between the two OS servers. As soon as the
connection is restored, this is remedied by the following actions:
● Both OS servers save the date and time of day of the restored connection.
● Both OS servers report the return with a process control message in the message list.
● Data from the alarm logging, tag logging and the user archives accumulated during the
connection failure are transmitted to the returning OS server.
● The @RM_MASTER and @RM_MASTER_NAME tags remain unchanged in both
servers.


Disrupted network connection between the OS client and the OS server


An OS server and the OS client connected to it are processing an activated WinCC project.
A redundant OS partner server has been configured for the OS server in WinCC
Redundancy. The OS server is defined as the preferred server for the OS client. A disrupted
network connection to the OS server may result from a broken cable in the spur line from the
network to the OS client. The terminal bus as a whole remains unaffected.
If a connection failure occurs between the OS client and the OS server, WinCC Redundancy
triggers the following reactions:
● The OS client is automatically switched over from the failed OS server to its redundant
OS partner server because the preferred server specified for the OS client is not
available.
● When the failed OS server is available once again to the OS client, the OS client
automatically switches back to its preferred server.

Disrupted network connection to the AS


If a fault occurs on the plant bus connection between the OS server and the AS,
WinCC Redundancy reacts as follows:
● The disruption of the plant bus connection is reported to the OS partner server.
● The OS partner server receives the message that the OS server has failed.
● The OS partner server saves the date and the time of day of the OS server failure.
● An OS client is automatically switched over from the failed OS server to its redundant
OS partner server. Condition: The "WinCC client switch in case of a process connection
error" option must be selected in the "Redundancy" dialog box for this.
When the process connection to the OS server is restored, the missing data in the archive of
the OS server is updated by the procedure described below. Condition: The
"Synchronization after process connection error" option must be selected in the "General"
tab of the "Redundancy" dialog box for this.
● The OS partner server saves the date and the time of day marking the return of the
OS server.
● The data gaps in the archives of the failed OS server are updated by the data from the
memory of the OS partner server. The process data of all automation systems (even
those that have not failed) are synchronized.
● When the process connection is restored, this is announced by a process control
message in the message list.

Additional information
● Online help for WinCC


6.5 BATCH Server

6.5.1 Reaction of BATCH servers to failure

Functionality
BATCH applications and any configured WinCC applications are active on BATCH servers.
A BATCH client visualizes the batch data of the BATCH server to which it is connected.

Failure of the master BATCH server


If the master BATCH server fails, for example, due to an operating system failure or an
application error, the standby BATCH server detects that the master is no longer available
based on redundancy mechanisms and takes over the master role. The BATCH clients are
then automatically switched over from the master BATCH server to the standby
BATCH server.
The running BATCH program is automatically resumed after the failover to the redundant
BATCH server. The status is synchronized between the active BATCH server and the AS.
You have to manually trigger the BATCH program to continue if communication errors have
occurred.
In a replication solution, the databases on the master BATCH server and the standby
BATCH server are continually synchronized. If the BATCH servers switch over, the new
active BATCH server always has access to the latest BATCH data.

NOTICE
Data reliability
During the failover from the failed BATCH server to its redundant BATCH server, no
automation process data are visualized on a BATCH client. Operator inputs are also lost
during this brief period.

Additional information
● Manual Process Control System PCS 7; SIMATIC BATCH


6.6 Route Control server

6.6.1 Reaction of Route Control servers to failure

Functionality
Route Control applications and any configured WinCC applications are active on Route
Control servers. A Route Control client visualizes the route list of the Route Control server to
which it is interconnected.

Failure of the master Route Control server


If the master Route Control server fails, for example, due to failure of the operating system or
failure in an application, the standby Route Control server recognizes that the master is no
longer available based on redundancy mechanisms and takes over the role of master. The
Route Control clients then fail over automatically from the master Route Control server to the
standby Route Control server.
The running Route Control program is automatically resumed after the failover to the
redundant Route Control server. The current route requests are then taken over by the
redundant Route Control server and the visualization of the Route Control functions is
continued on the clients.
The status is synchronized between the active Route Control server and the AS. If
communication errors occurred, the Route Control program can only be continued manually.

NOTICE
Data reliability
During the failover from the failed Route Control server to its redundant Route Control
server, no data from the automation process is visualized on a Route Control client.
Operator inputs during this failover time are neither accepted nor executed.
The route can be controlled from a Route Control faceplate during the switchover of a
Route Control server.

Activating process mode of Route Control servers

Note
Please note that you need to activate process mode for redundant Route Control servers one
after the other.

Additional information
● Manual Process Control System PCS 7; SIMATIC Route Control


6.7 OS clients

6.7.1 Failover reactions of OS clients with permanent operability

Functionality
If the network for the configured OS server is interrupted, the process values on the OS
clients are no longer updated and process control is no longer possible. Other OS clients
connected to the redundant OS partner server are not affected by this. The plant operator
can therefore switch to these OS clients, if needed.

Example configuration

[Figure: example configuration for permanent operability showing two OS clients on the terminal bus, a redundant OS server pair (two OS servers), the plant bus and the automation systems]


Permanent operability
If OS Server 1 fails, OS Client 1 is connected to redundant OS Server 2. The identity of the
redundant partner server of OS Server 1 comes from the downloaded server data on the
OS client. OS Client 1 is not available during the failover to redundant OS Server 2.
However, if redundant OS Server 2 is specified as the preferred server for OS Client 2, you
can continue to operate the plant during the failover from the failed OS Server 1 to redundant
OS Server 2.
Once OS Server 1 becomes available again, OS Client 1 is connected to the returning
OS Server 1 because it is the configured preferred server.
Permanent operability is restored after the failover is complete. OS Client 1 is not available
for the duration of the failover to OS Server 1. OS Client 2 remains operable.
The status of the "@RM_Master" redundancy tag does not apply to the OS client with
preferred server configuration. The @RM_SERVER_NAME tag indicates the OS server to
which this OS client is currently connected.

Note
Information on updating operator stations with redundant OS servers in runtime can be found
in "Guidelines for updating a redundant OS in runtime".

Reaction of an OS client without a preferred server


If no "preferred server" is configured for the OS client in the "Configure Server Data" dialog
box, the OS client connects to the OS server of a redundancy configuration for which the
"@RM_Master" redundancy tag is set.
If the active OS server fails, its redundant OS partner server becomes the master server.
You can recognize which of the two redundant OS servers is currently acting as the master
server by the status of "@RM_Master" redundancy tag. You can trigger a manual switchover
by setting or resetting this tag. All OS clients then connect to the "new" master server.

Failover criteria of the OS client


The following faults trigger an OS client failover. It is not relevant here whether or not a
preferred server has been configured.
● The network connection to the redundant OS server is disrupted.
● The redundant OS server fails, e.g., due to power loss.
● The WinCC project of the redundant OS server is deactivated.
● A disruption of the network connection between OS server and AS, when the option
"WinCC client switch in case of a process connection error" is selected in the
"Redundancy" dialog box.

Additional information
● Online help for WinCC

6.8 BATCH clients

6.8.1 Failover reactions of BATCH clients

Functionality
If the master BATCH server fails, the BATCH clients automatically switch to the redundant
BATCH server.

Reactions during failover


During a failover, a message window is displayed on the screen of the BATCH client
indicating the failover. The BATCH client cannot be operated during this time. The message
window closes and the BATCH client can be operated only when the failover from the failed
BATCH server to the redundant BATCH server is complete.

Additional information
● Manual Process Control System PCS 7; SIMATIC BATCH

6.9 Route Control clients

6.9.1 Failover reaction of Route Control clients

Functionality
If the master Route Control server fails, the Route Control clients are automatically switched
over to the redundant Route Control server.

Reactions during failover


During a failover, a message window is displayed on the screen of the Route Control client
indicating the failover. The Route Control client cannot be operated during this time. The
message window closes and the Route Control client can be operated again only when the
failover from the failed Route Control server to the redundant Route Control server is
complete.

Note
The route can be controlled from a Route Control faceplate during the switchover of a Route
Control server.

Additional information
● Manual Process Control System PCS 7; SIMATIC Route Control

6.10 Guidelines for updating a redundant OS in runtime

6.10.1 Introduction

Introduction
Below, you will find guidelines for updating a redundant OS in runtime. This means that the
operation of the PCS 7 system is not disrupted, the AS does not change to STOP mode and
the automation process can continue to be operated and monitored.
The redundant OS is made up of the following components:
● Redundant OS server
● OS clients

Rules

CAUTION
Make sure that you keep to the described order to avoid disrupting operation of the PCS 7
system.

Note
Perform the steps described from Phase 1 to Phase 5 without extended interruptions.

Checking time synchronization


To avoid any jumps in time (UTC/local standard time) when "updating redundant systems in
runtime", check the time synchronization of the OS in the updated PCS 7 project on the ES:
1. Open SIMATIC Manager.
2. Select the OS in the component view.
3. Select the menu command Edit > Open Object.
WinCC Explorer opens.
4. Click the "Computer" object in the tree view.
5. Select the menu command Edit > Properties.
The "Computer Properties" dialog box opens.
6. Select the "Parameters" tab.
7. Select the "The PLC is set to coordinated world time (UTC)" check box in the "PLC clock
setting" area.

Objectives of the update


● The automation system remains uninterrupted in RUN mode.
● The process remains controllable at all times.

Sequence of the Update


Updating involves five phases:

Phase      Action
Phase 1    Updating Server_2
Phase 2    Updating the OS clients interconnected with Server_2
Phase 3    Downloading the connections, gateways and changes to the AS
Phase 4    Updating the OS clients interconnected with Server_1
Phase 5    Updating Server_1

The procedure described below must be repeated for all client-server relationships in the
system, as appropriate.
● If you have several redundant OS servers, first update only the OS clients interconnected
with the standby server that has already been updated or that have defined it as their
preferred server.
● Then update the OS clients that are interconnected with the master server or that have
defined it as their preferred server.

6.10.2 Overview of the required tasks

Introduction
You update the redundant OS in runtime in five phases. Each phase is broken down into
individual steps.
This section gives an overview of the steps required in the five phases. You will find
more detailed instructions for each phase in the following sections.

Initial situation
● Server_1 is master server.
● Server_2 is standby server.
● OS Client_1 is connected to Server_1. OS Client_1 represents all OS clients connected to
Server_1.
● OS Client_2 is connected to Server_2 because this is configured as its preferred server.
OS Client_2 represents all OS clients connected to Server_2.

Requirements
● The updating of the PCS 7 project for the ES has been completed and all settings for the
configured mode have been made. The configuration data have been loaded on the ES
from NetPro.
● All OS servers and all OS clients are running PCS 7 V6.x or higher.

Overview of the required tasks

CAUTION
Make sure that you keep to the described order to avoid disrupting operation of the PCS 7
system.

Note
Perform the steps from Phase 1 to Phase 5 without interruptions.

Phase 1: Updating Server_2
1. Server_2: Deactivate and exit WinCC
2. Server_2:
   – Back up PCS 7 project
   – Back up the operating system and PCS 7 software installation (if you are
     updating the PCS 7 software)
3. Server_2: Install server operating system, PCS 7 installation "OS Server"
   (if you are updating the PCS 7 software)
4. Server_1 and Server_2: Deactivate applications, evaluate @RM_MASTER
5. ES: Download OS connection data and target system
6. Server_2: Start WinCC
7. Server_2: Check and save the "Redundancy" dialog box
8. Server_2: Check and save the "Time Synchronization" dialog box
9. Server_2: Activate WinCC Runtime
10. Other redundant OS server pairs: Perform steps 1 through 9

Phase 2: Updating the OS clients interconnected with Server_2
1. OS Client_2: Deactivate and exit WinCC
2. OS Client_2:
   – Back up PCS 7 project
   – Back up the operating system and PCS 7 software installation (if you are
     updating the PCS 7 software)
3. OS Client_2: Install server operating system, PCS 7 installation "OS Client"
   (if you are updating the PCS 7 software)
4. ES: Download to OS target system
5. OS Client_2: Activate

Phase 3: Downloading the connections, gateways and changes to the AS
1. ES: Download NetPro connections and gateways to the AS
2. ES: Download CFC charts to the AS

Phase 4: Updating the OS clients interconnected with Server_1
1. OS Client_1: Deactivate and exit WinCC
2. OS Client_1:
   – Back up PCS 7 project
   – Back up the operating system and PCS 7 software installation (if you are
     updating the PCS 7 software)
3. OS Client_1: Install server operating system, PCS 7 installation "OS Client"
   (if you are updating the PCS 7 software)
4. ES: Download to OS target system

Phase 5: Updating Server_1
1. Server_1: Deactivate and exit WinCC
2. OS Client_1: Activate
3. Server_2: Reactivate applications, evaluate @RM_MASTER
4. Server_1:
   – Back up PCS 7 project
   – Back up the operating system and PCS 7 software installation (if you are
     updating the PCS 7 software)
5. Server_1: Install server operating system, PCS 7 installation "OS Server"
   (if you are updating the PCS 7 software)
6. ES: Download OS connection data and OS target system
7. Server_1: Start WinCC
8. Server_1: Check and save the "Redundancy" dialog box
9. Server_1: Check and save the "Time Synchronization" dialog box
10. Server_1: Activate WinCC Runtime
11. Server_1: Reactivate applications, evaluate @RM_MASTER
12. Other redundant OS server pairs: Perform steps 22 through 32

Result
When you have completed all the steps, your system has the following status:
● Updated Server_1 is standby server.
● Updated Server_2 is master server.
● Updated previous OS Client_1 is connected to its preferred server Server_1.
● Updated previous OS Client_2 is connected to its preferred server Server_2.
The updating of your redundant operator stations is complete.

6.10.3 Phase 1: Updating Server_2

Introduction
In the first phase, you update redundant Server_2. In this way, you avoid an unnecessary
failover for OS clients that have no preferred server configured.
You can find additional information about redundancy synchronization in WinCC Information
System > Configurations > Redundant Systems.
During the steps involved in Phase 1, your system continues to work with only one server.
The system remains controllable from the OS clients that have not yet been updated. If this
server fails, the automation system can no longer be controlled.

CAUTION
Make sure that you keep to the described order to avoid disrupting operation of the system.

Note
Perform the steps from Phase 1 to Phase 5 one after the other.

Initial situation before phase 1


● Server_1 is master server.
● Server_2 is standby server.
● OS Client_1 is connected to Server_1.
● OS Client_2 is connected to Server_2 because this is configured as its preferred server.

Requirements
● The PCS 7 project you are updating has already been updated on the ES.
● When using an archive server:
– If you are using "StoragePlus", make sure that it is not swapped out and finished.
We recommend that you change over to a central archive server.
– Synchronization of the archive must be complete to ensure that the process data
(RT data) are consistent.

Procedure - Phase 1
Note that you will need to work alternately on Server_1 and Server_2.
1. Server_2: Deactivate and exit WinCC
● Deactivate WinCC Runtime and exit WinCC on the standby Server_2.
The system reacts as follows:
– OS Client_1 remains interconnected with Server_1.
– OS Client_2, which has Server_2 configured as the preferred server, changes over to
Server_1.
– Server_1 detects a failure due to Server_2 being deactivated. If you have configured
system messages, Server_1 generates a process control message to this effect.
2. Server_2: Back up the PCS 7 project, back up the operating system and PCS 7 software
installation
● Back up your previous operating system, the previous PCS 7 software installation (if you
are updating PCS 7 software) and your current PCS 7 project as a fallback strategy.
3. Server_2: Install server operating system, PCS 7 installation "OS Server"
(if you are updating the PCS 7 software)
● Install the server operating system (you can find information about this in the manual
Process Control System PCS 7; PC Configuration and Authorization).
An OS server operates only with the following server operating system:
– Windows Server 2003
● Install the necessary PCS 7 components.
In the PCS 7 Setup, select the "OS Server" check box in the "Program Packages" dialog
box.
● Make the necessary settings.
Note that Windows administration of PCs should be performed by a Windows administrator.
You can find a detailed description of the PCS 7 installation and the required PCS 7-specific
settings for PC stations in the manual Process Control System PCS 7; PC Configuration and
Authorization.
4. Server_1 and Server_2: Deactivate applications, evaluate @RM_MASTER
If you decide to evaluate the status of the redundant OS server in the updated PCS 7 project
via the @RM_MASTER system tag, you will need to deactivate the relevant applications and
scripts on both redundant OS servers.
If the previous standby server Server_2 is activated, it becomes the master server in the
updated PCS 7 project. This would result in two master servers in the system, so that the
@RM_MASTER system variable cannot be evaluated unequivocally.
5. ES: Download OS connection data and OS target system
● Open NetPro and download the connection data from the ES to Server_2.
● Right-click on the OS to be transferred in the open PCS 7 project below the WinCC
application. Select the menu command PLC > Download to Current Project > Selected
Station in the shortcut menu.
This starts the transfer from the ES to Server_2.
6. Server_2: Start WinCC
● Start WinCC on Server_2.

7. Server_2: Check and save the "Redundancy" dialog box


● Open the "Redundancy" editor and check the settings in the dialog box. Click "OK" to exit
the dialog box even if you have made no changes.

8. Server_2: Check and save the "Time Synchronization" dialog box


● Open the "Time Synchronization" editor and check the settings in the dialog box. Click
"OK" to exit the dialog box even if you have made no changes.

9. Server_2: Activate WinCC Runtime


● Activate WinCC Runtime on Server_2.
The system reacts as follows:
– There is no server failover. Depending on the configuration, the activated Server_2
becomes the standby or master server.
– All OS clients still receive their visualization data from OS server Server_1, which has
not yet been updated.
10. Other redundant OS server pairs: Repeat steps 1 to 9
● If you are using more than one redundant OS server pair, you must first update standby
server Server_2 for each.
● Perform steps 1 through 9 for each Server_2.

Result after Phase 1


● Server_2 is updated and not connected to any OS clients.
● Server_1 is the master server in the PCS 7 project being updated.
● Server_2 can be either master or standby depending on the configuration.
● The archives will be synchronized between Server_1 and Server_2.
● OS Client_1 is connected to Server_1.
● OS Client_2 is connected to Server_1. OS Client_2 cannot access the upgraded
Server_2 as the preferred server.

6.10.4 Phase 2: Updating OS clients interconnected with Server_2

Introduction
In Phase 2, you update the OS clients that were interconnected with Server_2.
The system can be controlled at all times using OS Client_1, which is interconnected with the
not-yet-updated Server_1.
The same PCS 7 version is running on the active OS server Server_1 and on OS Client_1.
Mixed operation between OS clients and OS servers of different PCS 7 versions is not
possible.
Archive data and messages that have accrued on OS server Server_1 during the update
process only become available on OS server Server_2 once the archives of the two servers
have been synchronized. The archives can only be synchronized after both OS servers have
been updated and have the same PCS 7 version.

CAUTION
Make sure that you keep to the described order to avoid disrupting operation of the system.

Note
Perform the steps from Phase 1 to Phase 5 one after the other.

Initial situation before phase 2


● Server_1 is master server in the PCS 7 project.
● Depending on the configuration, updated Server_2 is master or standby in the updated
PCS 7 project.
● OS Client_1 is connected to Server_1.
● OS Client_2 is connected to Server_1. OS Client_2 cannot access the upgraded
Server_2 as the preferred server.

Requirement
The PCS 7 project you are updating has already been updated on the ES.

Procedure - Phase 2
11. OS Client_2: Deactivate and exit WinCC
● Deactivate WinCC Runtime and exit WinCC on OS Client_2.
12. OS Client_2: Back up the PCS 7 project, back up the operating system and PCS 7
software installation
● Back up your previous operating system, the previous PCS 7 software installation (if you
are updating PCS 7 software) and your current PCS 7 project as a fallback strategy.
13. OS Client_2: Install server operating system, PCS 7 installation "OS Client"
(if you are updating the PCS 7 software)
● Install the server operating system (you can find information about this in the manual
Process Control System PCS 7; PC Configuration and Authorization).
An OS client can only run with the following operating systems:
– Windows XP Professional
– Windows Server 2003
● Install the necessary PCS 7 components.
In the PCS 7 Setup, select the "OS Client" check box in the "Program Packages" dialog
box.
● Make the necessary settings.
Note that Windows administration of PCs should be performed by a Windows administrator.
You can find a detailed description of the PCS 7 installation and the required PCS 7-specific
settings for PC stations in the manual Process Control System PCS 7; PC Configuration and
Authorization.
14. ES: Download to OS target system
● Right-click on the OS to be transferred in the open PCS 7 project below the WinCC
application. Select the menu command PLC > Download in the shortcut menu. This
downloads the project for OS Client_2 from the ES to the relevant OS.
15. OS Client_2: Activate
● Start WinCC on OS Client_2.
● Activate WinCC Runtime.
The system reacts as follows:
● OS Client_2 connects with the upgraded Server_2.
● As soon as Server_2 is standby, it becomes the master.

Result after Phase 2


● OS Client_1 remains connected to Server_1.
● Updated OS Client_2 is connected to its preferred server Server_2.
● The system can be controlled from all OS clients.
● Server_2 is master.

6.10.5 Phase 3: Downloading the connections, gateways and changes to the AS

Introduction
In Phase 3, connections, gateways and CFC charts are downloaded to the AS from NetPro
by downloading changes only.

Initial situation before phase 3


● Server_2 is updated and WinCC Runtime has been started.
● The updated OS Client_2 is connected to updated Server_2 and WinCC Runtime is
activated.
● The system can be controlled from all clients.

Requirement
The PCS 7 project you are updating has already been updated on the ES.

Procedure - Phase 3
16. ES: Transfer NetPro connection data and gateways to the AS
● Open NetPro and select your AS. Select the menu command PLC > Download to Current
Project > Connections and Gateways.
● Select the CPU you want to download to in the "Select Target Module" dialog box and
exit the dialog box by clicking "OK".
17. ES: Download CFC charts to the AS
If there was no download to the AS during the project update, you will now need to download
to the AS.
● Select an AS in SIMATIC Manager.
● Select the menu command CPU > Download.
● Select the "Changes only" check box.

Note
If you select the "Include user data blocks" check box, the user data blocks on the AS are
overwritten. You can find additional information in the online help for the "S7 Download"
dialog box.

● Close the dialog box by clicking "OK".


Repeat the steps for downloading to the AS for each AS in the project.

The system reacts as follows:


● The system can be controlled and monitored from all clients.

Result after Phase 3


● OS Client_1 remains connected to Server_1.
● Updated OS Client_2 is connected to its preferred server Server_2.
● The system can be controlled from all updated servers/clients.

6.10.6 Phase 4: Updating the OS clients interconnected with Server_1

Introduction
In Phase 4, you update the OS clients that are interconnected with master server Server_1.
The system can be controlled at all times using OS Client_2, which is interconnected with
Server_2 (the updated previous standby server). The same PCS 7 version is running on
active Server_2 and on OS Client_2.

CAUTION
Make sure that you keep to the described order to avoid disrupting operation of the system.

Note
Perform the steps from Phase 1 to Phase 5 one after the other.

Initial situation before phase 4


● OS Client_1 is connected to Server_1.
● Updated OS Client_2 is connected to its preferred server Server_2.

Requirement
The PCS 7 project you are updating has already been updated on the ES.

Procedure - Phase 4

Note
The procedure in phase 4 is essentially the same as in phase 2. In phase 4, however, OS
Client_1 is updated.

18. OS Client_1: Deactivate and exit WinCC


● Deactivate WinCC Runtime and exit WinCC on OS Client_1.
19. OS Client_1: Back up the PCS 7 project, back up the operating system and PCS 7
software installation
● Back up your previous operating system, the previous PCS 7 software installation (if you
are updating PCS 7 software) and your current PCS 7 project as a fallback strategy.
20. OS Client_1: Install server operating system, PCS 7 installation "OS Client"
(if you are updating the PCS 7 software)
● Install the server operating system (you can find information about this in the manual
Process Control System PCS 7; PC Configuration and Authorization).
An OS client can only run with the following operating systems:
– Windows XP Professional
– Windows Server 2003
● Install the necessary PCS 7 components.
In the PCS 7 Setup, select the "OS Client" check box in the "Program Packages" dialog
box.
● Make the necessary settings.
Note that Windows administration of PCs should be performed by a Windows administrator.
You can find a detailed description of the PCS 7 installation and the required PCS 7-specific
settings for PC stations in the manual Process Control System PCS 7; PC Configuration and
Authorization.
21. ES: Download to OS target system
● Right-click on the OS to be transferred in the open PCS 7 project below the WinCC
application.
● Select the menu command PLC > Download in the shortcut menu. This downloads the
project for OS Client_1 from the ES to the relevant OS.

The system reacts as follows:


● Single Client_1 is connected to Server_2 or deactivated.

Result after Phase 4


● Server_1 is master server.
● Updated Server_2 is master server.
● Updated OS Client_2 is connected to its preferred server Server_2.
● Updated OS Client_1 is deactivated.

6.10.7 Phase 5: Updating Server_1

Introduction
In Phase 5, you update Server_1. Server_2 becomes the new master server because
redundancy is activated in the "Redundancy" dialog box but no partner server is available.
While you perform the steps in phase 5, your system runs only with Server_2. The system
remains controllable from the OS clients that were updated in phases 2 and 4.

CAUTION
Make sure that you keep to the described order to avoid disrupting operation of the system.

Note
Make sure that at least one updated OS client is interconnected with Server_2. If no OS
client is interconnected with Server_2, your system is not controllable while you are updating
Server_1.
Perform the steps from Phase 1 to Phase 5 one after the other.

Initial situation before phase 5


● Server_1 is master server.
● Updated Server_2 is master server.
● Updated OS Client_1 is deactivated.
● Updated OS Client_2 is connected to its preferred server Server_2.

Requirements
● The PCS 7 project you are updating has already been updated on the ES.
● If you are using storage (StoragePlus), make sure that storage is not swapped out and
finished.

Procedure - Phase 5
22. Server_1: Deactivate and exit WinCC
● Deactivate WinCC Runtime on Server_1 (master server).
● Exit WinCC on Server_1.
23. OS Client_1: Activate
● Start WinCC on OS Client_1.
● Activate WinCC Runtime.
24. Server_2: Reactivate applications, evaluate @RM_MASTER
If you evaluate the status of the redundant OS servers in the updated PCS 7 project using
the @RM_MASTER system variable, you can reactivate the relevant applications on the
updated Server_2.
Within the system, Server_2 is still the only master server.
25. Server_1: Back up the PCS 7 project, back up the operating system and PCS 7 software
installation
● Back up your previous operating system, the previous PCS 7 software installation (if you
are updating PCS 7 software) and your current PCS 7 project as a fallback strategy.
26. Server_1: Install server operating system, PCS 7 installation "OS Server"
(if you are updating the PCS 7 software)
● Install the server operating system (you can find information about this in the manual
Process Control System PCS 7; PC Configuration and Authorization).
An OS server operates only with the following server operating system:
– Windows Server 2003
● Install the necessary PCS 7 components.
In the PCS 7 Setup, select the "OS Server" check box in the "Program Packages" dialog
box.
● Make the necessary settings.
Note that Windows administration of PCs should be performed by a Windows administrator.
You can find a detailed description of the PCS 7 installation and the required PCS 7-specific
settings for PC stations in the manual Process Control System PCS 7; PC Configuration and
Authorization.
27. ES: Download OS connection data and OS target system
● Open NetPro and download the connection data from the ES to Server_1.
● Right-click on the OS to be transferred in the open PCS 7 project below the WinCC
application. Select the menu command PLC > Download in the shortcut menu. This starts
the transfer from the ES to Server_1.
28. Server_1: Start WinCC
● Start WinCC on Server_1.
29. Server_1: Check and save the "Redundancy" dialog box
● Open the "Redundancy" editor and check the settings in the dialog box. Click "OK" to exit
the dialog box even if you have made no changes.

30. Server_1: Check and save the "Time Synchronization" dialog box
● Open the "Time Synchronization" editor and check the settings in the dialog box. Click
"OK" to exit the dialog box even if you have made no changes.
31. Server_1: Activate WinCC Runtime
● Activate WinCC Runtime on Server_1.
32. Server_1: Reactivate applications, evaluate @RM_MASTER
If you evaluate the status of the redundant OS servers in the updated PCS 7 project using
the @RM_MASTER system variable, you can reactivate the relevant applications on the
updated Server_1.
Within the system, Server_2 is still the only master server.
33. Other redundant OS server pairs: Perform steps 22 through 32
If you are using more than one redundant OS server pair, repeat steps 22 through 32 for
each Server_1.

The system reacts as follows:


● Server_1 becomes standby server.

Result after Phase 5


● Updated Server_1 is standby server.
● Updated Server_2 is master server.
● Updated OS Client_1 is connected to its preferred server Server_1.
● Updated OS Client_2 is connected to its preferred server Server_2.
The updating of your redundant operator stations is complete.
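
The ordering rule behind the five phases can be checked mechanically. The following Python model is an added example, not part of the manual or of PCS 7: it replays the state-changing steps of Phases 1 to 5 and reports which OS clients can still operate the plant after each step. The version labels, the names, the out-of-order sequence and the simplified connection rule (a client needs an activated server of its own PCS 7 version and uses its preferred server when possible) are assumptions; master/standby roles are not modelled.

```python
"""Model of the five-phase runtime update of a redundant OS (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Station:
    version: str = "old"              # assumed labels: "old" / "new" PCS 7 version
    runtime: bool = True              # WinCC Runtime activated
    preferred: Optional[str] = None   # preferred server (clients only)


def initial_plant():
    """Initial situation: both servers and both clients run the old version."""
    servers = {"Server_1": Station(), "Server_2": Station()}
    clients = {"OS Client_1": Station(preferred="Server_1"),
               "OS Client_2": Station(preferred="Server_2")}
    return servers, clients


def serving(client, servers):
    """Return the server a client is connected to, or None.

    Simplified rule: no mixed operation between versions; the preferred
    server is used when it is usable, otherwise its redundant partner.
    """
    if not client.runtime:
        return None
    usable = [name for name, s in servers.items()
              if s.runtime and s.version == client.version]
    if client.preferred in usable:
        return client.preferred
    return usable[0] if usable else None


def operable_clients(servers, clients):
    """Names of the clients from which the plant can currently be operated."""
    return sorted(n for n, c in clients.items() if serving(c, servers))


DOCUMENTED = [
    # Phase 1: update the standby Server_2
    ("Server_2", "deactivate"), ("Server_2", "update"), ("Server_2", "activate"),
    # Phase 2: update the clients interconnected with Server_2
    ("OS Client_2", "deactivate"), ("OS Client_2", "update"),
    ("OS Client_2", "activate"),
    # Phase 3 (download to the AS) changes no OS station state.
    # Phase 4: update the clients of Server_1; they stay deactivated
    ("OS Client_1", "deactivate"), ("OS Client_1", "update"),
    # Phase 5: update Server_1; OS Client_1 is activated right after step 1
    ("Server_1", "deactivate"), ("OS Client_1", "activate"),
    ("Server_1", "update"), ("Server_1", "activate"),
]

# Constructed counter-example: Server_1 is taken down directly after Phase 1,
# before any OS client runs the new version.
OUT_OF_ORDER = DOCUMENTED[:3] + DOCUMENTED[8:] + DOCUMENTED[3:8]


def run(sequence):
    """Apply the steps; return (trace, servers, clients) with the final state."""
    servers, clients = initial_plant()
    stations = {**servers, **clients}
    trace = []
    for name, action in sequence:
        station = stations[name]
        if action == "deactivate":
            station.runtime = False
        elif action == "update":
            if station.runtime:
                raise ValueError(f"{name} must be deactivated before the update")
            station.version = "new"
        elif action == "activate":
            station.runtime = True
        else:
            raise ValueError(f"unknown action {action!r}")
        trace.append((f"{name}: {action}", operable_clients(servers, clients)))
    return trace, servers, clients


def uncontrollable_steps(sequence):
    """Steps after which no OS client can operate the plant."""
    trace, _, _ = run(sequence)
    return [label for label, operable in trace if not operable]


if __name__ == "__main__":
    for label, operable in run(DOCUMENTED)[0]:
        print(f"{label:28} operable: {', '.join(operable) or 'NONE'}")
    print("out of order, no operator access after:",
          uncontrollable_steps(OUT_OF_ORDER))
```

In the documented order at least one OS client stays operable after every step; in the constructed out-of-order run, operator access is lost from the moment Server_1 is deactivated until an updated client is activated.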

7 Diagnostics
7.1 Diagnostics for redundant components and systems

Introduction
This chapter describes the testing and diagnostics features. You can use these features to
perform diagnostics for individual redundant components.

Diagnostics using software programs


PCS 7 offers the following diagnostic features:

Program/Application: Component/Diagnostic Feature

Maintenance Station (Asset Management):
The maintenance station of PCS 7 enables optimized asset management.
Central monitoring of all PCS 7 components with diagnostics capability:
• Operator control and monitoring stations (server and clients)
• Automation systems (CPU, CPs, input/output modules, etc.)
• Distributed I/O (ET 200M, ET 200iSP, etc.)
• Bus components (switches, repeaters, CPs)
• Diagnostics of redundant channels
• Master-standby configurations
• Communication connections

Diagnosing hardware:
• Reading out of the diagnostic buffer of the CPU and modules capable of diagnostics
• Communication properties, for example, CPs
• Displays of incoming process control messages in plain text

WinCC diagnostics:
• Status of logical connections
• Status of tags
• WinCC Channel Diagnostics

Lifebeat monitoring:
Monitoring of all
• OS-Server
• OS clients
• Automation systems

Task bar on the BATCH server:
• Status of redundant BATCH servers
• Status of the data replication on the standby server

Task bar on the Route Control server:
• Status of the redundant Route Control servers


Diagnostics using LEDs


The LED displays on the various redundant components enable you to determine the status
of the components on the spot.

Redundant Hardware: Diagnostic Feature

PS (power supply): LEDs
CPU (central processing unit): LEDs
CP (communication processor): LEDs
IM, interface module (DP interface module): LEDs
SM, signal module (digital/analog I/O module): LEDs

Additional information
● Manual Process Control System PCS 7; Service Support and Diagnostics
