Security information 1

Preface 2

Basics of high availability 3

SIMATIC
High availability solutions in
PCS 7 4
Process Control System PCS 7
High Availability Process Control Advantages of high
availability components 5
Systems (V9.0)
Replacing components and
Function Manual
plant changes 6
Failure, switchover and
reintegration of high 7
availability components

Diagnostics 8

Valid for PCS 7 as of V9.0

05/2017
A5E39221836-AA
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
indicates that minor personal injury can result if proper precautions are not taken.

NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will be
used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property
damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified
personnel are those who, based on their training and experience, are capable of identifying risks and avoiding
potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended or
approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described.
Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in
this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG A5E39221836-AA Copyright © Siemens AG 2017.

Division Process Industries and Drives Ⓟ 05/2017 Subject to change All rights reserved
Postfach 48 48
90026 NÜRNBERG
GERMANY
Table of contents

1 Security information......................................................................................................................................7
2 Preface.........................................................................................................................................................9
3 Basics of high availability............................................................................................................................15
3.1 Motivation for using high availability process control systems...............................................15
3.2 Plant-wide availability considerations.....................................................................................18
3.3 PCS 7 redundancy concept...................................................................................................19
3.3.1 Advantages of the PCS 7 redundancy concept ....................................................................19
3.3.2 PCS 7 redundancy concept 1 (fieldbus based on PROFIBUS DP) ......................................20
3.3.3 PCS 7 redundancy concept 2 (fieldbus based on PROFINET IO) ........................................22
3.4 Features of the PCS 7 redundancy concept at a glance........................................................24
3.5 Features for the configuration phase.....................................................................................26
3.6 Features for the commissioning and operation phases.........................................................27
3.7 Features for servicing and system expansions......................................................................29
3.8 Definition of availability...........................................................................................................30
3.9 Definition of the standby modes.............................................................................................31
3.10 Redundancy nodes................................................................................................................32
4 High availability solutions in PCS 7............................................................................................................35
4.1 Solutions for the I/O...............................................................................................................35
4.1.1 Redundant I/O........................................................................................................................38
4.1.2 Switched I/O...........................................................................................................................42
4.1.3 Components in the distributed I/O..........................................................................................45
4.1.3.1 Redundant interface modules in distributed I/O.....................................................................45
4.1.3.2 Redundant I/O modules.........................................................................................................46
4.1.3.3 Redundant actuators and sensors.........................................................................................48
4.2 Solutions for automation systems..........................................................................................50
4.2.1 Hardware components of the S7-400H..................................................................................50
4.2.2 How the SIMATIC S7-400H AS operates..............................................................................53
4.3 Solutions for communication..................................................................................................54
4.3.1 Network components.............................................................................................................56
4.3.2 Media Redundancy Protocol..................................................................................................59
4.3.3 Solutions for the terminal bus.................................................................................................61
4.3.3.1 Connecting PC stations to the terminal bus...........................................................................61
4.3.3.2 High availability terminal bus..................................................................................................61
4.3.3.3 Redundant, high availability terminal bus...............................................................................63
4.3.3.4 Redundant, high availability terminal bus based on the Parallel Redundancy Protocol
(PRP).....................................................................................................................................64
4.3.4 Solutions for the plant bus......................................................................................................68
4.3.4.1 Connecting PC stations to the plant bus................................................................................68

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 3
Table of contents

4.3.4.2 High availability plant bus.......................................................................................................69

4.3.4.3 Redundant, high availability plant bus....................................................................................71
4.3.4.4 AS 410H on redundant, high availability plant bus.................................................................74
4.3.5 Solutions for the fieldbus........................................................................................................76
4.3.5.1 Redundant PROFIBUS DP....................................................................................................76
4.3.5.2 High availability fieldbus based on PROFINET......................................................................78
4.3.5.3 Gateway between redundant and non-redundant PROFIBUS DP........................................80
4.3.5.4 Connecting PROFIBUS PA to PROFIBUS DP......................................................................81
4.3.5.5 High availability PROFIBUS PA.............................................................................................83
4.3.5.6 Connecting the FOUNDATION Fieldbus to PROFIBUS DP..................................................87
4.3.5.7 High availability FOUNDATION Fieldbus...............................................................................90
4.4 Solutions for integrating a PCS 7 system in a domain...........................................................93
4.5 Solutions for OS servers........................................................................................................94
4.6 Solutions for OS clients..........................................................................................................97
4.6.1 Additional OS clients..............................................................................................................97
4.6.2 Permanent operability............................................................................................................97
4.7 Solutions for SIMATIC BATCH..............................................................................................99
4.8 Solutions for the Route Control server.................................................................................102
4.9 Solutions for the engineering station....................................................................................104
4.10 Time synchronization...........................................................................................................105
5 Advantages of high availability components.............................................................................................107
5.1 Creating and expanding a project with pre-configured stations...........................................107
5.2 SIMATIC H station...............................................................................................................108
5.2.1 Overview of configuration steps...........................................................................................108
5.2.2 How to add a SIMATIC H station to your project.................................................................108
5.2.3 How to insert synchronization modules into the H CPU.......................................................110
5.2.4 How to configure redundant communication processors.....................................................111
5.2.5 How to set the CPU for the reaction of the input/output modules to channel faults.............113
5.3 Communications connections..............................................................................................115
5.3.1 Overview of configuration steps...........................................................................................115
5.3.2 Configuring the connection to the terminal bus....................................................................115
5.3.2.1 How to configure the redundant terminal bus on the basis of the Parallel Redundancy
Protocol................................................................................................................................115
5.3.2.2 How to connect singular components to the redundant terminal bus on the basis of the
Parallel Redundancy Protocol..............................................................................................116
5.3.3 How to configure a high availability plant bus......................................................................117
5.3.4 How to configure redundant PROFIBUS DP........................................................................119
5.3.5 How to configure a high availability fieldbus on the basis of PROFINET.............................122
5.3.6 How to configure a media-redundant fieldbus on the basis of PROFINET..........................125
5.3.7 How to configure the redundant PROFIBUS PA..................................................................128
5.3.8 How to configure the redundant FOUNDATION Fieldbus ...................................................130
5.4 Distributed I/O......................................................................................................................133
5.4.1 Overview of configuration steps...........................................................................................133
5.4.2 How to configure the redundant interface module for the I/O device...................................133
5.4.3 How to configure redundant input/output modules (PROFIBUS DP)...................................136
5.4.4 How to configure redundant input/output modules (PROFINET IO)....................................140

High Availability Process Control Systems (V9.0)

4 Function Manual, 05/2017, A5E39221836-AA
 Table of contents

5.4.5 How to configure the redundancy for HART field devices....................................................142

5.4.6 How to configure the Y Link.................................................................................................145
5.4.7 Configuring a bus link for PROFIBUS PA............................................................................147
5.4.8 Configuring a bus link for FF and compact FF segment......................................................148
5.4.9 Configuration of redundant signals......................................................................................151
5.5 Operator stations..................................................................................................................152
5.5.1 Overview of configuration steps...........................................................................................152
5.5.2 How to configure an OS server and its redundant OS partner server..................................152
5.5.3 How to set the project path of the target OS and standby OS.............................................155
5.5.4 How to set the redundancy connection for between an OS and AS....................................156
5.5.5 How to configure redundancy for OS servers on the engineering station............................159
5.5.6 How to set the redundancy connection for OS servers........................................................161
5.5.7 How to determine the S7 programs you want to assign to a given OS................................162
5.5.8 How to configure an OS client..............................................................................................163
5.5.9 How to configure an OS client for permanent operability.....................................................165
5.5.10 How to download a SIMATIC PCS 7 project to the target system.......................................168
5.5.11 Evaluating the redundancy tag "@RM_MASTER" with scripts............................................169
5.6 SIMATIC BATCH stations....................................................................................................170
5.6.1 Overview of configuration steps...........................................................................................170
5.6.2 How to configure a BATCH server and its redundant BATCH partner server......................170
5.6.3 How to configure a BATCH client.........................................................................................172
5.6.4 How to set the redundancy monitoring of BATCH servers...................................................174
5.6.5 How to configure the redundancy connection for BATCH servers on the engineering
station...................................................................................................................................175
5.6.6 How to set the redundancy connection for BATCH servers.................................................176
5.6.7 How to download the target systems for SIMATIC BATCH.................................................176
5.7 SIMATIC Route Control stations..........................................................................................178
5.7.1 Overview of configuration steps...........................................................................................178
5.7.2 How to configure a Route Control server and its redundant Route Control partner server....178
5.7.3 How to configure a Route Control client...............................................................................180
5.7.4 How to configure a redundant connection between a Route Control server and AS...........183
5.7.5 How to set the redundancy connection for Route Control servers.......................................185
5.7.6 How to set the redundancy of the Route Control servers....................................................186
5.7.7 How to download the target systems for SIMATIC Route Control.......................................186
5.8 Archive servers (Process Historian and Information Server)...............................................187
5.8.1 How to configure a Process Historian and its redundant partner server..............................187
6 Replacing components and plant changes...............................................................................................189
6.1 Failure and replacement of components..............................................................................189
6.1.1 Replacement of SIMATIC components in runtime...............................................................189
6.1.2 Replacement of bus components in runtime........................................................................191
6.1.3 Replacement of operator stations in runtime.......................................................................192
6.1.4 Replacement of BATCH stations in runtime.........................................................................193
6.1.5 Replacement of Route Control stations in runtime...............................................................194
6.2 Plant changes in runtime......................................................................................................196
7 Failure, switchover and reintegration of high availability components......................................................199
7.1 I/O........................................................................................................................................199
7.1.1 Failure of redundant interface modules................................................................................199
7.1.2 Failure of redundant I/O modules.........................................................................................199

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 5
Table of contents

7.2 Automation system...............................................................................................................202

7.2.1 Failure of the master CPU....................................................................................................202
7.2.2 Failure of a fiber-optic cable.................................................................................................202
7.3 Communication....................................................................................................................204
7.3.1 Failure of redundant bus components..................................................................................204
7.4 OS server.............................................................................................................................205
7.4.1 Failure, switchover and restarting redundant OS servers....................................................205
7.5 BATCH server......................................................................................................................210
7.5.1 Failure of BATCH servers....................................................................................................210
7.6 Route Control server............................................................................................................211
7.6.1 Reaction of Route Control servers to failures......................................................................211
7.7 OS clients.............................................................................................................................213
7.7.1 Switchover characteristics OS clients with permanent operability.......................................213
7.8 BATCH clients......................................................................................................................215
7.8.1 Switchover characteristics of BATCH clients.......................................................................215
7.9 Route Control clients............................................................................................................216
7.9.1 Switchover characteristics of Route Control clients.............................................................216
7.10 Guide to updating a redundant OS in runtime......................................................................217
7.10.1 Introduction..........................................................................................................................217
7.10.2 Overview of the required tasks.............................................................................................219
7.10.3 Phase 1: Updating Server_2................................................................................................224
7.10.4 Phase 2: Updating OS clients interconnected to Server_2..................................................227
7.10.5 Phase 3: Download of connections, gateways and changes to the AS...............................229
7.10.6 Phase 4: Updating OS clients interconnected to Server_1..................................................230
7.10.7 Phase 5: Updating Server_1................................................................................................232
7.11 Guide to updating a redundant BATCH server in runtime....................................................236
7.11.1 Software update (migration).................................................................................................236
7.12 Guide to updating a redundant Route Control server in runtime..........................................237
7.12.1 Updating a redundant Route Control server in runtime........................................................237
7.13 Redundancy behavior of the PCS 7 OS, SIMATIC BATCH and SIMATIC Route Control
servers.................................................................................................................................239
8 Diagnostics...............................................................................................................................................243
8.1 Advanced self-diagnostics of communication connections..................................................244
8.2 State of redundant operator stations in diagnostic pictures.................................................245
Index.........................................................................................................................................................247

High Availability Process Control Systems (V9.0)

6 Function Manual, 05/2017, A5E39221836-AA
Security information 1
Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, systems, machines, and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is
necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial
security concept. Siemens’ products and solutions only form one element of such a concept.
Customer is responsible to prevent unauthorized access to its plants, systems, machines and
networks. Systems, machines and components should only be connected to the enterprise
network or the internet if and to the extent necessary and with appropriate security measures
(e.g. use of firewalls and network segmentation) in place.
Additionally, Siemens’ guidance on appropriate security measures should be taken into
account. For more information about industrial security, please visit:

http://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure.
Siemens strongly recommends to apply product updates as soon as available and to always
use the latest product versions. Use of product versions that are no longer supported, and
failure to apply latest updates may increase customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS
Feed under

http://www.siemens.com/industrialsecurity.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 7
Security information

High Availability Process Control Systems (V9.0)

8 Function Manual, 05/2017, A5E39221836-AA
Preface 2
Purpose of this documentation
This documentation informs you about the following aspects of configuring high availability
systems with the SIMATIC PCS 7 Process Control System:
● The basic solution concepts
● The functional mechanisms
● The most important configurations
It presents the availability solutions on all automation levels (control, process, field).
You will find references to other product manuals containing specific information for working
with individual components.

Options for accessing PCS 7 documentation

The documentation required for PCS 7 includes the following types:
● PCS 7 Readme
The readme file is available in two versions:
– PCS 7 Readme (offline)
This version is installed by PCS 7 Setup. The file only contains general information and
links to documents on the Internet.
– PCS 7 Readme (online)
This version contains all information on the installation and use of PCS 7 in the format
which is already familiar to you. The file is only available on the Internet to keep it always
up-to-date.
Note
The information provided in the PCS 7 Readme (online) on the Internet takes
precedence over all other PCS 7 documentation.
Read this PCS 7 Readme carefully, because it contains important information and
amendments on PCS 7.

● PCS 7 System Documentation

System documentation contains information that covers several products, such as
configuration manuals and Getting Started manuals. This documentation serves as a
guideline for the overall system and explains the interaction between the individual
hardware and software components.
See information in the product overview Process Control System PCS 7; PCS 7 -
Documentation; Section "Options for accessing the documentation".
● PCS 7 Product Documentation
Product documentation contains information about special hardware and software
components. The individual documents provide detailed information on the specific
component.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 9
Preface

Full versions of the documentation are available from the "Technical Documentation SIMATIC
PCS 7" website: http:\\www.siemens.com/pcs7-documentation (http:\\www.siemens.com/
pcs7-documentation)
You can find additional information in the product overview Process Control System PCS 7;
PCS 7 - Documentation; Section "Options for accessing the documentation".

Required basic knowledge

General knowledge in the area of automation engineering and basic knowledge of PCS 7 is
required to understand this documentation. It is also assumed that the reader knows how to
use computers or other equipment similar to PCs (such as programming devices) with the
Windows operating system.
The configuration manuals and the Getting Started documentation for PCS 7 will provide you
with basic information regarding the use of PCS 7.

Position in the information landscape

The following documentation provides more information about high availability process control
systems and the handling of the individual components. This documentation is part of the
PCS 7 software.

Manual Contents
Getting Started ● Creating projects
Process Control System ● Working with the CFC Editor
PCS 7;
Part 1 - Getting Started ● Working with the Import/Export Wizard
● Working with the SFC Editor
● Compiling, downloading and testing
● Working with the operator station
Configuration manual ● Basics of PCS 7
Process Control System ● Creating projects
PCS 7;
Engineering System ● Configuring hardware
● Configuring networks
Configuration manual ● Configuring SIMATIC connections
Process Control System ● Interconnecting faceplates
PCS 7;
Operator Station ● Configuring operator stations
● Compiling the OS
● Installation guidelines
Process Control System ● Activation of the maintenance functions
PCS 7; ● Configuration of redundancy
Maintenance Station
function manual ● Adding the OPC server

High Availability Process Control Systems (V9.0)

10 Function Manual, 05/2017, A5E39221836-AA
 Preface

Manual Contents
Configuration manual ● Getting Started
WinCC ● Operating principle of WinCC redundancy
● User archives
● Creating the "Project_Redundancy_Server" example project
● Description of the WinCC projects
● Server project
Manual ● Structure of a redundant WinCC system
WinCC Hardware Options, ● Operating principle of WinCC redundancy
Part 3 Redundancy
● Configuring the OS server pair
● Guide for setting up a redundant system
● Entering the servers in Windows
Manual ● Structure of a redundant BATCH system
Process Control System ● Configuring the BATCH server pair
PCS 7;
SIMATIC BATCH ● Installation guidelines
Manual ● Setting up a redundant Route Control system
Process Control System ● Configuring the Route Control server pair
PCS 7;
SIMATIC Route Control ● Installation guidelines
Manual ● Updating a PCS 7 Project with and without use of new functions
Process Control System ● Upgrading a redundant system during online operation
PCS 7;
Software update ...
Manual ● Redundant SIMATIC automation systems
Automation System ● Increasing availability
S7-400H, High Availability
Systems ● System and operating modes of the S7-400H
● Linking and updating
Manual ● Modifying standard systems in runtime
Modifying the System in Run‐
time via CiR
Manual ● Configuration options
Distributed I/O device ● Mounting
ET 200M
● Wiring
● Commissioning and diagnostics
Manual ● Configuration options
ET 200SP ● Mounting
Distributed I/O system
● Wiring
● Commissioning and diagnostics
Manual ● Configuration options
ET 200SP HA ● Mounting
Distributed I/O system
● Wiring
● Commissioning and diagnostics

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 11
Preface

Manual Contents
Manual ● Configuration options
ET 200iSP ● Mounting
Distributed I/O Device
● Wiring
● Commissioning and diagnostics
Operating instructions ● Configuration options
SIMATIC NET; ● Mounting
Industrial Ethernet Switches
SCALANCE X-200 ● Wiring
● Commissioning and diagnostics
Operating instructions ● Configuration options
SIMATIC NET; ● Mounting
Industrial Ethernet Switches
SCALANCE X-300 ● Wiring
● Commissioning and diagnostics
Operating instructions ● Configuration options
SIMATIC NET; ● Mounting
Industrial Ethernet Switches
SCALANCE X-400 ● Wiring
● Commissioning and diagnostics
Manual ● Networks with Industrial Ethernet and Fast Ethernet
SIMATIC NET ● Network configuration
Industrial Twisted Pair and
Fiber-Optic Networks ● Passive components for electrical and optical networks
● Active components and topologies
Manual ● Configuration options
SIMATIC Diagnostic Repeat‐ ● Mounting
er for PROFIBUS DP
● Wiring
● Commissioning and diagnostics
Operating instructions ● Fundamentals of PROFIBUS PA
DP/PA coupler, active field ● DP/PA Coupler
distributors, DP/PA Link and
● DP/PA Link
Y Link
● DP/PA Link in redundant operation with the S7-400H
Operating instructions ● Configuration options
SIMATIC; Bus Link; ● Mounting
FF Link
● Wiring
● Commissioning and diagnostics
Operating instructions ● Configuration options
SIMATIC; Bus Link; ● Mounting
Compact FF Link
● Wiring
● Commissioning and diagnostics

High Availability Process Control Systems (V9.0)

12 Function Manual, 05/2017, A5E39221836-AA
 Preface

Manual Contents
System manual ● Overview
SIMATIC; PROFINET; ● Configuration/Configuration examples
System description
● Data exchange and communication
● IO engineering
Documentation ● Components released for redundancy in PCS 7
PCS 7 - Released Modules

Guide
This manual is organized into the following topics:
● Basics of high availability in PCS 7
● Description of high availability solutions in PCS 7
● Description of configurations for various redundant components in PCS 7
● Failure scenarios and diagnostic options
● Options for quantitative analysis of high availability process control systems
● Glossary with important terms for understanding this documentation
● Index of important keywords

Conventions
In this documentation, the names of elements in the software interface are specified in the
language of this documentation. If you have installed a multi-language package for the
operating system, some of the designations will be displayed in the base language of the
operating system after a language switch and will, therefore, differ from the designations used
in the documentation.
If you use the operating system Windows 10, you will find the Siemens SIMATIC programs in
the Start menu under the menu command All apps > Siemens Automation.

Changes compared to the previous version

Below you will find an overview of the most important changes in the documentation compared
to the previous version:
As of PCS 7 V9.0
● Using the redundancy concept for PROFINET IO (Page 22)
● Using the redundant IO concept for ET 200SP HA (Page 38)

See also
High availability fieldbus based on PROFINET (Page 78)
High availability FOUNDATION Fieldbus (Page 90)

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 13
Preface

Connecting the FOUNDATION Fieldbus to PROFIBUS DP (Page 87)

Solutions for the terminal bus (Page 61)

High Availability Process Control Systems (V9.0)

14 Function Manual, 05/2017, A5E39221836-AA
Basics of high availability 3
3.1 Motivation for using high availability process control systems

Advantages of high availability components

Process control systems are responsible for controlling, monitoring and documenting
production and manufacturing processes. Due to the increasing degree of automation and the
demand for improved efficiency, the availability of these systems is playing an increasingly
important role.
Failure of the control system or any of its components can lead to costly downtime in production
and manufacturing. The expense involved in restarting a continuous process also has to be
taken into consideration along with the actual production losses resulting from a failure. In
addition, the loss of an entire batch may occur due to lost quality data. If the process is intended
to operate without supervisory or service personnel, a process control system must be
configured high availability for all of the components.
You can minimize the risk of a production failure and other detrimental effects by using high
availability components in a process control system. A redundant design ensures increased
availability of a control system. This means that all components involved in the process have
a backup in continuous operation that simultaneously participates in the control tasks. When
a fault occurs or one of the control system components fails, the correctly operating redundant
component takes over the continuing control task. The ultimate goal is to increase the high
availability and fail-safe performance in process control systems.
The following applies to you as the plant operator:
The higher the cost of a production stoppage, the more you need a high availability system.
The higher initial investment usually associated with a high availability system is soon offset
by the savings resulting from decreased production downtimes.

High availability PCS 7 process control system

The following components of the PCS 7 process control system allow you to implement high
availability at all automation levels in the form and to the degree you require:
● Operator stations, maintenance station, central archive server, BATCH stations, Route
Control stations (management level)
● Bus system
● Automation systems (process level)
● Distributed I/O (field level)
The following figure shows an example of a high availability process control system with PCS 7
components.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 15
Basics of high availability
3.1 Motivation for using high availability process control systems

26FOLHQWV %$7&+FOLHQWV 5RXWH&RQWUROFOLHQWV

7HUPLQDOEXV

(QJLQHHULQJ
VWDWLRQ
06FOLHQW
06VHUYHU 26VHUYHU %$7&+VHUYHU 5RXWH&RQWURO
VHUYHU

3ODQWEXV

6+ PS CPU CPCPCPCPCP PS CPU CPCPCPCPCP

)LHOGEXV

(70 PS PS IM IM SM SM SM SM SM SM

6HQVRU

(70 PS PS IM IM SM SM SM SM SM SM

6HQVRU

Legend for the above illustration:

Note
The following short designations are commonly used in this documentation.

Short designation Meaning

Engineering sta‐ Engineering station, PC
tion
OS server Operator station, PC project data station in the project form "WinCC Server"

High Availability Process Control Systems (V9.0)

16 Function Manual, 05/2017, A5E39221836-AA
 Basics of high availability
3.1 Motivation for using high availability process control systems

Short designation Meaning

OS client Operator station, PC visualization station in the project form "WinCC Client"
BATCH server BATCH station, PC recipe and batch data station
BATCH client BATCH station, PC recipe creation and batch visualization station
Route Control Route Control station, PC Route Control data station
server
Route Control cli‐ Route Control station, PC Route Control visualization station
ent
Plant bus, terminal Bus systems for communication over Industrial Ethernet (electrical or optical)
bus
S7-400H SIMATIC S7 high availability automation system, or H system for short
PS Power supply
CPU Central processing unit
CP Communications processor
IM Interface module
SM Signal module / I/O module in analog or digital form
ET 200M Distributed I/O device
Fieldbus Fieldbus for distributed I/O
Sensor Transmitters, sensors

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 17
Basics of high availability
3.2 Plant-wide availability considerations

3.2 Plant-wide availability considerations

Introduction
Availability must be analyzed globally for the system as a whole. Based on the degree of
availability needed, each system level, each system and each component within a level should
be evaluated. It is important to know the importance of each of these for the availability
requirements as well as the ways and means that the required availability will be achieved.

Avoiding repair time

In many industrial processes, it is not enough to simply correct the failure of a component and
then continue the process. The repair has to be made without interruption to the continuing
production process. The repair time can be considerably reduced by keeping spare parts in
stock on site. The use of high availability components in the process control system enables
you to correct the cause of the system or component failure in runtime. The function of the
component is retained if no fault occurs in the remaining active (redundant) components during
the time a failed counterpart component is being repaired. That is, the plant continues operation
without disruption.

Avoiding impermissible signal edge transitions

A reserve system with connected backup I/O may not cause a prohibited signal edge transition
when a change occurs in the operating state (power on or off) or operating mode (master or
slave).

High Availability Process Control Systems (V9.0)

18 Function Manual, 05/2017, A5E39221836-AA
 Basics of high availability
3.3 PCS 7 redundancy concept

3.3 PCS 7 redundancy concept

3.3.1 Advantages of the PCS 7 redundancy concept

Phases of a system lifecycle

High availability process control systems can be realized with SIMATIC PCS 7 at minimal cost
in all phases of a system lifecycle:
● Configuration
● Commissioning/operation
● Servicing
● Expansion

Advantages
PCS 7 offers the following essential advantages:
● It provides you with system-wide scalable solutions based on the PCS 7 modular design.
Advantage: The availability can be matched to your requirements. Your process control
system can be upgraded with the SIMATIC PCS 7 components that are actually needed.
● Hardware upgrades for high availability do not depend on the software configuration.
Advantage: If the user program has been configured with PCS 7, it does not have to be
adapted following a hardware upgrade. You only need to download the new hardware
configuration into the CPU.
● High availability automation system S7-400H with CPU (types: see documentation Process
Control System PCS 7; Released Modules), whose module racks can be set up in separate
locations.
Advantage: Protection for the spatially separated CPUs resulting in increased availability
in case of fire or explosion, for example.
● The use of redundant components in the process control system means isolated errors are
tolerated.
Advantage: The entire system does not fail when a single component in the process control
system fails. The redundant component takes over its tasks therefore allowing the process
to continue.
● Every failure of a redundant component is indicated on the OS clients in the form of a
process control message.
Advantage: You immediately receive crucial information about the status of your redundant
component. Specific components that have failed can be quickly replaced to restore the
redundancy.
● Software updates on redundant OS servers can be performed without loss of process
operability or loss of data.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 19
Basics of high availability
3.3 PCS 7 redundancy concept

3.3.2 PCS 7 redundancy concept 1 (fieldbus based on PROFIBUS DP)

Overview of the PCS 7 redundancy concept

PCS 7 offers you a redundancy concept that reaches all levels of process automation.

&OLHQWV26FOLHQW%$7&+FOLHQW5RXWH&RQWUROFOLHQW

5HGXQGDQWKLJKDYDLODELOLW\WHUPLQDOEXV 


26VHUYHU %$7&+VHUYHU 5RXWH&RQWURO
VHUYHU

5HGXQGDQWKLJKDYDLODELOLW\SODQWEXV 

6ZLWFK


$6[+KLJKDYDLODELOLW\DXWRPDWLRQV\VWHP

(70

 (70
6HQVRU$FWXDWRU

(70
)DLOVDIH

5HGXQGDQW/LQN

352),%863$ILHOGEXV


$FWLYHILHOGGLVWULEXWRU

</LQN
352),%86'3
352),%86'3

&RQQHFWLRQRIQRQUHGXQGDQW
352),%86'3GHYLFHVWR
UHGXQGDQW352),%86'3 

Figure 3-1 PCS 7 redundancy concept 1 (fieldbus based on PROFIBUS DP)

High Availability Process Control Systems (V9.0)

20 Function Manual, 05/2017, A5E39221836-AA
 Basics of high availability
3.3 PCS 7 redundancy concept

Note
The numbering of the components in the illustration relates to the descriptions provided below.

Number Description
1 Several clients (OS clients, BATCH clients, Route Control clients) can access data on a
server (OS server, BATCH server, Route Control server).
2 Communication between the operator stations (client and server) and communication with
the engineering station is over a redundant, high availability terminal bus (Industrial Ether‐
net).
The clients and server are connected to the terminal bus via switches.
3 The servers (OS server, BATCH server, Route Control server, maintenance server, central
archive server) can, when necessary, be set up redundantly.
4 Automation systems communicate with the OS servers/Route Control servers and engi‐
neering stations and among themselves over the redundant, high availability plant bus (In‐
dustrial Ethernet).
The automation system, server and engineering station are connected to the plant bus via
switches.
5 Each part of the redundant, high availability S7-400H automation systems is connected to
the plant bus with an Ethernet communications processor (CP).
Each part of the AS is connected to several fieldbus chains (their PROFIBUS DP). The
internal fieldbus interfaces or additional communications processors are used for the at‐
tachment.
6 The redundant connection to the fieldbus system is achieved by using two interface modules
in each distributed I/O device (e.g. ET 200M on PROFIBUS DP).
7 Using redundant digital or analog input/output modules, you can evaluate signals from sen‐
sors/actuators. If one of the two redundant modules fails, the input/output signal of the func‐
tioning module are evaluated.
8 Single Fieldbus systems can be connected to the redundant PROFIBUS DP.
The configuration of a redundant fieldbus can be realized with a redundant gateway (for
example, PA link). The field devices are connected to the subsystem (for example, PROFI‐
BUS PA) via AFD, active field distributors, (or AFS when ring/coupler redundancy is used).
9 The Y Link allows you to connect non-redundant PROFIBUS distributed I/O devices to a
redundant PROFIBUS DP.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 21
Basics of high availability
3.3 PCS 7 redundancy concept

3.3.3 PCS 7 redundancy concept 2 (fieldbus based on PROFINET IO)

Overview of the PCS 7 redundancy concept for PROFINET IO

PCS 7 offers you a redundancy concept that reaches all levels of process automation.

&OLHQWV26FOLHQW%$7&+FOLHQW5RXWH&RQWUROFOLHQW

5HGXQGDQWIDXOWWROHUDQWWHUPLQDOEXV 


26VHUYHU %$7&+VHUYHU 5RXWH&RQWURO
VHUYHU

5HGXQGDQWIDXOWWROHUDQWSODQWEXV 

6ZLWFK

 
$6 $6
6+ 6+
+&,5SRVVLEOH +&,5SRVVLEOH

(763+$ (763+$

 0RGXOHVLQ,2UHGXQGDQF\ 
(763+$ (70


352),1(7V\VWHPV 352),1(7V\VWHP
$6UHGXQGDQF\FRQQHFWLRQ $6UHGXQGDQF\FRQQHFWLRQ

HJ
VHQVRU

Figure 3-2 PCS 7 redundancy concept 2 (fieldbus based on PROFINET IO)

Note
The numbering of the components in the illustration relates to the descriptions provided below.

High Availability Process Control Systems (V9.0)

22 Function Manual, 05/2017, A5E39221836-AA
 Basics of high availability
3.3 PCS 7 redundancy concept

Number Description
*
1 Several clients (OS clients, BATCH clients, Route Control clients) can access data on a
server (OS server, BATCH server, Route Control server).
2 Communication between the operator stations (client and server) and communication with
the engineering station is over a redundant, high availability terminal bus (Industrial Ether‐
net).
The clients and server are connected to the terminal bus via switches.
3 The servers (OS server, BATCH server, Route Control server, maintenance server, central
archive server) can, when necessary, be set up redundantly.
4 Automation systems communicate with the OS servers/Route Control servers and engi‐
neering stations and among themselves over the redundant, high availability plant bus (In‐
dustrial Ethernet).
The automation system, server and engineering station are connected to the plant bus via
switches.
5 Each part of the redundant, high availability S7-400H automation systems is connected to
the plant bus with an Ethernet communications processor (CP).
Each part of the AS is connected to several fieldbus chains (their PROFINET IO). The in‐
ternal fieldbus interfaces or additional communications processors are used for the attach‐
ment.
6 On PROFINET IO can be connected to the redundant distributed I/O devices based on
ET 200SP HA or ET 200M.
7 The ET 200SP HA IO Redundancy is the possibility to reduce the wiring effort with regard
to the connection of separate peripheral modules. The ET 200SP HA IO Redundancy is
optimized for usage with one sensor/actor per redundant channel pair.

For more information on usage of SIMATIC PCS 7 with PROFINET, refer SIMATIC PCS 7 with
PROFINET (https://support.industry.siemens.com/cs/ww/en/view/72887082).

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 23
Basics of high availability
3.4 Features of the PCS 7 redundancy concept at a glance

3.4 Features of the PCS 7 redundancy concept at a glance

Introduction
The easiest way to increase availability is to keep replacement parts in stock on site and to
have fast service at your disposal to replace defective components.
In this documentation, we provide you with PCS 7 software and hardware solutions that go
well beyond fast service and replacement part warehousing. It focuses on "automated high
availability process control systems".

System-wide, scalable solutions in PCS 7 available

Plants are divided into the following layers in PCS 7:
● Field layer
● Process layer
● Management level
The components of PCS 7 enable you to implement high availability solutions at all automation
system levels in the form and to the degree you desire. In PCS 7, individual components (such
as signal modules), complex systems (such as operator control and monitoring systems) and
complete plants can be configured in such a way that one sub-component can automatically
take on the function of another sub-component if it fails.
You decide which components in the plant require increased availability.
The following table lists the high availability components for the three layers.

Process layer Components

Management level OS clients, maintenance clients, BATCH clients, Route Control clients
OS servers, maintenance servers, Process Historian, information servers,
BATCH servers, Route Control servers
Terminal bus (Industrial Ethernet)
Process layer Plant bus (Industrial Ethernet)
Automation system AS 41xH
Field layer Fieldbus
● PROFIBUS DP, PROFIBUS PA, FOUNDATION Fieldbus, PROFINET IO
Distributed I/O device
● ET 200SP HA, ET 200M, ET 200SP, ET 200iSP, ET220S, and ET200pro
Field devices
● PROFIBUS DP, PROFIBUS PA, FOUNDATION Fieldbus and HART
devices

High Availability Process Control Systems (V9.0)

24 Function Manual, 05/2017, A5E39221836-AA
 Basics of high availability
3.4 Features of the PCS 7 redundancy concept at a glance

Basics of increased availability

Increased availability in PCS 7 is based on the following principles:
● Duplication of a component
Example:
Use of duplicate signal modules
● Duplication of a component and a software component that performs an automatic fail-over
from active and passive components in the case of malfunction.
Example of redundant components:
A signal is acquired with two signal modules and the redundancy software. The failure of
one module remains non-critical for operation of the plant.
● Technical solutions for configuring components that prevent the failure of a sub-component.
Example:
Configuration of a network in a ring topology with redundancy manager component. If part
of the ring is disrupted (by a defective cable, for example), the operation of the network is
maintained.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 25
Basics of high availability
3.5 Features for the configuration phase

3.5 Features for the configuration phase

Features for the configuration phase

In the configuration phase, PCS 7 provides you with support with the following features.

Feature Meaning
Fault prevention through simplified configura‐ You do not need additional training to configure the re‐
tion of the various components dundant components. Configuration can be performed
in a similar way as for standard systems.
Simple integration of redundant I/O No special knowledge is needed about redundant I/O
modules.
The communication links between the sys‐ With the HW Config or NetPro graphical user interface,
tem components are configured transparent the configuration of the communication links is per‐
to the application. formed transparent to the application.

High Availability Process Control Systems (V9.0)

26 Function Manual, 05/2017, A5E39221836-AA
 Basics of high availability
3.6 Features for the commissioning and operation phases

3.6 Features for the commissioning and operation phases

Features for the commissioning and operation phases

The following table lists the features PCS 7 offers for the commissioning and operation phases.
The redundant components allows the continuation of the process if a component fails.
Operator control and monitoring of the process remains unaffected. In addition, the archiving
of process data is not interrupted during the commissioning phase. Defective components can
be replaced in runtime.

Note
If a component fails in a redundant control system, the high availability is lost. This means that
another failure could potentially result in the failure of the entire system, although such
occurrences are rare (for example, if both bus lines are disconnected in the case of a redundant
bus system).
You can find additional information on this in the section "Redundancy nodes (Page 32)".

Feature Meaning Possible error / possible reason

Toleration of an isolated An isolated error is tolerated since the high Fault or failure of servers and clients
error availability redundant component contin‐ Examples:
ues the process. ● Hard disk failure
● Operating system failure
● Connection failure
● Hard disk capacity for archiving exhausted
Error or failure of the automation system
Examples:
● Failure of power supply
● Failure of a CPU
Error or failure of the communication
Examples:
● Line break
● Electromagnetic compatibility (EMC)
Error or failure of central or distributed I/O modules
Example:
● Component failure
● Short circuit
Fault in distributed I/O devices
Examples:
● Failure of the power supply (PS)
● Failure of an interface (IM)
Ensure uninterrupted op‐ The system can continue process control Failure of an individual component in a high availa‐
eration through redun‐ without operator intervention. bility process control system.
dant components. Upgrade and expansion of the system.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 27
Basics of high availability
3.6 Features for the commissioning and operation phases

Feature Meaning Possible error / possible reason

Ability of process to con‐ If an OS server fails, the system switches Failure of the OS server
tinue to be controlled and over to the configured redundant partner Examples:
monitored even when a server. All OS clients are automatically
● Operating system failure
server switchover occurs. switched over to the now activate OS part‐
ner server. The process can continue to be ● Hard disk defect
controlled and monitored through the OS
clients even during the switchover period.
Display of the master / Information about the master / standby The master / standby identification changes if the
standby identification of identification of the OS server can be re‐ active OS server (master) fails.
the OS server. quested and visualized using the OS cli‐
ents.
No loss of data; gap-free The project data are saved according to the Failure of the OS server, for example, due to a hard
data archiving. interval configured. disk defect.
Permanent operability of The failure of some OS clients can be tol‐ One or more client operator stations fail, for exam‐
the control process by erated if the remaining clients continue to ple, due to a hardware or software error.
configuring a preferred be connected to the process. Duration of the switchover of the OS clients to the
server for each OS client. redundant OS server
Replacement of faulty The failed components can be replaced OS client failure: e.g., operating system
components and recon‐ without influencing the ongoing process OS server failure: e.g., network adapter
nection to the system in and subsequently reconnected. A redun‐
Plant bus failure: e.g., wire break
runtime. dancy update is then performed.
Central rack failure: e.g., PS, CPU, synchronization
line, CP, SM
Fieldbus failure: e.g., defective PROFIBUS bus
connector
Failure of the distributed I/O device: e.g., PS, IM,
SM
Update of faulty compo‐ Redundancy synchronization is performed Switching on a redundant component after a redun‐
nent with current system for all high availability components, for ex‐ dancy fault. Example: Startup of the module after a
status after being reinte‐ ample, a CPU or a server after return to CPU is replaced with subsequent data synchroni‐
grated into the system. operation. zation on the CPU conducting the process.
System upgrades and ex‐ Redundantly designed components can be Copying BIOS versions to redundant PC stations
pansions in runtime upgraded, expanded or replaced in run‐ Software updates for redundant PC stations with‐
time. out utilization of new functions
Displays and documenta‐ Documentation of availability, for example, Displays and documentation of a potential compo‐
tion testing based on the mean time between nent failure in advance.
failure (MTBF) residual time with optional
printout.

High Availability Process Control Systems (V9.0)

28 Function Manual, 05/2017, A5E39221836-AA
 Basics of high availability
3.7 Features for servicing and system expansions

3.7 Features for servicing and system expansions

Features for servicing and system expansions

PCS 7 offers the following features for servicing and system expansions:

Feature Meaning
Asset management with the maintenance station The maintenance station provides comprehensive
information for servicing and diagnostics of PCS 7
plants.
Integrated diagnostics of components (for exam‐ Diagnostics of components without an additional
ple, LEDs) for fast, local error detection. programming device (PG).
Faster service from SIEMENS Customer Support. The service is on site within 2 to 48 hours to main‐
tain the availability guarantee.
Repairs and component expansions (upgrades, Repair and component expansions can be made in
conversions and updates) in runtime. a high availability system. System components are
installed redundantly so that repairs and expan‐
sions can be made in runtime.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 29
Basics of high availability
3.8 Definition of availability

3.8 Definition of availability

Definitions
Availability is usually defined as follows:
Quotient of MTBF and (MTBF + MTTR)
or in short form
actual operating condition / nominal operating condition.
Whereby:
● MTBF = mean time between failure; average amount of time between two successive error
events, repair time excluded
● MTTR = mean time to repair; average amount of time between repair events

Increasing the basic availability

Based on this definition, the basic availability of a standard component or a standard system
can be increased by the following:
● Reduction of error frequency
● Decreasing the period necessary for repairs
A variety of measures can reduce the repair time:
– Proximity to customer service
– Spare parts warehousing
– Repairs in runtime or repairs without downtime
With "repairs in runtime", no repair time is needed in the system to correct unscheduled
operation disruptions.

High Availability Process Control Systems (V9.0)

30 Function Manual, 05/2017, A5E39221836-AA
 Basics of high availability
3.9 Definition of the standby modes

3.9 Definition of the standby modes

Introduction
The availability of a system can be increased by additional components in the system (standby
components). The operating mode of these components distinguishes them from the
components that are active in process mode.

Standby operating mode

Operating mode Definition

Hot standby Hot standby means the parallel redundant processing of signals in redundant
components. This allows a bumpless switchover of the entire system to the
standby components.
Warm standby Warm standby means the fast continuation of the aborted function by standby
components at a program continuation point.
Cold standby Cold standby means that there is a component of the system available that can
be activated if a fault occurs. Following a restart, the newly activated component
takes over the function of the previously failed component.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 31
Basics of high availability
3.10 Redundancy nodes

3.10 Redundancy nodes

Functionality
Redundancy nodes provided protection from failure of systems with redundant components.
A redundancy node is independent when the failure of one component within the node does
not affect the reliability in other nodes or in the entire system.
The availability of a complete system is illustrated in block diagrams. In a redundant system,
a component in the redundancy node can fail without affecting the operation of the complete
system. In the chain of redundancy nodes, the weakest link determines the availability of the
entire system.
The block diagrams below present examples to illustrate this point.

Redundancy nodes without fault

The following is a block diagram showing individual redundancy nodes operating without a
fault.

5HGXQGDQF\
QRGHV &3 ,0
&38 &3 %XV 60 (QFRGHU
26FOLHQW %XV 26VHUYHU %XV &3 ,0

26FOLHQW %XV 26VHUYHU %XV &3 ,0

&38 &3 %XV 60 (QFRGHU
&3 ,0

Availability of a redundancy node despite faults

If a component in a redundancy node fails, the overall system continues to operate.

&3 ,0
&38 &3 %XV 60 (QFRGHU
26FOLHQW %XV 26VHUYHU %XV &3 ,0

26FOLHQW %XV 26VHUYHU %XV &3 ,0

&38 &3 %XV 60 (QFRGHU
&3 ,0

High Availability Process Control Systems (V9.0)

32 Function Manual, 05/2017, A5E39221836-AA
 Basics of high availability
3.10 Redundancy nodes

Total failure of a redundancy node

The following figure shows a complete system that has ceased to operate due to a failure of
the "Field bus" redundancy node.

&3 ,0
&38 &3 %XV 60 (QFRGHU
26FOLHQW %XV 26VHUYHU %XV &3 ,0

26FOLHQW %XV 26VHUYHU %XV &3 ,0

&38 &3 %XV 60 (QFRGHU
&3 ,0

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 33
Basics of high availability
3.10 Redundancy nodes

High Availability Process Control Systems (V9.0)

34 Function Manual, 05/2017, A5E39221836-AA
High availability solutions in PCS 7 4
4.1 Solutions for the I/O

Introduction
In this section you will learn about the I/O systems and components that contribute to increasing
the availability of your system. This means using the distributed I/O in PCS 7.

Distributed I/O
Distributed I/O refers to modules (input/output modules and function modules) that are used
in a modular, distributed I/O device (such as the ET 200SP HA, ET 200M, ET 200SP or
ET 200iSP).
Distributed I/O devices are often spatially separated from the central rack and located in direct
proximity to the field devices themselves. This minimizes the requirements for wiring and
ensuring the electromagnetic compatibility. Communication connections between the CPU of
the automation system and the distributed I/O can be established with the following network
types:
● PROFIBUS DP
● PROFINET IO
In addition to the I/O devices, distributed I/O includes field devices such as actuators, weighing
systems, motor protection control equipment and all other field devices that can be integrated
in the plant via the bus system.
HART devices are connected and addressed via the corresponding modules in the distributed
I/O device. HART devices are actuators and sensors that can be configured per HART protocol
(HART: Highway Addressable Remote Transducer).

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 35
High availability solutions in PCS 7
4.1 Solutions for the I/O

Network components that are integrated at the fieldbus belong to the distributed I/O. These
include, for example, the following network components:
● Bus links
– DP/PA-Link
The DP/PA‑Link enables the connection of a lower-level bus system such as PROFIBUS
PA to a redundant PROFIBUS DP.
– Y-Link
With the Y-Link, you connect singular PROFIBUS components to a redundant system.
– FF-Link / Compact FF Link
This bus link enables the connection of a lower-level bus system such as FOUNDATION
Fieldbus to a redundant PROFIBUS DP.
● PROFINET switches
With the PROFINET switches, you integrate PROFINET networks in the fieldbus of an AS.
● Compact Field Unit
The Compact Field Unit, as a PROFINET IO device, combines the effort of distributed I/O
for digital IO and bus link for field devices on PROFIBUS PA.
An AS interface can be connected using AS-Interface master modules (CPs) that are used in
the distributed I/O device. This enables the connection of simple sensors and actuators to
PCS 7 with AS-Interface. PCS 7 integrates other I/O levels in a project in this way.

Increasing availability
The availability of the I/O can be increased through the following configuration options:
● Redundant I/O (distributed I/O)
The entire signal path up to the sensor/actuator is configured redundantly. Additional
information on this topic is available in section "Redundant I/O (Page 38)".
● Switched I/O (distributed I/O)
The communication path to the I/O (station) is redundant. There is only one input/output
module (SM) for processing a process signal.
Additional information on this topic is available in section "Switched I/O (Page 42)".

High Availability Process Control Systems (V9.0)

36 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.1 Solutions for the I/O

5HGXQGDQW,2
+V\VWHP (70

&3 &38 &3 %XV ,0 60

&3 &38 &3 %XV ,0 60

+V\VWHP (763+$

&38 %XV ,0
60

60
&38 %XV ,0

6ZLFKHG,2
+V\VWHP (70

&3 &38 &3 %XV ,0

60

&3 &38 &3 %XV ,0

Modules for the distributed I/O

Note
Information on which modules are released for the distributed I/O in PCS 7 can be found in
the documentation PCS 7 - Released modules. You can find this documentation on the Internet
at: http:\\www.siemens.com/pcs7-documentation (http:\\www.siemens.com/pcs7-
documentation).

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 37
High availability solutions in PCS 7
4.1 Solutions for the I/O

4.1.1 Redundant I/O

Redundant I/O
Redundant I/O describes the situation when the I/O modules (SM) for processing a process
signal are doubly available and can be addressed by both CPUs. The CPU signal or process
signal will continue to be processed by a functioning module even when its partner fails. The
entire signal path up to the sensor/actuator is configured redundantly.

Note
With PCS 7, you can determine if errors in redundantly acquired signals will have an effect of
a module or channel. You can find additional information about this in the following sections:
● Section "Redundant input/output modules (Page 46)"
● Section "Failure of redundant input/output modules (Page 199)"

Configuration with PROFIBUS DP

On PROFIBUS DP you can configure redundant I/O with selected S7-300 I/O modules of the
distributed I/O device (e. g. ET 200M or ET 200iSP).
The distributed I/O device is connected as redundant DP slave to a high availability automation
system operating as the DP master via PROFIBUS DP. A redundant configuration is achieved
by installing an additional distributed I/O device and an additional PROFIBUS DP connection.

Note
ET 200M
For the ET 200M, in a high availability system with PCS 7, use only active bus modules. Active
bus modules enable you to plug and pull modules in runtime.

The following figure illustrates this configuration with ET 200M. Signals from redundant sensors
can be registered.

High Availability Process Control Systems (V9.0)

38 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.1 Solutions for the I/O

6+

(70
[,0

5HGXQGDQWLQSXWPRGXOH
352),%86'3

(QFRGHU

Availability
The block diagram shows an example configuration with ET 200M without a fault.

+V\VWHP (70

36 &3 &38 &3 %XV ,0 60LQ(70,

(QFRGHU

36 &3 &38 &3 %XV ,0 60LQ(70,,

If a fault occurs in a maximum of one signal path per redundancy node (e.g. bus line
(bus = PROFIBUS DP) in the first redundancy node and an input module (SM) in the second
redundancy node), the overall system remains operable. The connected device continues to
supply data to the central device, which remains available. If any other component in the
redundancy chain fails, however, the complete system will fail.

+V\VWHP (70

36 &3 &38 &3 %XV ,0 60LQ(70,

(QFRGHU

36 &3 &38 &3 %XV ,0 60LQ(70,,

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 39
High availability solutions in PCS 7
4.1 Solutions for the I/O

Installation rules
The configuration always has to be symmetrical when using redundant I/O. Follow these
installation rules:
● Using ET 200M as distributed I/O device: Both subsystems of the S7 400H must be
configured identically. The same modules are located at the same slots.
Example: CPU and CPs are located in both subsystems at the same slot.
● Using ET 200SP HA as distributed I/O device: By using IO redundancy the terminal block
(TB45...) only needs to be connected to the fielddevice (sensor or actor).
● The communication paths and interfaces must be configured the same way in both
subsystems.
Example: The fieldbus cables in both subsystems are connected to the same bus interface
of the CPU 41x-xH.
● Redundant modules are always identical (article number, hardware version, firmware
version)

Configuration rules
● In a PROFIBUS System
A DP slave must have the same PROFIBUS address in the mutually redundant DP master
systems.
● In a PROFINET IO System
The first module in Redundant I/O must be placed at an odd-numbered slot on a terminal
block (TB45...).

Redundant I/O of ET 200SP HA

Redundant I/O of ET 200SP HA describes the situation when a pair of I/O modules (SM) use
the same connectors for the sensor/actuator. The CPU signal or process signal will continue
to be processed by a functioning module even when its partner fails. The entire signal path up
to the sensor/actuator can configured redundantly.

Note
With PCS 7, you can determine if errors in redundantly acquired signals will have an effect on
a module or channel. You can find additional information about this in the following sections:
● Section "Redundant I/O modules (Page 46)"
● Section "Failure of redundant interface modules (Page 199)"

Configuration
In PCS 7, you can configure Redundant I/O with selected IO modules from ET 200SP HA.
The ET 200SP HA distributed I/O is connected as a PROFINET IO-Device to a automation
system operating as the IO Controller via PROFINET IO. A redundant configuration of IO
modules is achieved by installing 2 identical IO modules on a terminal block for Redundant I/
O (TB45...).

High Availability Process Control Systems (V9.0)

40 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.1 Solutions for the I/O

The following figure illustrates this configuration. Signals from redundant sensors can be
registered and IO-modules can drive actors.

$6
6+ PRGXOHVLQUHGXQGDQW,2
+&,5SRVVLEOH
,2PRGXOHV

7HUPLQDOEORFN7%

HJ
VHQVRU
(763+$

(763+$

352),1(7V\VWHPV
$6UHGXQGDQF\FRQQHFWLRQ

Availability
The block diagram shows an example configuration with Redundant I/O in ET 200SP HA
without a fault.

$6+ (763+$
5HGXQGDQW,2

36 &38 %XV ,0 60LQ(763+$,

(QFRGHU

36 &38 %XV ,0 60LQ(763+$,,

If a fault occurs in an input module (SM) the system remains operable. The connected device
continues to supply data to the central device, which remains available. If any other component
in the redundancy chain fails, however, the complete system will fail.

$6+ (763+$
5HGXQGDQW,2

36 &38 %XV ,0 60LQ(763+$,

(QFRGHU

36 &38 %XV ,0 60LQ(763+$,,

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 41
High availability solutions in PCS 7
4.1 Solutions for the I/O

Installation rules
The configuration always has to be symmetrical when using redundant I/O. Follow these
installation rules:
● The first module in Redundant I/O must be placed at an odd-numbered slot on a terminal
block (TB45...).
● Redundant modules are always identical (article number, firmware version, release)
                   

,2 ,2 ,2 ,2 ,2 ,2

UHG UHG UHG UHG UHG UHG

Figure 4-1 Slot configuration by Redundant I/O

Configuration rules

Note
This type of redundant operation is possible only with certain I/O modules of the ET 200SP
HA. For additional information, please refer to the following documents:
● Documentation PCS 7 - Released Modules
● Manual Automation System S7-400H; High Availability Systems

Additional information
● Section "Redundant interface modules in distributed I/O (Page 45)"
● Section "Redundant I/O modules (Page 46)"
● System manual Distributed I/O System; ET 200SP HA
● Manual Automation System S7-400H; High Availability Systems

4.1.2 Switched I/O

Switched I/O
Switched I/O describes the situation when there is only one I/O module (SM) for processing a
process signal. The communication path to the I/O (station) is redundant. In the event that a
communication path fails, the distributed I/O (station) switches to the functioning
communication path. The non-redundant I/O modules of the distributed I/O can be addressed
via the redundant interface module (DP slave) of both central modules (CPU) of a high
availability system.

High Availability Process Control Systems (V9.0)

42 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.1 Solutions for the I/O

Configuration
A switched I/O can be set up in PCS 7 with the following distributed I/O devices:
● ET 200M
For this setup, you require an ET 200M with active backplane bus modules and a redundant
IM 153-2 interface module.
● ET 200iSP
For this setup, you require an ET 200iSP and a redundant IM 152-1 interface module.
Each subsystem of the S7-400H is connected to one of the two PROFIBUS DP interfaces of
the interface module via a DP master interface.
The following figure illustrates this configuration for the ET 200M.

6+

6LQJOHFKDQQHOVZLWFKHG
(70,2
FRQVLVWLQJRI
[,0
352),%86'3

Configuration with PROFINET IO

On PROFINET IO you can configure redundant connected I/O Devices with selected modules
of distributed I/O devices of ET 200M or ET 200SP HA.
The distributed I/O device is connected as a redundant IO-Device to a high availability
automation system operating as the IO master via PROFINET IO. A redundant configuration
is achieved by installing the distributed I/O device with 2 interface modules or using MRP-
connection.
With ET 200SP HA, selected IO modules in IO redundancy can be connected to receive signals
from redundant sensors and the operate redundant actors.
The following figure illustrates the possible configuration with ET 200SP HA. Sensors and
actors can configure redundant I/O with selected modules.

Note
High availability PROFINET IO
When using rings with PROFINET IO, it is absolutely necessary to operate the fieldbus ring
with MRP (media redundancy protocol).

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 43
High availability solutions in PCS 7
4.1 Solutions for the I/O

3ODQWEXV

$6 $6 $6 $6
&38 &38 &38 &38
&,5SRVVLEOH +&,5SRVVLEOH +&,5SRVVLEOH +&,5SRVVLEOH

(763+$ (763+$ (763+$ (763+$

(763+$ (763+$ (763+$ (763+$

352),1(7V\VWHP 352),1(7V\VWHP 352),1(7V\VWHPV 352),1(7V\VWHPV

Availability
The block diagram shows the availability of the configuration illustrated above. When both
systems are operating without fault, the block diagram appears as follows:

+V\VWHP (70

&3 &38 &3 %XV ,0

60

&3 &38 &3 %XV ,0

The following figure shows how one component may fail without this affecting the operation of
the complete system.

+V\VWHP (70

&3 &38 &3 %XV ,0

60

&3 &38 &3 %XV ,0

The system remains available even when one component in part of a line of the redundancy
node fails. There is only one I/O module and therefore no corresponding redundancy node. It
is the weakest link in the complete system's chain.

High Availability Process Control Systems (V9.0)

44 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.1 Solutions for the I/O

Installation rules
The configuration always has to be symmetrical when using switched I/O. Follow these
installation rules:
● CPU 41x-xH and additional DP masters must be located in the same slots in each
subsystem (for example, in slot 4 of both subsystems).
● The PROFIBUS cables in both subsystems must be connected to the same interface (for
example, to the PROFIBUS DP interfaces of the two CPU 41x-xH).

Configuration rules
● A DP slave must have the same PROFIBUS address in the mutually redundant DP master
systems.

Additional information
● Section "Redundant interface modules (Page 45)"
● Manual Automation System S7-400H; High Availability Systems

4.1.3 Components in the distributed I/O

4.1.3.1 Redundant interface modules in distributed I/O

Redundant interface modules

By using two interface modules in one distributed I/O device, the following can be implemented:
● Setup of a switched distributed I/O
● Setup of a redundant distributed I/O
If the active interface module or the communication path fails via this interface module, the
passive interface module takes over the relevant functions without interruption. The active
interface is indicated by an illuminated "ACT" LED on the respective interface module.
Configuration:

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 45
High availability solutions in PCS 7
4.1 Solutions for the I/O

The configuration is provided as an example in the section "Redundant I/O (Page 38)".
● ET 200M with redundant IM 153-2
Two IM 153-2 interface modules are mounted on the active bus module in the distributed
I/O device for redundant operation.
● ET 200SP HA with redundant IM 155-6
Two IM 155-6 interface modules are mounted in the distributed I/O device for redundant
operation.
● ET 200iSP with redundant IM 152-1
Two IM 152-1 interface modules are mounted on the active TM-IM/IM terminal module in
the distributed I/O device for redundant operation.
Note
The signal modules of the ET 200iSP cannot be used redundantly.

Additional information
● Section "How to configure the redundant interface module for the I/O device (Page 133)"
● Section "Failure of redundant interface modules (Page 199)"
● Manual SIMATIC, Distributed I/O Device ET 200M
● Manual SIMATIC, Distributed I/O Device ET 200SP HA
● Manual SIMATIC, Distributed I/O Device ET 200iSP
● Manual Automation System S7-400H; High Availability Systems

4.1.3.2 Redundant I/O modules

Configuring redundant input/output modules

Redundant I/O modules enable you to increase the availability in the I/O area.
The following configurations are possible with redundant I/O modules:
● Redundant input/output modules in redundant distributed I/O
An example of this is the configuration shown in the section "Redundant I/O (Page 38)"
● Redundant input/output modules in single-channel switched distributed I/O
An example of this is the configuration shown in the section "Switched I/O (Page 42)"
Note
Refer to the interconnection examples for redundant I/O (redundant input/output modules)
in the manual Automation System S7-400H; High Availability Systems.

● Redundant input/output modules in IO Redundancy:

An example of this is the configuration shown in the section "Redundant I/O (Page 38)".

High Availability Process Control Systems (V9.0)

46 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.1 Solutions for the I/O

Note
In case of using the I/O modules redundancy, the diagnostic feature or capability needs to be
activated.

Redundant operation of I/O modules of ET 200SP HA

The following requirements must be met to operate redundant I/O modules of ET 200SP HA:
● PCS 7 as of V9.0
● CPU 410-5H as of firmware version V8.2
● Suitable I/O modules (documentation: PCS 7 - Released Modules)

Redundant operation of S7-300 I/O modules of ET200M (PROFIBUS DP)

The following requirements must be met to operate redundant S7-300 I/O modules of ET200M
(PROFIBUS DP):
● PCS 7 as of V6.0
● H-CPU as of firmware version V3.1
● Suitable S7-300 I/O modules (documentation: PCS 7 - Released Modules)

Required software and configuration

You select and configure the redundant modules in HW Config.
● In order for both subsystems of the H system to be able to address redundant input/output
modules, S7 driver blocks from the "Redundant I/O" library and PCS 7 driver blocks from
the PCS 7 Library as of PCS 7 V9.0 are required in addition to the necessary hardware.
● Modules with the same article number and version number are configured redundantly to
one another
You interconnect the signals in the CFC chart. You can find information on this in the section
"Configuration of redundant signals (Page 151)".
When the user program is compiled, the required driver blocks are placed, interconnected and
configured automatically.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 47
High availability solutions in PCS 7
4.1 Solutions for the I/O

Reaction to a channel fault

You can define the passivation characteristics, for example how redundant input/output
modules react to a channel fault (such as broken wire, short-circuit on the signal line). The
reaction to a channel fault depends on the following aspects:
● Module employed
● Configuration
● Version of the PCS 7 library
– As of PCS 7 V7.1, the potential passivation reaction is automatically detected based on
the configured modules. The passivation reaction is set channel-by-channel.
– Only the module-based passivation reaction can be selected with the Redlib V3.x library.
– You can set the channel-based passivation reaction with the Redlib library as of V4.
You will find information on the passivation reaction for individual modules in the
documentation PCS 7 - Released Modules.

Additional information
● Section "How to configure redundant input/output modules (PROFIBUS DP) (Page 136)"
● Section "Failure of redundant I/O modules (Page 199)"
● Section "How to set the CPU for the reaction of the input/output modules to channel faults
(Page 113)"
● Manual Automation System S7-400H; High Availability Systems
● Online help for STEP 7

4.1.3.3 Redundant actuators and sensors

Detecting failures
Actuators and sensors of I/O field level can be configured redundantly for PCS 7. A requirement
therefore is, that you can configure a pair of actuators/sensors to a pair of I/O-modules. The
failure of an actuator or sensor can be detected and reported as an error in the process control
system based on the used input/output module to which the redundant actuators or sensors
are connected. If an actuator/sensor fails, the automation system continues working with the
intact actuator/sensor. This means the current status of process values can be read or output
at any time.

Note
Read the product description of the I/O module used to find out whether the module can detect
and report a failure of the connected actuators and sensors.

High Availability Process Control Systems (V9.0)

48 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.1 Solutions for the I/O

Note
No redundant Actuators and sensors with ET 200SP HA
ET 200SP HA is optimized for Redundant I/O and uses a single sensor/actor connected to a
pair of I/O-modules (redundant channel pair).
So you can't connect a pair of actuators/sensors.

Additional information
● Manual Automation System S7-400H; High Availability Systems

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 49
High availability solutions in PCS 7
4.2 Solutions for automation systems

4.2 Solutions for automation systems

Introduction
This chapter presents solutions that can be used to increase the availability of an automation
system.

S7-400H high availability programmable controller

Only a high availability automation system can ensure an extremely short process safety time,
for example, a switchover time in the milliseconds range. PCS 7 enables you to configure your
process control system with redundancy using the S7-400H high availability programmable
controller.

Functionality
The S7-400H programmable controller and all the other components in the PCS 7 environment
are tuned to one another.
With this solution, a second backup CPU, which is event-synchronized to the master CPU,
performs the same processing tasks of the user program as the master. If the active master
CPU fails, the standby CPU continues processing the user program without delay. This type
of standby is referred to as "Hot standby".
There are always two CPUs and two power supplies in an S7-400H. The communications
processors and I/O modules are expansion modules.

4.2.1 Hardware components of the S7-400H

Hardware components
The following hardware components are available for the configuration of the high availability
automation system.

Hardware components
Racks Rack UR2-H
Rack UR2
Rack UR1
Rack CR3
Central processing units Central processing unit CPU 410-5H
Central processing unit CPU 412-3H ... 5H PN/DP
Central processing unit CPU 414-4H ... 5H PN/DP
Central processing unit CPU 416-5H PN/DP
Central processing unit CPU 417-4H ... 5H PN/DP
Synchronization modules Synchronization modules
Synchronization cable Synchronization cable (up to 10 km)

High Availability Process Control Systems (V9.0)

50 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.2 Solutions for automation systems

Hardware components
Communication processors Communication processor CP 443-5 Extended
Communication processor CP 443-1

Setup

5DFNV 6SDWLDOO\VHSDUDWHGVXEV\VWHPEDVLF
V\VWHP6+

ILEHURSWLFFDEOHV
6\QFKURQL]DWLRQFDEOHV
36 &38 V\QFPRGXOHV

Racks
The following racks are available for installing the S7-400H. Normally, the UR2-H rack is used.

Type Slots Special feature

Rack UR2‑H 2x9 Installation of two separate subsystems each with nine
modules. The two subsystems are electrically isolated
(not mechanically).
It is not possible to replace a rack in runtime.
Rack UR2 1x 9 Two racks are required for an S7-400H .
You can replace a rack in runtime.
Rack UR1 1x 18 Two racks are required for an S7-400H .
You can replace a rack in runtime.
Rack CR3 1x 4 Two racks are required for an S7-400H .
You can replace a rack in runtime.

Central processing units

There are two CPUs in an H-system. The two CPUs are connected to one another using
synchronization modules and fiber-optic cables.

Power supply
A separate power supply module from the standard S7-400 series is needed for each
subsystem of the S7-400H. Two power supply modules can be used in each subsystem to
increase the availability of the high availability system. In this case, use the following power
supply modules that can be used for redundancy.
Power supply modules for 24 VDC as well as for 120/230 VAC nominal input voltages with
output currents of 10 and 20 A.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 51
High availability solutions in PCS 7
4.2 Solutions for automation systems

Synchronization modules
Synchronization modules are used to link the two central processing units. They are installed
in the central processing units and interconnected with fiber-optic cable. Two synchronization
modules are installed in each CPU.
Set the rack number for the H CPU as of firmware version V4.X directly on the CPU. The
synchronization modules can be replaced in runtime.
The same rack number must be set at all synchronization modules up to firmware V3.x.

Fiber-optic cables for synchronization

The fiber-optic cables are connected to the synchronization modules and form the physical
connection (redundancy link) between the two automation stations. The synchronization
cables must not be cross-connected.
In addition to the standard lengths of 1 m, 2 m, and 10 m, custom-made synchronization cables
are available in lengths up to 10 km.

Transmission medium
The suitable physical transmission medium depends on the range, resistance to interference
and the transmission rate.
● Industrial Ethernet using fiber-optic cables or triaxial or twisted-pair copper lines can be
used for communication between the automation system and the OS servers.
● PROFIBUS DP or PROFINET IO with electrical or optical components is used for
communication from the automation system to the distributed I/O device.
The transmission media and communications processors can be configured redundantly. If
the active communication component (CP, bus) fails, the communication automatically
continues through the redundant connection.
High availability communication for plant bus:
● The communication modules should be configured to use ISO protocol.
● Exception:
High availability communication with CPU 41x PN/DP and SOFTNET-IE S7 REDCONNECT
The communication modules need to be configured to use ISO-on-TCP.

Equipping the rack

The hardware setup in the automation system and the configuration in HW Config must match:
● Rack (4, 9 or 18 slots for redundant and, in some cases, remote configuration)
● Power supply modules (in some cases redundant configuration)
● H CPU with sync modules in slots "IF1" and "IF2"
● If necessary: Communications processors (CP 443-1, CP 443-5 Extended)

High Availability Process Control Systems (V9.0)

52 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.2 Solutions for automation systems

Configuration
A pre-existing network can be used for high availability communication between non-redundant
SIMATIC stations and (redundant) SIMATIC H stations. You set the parameters of the high
availability S7 connections in NetPro.
The required communication blocks for data transmission (measured values, binary values,
interlocks) are available in the PCS 7 Library. The communication blocks differ in their
transmission mechanism which, for example, may be secured or unsecured.

Additional information
● Section "How to add a SIMATIC H station to your project (Page 108)"
● Section "How to insert synchronization modules into the H CPU (Page 110)"
● Section "How to configure redundant communication processors (Page 111)"
● Section "Time synchronization (Page 105)"
● Manual Automation System S7-400H; High Availability Systems

4.2.2 How the SIMATIC S7-400H AS operates

Active redundancy
The automation system consists of two redundantly configured subsystems, which are
synchronized through fiber-optic cables.
The two subsystems form a high availability automation system that operates with a dual-
channel design according to the principle of active redundancy. Active redundancy, often
referred to as functional redundancy, means that all redundant components are in continual
operation and simultaneously involved in the acquisition of process data. The control task is
the responsibility of the redundancy partner that is active at any given time. The user programs
loaded in both CPUs are fully identical and are run synchronously by both CPUs.
If the active CPU fails, the automation system automatically switches to the redundant CPU
(see section "Hardware components of the S7-400H (Page 50)" and documentation Process
Control System, SIMATIC PCS 7, Released Modules). The switchover has no effect on the
ongoing process because it is bumpless.

Additional information
● Section "Failure of the master CPU (Page 202)"
● Section "Failure of a fiber-optic cable (Page 202)"
● Manual Automation System S7-400H; High Availability Systems

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 53
High availability solutions in PCS 7
4.3 Solutions for communication

4.3 Solutions for communication

Introduction
In this section, you will learn about the redundancy concepts for the various levels of the
process control system.

Requirements for communication systems

The availability of a process control system is not only determined by the automation system,
the environment also plays a considerable role. This includes not only the operator control and
monitoring components but also a high-performance communication system that connects the
management level to the process level and the process level to the field level.
Distributed control systems are also needed in the manufacturing and processing automation.
Complex control tasks are broken down into smaller, simpler steps with distributed form. The
demand for communication between distributed systems increases.
High-performance, comprehensive communication system is needed to fulfill this demand. The
communication connections between the systems involved should be redundant.
Local networks (LAN) form the basis of the communication system. The following are options
that can be implemented based on the specific system requirements:
● Electrical
● Optical
● Electrical/optical combination
The communication connections are grouped in three areas:
● Terminal bus
● Plant bus
● Fieldbus
In PCS 7, we recommend that the bus systems are set up in a ring structure. The ring structure
makes the bus "high availability", since it can compensate for the failure of a bus line.

Redundant communication connections

Redundant communication connections can be formed on all levels of the process control
system.
When a communication error occurs, communication automatically switches over from the
active connection to the backup connection. Both connections use the same media and
protocols. The switchover has no effect on the user program running in the CPU.

High Availability Process Control Systems (V9.0)

54 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

5HGXQGDQWO\GHVLJQHGFRPPXQLFDWLRQFDEOHV

&RQWUROOHYHO
7HUPLQDOEXV
3&QHWZRUNLQG(WKHUQHW

3URFHVVOHYHO
3ODQWEXV
,QGXVWULDO(WKHUQHW

)LHOGOHYHO
)LHOGEXV
352),%86'3

Overview of the redundant and high availability bus systems

In PCS 7 systems, you can configure fully redundant bus systems with redundant components
for the following bus systems:
● Redundant, high availability terminal bus (Page 63)
● Redundant, high availability plant bus (Page 71)
● Redundant PROFIBUS DP (Page 76)
Bus systems set up as a ring are high availability. In ring structures, the signal path remains
intact even if there is a disconnection on the transmission cable at any point in the ring (for
example due to a wire break). The availability is ensured by ring redundancy.
This high availability is used in the following bus systems:
● High availability terminal bus (Page 61)
● High availability plant bus (Page 69)
● High availability PROFIBUS PA (Page 83)
● High availability FOUNDATION Fieldbus (Page 90)
● High availability fieldbus based on PROFINET (Page 78)
The following sections describe the basics of these communications solutions.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 55
High availability solutions in PCS 7
4.3 Solutions for communication

4.3.1 Network components

Introduction
Local networks (LAN) form the basis of the communication system. The following are options
that can be implemented based on the specific system requirements:
● Electrical
● Optical
● Optical/electrical (mixed operation)

Overview of the network components

You can set up bus systems with the following link and switch modules of SIMATIC NET.

Network component Bus system Application

Switch Terminal bus Type-specific use in network setup
(SCALANCE series) Plant bus Selected SCALANCE X components enable the
following:
● Transmission rates up to 1 Gbps
● Media converter (electrical/optical
bidirectional)
● Function as redundancy manager
(configuration of ring redundancy)
● Function as standby manager (redundant
linking of networks)
Depending on the type, either optical or electrical
connections are used.
SCALANCE X204 RNA Terminal bus Connecting a singular infrastructure component
(communication on the ba‐ to the redundant terminal bus. For example:
sis of the Parallel Redun‐ ● A master clock for a system, e.g.
dancy Protocol - PRP) SICLOCK TC400
● domain controller
● File server
Ports:
● 2 ports for the infrastructure components
● 2 ports for the connection to the redundant
terminal bus (LAN A and LAN B)
Switch Fieldbus ● Fieldbus as high availability PROFINET ring
(SCALANCE series) ● PROFINET
OLM (Optical Link Module) Fieldbus Setup of optical transmission paths
● PROFIBUS DP Configuration variants:
● DP master (electrical) > OLM > FO > OLM >
interface module (electrical connection)
● DP master (electrical) > OLM > FO >
interface module (optical connection)

High Availability Process Control Systems (V9.0)

56 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

Network component Bus system Application

AFD (Automatic Field Dis‐ Fieldbus Connection of field devices via ring redundancy
tributor) ● PROFIBUS PA ● Maximum of 31 fieldbus components on one
AFDiSD bus
● FOUNDATION
Fieldbus ● Maximum of 8 AFD/ADFiSD on a redundant
bus link
● Maximum of 4 field devices per AFD
● Maximum of 6 field devices per AFDiSD
AFS (Automatic Field Split‐ Fieldbus Connection of field devices via coupler redun‐
ter) ● PROFIBUS PA dancy

● FOUNDATION ● 1 AFS on a redundant bus link

Fieldbus ● Up to 31 fieldbus components on the AFS

Redundancy manager
Certain network components in the SIMATIC NET product range support the redundancy
manager function.
This function enables the configuration of ring redundancy. Network components operating as
the redundancy manager can ensure that the bus connections remain undisturbed if there is
a fault on a bus line (such as a cable break).
Example of a ring structure with SCALANCE X400 and X200
The SCALANCE X414-3E as the redundancy manager has a gray background in the figure.

Standby manager
Switches and data links (network cable) connect the redundant networks. Redundant coupling
of networks is only possible if two devices (switches) within a network segment support the
standby manager function. Certain network components from the SIMATIC NET product range
support this function.
Within a network segment, both devices are configured for the standby manager function. The
two devices exchange data frames via the bus line and thereby synchronize their operating
status. One network component becomes the standby manager (master) and the other standby
manager (slave).
When operation is error-free, the data link running between the redundant networks is active
for the standby manager (master). If this data link fails (e.g., due to a defective device or cable
break), the standby manager (slave) activates its data link while the fault remains pending.
Example of a ring structure with SCALANCE switches

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 57
High availability solutions in PCS 7
4.3 Solutions for communication

5HGXQGDQF\PDQDJHU

%XV %XV
6WDQGE\0DQDJHU0DVWHU
6WDQGE\0DQDJHU6ODYH

5HGXQGDQF\PDQDJHU

SCALANCE X switches for setting up redundant networks

You can find additional information on SCALANCE X switches approved for PCS 7 in the
Process Control System PCS 7; Released Modules documentation. The switches must have
the necessary functions available to set up the relevant redundant network:
● Redundancy manager
● Standby manager
● Parallel Redundancy Protocol

PC stations on networks
The PC stations are connected to the networks via network adapters and network cables.
The network adapters occupy a slot in the PC or programming device (PG). The following
different network adapters are used depending on requirements. You can find information
about this in the following sections:
● Section "Connecting PC stations to the terminal bus (Page 61)"
● Section "Connecting PC stations to the plant bus (Page 68)"

Additional information
● Documentation Process Control System PCS 7; PCS 7 Readme
● Documentation Process Control System PCS 7; Released modules
● Manual SIMATIC Net Twisted Pair and Fiber-Optic Networks
● Manual SIMATIC Net PROFIBUS Networks
● Manual SIMATIC; Communication with SIMATIC
● Operating instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-200
● Operating instructions SIMATIC NET; Industrial Ethernet; SCALANCE X204RNA,
SCALANCE X204RNA EEC
● Operating instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-300
● Operating instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
● Configuration Manual SIMATIC NET; Industrial Ethernet Switches; SCALANCE X-300;
SCALANCE X-400

High Availability Process Control Systems (V9.0)

58 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

4.3.2 Media Redundancy Protocol

Use of media redundancy protocol

Note
High Speed Redundancy Protocol (HRP) and Media Redundancy Protocol (MRP)
The X200 IRT switches cannot serve as redundancy manager and standby manager at the
same time.
The standby manager can only be operated with the High Speed Redundancy Protocol.
Standby redundancy and media redundancy protocol do not work together.

HRP MRP
Separate terminal and plant bus X -
Common terminal and plant bus X -
PROFINET fieldbus - X

Note
PROFINET fieldbus
If you configure a fieldbus ring with PROFINET, you must use the Media Redundancy Protocol
(MRP). The High Speed Redundancy Protocol (HRP) and MRP cannot be used simultaneously
in a ring. The PROFINET fieldbus ring may only consist of devices that support MRP
functionality.

High Speed Redundancy Protocol (HRP)

HRP is used for redundant coupling in a terminal and plant bus ring.
Ring redundancy and redundant connection of rings are possible by means of configuration
of the following functions:
● Redundancy manager
● Standby manager

High Speed Redundancy (HSR - obsolete)

Obsolete term: This term can be found in older firmware versions of Industrial Ethernet
switches. The functionality corresponds to that of HRP. You can find additional information
about High Speed Redundancy and High Speed Redundancy Protocol in the documentation
of the Industrial Ethernet switches.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 59
High availability solutions in PCS 7
4.3 Solutions for communication

Media Redundancy Protocol (MRP)

For redundant coupling in a fieldbus ring based on PROFINET, all devices must support MRP.

Note
Industrial Ethernet switches that support MRP
The following Industrial Ethernet switches support the MRP function:
● SCALANCE XB-200 as of firmware V1.2
● SCALANCE X-200 as of firmware V4.0
● SCALANCE XC-200 as of firmware V2.1
● SCALANCE XP-200 as of firmware V2.0
● SCALANCE X-300 as of firmware V3.0
● SCALANCE X-400 as of firmware V3.0

Configuration of the watchdog time

When a transmission path fails, it may take up to 200 ms to reconfigure the network (switching
to the redundant transmission path).
Increase the watchdog time for each station by adjusting the following values:
● Select the "fixed update time" setting.
● Increase the update time to a value that is less than the fastest update of the process image
partition (PIP) for this station.
● Increase the number of accepted update cycles with missing I/O data, so that the watchdog
time is > 200 ms.

Additional information
● You can find information about configuration of PROFINET in the PROFINET System
manual; System Description. You can find more information on internet (http://
support.industry.siemens.com/cs/ww/en/view/19292127).
● You can find information about HRP and MRP in the documentation of the Industrial
Ethernet switches.
● You can find information about High-availability Seamless Redundancy (HSR) in the
section "Redundant, high availability terminal bus based on the Parallel Redundancy
Protocol (PRP) (Page 64)".

See also
How to configure the redundant terminal bus on the basis of the Parallel Redundancy
Protocol (Page 115)
How to configure a high availability plant bus (Page 117)
How to configure a media-redundant fieldbus on the basis of PROFINET (Page 125)

High Availability Process Control Systems (V9.0)

60 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

4.3.3 Solutions for the terminal bus

4.3.3.1 Connecting PC stations to the terminal bus

You connect the following PC stations to industrial Ethernet via network adapters
(communication modules or communication processors):
● Operator stations
● BATCH stations
● Route Control stations
● Engineering stations
The network adapters occupy a slot in the PC or programming device (PG). Depending on the
requirement.

Network adapters for connection to the terminal bus

The following network adapters are released in PCS 7 (standard communication modules):
● PCIe network adapters:
– Intel® PRO/1000 PT Server Adapter
– (Intel® Gigabit CT Desktop Adapter (Intel® PRO/1000 PT Desktop Adapter is permitted)
● Integrated network adapter
– INTEL ... (LM-Adapter)
– INTEL ... (L-Adapter)

Variants for the redundant connection of the PC station to a terminal bus

● High availability terminal bus (Page 61)
● Redundant, high availability terminal bus (Page 63)
Using the product documentation, check whether the network adapters are suitable for
realizing the respective concept for the terminal bus.

Additional information
● Documentation Process Control System PCS 7; Released modules
● Documentation Process Control System PCS 7; PCS 7 Readme

4.3.3.2 High availability terminal bus

The terminal bus connects the servers (OS servers, BATCH servers, Route Control servers)
with the clients of the process control system (OS clients, BATCH clients, Route Control
clients).
high availability terminal bus can be set up in a ring structure with network components of
SIMATIC NET. The network components enable unrestricted operation of the terminal bus.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 61
High availability solutions in PCS 7
4.3 Solutions for communication

For example, a broken cable in the connection between the modules is tolerated and
communication remains uninterrupted.
If the terminal bus experiences problems, no process data are sent from the servers to the
clients.

High availability communication solutions

The following solutions are available to guard against failure of the terminal bus:
● Ring structure in an electrical network. The connection to the switches is electrical.
● Ring structure in an optical network with switches and FO cables. The connection to the
switches is electrical or optical.
● Ring structure in a combined network with optical and electrical switches and FO cables.
The connection to the switches is electrical.
● Ring structures as optical, electrical and combined networks with transfer rates up to 1
Gbps based on the modular switches

Configuration
In the following figure, the terminal bus is shown as a ring with switches as an example. The
OS servers are connected to the switches in a distributed pattern in order to take optimal
advantage of the switch functionality. The probability of OS server failure due to the failure of
a switch and the bus load are thereby reduced.
The log data of the control process is secured and continuously available if you use two OS
clients each equipped with a line printer for printing the message sequence reports.

Note
If a switch fails, the connection to the associated nodes will also fail. Therefore, redundant
servers must not be connected to the same switch.

26FOLHQWV

3ULQWHU

3ULQWHUIRUPHVVDJH
High availability terminal bus VHTXHQFHUHSRUW
Industrial Ethernet

26VHUYHU 5HGXQGDQW26VHUYHUSDLU

High Availability Process Control Systems (V9.0)

62 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

Availability
If there is a fault in a ring line, the communication between clients and servers via the switches
remains unaffected. However, if one of the switches fails, the link between the connected OS
servers and the OS clients is interrupted. To increase the high availability even more, however,
the redundant ring described in the following section can be used.

26FOLHQW
26VHUYHU
26FOLHQW
26VHUYHU
26FOLHQW %XV

26VHUYHU
26FOLHQW

26VHUYHU
26FOLHQW

%XV

%XV

Additional information
● Manual SIMATIC Net Twisted Pair and Fiber-Optic Networks
● Operating instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
● Operating instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-300
● Operating instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-200

4.3.3.3 Redundant, high availability terminal bus

Functionality
The terminal bus connects the servers (OS servers, BATCH servers, Route Control servers)
etc. with the clients of the process control system (OS clients, BATCH clients, Route Control
clients).
The following solutions for a redundant, high availability terminal bus is offered:
● Redundant, high availability terminal bus based on the Parallel Redundancy Protocol
(PRP) (Page 64)
Separate double ring with PRP; solution in accordance with IEC 62439-3)

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 63
High availability solutions in PCS 7
4.3 Solutions for communication

Redundant components
The following components are configured redundantly:
● Electrical or optical network with Ethernet switches
● Switches, fiber optic cables and electrical connections
● Ring structures based on switches from the SCALANCE series.
You can find additional information on the switches used with PCS 7 in the section "Network
components (Page 56)".

Additional information
● Section "How to configure the redundant terminal bus on the basis of the Parallel
Redundancy Protocol (Page 115)"
● Documentation PCS 7 Released Modules
● Manual SIMATIC Net Twisted Pair and Fiber-Optic Networks
● Operating instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
● Configuration manual SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
● Operating instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-200
● Operating instructions SIMATIC NET; Industrial Ethernet; "SCLANCE X204RNA,
SCALANCE X204RNA EEC"
● Operating instructions SIMATIC NET; PG/PC - Industrial Ethernet; SOFTNET‑IE RNA
● Online help for SOFTNET IE RNA

4.3.3.4 Redundant, high availability terminal bus based on the Parallel Redundancy Protocol
(PRP)
The section below describes the basic structure of a redundant high availability terminal bus
using the SIMATIC NET SOFTNET-IE RNA software. This software is based on the Parallel
Redundancy Protocol (PRP) as specified in IEC 62439-3.
Each PC station is connected to 2 separate redundant networks with two network adapters
each. The communications processes on the redundantly connected PC stations are organized
by the SIMATIC NET SOFTNET-IE RNA software.
The SIMATIC NET SOFTNET-IE RNA software package is required on each redundantly
connected PC station.
You can find additional information on this in the section "How to configure the redundant
terminal bus on the basis of the Parallel Redundancy Protocol (Page 115)".
The following diagram illustrates a sample configuration based on the SIMATIC NET
SOFTNET‑IE RNA software:

High Availability Process Control Systems (V9.0)

64 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

&OLHQW26 &OLHQW26 1HWZRUNDGDSWHU

1HWZRUNDGDSWHU

6&$/$1&(;51$

/$1$ /$1%
5HGXQGDQF\PDQDJHU 5HGXQGDQF\PDQDJHU

6HUYHUB0 6HUYHUB6

Configuration limits for the operator station

You can find information about this in the documentation Process Control System PCS 7;
Licenses and Configuration Limits.

Redundant, high availability terminal bus with SIMATIC NET SOFTNET‑IE RNA
All protocols among the redundantly connected components are automatically duplicated, sent
and distributed in the mutually redundant networks. The respective receiver uses the first
incoming frame with the same information from the redundant networks.
Advantages:
● Easy administration
● A fault on one bus has no effect on the redundant bus

Components
SCALANCE series switches are used to connect the components. Recommended switches
that support the Parallel Redundancy Protocol may be found in the Process Control System
PCS 7; Released modules documentation.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 65
High availability solutions in PCS 7
4.3 Solutions for communication

Encrypted communication
"Encrypted communication" is not approved for stations with SIMATIC NET SOFTNET‑IE RNA.

Note
It does not apply for WinCC/SCS secure communication.

Availability - redundant high availability terminal bus

The entire transmission route can be configured redundantly. A transmission route remains
operational for communication on the terminal bus if any of the network components fails.

266HUYHU 26&OLHQW

1HWZRUNDGDSWHU %XV 1HWZRUNDGDSWHU

1HWZRUNDGDSWHU 1HWZRUNDGDSWHU

1HWZRUNDGDSWHU 1HWZRUNDGDSWHU

1HWZRUNDGDSWHU %XV 1HWZRUNDGDSWHU

266HUYHU 26&OLHQW

%XV %XV

%XV %XV

Connecting non-redundant networks and components

An integrated solution of network components and protection devices can be implemented for
a substation or process application using PRP-compatible SCALANCE X products. Connect
components having only one network connection to the redundant, high availability terminal
bus using the SCALANCE X204RNA . Select this connection for infrastructure components,
for example:
● Central plant clock (e.g. SICLOCK TC400)
● Domain controllers (DCs), DNS, WINS, DHCP, WSUS
● WLAN access point
● File server

High Availability Process Control Systems (V9.0)

66 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

Requirements
● A maximum of 2 non-redundant networks and components with only one network
connection for each SCALANCE X204RNA
● Two separate, redundant terminal bus networks
● Maximum distance to network node (component/switch):
– Standard Ethernet cable up to 10m
– IE FastConnect cable up to 100m
Recommendation for use
The PRP protocol requires the transmission of additional protocol information. The
transmission rate of 100 Mbps is not fully reached when PRP is used.
Recommendation:
Stations that transport a high volume of data over the network should always be connected
directly to the redundant rings using two network adapters and the "SIMATIC NET SOFTNET-
IE RNA" software. This recommendation applies to the following PC stations in PCS 7:
● Process Historian
● BATCH server
● OpenPCS 7 station

Note
Highly recommended
For PC's used for infrastructure purposes, for example, DC’s, DNS, WINS, DHCP, WSUS and
virus scanner, it is highly recommended that the PC should be connected via the SCALANCE
X204RNA switch.
MTU size is very important for communication between RNA and non RNA devices. For more
information, refer to the section "Workgroup and domain" in the PCS 7 PC-Configuration
manual.

Common bus system for terminal bus and plant bus

As of PCS 7 V8.0 SP1, you can operate redundant, separate bus systems as a common
terminal bus and plant bus. Configure each redundant bus system as described in the following
sections:
● Section "How to configure the redundant terminal bus on the basis of the Parallel
Redundancy Protocol (Page 115)"
● Section "How to configure a high availability plant bus (Page 117)"

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 67
High availability solutions in PCS 7
4.3 Solutions for communication

Note
Using VLAN
You can use a Virtual Local Area Network (VLAN) to divide a physical bus system into logical
subnets (e.g. terminal bus and plant bus).
You can find additional information on this on the Internet: https://
support.industry.siemens.com at Entry ID: 66807297 (https://support.industry.siemens.com/
cs/ww/en/view/66807297) .

Additional information
● Online help for "SIMATIC NET SOFTNET-IE RNA" software
● Section "How to configure the redundant terminal bus on the basis of the Parallel
Redundancy Protocol (Page 115)"
● You can find information on the available operating systems in the PCS 7 Readme file
You can find additional information on this on the Internet http:\\www.siemens.com/pcs7-
documentation (http:\\www.siemens.com/pcs7-documentation):
● Operating Instructions SIMATIC NET; Industrial Ethernet; "SCALANCE X204RNA,
SCALANCE X204RNA EEC
● Operating instructions SIMATIC NET; PG/PC - Industrial Ethernet; SOFTNET-IE RNA V8.2

4.3.4 Solutions for the plant bus

4.3.4.1 Connecting PC stations to the plant bus

Network adapters for connection to the high availability plant bus (1 ring)
Suitable network adapters are required in the PC station to establish the connection to the
communication partners in the plant.

Network adapter Number of con‐ Connection type Redundancy type

nections
1x Standard Ethernet 8 S7 connection -
network adapter 4 S7 connection, fault-tolerant 2-way redundancy
(prerequisite: CPU as of firmware ver‐
sion V6.0)
1x Communications pro‐ 64 S7 connection -
cessor 32 S7 connection, fault-tolerant 2-way redundancy
(CP 16x3/CP 1628)
2x Communications pro‐ 32 S7 connection, fault-tolerant 2-way redundancy
cessor 16 S7 connection, fault-tolerant 4-way redundancy
(CP 16x3/CP 1628)

High Availability Process Control Systems (V9.0)

68 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

Network adapters for connection to the redundant, high availability plant bus (2 rings)
You need network adapters with an integrated processor for connection to the redundant, high
availability plant bus.

Network adapter Number of con‐ Connection type Redundancy type

nections
2x Communications pro‐ 32 S7 connection, fault-tolerant 2-way redundancy
cessor 16 S7 connection, fault-tolerant 4-way redundancy
(CP 16x3/CP 1628)

License key for AS communication

Depending on the network adapters used, you need a license key for PC stations with
communication to the AS.
When using high availability S7 connections, you require a license for the software S7-
REDCONNECT .

Network adapter License key for product

Standard Ethernet network adapter BCE
Standard Ethernet network adapter with high avail‐ SOFTNET-IE S7 REDCONNECT VM
ability connections
When using SIMATIC NET CP (e.g. CP 1623) Industrial Ethernet (IE)
When using SIMATIC NET CP (e.g. CP 1623) with HARDNET-IE S7 REDCONNECT
high availability connections.

Additional information
● You can find approved network adapters in the Catalog Overview Process Control System
PCS 7; Released Modules
● Documentation Process Control System PCS 7; PCS 7 Readme

4.3.4.2 High availability plant bus

The plant bus connects automation systems to servers (OS server, Route Control server). The
connection to a high availability plant bus is implemented with Ethernet communications
processors (CPs) that are installed in each subsystem of the automation system and in the
servers.
High availability plant bus can be set up in a ring structure with network components of
SIMATIC NET. The network components ensure unrestricted operation of the plant bus. For
example, a broken cable in the connection between the modules is tolerated and
communication remains uninterrupted.
If the plant bus is disrupted, no process data are transferred between the servers and the
automation systems or between the automation systems themselves.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 69
High availability solutions in PCS 7
4.3 Solutions for communication

High availability communication solutions

The following communication solutions are offered to prevent a possible failure:
● Ring structure in an electrical network.
The connection to the switches is electrical.
● Ring structure in an optical network with switches and FO cable.
The connection to the switches is electrical or optical.
● Ring structure in a combined network with optical and electrical switches and a FO cable.
The connection to the switches is electrical.
● Ring structures as optical, electrical and combined networks with transmission rates up to
1 Gbps based on modular SCALANCE X switches
The use of switches from the SCALANCE series is recommended. Modules for optical and
electrical connection are available for these switches.

Configuration - ring structure

The following figure represents a high availability plant bus in a ring structure with switches.
The following automation systems can be used:
● AS 41xH
5HGXQGDQW
26VHUYHUSDLU

6&$/$1&(;
6ZLWFKPRGXOHV

+LJKDYDLODELOLW\SODQWEXV 6ZLWFKPRGXOHDV
,QGXVWULDO(WKHUQHW UHGXQGDQF\PDQDJHU

6+KLJKDYDLODELOLW\ 6SDWLDOO\VHSDUDWHGUDFNV
DXWRPDWLRQV\VWHP HDFKZLWK&3

6\QFKURQL]DWLRQFDEOHV

Availability - ring structure

In this system, one CP 443-1 may fail in each subsystem of the AS without this affecting the
complete system.
The plant bus (identified by an * in the following figure) is equipped with switches for high
availability operation. Each OS server is wired to two switches. The bus can be separated at
any location. The overall system remains functional even if a switch fails. The redundant OS
partner server then communicates via the functional switch. The same scenario applies to the
switches that each have a CP of a subsystem of the H system connected.

High Availability Process Control Systems (V9.0)

70 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

To guard against the failure of all switches, however, the redundant double ring described in
the following section can be used.

+6\VWHP3DUW

&3 %XV &3

26VHUYHU
&3

+6\VWHP3DUW
&3

%XV
26VHUYHU

%XV

Additional information
● Section "How to configure a high availability plant bus (Page 117)"
● Manual SIMATIC Net Twisted Pair and Fiber-Optic Networks
● Manual SIMATIC; Communication with SIMATIC
● Operating instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400

4.3.4.3 Redundant, high availability plant bus

Functionality
The plant bus connects automation systems to servers (OS server, Route Control server). The
connection to a redundant, high availability plant bus is implemented with Ethernet
communication processors (CPs) that are installed in each subsystem of the automation
system and in the servers.
A redundant, high availability plant bus is set up using two identical, separate plant bus rings
(double ring). The network components ensure unrestricted operation of the plant bus. If one
of the plant buses fails, communication is maintained over the second plant bus.

Redundant communication solutions

The following communication solutions are offered to prevent a possible failure:
● Redundant electrical or optical network with switches set up as Industrial Ethernet
● Combined redundant network with switches, FO cables and electrical connection
● Ring structures can be set up based on modular switches from the SCALANCE series.
(Can be implemented as optical, electrical and combined networks)
The use of switches from the SCALANCE series is recommended. Modules for optical and
electrical connection are available for these switches. You can find additional information on
the switches used with PCS 7 in the "Network components (Page 56)" section.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 71
High availability solutions in PCS 7
4.3 Solutions for communication

Configuration - redundant, high availability plant bus

The figure below shows the basic configuration of the redundant, high availability plant bus.
● Bus1 shows the functionally correct configuration (shared switches for AS and OS).
● Bus2 shows the typical configuration in PCS 7 plants (separate switches for AS and OS).
Note
Check the redundancy behavior of the individual components during commissioning.

26VHUYHU
26VHUYHU 5HGXQGDQW26VHUYHUSDLU
HDFKZLWKWZR&3HJ&3

6ZLWFKPRGXOHVZLWK
LQWHJUDWHGUHGXQGDQF\
SURSHUWLHV %XV

Redundant, high availability plant bus

Industrial Ethernet

%XV

+LJKDYDLODELOLW\DXWRPDWLRQ 6SDWLDOO\VHSDUDWHGUDFNV
V\VWHP HDFKZLWKWZR&3
6+

6\QFKURQL]DWLRQFDEOHV

Note
Address areas and IP addresses of the components on the plant bus
Always assign IP addresses in different IP address ranges to the network adapters (separate
address range for Bus1 and separate address range for Bus2).
Example:
● Ring 1:
– IP address area: 192.168.1.0 - 192.168.1.255
– Subnet mask: 255.255.255.0
● Ring 2:
– IP address area: 192.168.2.0 - 192.168.2.255
– Subnet mask: 255.255.255.0

AS 41xH on redundant, high availability plant bus

High Availability Process Control Systems (V9.0)

72 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

You may connect one redundant AS per CPU without redundant communication modules.
Connection possibilities:
● Single connection of an AS 41xH with one CP each per CPU. Availability is then reduced
accordingly.
● Single connection of an AS 41xH via an internal Ethernet interface of the CPU. Availability
is then reduced accordingly.
● Redundant connection of an AS 410H via internal Ethernet interfaces of the CPU
AS 410 on redundant, high availability plant bus
An AS 410 can be connected to the redundant, high availability plant bus without
communication modules. You can find additional information on this in section "AS 410H on
redundant, high availability plant bus (Page 74)".

Availability - redundant, high availability plant bus

The block diagram for a redundant, high availability plant bus with two CPs each in both OS
servers and additional switches appears as follows:
In this system, one CP 16x3 can fail in each OS server or one CP 443‑1 in each subsystem
of the AS without this affecting the complete system. The plant bus (bus) is configured
redundantly and with redundant switches in each case. As a result, a failure of the bus
component and all components involved (switches) is covered.

26VHUYHU +6\VWHP3DUW

&3 %XV &3

&3 %XV &3

&3 &3
%XV %XV
&3 &3
%XV %XV
26VHUYHU +6\VWHP3DUW

Additional information
● Section "Connecting PC stations to the plant bus (Page 68)"
● Section "Media Redundancy Protocol (Page 59)"
● Section "How to configure a high availability plant bus (Page 117)"
● Documentation PCS 7 Released Modules
● Manual SIMATIC Net Twisted Pair and Fiber-Optic Networks
● Operating instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400
● Manual SIMATIC Communication with SIMATIC

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 73
High availability solutions in PCS 7
4.3 Solutions for communication

4.3.4.4 AS 410H on redundant, high availability plant bus

Functionality
The plant bus connects automation systems to servers (OS server, Route Control server).
An automation system with a SIMATIC S7 410H-type CPU can be connected to a redundant,
high availability plant bus.
In the event a plant bus fails, the two Ethernet connections of the CPU allow the plant bus to
operate without restrictions. If one of the plant buses fails, communication is maintained over
the second plant bus.

Configuration - AS 410H on redundant, high availability plant bus

The figure below shows the basic structure of the redundant, high availability plant bus with
an AS 410H. The AS 410H also has 2 Ethernet connections and can be connected to the
redundant, high availability plant bus.
● Bus1 shows the functionally correct configuration (shared switches for AS and OS).
● Bus2 shows the typical configuration in PCS 7 plants (separate switches for AS and OS).
Note
Check the redundancy behavior of the individual components during commissioning.

26VHUYHU
26VHUYHU 5HGXQGDQW26VHUYHUSDLU
HDFKZLWKWZR&3HJ&3

6ZLWFKPRGXOHVZLWK
LQWHJUDWHGUHGXQGDQF\
SURSHUWLHV %XV

Redundant, high availability plant bus

Industrial Ethernet

%XV

+LJKDYDLODELOLW\DXWRPDWLRQ 6SDWLDOO\VHSDUDWHGUDFNV
V\VWHP
6+

6\QFKURQL]DWLRQFDEOHV

High Availability Process Control Systems (V9.0)

74 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

Note
Address areas and IP addresses of the components on the plant bus
Always assign IP addresses in different IP address ranges to the network adapters (separate
address range for Bus1 and separate address range for Bus2).
Example:
● Ring 1:
– IP address area: 192.168.1.0 - 192.168.1.255
– Subnet mask: 255.255.255.0
● Ring 2:
– IP address area: 192.168.2.0 - 192.168.2.255
– Subnet mask: 255.255.255.0

Availability - high availability available plant bus

The block diagram for a redundant, high availability plant bus with a CPU 410H and two CPs
in the OS server is shown below:

26VHUYHU $6

&3 %XV &38+

&3 %XV &38+

In this system, one CP 16x3 or one subsystem of the AS can fail in the OS server without
affecting the overall system. The plant bus (bus) is configured redundantly and with redundant
switches in each case. As a result, a failure of the bus component and all components involved
(switches) is covered.

Additional information
● Manual SIMATIC; PCS 7 Process Control System; CPU 410-5H Process Automation
● Section "How to add a SIMATIC H station to your project (Page 108)"
● Manual SIMATIC; Automation System S7-400H; High Availability Systems

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 75
High availability solutions in PCS 7
4.3 Solutions for communication

4.3.5 Solutions for the fieldbus

4.3.5.1 Redundant PROFIBUS DP

Functionality
The field bus is used for data exchange between the automation system (AS) and the
distributed I/O. PROFIBUS DP (distributed peripheral)-- the field bus standard for
manufacturing and process automation--is used. PROFIBUS DP includes the specifications
for the following elements:
● Physical bus characteristics
● Access method
● User protocol
● User interface
PROFIBUS DP is suitable for fast, cyclic data exchange with field devices. It is used to connect
distributed I/O, for example, ET 200M, with very fast response times.
It is often advantageous to connect several DP master systems to an automation system in
order to increase the number of I/O components that can be connected. This also enables
segments to be formed, allowing individual production areas to operate independent of one
another.

High availability communication solutions

The following high availability communication solutions are offered for PROFIBUS DP:
● Redundant PROFIBUS DP as an electrical network
● Redundant PROFIBUS DP with OLMs (optical network)

Configuration
The S7-400H high availability automation system features a DP master interface on each CPU
for connecting to PROFIBUS DP. The redundant PROFIBUS DP connects the redundant
DP master to the redundant interface modules of the distributed I/O.
The following figure shows an example for connecting redundant distributed I/O based on
ET 200M to a redundant PROFIBUS DP.

High Availability Process Control Systems (V9.0)

76 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

6+

(70
[,0

5HGXQGDQWLQSXWPRGXOH
352),%86'3

(QFRGHU

Availability
If the active PROFIBUS DP fails, sensors and H system can communicate with each other
over the redundant bus connection. The configuration shown in the following figure provides
increased availability due to the redundant interfacing of the distributed I/O.

+V\VWHP
36

&38 &3 %XV ,0 60

,0
(70,
(QFRGHU

&38 &3 %XV ,0

,0 60

36 (70,,

Additional information
● Section "How to configure redundant PROFIBUS DP (Page 119)"
● Manual SIMATIC Net PROFIBUS Networks
● Manual SIMATIC; Communication with SIMATIC

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 77
High availability solutions in PCS 7
4.3 Solutions for communication

4.3.5.2 High availability fieldbus based on PROFINET

Functionality
The fieldbus is used for data communication between the automation system (AS) and the
distributed I/O. PROFINET is a standard for manufacturing and process automation. The
PROFINET-based fieldbus comprises the specifications for the following elements:
● Physical bus characteristics
● Access method
● User protocol
● User interface
PROFINET is suitable for fast, cyclic data communication with field devices.

High availability communication solutions

The following high availability communication solutions are offered for the PROFINET-based
fieldbus:
● Electrically designed network
● Optically designed network

Configurations
The S7-400H high availability automation system features a PROFINET interface on each
CPU 4xx-5H PN/DP for connecting to PROFINET. The high availability PROFINET connects
the CPU with the distributed I/O.

Note
High availability PROFINET
When using rings with PROFINET IO, it is absolutely necessary to operate the fieldbus ring
with MRP (media redundancy protocol) .

The following figure shows the connection of I/O based on PROFINET.

High Availability Process Control Systems (V9.0)

78 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

6+31'3 6+31'3

(70 (70
,031 ,031
352),1(7 352),1(7
,QSXWPRGXOH

352),1(7

(QFRGHU

352),1(7

Figure 4-2 Sample for high availability PROFINET with ET 200M

$6 $6
6+ 6+
+&,5SRVVLEOH +&,5SRVVLEOH

PRGXOHVLQ,2UHGXQGDQF\

(763+$ ,2PRGXOHV (763+$

7HUPLQDOEORFN7%

(763+$
HJ
VHQVRU (70

352),1(7V\VWHPV 352),1(7V\VWHP
$6UHGXQGDQF\FRQQHFWLRQ $6UHGXQGDQF\FRQQHFWLRQ

Figure 4-3 Sample for high availability PROFINET with ET 200SP HA

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 79
High availability solutions in PCS 7
4.3 Solutions for communication

Availability
If the communication connection via a CPU fails, the stations of the distributed I/O can
communicate with the H system over the high availability bus line. The configuration shown in
the following figure provides increased availability due to the interfacing of the distributed I/O.

+V\VWHP
36 (763+$
60
&38+ %XV ,0 (QFRGHU
60

,0

&38+ %XV ,0 (70

60 (QFRGHU
36

Figure 4-4 Sample for high availability PROFINET with ET 200SP HA and ET 200M

Note
Changes to PROFINET modules only take effect when you load your hardware configuration
with the updated STEP 7 version to the CPU, which is in "STOP" mode.

Additional information
● Section "How to configure a high availability fieldbus on the basis of PROFINET
(Page 122)"
● Section "How to configure a media-redundant fieldbus on the basis of PROFINET
(Page 125)"
● System manual SIMATIC; PROFINET; System description
● Manual SIMATIC; Communication with SIMATIC
● Manual SIMATIC STEP 7; Modifying the System during Operation via CiR
● Application example Configuration examples for the S7-400H with PROFINET SIMATIC
S7-400H as of V6.0 (https://support.industry.siemens.com/cs/ww/en/view/90885106)

4.3.5.3 Gateway between redundant and non-redundant PROFIBUS DP

Y Link
The Y-Link consists of two IM 153-2 interface modules and a Y coupler that are interconnected
through the corresponding bus modules (BM IM/IM and BM Y coupler).

High Availability Process Control Systems (V9.0)

80 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

Configuration

6+

[,0

<FRXSOHU

QRQUHGXQGDQW'3PDVWHUV\VWHP
352),%86'3

&RQQHFWLRQ
RIGLVWULEXWHG,2
GHYLFHV
UHGXQGDQW HJ
'3PDVWHUV\VWHP (76

Functionality
The Y-Link creates a gateway from the redundant DP master system of an S7-400H to a non-
redundant DP master system. This enables devices with only one PROFIBUS DP interface to
be connected to a redundant DP master system as switched I/O.
DPV1 slaves can be connected downstream from the Y-Link in addition to the standard
PROFIBUS DP slaves.
Y-Link with integrated repeater can forward diagnostic requests from the corresponding
function modules or input/output modules to the CPU.

Additional information
● Section "How to configure the Y Link (Page 145)"
● Operating Instructions DP/PA coupler, Active Field Distributor, DP/PA Link and Y Link
● Product overview Process Control System PCS 7; Released Modules

4.3.5.4 Connecting PROFIBUS PA to PROFIBUS DP

Bus links are gateways between bus systems and enable the communication connection of
the bus systems.

PA Link
The PA Link allows a connection between PROFIBUS DP and PROFIBUS PA. PA Link
includes the following modules, which are interconnected via the backplane bus:
● Interface module IM 153-2
● one or more FDC 157 DP/PA couplers

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 81
High availability solutions in PCS 7
4.3 Solutions for communication

Configuration

6+

3$OLQNZLWKUHGXQGDQWLQWHUIDFH
352),%86'3

[,0[)'&

352),%863$

Functionality
The DP/PA coupler connects PROFIBUS DP and PROFIBUS PA and decouples the various
transmission rates. It is a slave on the PROFIBUS DP and a master on the PROFIBUS PA.
Seen from the automation system, the PA Link is a modular slave. The individual modules of
this slave are the field devices that are connected to the lower-level PROFIBUS PA lines.
The PA devices connected to the PROFIBUS PA are assembled at a PROFIBUS address by
PA Link.
The PA Link can be connected directly to the PROFIBUS DP interface of programmable
controllers (S7 400) for the coupling between PROFIBUS DP and PROFIBUS PA.

Versions
You can connect a PROFIBUS PA to the PROFIBUS DP. The following variants can be
realized:
● Connection to a singular PROFIBUS DP
– Connection via PA Link (1 x interface module, 1 x DP/PA coupler)
– Connection via DP/PA coupler (45.45 Kbps on PROFIBUS DP)
– Connecting a redundant PROFIBUS PA:
You can find additional information on this in section "High availability PROFIBUS PA
(Page 83)".
● Connection to a redundant PROFIBUS DP
– Connection of a singular PROFIBUS PA via PA Link with redundant interconnection
(2 x interface module and 1 x DP/PA coupler)
– Connecting a redundant PROFIBUS PA:
You can find additional information on this in section "High availability PROFIBUS PA
(Page 83)".

High Availability Process Control Systems (V9.0)

82 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

Physical bus characteristics

● The application protocols for PROFIBUS DP and PROFIBUS PA are defined according to
IEC 61158-2 and are identical for these two fieldbus variants.
– You can set the transmission speed on the PROFIBUS DP. The maximum transmission
speed with the Y-link is 12 Mbps.
– The transmission speed on the PROFIBUS PA is 31.25 Kbps.
● If the DP/PA coupler is connected directly on PROFIBUS DP, the transfer rate is set to
45.45 Kbps. The DP/PA coupler can be operated with SIMATIC S7 automation systems
and all DP masters that support the transmission rate of 45.45 Kbps.
● Depending on the power consumption of the PA devices, up to 31 PA devices can be
connected to the PROFIBUS PA.

Use in hazardous areas

● The intrinsically safe PROFIBUS DP is specified for the type of protection EEx(ib).
● The following components can be used in operating environments of the Ex zone:
– PA Link in Ex version, up to Ex Zone 2
– PA Link or FDC 157-0 DP/PA coupler in a housing that meets at least degree of
protection IP54; up to Ex Zone 2
– DP/PA coupler Ex [i] cannot be used for redundant configuration (coupler redundancy,
ring); up to Ex Zone 1
● If you use a SIMATIC AFDiS as a field barrier between the PA Link or DP/PA coupler and
the field devices, you can connect the field devices in hazardous areas of Zone 0 or Zone
1. The outputs of the SIMATIC AFDiS fulfill the requirements for types of protection EEx(ia)
and EEx(ib).
● The number of devices is limited by the current.

Additional information
● Section "Configuring a bus link for PROFIBUS PA (Page 147)"
● Section "High availability PROFIBUS PA (Page 83)"
● Section "How to configure the redundant PROFIBUS PA (Page 128)"
● Operating Instructions DP/PA coupler, Active Field Distributor, PA Link and Y Link

4.3.5.5 High availability PROFIBUS PA

Functionality
PROFIBUS PA allows the connection of PA devices. A redundant PROFIBUS PA is connected
to FDC 157-0 redundant DP/PA couplers. If the communication path of the PROFIBUS PA
fails, the communication path is preserved as far as the spur line to the field devices.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 83
High availability solutions in PCS 7
4.3 Solutions for communication

High availability communication solutions

The following communication solutions are offered to prevent a possible failure:
● Ring redundancy with the AFD (Active Field Distributor)
● Coupler redundancy with the AFS (Active Field Splitter)
The DP/PA coupler can be used stand-alone or in the PA-Link .

Note
Mixed configurations
You can connect only one redundant DP/PA coupler pair per PA-Link . In mixed configurations,
you can operate up to 3 additional non-redundant DP/PA couplers. The coupler pair (FDC
157-0 DP/PA coupler) should be installed for redundant operation in the last two slots of the
ET 200 station.

Connecting the high availability PROFIBUS PA to PROFIBUS DP

You can connect a high availability PROFIBUS PA to the PROFIBUS DP. The following
variants can be realized:
● Redundant connection to the redundant PROFIBUS DP
– The redundant PA-Link is the transition to the high availability PROFIBUS PA.
(2 x interface module and 2 x DP/PA coupler)
● Connection to a single PROFIBUS DP PROFIBUS DP
– A DP/PA-Link with redundant coupler pair is the transition to the high availability
PROFIBUS PA.
(1 x interface module and 2 x DP/PA coupler)
– A coupler pair FDC 157 is the transition to the high availability PROFIBUS PA.
(2 x DP/PA coupler directly to PROFIBUS DP)
We recommend the following configuration limits in PCS 7 when connecting PA devices using
AFD or AFS :
● In the case of ring redundancy (high availability connection):
– In the interest of increased availability, connect a maximum of 4 field devices (one field
device per branch line) to an active field distributor AFD (maximum of 8 AFD to a
redundant DP/PA coupler).
– You can connect a total of 31 field devices.
● In the case of coupler redundancy:
– 1 AFS connected to a redundant DP/PA coupler
– Connect field devices via AFD (max. 8 AFD).
– In the interest of increased availability, connect a maximum of 4 field devices (one field
device per branch line) to an active field distributor AFD (maximum of 8 AFD to an AFS).

High Availability Process Control Systems (V9.0)

84 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

● You can connect a maximum of 31 field devices per PROFIBUS PA.

● The maximum power consumption of 1 A must not be exceeded. This figure includes all
components connected to the PROFIBUS PA.

Configuration
Examples for connections of field devices via AFD and AFS are shown in the following figures.

6+

3$/LQNZLWK
UHGXQGDQW,0DQG
UHGXQGDQW'33$FRXSOHU)'&

)DXOWWROHUDQW352),%863$

$)'L6 $)' $)'

PD[

3$/LQNZLWK
UHGXQGDQW,0DQG
UHGXQGDQW'33$FRXSOHU)'&

$)6
)DXOWWROHUDQW352),%863$
352),%86'3

352),%86'3

$)'L6 $)' PD[$)'

PD[

Figure 4-5 Redundant connection to the redundant PROFIBUS DP

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 85
High availability solutions in PCS 7
4.3 Solutions for communication

3$/LQN
ZLWKVLQJOH,0DQG
UHGXQGDQW'33$FRXSOHU)'&
)DXOWWROHUDQW352),%863$

$)'L6 $)' $)'

PD[

'LUHFWFRQQHFWLRQWR352),%86'3
UHGXQGDQW'33$FRXSOHU)'&

$)6
)DXOWWROHUDQW352),%863$
352),%86'3

$)'L6 $)' PD[$)'

PD[

Figure 4-6 Connection to a single PROFIBUS DP

Transmission rate
You have two interfacing options for the gateway between PROFIBUS DP and PROFIBUS
PA. These result in different transmission rates on PROFIBUS DP.
● If you connect the DP/PA couplers via a PA-Link , a transmission rate of up to 12 Mbps is
possible on the PROFIBUS DP.
● If you connect the DP/PA couplers directly, the transmission rate on PROFIBUS DP is 45.45
Kbps.
● The transmission speed on the PROFIBUS PA is 31.25 Kbps.

Availability - redundant interfacing

In a redundant system, we recommend that you implement the connection to the PROFIBUS
DP redundantly (redundant IM 153-2).
If a PA bus cable, an IM 153-2 or a DP/PA coupler fails, the communication connection to the
field devices is retained. The AFD or AFS automatically switches the connection to the
available signal path.

High Availability Process Control Systems (V9.0)

86 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

352),%86'3 352),%863$
PD[0ELWV NELWV

&38 &3 %XV ,0 '33$FRXSOHU

&38 &3 %XV ,0 '33$FRXSOHU $)' $)' $)'

3$GHYLFH 3$GHYLFH 3$GHYLFH

Additional information
● Section " Connection of PROFIBUS PA to PROFIBUS DP (Page 81)"
● Section "How to configure redundant PROFIBUS PA (Page 128)"
● Operating Instructions DP/PA coupler, Active Field Distributor, PA Link and Y Link

4.3.5.6 Connecting the FOUNDATION Fieldbus to PROFIBUS DP

Bus link for FOUNDATION Fieldbus

The following bus links are available for communications between PROFIBUS DP and
FOUNDATION Fieldbus H1:
● Compact FF Link
This bus link consists of modules of the type Compact FF Link.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 87
High availability solutions in PCS 7
4.3 Solutions for communication

Configuration
The following figure is an example of the configuration of a bus link based on the Compact FF
Link.

6,0$7,&6+

352),%86'3
352),%86'3

[&RPSDFW))/LQN

+LJKDYDLODELOLW\)281'$7,21)LHOGEXV

$)'L6

Functionality
The bus link connects PROFIBUS DP and FOUNDATION Fieldbus with one another and
decouples various transmission rates. It is a slave on the PROFIBUS DP and master on the
FOUNDATION Fieldbus. From the point of view of the automation system, the bus link is a
modular slave. The individual modules of this slave are the field devices that are connected
to the lower-level FF segment.
The FF devices connected to the FF segment are combined at one PROFIBUS address by
the bus link.
The bus link can be connected directly to the PROFIBUS DP interface of data record gateway-
capable automation devices for the coupling between PROFIBUS DP and FOUNDATION
Fieldbus .

High Availability Process Control Systems (V9.0)

88 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

Versions
You can connect one FF segment to the PROFIBUS DP for each bus link. The following
variants can be realized:
● Connection to a singular PROFIBUS DP
– Connection via Compact FF Link (1 x Compact FF Link)
– Connection of a redundant FF segment:
You can find additional information on this in the "Configuring a bus link for FF and
compact FF segment (Page 148)" section.
● Connection to a redundant PROFIBUS DP
– Connection of a singular FOUNDATION Fieldbus via Compact FF Link to a redundant
interface (2 x IM 153-2 FF und 1 x FDC 157)
– Connection of a redundant FF segment:
You can find additional information on this in section "High availability FOUNDATION
Fieldbus (Page 90)".

Physical bus characteristics

● The application protocols for PROFIBUS DP and FOUNDATION Fieldbus are determined
according to IEC 61158-2.
– You can set the transmission speed on the PROFIBUS DP. The maximum transmission
rate is 12 Mbps.
– The transmission speed on the FOUNDATION Fieldbus is 31.25 Kbps. The transmission
method is determined by IEC 61158‑2 .
● Depending on the power consumption of the FF devices, up to 31 FF devices can be
connected to the FOUNDATION Fieldbus .

Use in hazardous areas

● The intrinsically safe PROFIBUS DP is specified for the type of protection EEx(ib) .
● When the bus link is built into an enclosure conforming to at least an IP 54 degree of
protection, the bus link can be installed in operating environments up to Ex Zone 2.
● If you use a SIMATIC AFDiS as a field barrier between the bus link and the field devices,
you can connect the field devices in hazardous areas of zones 0 or 1. The outputs of the
SIMATIC AFDiS fulfill the requirements for types of protection EEx(ia) and EEx(ib).
● The number of devices is limited by the current.

Additional information
● Documentation SIMATIC; Process Control System PCS 7; PCS 7 Readme
● Documentation SIMATIC; PCS 7 process control system; PCS 7 - FOUNDATION Fieldbus
● Operating Instructions SIMATIC; Bus Link; Compact FF Link

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 89
High availability solutions in PCS 7
4.3 Solutions for communication

4.3.5.7 High availability FOUNDATION Fieldbus

Functionality
PCS 7 enables the connection of field devices to the FOUNDATION Fieldbus H1 (referred to
only as FOUNDATION Fieldbus or FF from this point). A high availability FOUNDATION
Fieldbus is connected to the redundantly configured Compact FF Link. If the transmission path
fails, the communication path of the FOUNDATION Fieldbus is preserved as far as the spur
line to the field devices.

High availability communication solutions

The following communication solutions are offered to prevent a possible failure:
● Ring redundancy with the AFD (Active Field Distributor)
● Coupler redundancy with the AFS (Active Field Splitter)

Connection of the high availability FOUNDATION Fieldbus to PROFIBUS DP

You can connect a high availability FOUNDATION Fieldbus to the PROFIBUS DP. The
following variants can be realized:
● Connecting a high availability FOUNDATION Fieldbus via redundant bus link to a
redundant PROFIBUS DP
Installation with Compact FF Link (2x Compact FF Link)
● Connecting a FOUNDATION Fieldbus via redundant bus link to a redundant PROFIBUS DP
Installation with Compact FF Link (2x Compact FF Link)
We recommend the following configuration limits in PCS 7 when connecting FF devices using
AFD or AFS :
● You can connect an FF segment to a redundantly installed Compact FF Link.
● For the purpose of increasing availability when using ring redundancy (high availability
connection), connect a maximum of 4 field devices (one field device per spur line) to an
active field distributor AFD (maximum of 8 AFD to a redundant Compact FF Link).
● Connect an active field splitter (AFS) to a redundant coupler in the case of coupler
redundancy. Connect the field devices via AFD (max. 8 AFD). For the purpose of increasing
availability, connect a maximum of 4 field devices per AFD.
● You can connect a maximum of 31 field devices per FF segment.
● The maximum power consumption of the bus link must not be exceeded. This figure
includes all components connected to the FF segment.

High Availability Process Control Systems (V9.0)

90 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.3 Solutions for communication

Configuration
Examples using the FF Link for connections to field devices via AFD and AFS are shown in
the following figures.

6+

[&RPSDFW))/LQN

+LJKDYDLODELOLW\)281'$7,21)LHOGEXV

PD[$)' $)'
$)'L6
PD[
PD[

[&RPSDFW))/LQN

+LJKDYDLODELOLW\)281'$7,21)LHOGEXV
$)6
)281'$7,21)LHOGEXV

PD[$)' $)'
$)'L6
352),%86'3

PD[
PD[

UHGXQGDQW
'3PDVWHUV\VWHP

Figure 4-7 Connection to a redundant PROFIBUS DP

Transmission rate
You have two interconnection options for the gateway between PROFIBUS DP and
FOUNDATION Fieldbus . These result in different transmission rates on PROFIBUS DP.
● If you connect via a bus link, a transmission rate of up to 12 Mbps is possible on PROFIBUS
DP.
● The transmission speed on the FOUNDATION Fieldbus is 31.25 Kbps.

Availability - high availability interfacing

In a redundant system, we recommend that you implement the interface to PROFIBUS DP
redundantly (redundant bus link).

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 91
High availability solutions in PCS 7
4.3 Solutions for communication

The communications connection to the field devices remains established, even when an FF
cable or a module fails. The AFD or AFS automatically switches the connection to the available
signal path.

352),%86'3 )281'$7,21)LHOGEXV
PD[0ESV NELWV

&38 &3 %XV ,0)) )'&

&38 &3 %XV ,0)) )'& $)' $)' $)'

))GHYLFH ))GHYLFH ))GHYLFH

Figure 4-8 Schematic view for the installation with FF Link (2x IM 153‑2 FF, 2 x FDC 157)

Additional information
● Section "Connecting the FOUNDATION Fieldbus to PROFIBUS DP (Page 87)"
● Section "Configuring a bus link for FF and compact FF segment (Page 148)"
● Documentation SIMATIC; Process Control System PCS 7; PCS 7 Readme
● Operating Instructions SIMATIC; Bus Link; Compact FF Link
● Documentation SIMATIC; PCS 7 process control system; PCS 7 - FOUNDATION Fieldbus

High Availability Process Control Systems (V9.0)

92 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.4 Solutions for integrating a PCS 7 system in a domain

4.4 Solutions for integrating a PCS 7 system in a domain

For additional information, please refer to the following documents:
● Function manual Process Control System PCS 7; Time Synchronization
● On the Internet pages of Customer Support in Whitepaper SIMATIC; Safety Concept PCS
7 and WinCC; Basic document (https://support.industry.siemens.com/cs/ww/en/view/
60119725)

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 93
High availability solutions in PCS 7
4.5 Solutions for OS servers

4.5 Solutions for OS servers

Redundant OS servers
PCS 7 enables you to configure two OS servers redundantly for high availability operation.
This ensures that you can monitor and control your process at all times. The solution represents
the entry level into high availability process control systems.

Configuration
The figure below shows an example of a configuration with redundant OS server and Process
Historian.

3URFHVV 26FOLHQWV
+LVWRULDQ

7HUPLQDOEXV,QGXVWULDO(WKHUQHW

26VHUYHU 5HGXQGDQW26 PD[VHUYHUV

VHUYHUV UHGXQGDQW

6\VWHPEXV,QGXVWULDO(WKHUQHW

Functionality
Redundant OS servers monitor each other in runtime. If one OS partner server fails, the event
is detected in time.
If one of the two OS server fails, the OS partner server takes over the process. The interface
between OS clients and the automation system remains available.
The OS clients are automatically switched to the redundant OS partner server. This means
that the OS clients always remain available for the control and monitoring of the process. During
the failure period, the redundant OS partner server continues to archive all messages and
process data in the WinCC project. Once the failed OS server comes back online, the contents
of all the message, process value and user archives are automatically copied to the returning
OS server. This copy process is referred to as redundancy synchronization. Redundancy
synchronization fills the gaps in the various archives that result from failures.
During the failure period, the internal master/standby identification changes from the failed OS
server to its OS partner server. The master identification remains with the OS partner server
even when the failed OS server comes back online.

Configuring the archives

Tag logging and alarm logging have to be configured functionally identical for redundant OS
servers. Functionally identical configuration means the same archives, whereby extensions in
the form of additional measuring points and archives are permitted.

High Availability Process Control Systems (V9.0)

94 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.5 Solutions for OS servers

OS partner servers (OS_Stby) are configured in the SIMATIC Manager. Using the menu
command PLC > Download synchronizes the functionality.

Redundant external archive server

You use the Process Historian for central acquisition of archive information of the process
control system. You can set up two Process Historians with redundancy functionality for high
availability operation. The associated information server can be configured in such a way that
it connects to the active Process Historian to execute tasks.
If a Process Historian of a server pair fails, the data is automatically synchronized on the return
of the failed server.
This server does not require a connection to the plant bus.

Redundant maintenance station

PCS 7 allows you to configure two maintenance servers with redundancy functionality for high
availability operation.

Setting up a redundant OS server

The following configuration shows the basic operating principle of redundant OS servers.

Note
You need to connect the redundant PC stations through a redundancy connection. This
connection offers security against problematic behavior during communication between the
OS servers.

&RQQHFWLRQWRWKHWHUPLQDOEXV

5HGXQGDQW26VHUYHUSDLU

:LQ&& :LQ&&
SURMHFW$ SURMHFW$v

26 26
VHUYHU VHUYHU

$UFKLYH $UFKLYH

5HGXQGDQF\FRQQHFWLRQ

&RQQHFWLRQWRWKHSODQWEXV

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 95
High availability solutions in PCS 7
4.5 Solutions for OS servers

Redundancy connection
You need the following components to make the redundancy connection, depending on the
distance to be bridged:

Maximum distance Required components Connection

10 m Null modem cable Serial connection
100 m ● Crossover network cable Ethernet connection
● Per server: A free network connection (see
section "Network components (Page 56)")
1000 m Fiber-optic cable Ethernet connection
Per server:
● A free network connection
(see section "Network components
(Page 56)")
● 1 Ethernet cable
● 1 media converter
(e.g., SCALANCE X101-1)

Availability
The availability of the complete system is ensured even if one of the two OS servers fails
because the two OS servers form an independent redundancy node.

26VHUYHU
%XV %XV

26VHUYHU

Note
The buses marked with * (terminal bus and plant bus) can be configured redundantly with
optical or electronic switch modules.

Additional information
● Section "Network components (Page 56)"
● Section "How to configure an OS server and its redundant OS partner server (Page 152)"
● Online help for WinCC; WinCC Redundancy
● Documentation on the Process Historian

High Availability Process Control Systems (V9.0)

96 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.6 Solutions for OS clients

4.6 Solutions for OS clients

4.6.1 Additional OS clients

Additional OS clients
OS clients are PC stations that are used for control and monitoring of an automation process.
They are connected to the OS servers through the terminal bus. The OS servers form the
process connection to the automation system.
An OS client has its own WinCC project and visualizes the process data generated on an OS
server.
If an OS client fails, this does not disrupt the overall process because the automation program
in the CPU continues to control the process and the OS servers continue to process and archive
the process data. However, the visualization of the process is lost and you can only influence
the process through the OS servers. You should therefore protect against such failure by
integrating additional OS clients.
By specifying a preferred server, you can distribute multiple OS clients between the redundant
OS servers. The automation process can therefore be operated continuously, even during a
switchover from the active OS to its OS partner server.

Additional information
● Section " How to configure an OS client (Page 163) "
● Online help for WinCC

4.6.2 Permanent operability

Permanent operability
"Permanent operability" in a redundant environment is the unrestricted ability to influence the
system at any time even when confronted with the failure of one of the redundant OS servers.
It is the most important safety characteristic for plants with critical operations.
This function is important in all systems in which the ability to handle failure of an OS server
in a redundant configuration is not enough and in which continuous control of a process must
be maintained. In the event of an OS server failure, all OS clients connected to the failed server
temporarily lose their connection to the process while they switch over. In order to ensure that
the OS clients can control and monitor the automation process continuously, the OS clients
are distributed between the redundant OS servers with specification of a preferred OS server.
The failure of some OS clients can therefore be tolerated because the other clients remain
connected to the process.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 97
High availability solutions in PCS 7
4.6 Solutions for OS clients

Preferred server
A "preferred server" is an OS server in the redundant OS server pair that is preferred by the
OS client for a connection. A preferred server can be defined separately for each OS client in
order to ensure permanent operability. The distribution of the OS clients between the OS
servers distributes the loads and increases the performance of the system as a whole.

Operating principle
If the active OS server fails, the process values on all of the connected OS clients are no longer
updated and there is no operator control on these OS clients during the switchover. Other OS
clients that are connected in parallel to the redundant OS partner server are not affected by
this. The plant operator can therefore change to these OS clients if needed.
Generally, the following applies: The OS clients always connect to the specified preferred
server if it is available. If it is not available, the OS clients automatically connect to its redundant
OS partner server. If you do not specify a preferred server for an OS client, it connects to the
OS server that has the master identification.
When the failed OS server comes online again, the OS client automatically reconnects to its
preferred server. The master identification of the OS server does not change even when the
failed OS server comes back online.

Additional information
● Section "How to configure an OS client for permanent operability (Page 165)"
● Online help for WinCC

High Availability Process Control Systems (V9.0)

98 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.7 Solutions for SIMATIC BATCH

4.7 Solutions for SIMATIC BATCH

Redundant BATCH servers

SIMATIC BATCH enables you to configure two BATCH servers redundantly for high availability
operation. This ensures that you can monitor and control your batch process at all times.

Functionality
Redundant BATCH servers monitor each other in runtime to detect the failure of a BATCH
server as early as possible.
If one of the two BATCH servers fails, the process can be controlled over the second BATCH
server after the switchover.
● The interface for message processing between the active BATCH server and the OS server
remains available.
● The BATCH clients automatically fail over to the functioning (active) BATCH server. After
the switchover, it is possible to control and monitor the process from all BATCH clients.
In SIMATIC BATCH, the consistency of the databases is achieved by data replication. In this
solution, each of the BATCH servers of a server pair has its own database in which the batch
data stored. The two databases are continuously synchronized.

Setting up a redundant BATCH server

The following configuration shows the basic operating principle of redundant BATCH servers.
The BATCH servers are also connected to the plant bus if SIMATIC BATCH is operated "AS-
based".

&RQQHFWLRQWRWKHWHUPLQDOEXV

5HGXQGDQW%$7&+VHUYHUSDLU

3URMHFW$ 3URMHFW$v

%$7&+ %$7&+
VHUYHU VHUYHU

'DWDEDVH
$UFKLYH $UFKLYH )DXOWWROHUDQWUHSOLFDWLRQ
V\QFKURQL]DWLRQ
VROXWLRQ

5HGXQGDQF\FRQQHFWLRQ

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 99
High availability solutions in PCS 7
4.7 Solutions for SIMATIC BATCH

Redundancy connection
You need the following components to make the redundancy connection, depending on the
distance to be bridged:

Maximum Required components Connection

distance
100 m ● Crossover network cable Ethernet connection
● Per server: A free network connection
(see section "Network components (Page 56)")
1000 m Fiber-optic cable Ethernet connection
Per server:
● A free network connection
(see section "Network components (Page 56)")
● 1 Ethernet cable
● 1 media converter (e.g., SCALANCE X101-1)

Note
When a redundant server pair is used as an OS server and BATCH server, the redundancy
connection must be configured via the Ethernet connection.
Serial linking of the BATCH server pair is not possible in PCS 7.

Availability
The following two block diagrams of fully operational systems illustrates the availability of the
BATCH clients and BATCH servers. All BATCH components form an independent redundancy
node since they are redundant. This ensures the independence of the subsystem.

Note
Only the BATCH components and the terminal bus are shown in the block diagrams. The
terminal bus marked with * can be configured redundantly with switch modules.

%$7&+ %$7&+
FOLHQW VHUYHU
%XV
%$7&+ %$7&+
FOLHQW VHUYHU

The communication between BATCH clients and BATCH servers is performed over the
terminal bus.

High Availability Process Control Systems (V9.0)

100 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.7 Solutions for SIMATIC BATCH

%$7&+
FOLHQW

%$7&+
VHUYHU

%$7&+
26VHUYHU
VHUYHU
%XV

26FOLHQW 26VHUYHU

26FOLHQW

The BATCH servers also communicate with OS servers over the terminal bus. The OS servers
are connected to the automation system over the plant bus.

Note
SIMATIC BATCH in "AS-based" operating mode
The BATCH servers are also connected to the plant bus if SIMATIC BATCH is operated "AS-
based". The redundant interface is implemented as on OS servers. You can find additional
information on this in section "Solutions for OS servers (Page 94)".

Additional information
● PC station identified as faulty; see section "Solutions for OS servers (Page 94)"
● Section "How to configure a BATCH server and its redundant BATCH partner server
(Page 170)"
● Section "How to configure a BATCH client (Page 172)"
● Manual and online help for SIMATIC BATCH

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 101
High availability solutions in PCS 7
4.8 Solutions for the Route Control server

4.8 Solutions for the Route Control server

Redundant Route Control servers

SIMATIC Route Control allows you to implement two Route Control servers with redundancy
functionality for high availability operation. This ensures that you can monitor and control your
route control at all times.

Functionality
The Route Control software automatically takes over the monitoring of the redundancy. The
redundant Route Control servers monitor each other in runtime.
If one of the two Route Control server fails, the process can be controlled via the second Route
Control server following switchover.
The Route Control clients automatically fail over to the functioning (active) Route Control
server.
When the failed Route Control server resumes normal service, it retrieves the current process
image from the automation system.
During the failure, the functioning Route Control server automatically receives the internal
Master ID. If the active master server failed, the master ID is passed from the failed Route
Control server to its Route Control partner server.
When the failed Route Control server becomes available again, it is given the standby ID. The
master ID remains with the Route Control partner server.

Configuration of a redundant Route Control server

The following configuration shows the basic operating principle of redundant Route Control
servers.

&RQQHFWLRQWRWKHWHUPLQDOEXV

5HGXQGDQW5&VHUYHUSDLU

3URMHFW$ 3URMHFW$v

5&VHUYHU 5&VHUYHU

$UFKLYH $UFKLYH

5HGXQGDQF\FRQQHFWLRQ

&RQQHFWLRQWRWKHSODQWEXV

High Availability Process Control Systems (V9.0)

102 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.8 Solutions for the Route Control server

Redundancy connection
You need the following components to make the redundancy connection, depending on the
distance to be bridged:

Maximum distance Required components Connection

10 m Null modem cable Serial connection
100 m ● Crossover network cable Ethernet connection
● Per server: A free network connection
(see section "Network components (Page 56)")
1000 m Fiber-optic cable Ethernet connection
Per server:
● A free network connection
(see section "Network components (Page 56)")
● 1 Ethernet cable
● 1 media converter (e.g., SCALANCE X101-1)

Availability
The availability of the complete system is also ensured even if one of the two Route Control
servers fails because the two Route Control servers form an independent redundancy node.

5&VHUYHU
%XV %XV

5&VHUYHU

Note
The buses marked with * (terminal bus and plant bus) can be configured redundantly with
optical or electronic switch modules.

Additional information
● PC station identified as faulty; see section "Solutions for OS servers (Page 94)"
● Section "How to configure a Route Control server and its redundant Route Control partner
server (Page 178)"
● Manual Process Control System PCS 7; SIMATIC Route Control

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 103
High availability solutions in PCS 7
4.9 Solutions for the engineering station

4.9 Solutions for the engineering station

Engineering station
The engineering station (ES) serves as a central configuration station.
There are no redundant engineering stations in PCS 7.
The ES is generally used to make changes to the configuration data of project components
such as AS, OS and BATCH and then download the changes to the target systems. This makes
PCS 7 configuration centralized and transparent.

Configuration
In order to use an ES as an OS client, you need to configure a PC station in the PCS 7 project
for the ES. This PC station is configured and downloaded the same way as an operator station
with regard to hardware (Station Configuration Editor), networks and connections (NetPro).
The ES is displayed in NetPro.
If you specify permanently configured connections under "Named Connections", the following
rules apply:
● When configuring the connections for the ES, you must configure a connection for every
AS. This will ensure that a connection can be established to every AS regardless of which
WinCC project is loaded.
● For connections from the individual PC stations (OS servers and ES) to the automation
systems, the following rules apply:
– All connections within an AS must have the same name.
– Two connections must be configured for each OS server and the ES, one in AS 1 and
one in AS 2.
– The connections to AS 1 and the connections to AS 2 must always have the same name.

Backing up configuration data

The configuration data should always be backed up following a change in the configuration.

High Availability Process Control Systems (V9.0)

104 Function Manual, 05/2017, A5E39221836-AA
 High availability solutions in PCS 7
4.10 Time synchronization

4.10 Time synchronization

Introduction
Time synchronization in a PCS 7 plant is of utmost importance for synchronizing, tracing,
documenting and archiving all time-critical processes. Time synchronization is particularly
important for the redundancy functions in PCS 7 such as the redundancy synchronization
between OS servers or BATCH servers.
Time synchronization is active after one component has assumed the time master function in
a PCS 7 system. All other time-dependent components receive the time from this time master.

Planning and setting up time synchronization in PCS 7

The information necessary for planning and setting up time synchronization within a Windows
network is available in the following documentation:
Function manual Process Control System PCS 7; PCS 7 Time Synchronization

Setting the time synchronization of SIMATIC H stations

When a SIMATIC H station is connected to the redundant high availability plant bus each with
two CP443-1 per CPU, the settings for time synchronization should be made according to the
table below.
Set the time synchronization of CP 443-1 by selecting the "Time synchronization" tab in the
object properties dialog of the CP.

Bus CPU 1/rack 1 CPU 2/rack 2

Plant bus1 CP 1/1 Time synchronization ena‐ CP 2/1 Time synchronization disa‐
bled bled
Plant bus2 CP 1/2 Time synchronization dis‐ CP 2/2 Time synchronization ena‐
abled bled

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 105
High availability solutions in PCS 7
4.10 Time synchronization

High Availability Process Control Systems (V9.0)

106 Function Manual, 05/2017, A5E39221836-AA
Advantages of high availability components 5
5.1 Creating and expanding a project with pre-configured stations

PCS 7 wizards "New Project" and "Extend Project"

You can create high availability stations for the AS and PC stations using the PCS 7 "New
Project" and "Expand Project" wizards in the SIMATIC Manager. For redundant PC stations,
you configure a redundant multiple station system using the PCS 7 wizard.
● PCS 7 "New Project" Wizard
Use the PCS 7 "New Project" wizard to create a new PCS 7 project as a multiproject.
You are guided through the individual configuration steps of the PCS 7 wizard. While
working through the wizard, you specify the CPU, select the number of levels in the plant
hierarchy and the AS objects to be created (CFC/SFC charts) and OS objects (PCS 7 OS,
SIMATIC BATCH, SIMATIC Route Control). Technological names such as plant, unit and
function are specified and you can adapt these later to the requirements of your plant.
● PCS 7 "Expand Project" wizard (pre-configured stations)
Using this wizard, you can expand a project with pre-configured stations, such as an AS or
a PC station for OS, BATCH or Route Control.
The AS is set up using the configuration bundles which you can find in the PCS 7 catalog
and know from the PCS 7 "New Project" wizard. If you use such bundles in your plant, all
required objects are created when you insert pre-configured stations.

Additional information
● Configuration manual Process Control System PCS 7; Engineering System

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 107
Advantages of high availability components
5.2 SIMATIC H station

5.2 SIMATIC H station

5.2.1 Overview of configuration steps

Overview of configuration steps

You configure the redundancy functionality of the SIMATIC H station by performing the
following steps:

Step What?
1 Inserting a SIMATIC H station in a project (Page 108)
2 Plugging synchronization modules into the H_CPU (Page 110)
3 Configuring redundant communications processors (Page 111)
4 Setting the CPU for the error response of input/output modules (Page 113)

5.2.2 How to add a SIMATIC H station to your project

Introduction
The SIMATIC H station is contained in the hardware catalog of HW Config as a stand-alone
station type. This station type is required if you want to configure two central devices each with
a H CPU, thereby configuring the entire process control system with redundancy.
The direct connection of a singular CPU to the redundant, high availability plant bus is possible
with a CPU 410H.

Procedure
1. Open your PCS 7 project in the component view of SIMATIC Manager.
2. Select the menu command View > Component View.
3. Select the project.
4. Select the following menu command: Insert > Station > SIMATIC H Station.
5. Click the inserted SIMATIC H station.

High Availability Process Control Systems (V9.0)

108 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.2 SIMATIC H station

Result
The configuration in the SIMATIC Manager appears as follows:

Configuring the AS in HW Config

1. Double-click the Hardware object in the detail view.
The HW Config dialog box opens.
2. Open the catalog and select the profile of the current PCS 7 version.
3. Insert the following objects of the SIMATIC 400 (Insert > Object menu command):
You can find information about the objects in the information section of the catalog.
– Rack 400
– PS 400
– CPU 400 > CPU 400 H
Communication connections can be configured later. You can find information about
this in the following sections:
- Section "How to configure redundant PROFIBUS DP (Page 119)"
- Section "How to configure a high availability fieldbus on the basis of PROFINET
(Page 122)"
- Section "How to configure a media-redundant fieldbus on the basis of PROFINET
(Page 125)"
– CP-400 (optional)
Communication connections can be configured later. You can find information on this
in the section "How to configure redundant communication processors (Page 111)".

Additional information
● Manual Automation System S7-400H; High Availability Systems

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 109
Advantages of high availability components
5.2 SIMATIC H station

5.2.3 How to insert synchronization modules into the H CPU

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● HW Config is open.
● The rack has been inserted according to the configuration in HW Config.
● Each rack has been fitted with an H CPU in HW Config.

Procedure
1. In HW Config, select the menu command View > Catalog.
2. In the hardware catalog, double-click the H CPU you are using. Within the active tree view,
double-click on the version of the H CPU you have selected.
The H sync module is located below the version folder, e.g V4.0.
3. Select the H Sync Module and drag it onto slots "IF1" and "IF2" of each H CPU.

High Availability Process Control Systems (V9.0)

110 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.2 SIMATIC H station

Result
The following figure shows an example of the configured subsystems of the high availability
station in HW Config:

Additional information
● Documentation Process Control System PCS 7; PCS 7 - Released Modules
● Manual Automation System S7-400H; High Availability Systems

5.2.4 How to configure redundant communication processors

Introduction
If you use communications processors for communication in the SIMATIC H station, configure
at least one CP 443-1 for each H CPU on a plant bus. A redundant connection is possible.
The AS 410H has 2 integrated Ethernet connections and can be connected to the redundant,
high availability plant bus.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 111
Advantages of high availability components
5.2 SIMATIC H station

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● HW Config is open.
● The racks for the SIMATIC H station are inserted in HW Config, for example, 2 UR2-H racks.
● In HW Config, each rack has been fitted with an H CPU and the required synchronization
modules.

Procedure
1. In the hardware catalog, double-click the "SIMATIC 400" folder. Then double-click the
"CP-400" folder and finally the "Industrial Ethernet" folder.
2. Select the CP you are using and drag it to a free slot on the rack.
Note
Using a communication processor that supports multiple communication protocols
Configure the ISO interface for the "Fault-tolerant S7 connection" in the "Parameters" tab
of the "Properties - Ethernet Interface CP 443-1" dialog box.

High Availability Process Control Systems (V9.0)

112 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.2 SIMATIC H station

Result
The following figure shows an example of a configuration in HW Config: Connection to a high
availability plant bus is possible.

Additional information
● Manual Automation System S7-400H; High Availability Systems

5.2.5 How to set the CPU for the reaction of the input/output modules to channel faults

Introduction
Only perform the following procedure when the libraries "Redundant IO (V3.0)" or "Redundant
IO (V4.0)" are used.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 113
Advantages of high availability components
5.2 SIMATIC H station

As of PCS 7 V7.1, the characteristics of the redundant input/output modules are set for channel-
based reaction to channel faults. The function in the AS depends on the employed PCS 7
library and the modules.
Depending on the configured module, the code is automatically generated for the automation
system based on the optimal capabilities of the module.

Passivation reaction of the modules

You will find information on which modules are released for which passivation reaction in the
documentation PCS 7 - Released Modules.

Passivation reaction Reaction of the module

Module-based The module is passivated if a fault occurs.
Group-based If a fault occurs in a channel, the group of channels is passivated in a
module in which a least one fault has occurred.
Channel-based Only the channels on which the fault occurred are passivated.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● An H-CPU is configured in HW Config.
● S7 driver blocks from the "Redundant IO (V3.0)" or "Redundant IO (V4.0)" library

Procedure
1. In the component view, select the SIMATIC H station.
2. Double-click the "Hardware" object in the detail window.
HW Config opens.
3. Select the CPU you are using on slot 3.
4. Select the menu command Edit > Object Properties.
The "Properties - CPU ..." dialog box opens.
5. Select the "H Parameters" tab.
6. Please make a note of which data blocks in the "Data block no." input box are defined as
standard transmitters so that you do not use them in your configuration.
7. Select the required setting for the passivation behavior from the "Passivation behavior" list
in the "Redundant I/O" area.
– Module-based when the "Redundant IO (V3.0)" library is used
– Channel-based when the "Redundant IO (V4.0)" library is used

Additional information
● Function manual Process Control System PCS 7; software update without utilization of new
functions
● Documentation Process Control System PCS 7; PCS 7 - Released Modules

High Availability Process Control Systems (V9.0)

114 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.3 Communications connections

5.3 Communications connections

5.3.1 Overview of configuration steps

Introduction
After you have inserted all of the components (AS, OS and ES) in your project, you can use
NetPro to configure the network connections between the SIMATIC components. When the
configuration of the connections and network is complete, the configuration needs to be
compiled, saved and downloaded to the CPU of the automation system.

Downloading connection configurations

Connection configurations can be downloaded to the CPU in RUN mode. To do this, select
the connection to be downloaded in NetPro and transfer it to the CPU by selecting the menu
command Target systems > Download > Selected Connections. Process interfacing for
operation stations is not possible until the connections are made known to the AS.
You need to change the MAC addresses after failure of network adapters. You adapt the
addresses in the properties dialog box of the individual operator stations in NetPro. The
configuration has to be compiled and downloaded in NetPro each time it is changed.

Overview
This section describes the configuration steps for the following topics:
● Configuring a redundant, high availability terminal bus
● Configuring a high availability plant bus (Page 117)
● Configuring a redundant PROFIBUS DP (Page 119)
● Configuring a high availability fieldbus based on PROFINET (Page 122)
● Configuring a media-redundant fieldbus based on PROFINET (Page 125)
● Configuring a redundant PROFIBUS PA (Page 128)

5.3.2 Configuring the connection to the terminal bus

5.3.2.1 How to configure the redundant terminal bus on the basis of the Parallel Redundancy
Protocol

Introduction
The NetPro and HW Config programs do not support configuration of the terminal bus. The
"SIMATIC NET SOFTNET-IE RNA" software is used in PCS 7 for the connection of a PC
station to separate redundant networks.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 115
Advantages of high availability components
5.3 Communications connections

Conditions and rights required

You require the following to be able to install and operate SOFTNET-IE RNA on your PC:
● 2 free Ethernet network adapters
● 2 separate Ethernet network adapters
● Administrator rights for installation
● Exactly one software license for SOFTNET-IE RNA per PC.

Installation and configuration

You can install the "SIMATIC NET SOFTNET-IE RNA" software with the PCS 7 system setup.
Select the "User-defined Installation" installation mode and select the "SOFTNET-IE RNA ..."
program in "Options".
You can find information about the configuration in the SIMATIC NET; PG/PC - Industrial
Ethernet Operating Instructions; SOFTNET-IE RNA.

Additional information
● Online help for "SIMATIC NET SOFTNET-IE RNA" software
● You can find additional information on this on the Internet http:\\www.siemens.com/pcs7-
documentation (http:\\www.siemens.com/pcs7-documentation):
– Operating instructions SIMATIC NET; SCALANCE X204RNA, SCALANCE X204RNA
EEC
– Operating instructions SIMATIC NET PG/PC; Industrial Ethernet SOFTNET-IE RNA
V8.2
● You can find information on the individual SIMATIC NET products and their configuration
on the Internet (https://support.industry.siemens.com).

5.3.2.2 How to connect singular components to the redundant terminal bus on the basis of the
Parallel Redundancy Protocol

Introduction
You can connect the following non-redundant objects to a redundant network with the
SCALANCE X204RNA .
● Non-redundant networks
● Components that have just one network connection, for example
You will find additional information on this topic in section "Redundant, high availability terminal
bus based on the Parallel Redundancy Protocol (PRP) (Page 64)".

High Availability Process Control Systems (V9.0)

116 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.3 Communications connections

Procedure
1. Connect the networks for the redundant terminal bus (referred to as LAN A and LAN B
below) to the following ports of the SCALANCE X204RNA :
– PRP A (LAN A)
– PRP B (LAN B)
2. Connect the non-redundant objects to the following ports:
– P1
– P2
3. Configure the SCALANCE X204RNA.

Messages
● SCALANCE X204RNA has signaling contacts.

Additional information about configuration

You can find additional information on this on the Internet http:\\www.siemens.com/pcs7-
documentation (http:\\www.siemens.com/pcs7-documentation):
● Operating instructions SIMATIC NET; SCALANCE X204RNA, SCALANCE X204RNA EEC
● Operating instructions SIMATIC NET PG/PC; Industrial Ethernet SOFTNET-IE RNA V8.2

5.3.3 How to configure a high availability plant bus

Introduction
You configure the communication connections for the plant bus with NetPro. Industrial Ethernet
is used for the plant bus.

High availability plant bus

You can set up a high availability plant bus with a ring structure.
The components of the process control system are connected to the plant bus using switch
modules.
The degree of availability you require determines whether or not you should use additional
network adapters in the OS servers and in each subsystem of the automation system.
This section describes the procedure for a high availability plant bus (ring) with switch modules
without additional CPs.
Additional information is available in the section "High availability plant bus (Page 69)".

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 117
Advantages of high availability components
5.3 Communications connections

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● The hardware configuration of the subsystems of the H system is the same.
● One of the following network adapters is configured in HW Config for the connection to the
plant bus:
– a PNIO interface of a CPU 410-5H in every subsystem of the H system.
– a CP 443-1 CP has in every subsystem of the H system.
● Two SIMATIC PC have been configured in HW Config:
– High availability plant bus:
CP 16x3; CP 1628 or standard network adaptor (as of V6.0 CPU)
– Redundant, high availability plant bus:
CP 16x3 or CP 1628

Procedure
1. Open NetPro in SIMATIC Manager with the menu command Options > Configure
Network.
2. Select the menu command Insert > Network Objects to open the hardware catalog.
3. In the hardware catalog, click the plus sign to open the submenu containing the subnets.
4. Double-click the "Industrial Ethernet" subnet to insert it into the network view.
Note
To drag subnets into the NetPro project window, click the network, hold down the left mouse
button and drag it to the desired location. If you cannot place the object where you want it,
you may need to move other objects to make the necessary space.

5. In the left subsystem of the SIMATIC H station, select the PNIO interface of the CPU 410-5H
or the interface icon for the CP 443-1 and drag a connection to the Industrial Ethernet
subnet.
Repeat the procedure for the network adapter of the right subsystem.
6. Follow the same procedure for the network adapters (CPs) in both OS servers.
7. Save your configuration.

High Availability Process Control Systems (V9.0)

118 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.3 Communications connections

Result
The following figure shows the resulting configuration:

Additional information
● Online help for STEP 7

5.3.4 How to configure redundant PROFIBUS DP

Introduction
The following section describes how to create and connect a redundant PROFIBUS DP.

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● HW Config is open.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 119
Advantages of high availability components
5.3 Communications connections

● The UR2-H rack has been inserted twice in HW Config.

● In HW Config, each mounting rack has been fitted with an H CPU in slot 3 and the required
synchronization modules.

Procedure

Note
Steps 1 through 4 are necessary only when a CP 443-5 Extended is used for the connection
to the redundant PROFIBUS.

1. In HW Config, select the menu command Insert > Hardware Components.

2. In the hardware catalog, double-click the "SIMATIC 400" folder. Then double-click the
"CP-400" folder and finally the "PROFIBUS" folder.
3. Select the version of the CP 443-5 Extended you are using and drag it to a free slot on the
module rack.
The "Properties - PROFIBUS Interface CP 443-5 Ext ..." dialog box opens.
4. Click "OK".
5. Select the slot on the rack for which you want to specify a redundant PROFIBUS DP
interface:
– Slot X2 to use the PROFIBUS DP interfaces of the CPU
– Slot of the CP 443-5 Extended to use the PROFIBUS DP interfaces of the CP 443-5
Extended
6. Select the menu command Edit > Master System > Insert.
The "Properties - PROFIBUS Interface CP 443-5 Ext..." dialog box opens.
Note
When inserting the DP master system for the redundant PROFIBUS DP interface, the entry
"Redundant subnet ..." is displayed below the "Subnet" list.

7. Click "New".
The "New Subnet" dialog box opens.
8. Make any necessary system-specific settings in the "New Subnet ..." dialog box (for
example, bus name, transmission rates, etc.).
9. Click "OK".
The new DP master system is entered in the "Subnet" list.
10.Click "OK".
11.Repeat steps 1 to 10 for the redundant rack.

High Availability Process Control Systems (V9.0)

120 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.3 Communications connections

Result
The figure below shows the result of the configuration process in HW Config. Here, a distributed
I/O has already been assigned to the DP master systems for the purpose of illustrating the
redundancy principle:

Additional information
● Online help for STEP 7

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 121
Advantages of high availability components
5.3 Communications connections

5.3.5 How to configure a high availability fieldbus on the basis of PROFINET

Introduction
The following section describes how to create and connect a high availability fieldbus on the
basis of PROFINET.
● Configure the components in HW Config.
● In the Topology Editor, configure the connections between the components in accordance
with the cable sequence in the system.

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● HW Config is open.
● The redundant backplane is inserted in HW Config.
● In HW Config, each rack has been fitted with an 4xx-xH PN/DP H CPU and the required
synchronization modules.
● The PROFINET IO systems are added to the H-CPU. This can be done using Insert on the
H‑CPU.

Configuring in HW Config
1. In the hardware catalog, open the PROFINET IO > I/O > folder of the IO device type:
– ET 200M
– ET 200SP
– ET 200SP HA
2. Select the version of the interface module (ET 200M: IM 153-4 ...; ET 200SP HA: IM 155-6-
PN/HA) you are using and move it onto the PROFINET IO system using drag-and-drop.

High Availability Process Control Systems (V9.0)

122 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.3 Communications connections

Result
The figure below shows the result of the configuration process in HW Config. The distributed
I/O is connected to the PROFINET IO system. The physical setup is configured below with the
Topology Editor.

Connecting the components with the Topology Editor

1. Select the PROFINET IO System of the first CPU of this automation system.
2. Select the Edit > PROFINET IO > Topology menu command.
The "Topology Editor" dialog box opens.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 123
Advantages of high availability components
5.3 Communications connections

3. Select the "Graphic View" tab.

Note:
You can move the displayed objects. You can select the section displayed via the thumbnail
view. Position the objects in accordance with the cable sequence in the system.
4. Using drag-and-drop, connect the I/Os of the CPU and the interface modules (green
squares) in accordance with the cable sequence in the system.
You can make additional system-specific settings on the "Table View" tab. For additional
information, refer to the online help of the dialog box.

Additional information
● Online help for STEP 7

High Availability Process Control Systems (V9.0)

124 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.3 Communications connections

5.3.6 How to configure a media-redundant fieldbus on the basis of PROFINET

Introduction
The following section describes how to create and connect a media-redundant ring on the
basis of PROFINET.
● Configure the components in HW Config.
● In the Topology Editor, configure the connections between the components in accordance
with the cable sequence in the system.
● Configure the media redundancy for the following modules:
– CPU
– IM

Requirements
● The PCS 7 project with a SIMATIC station is open in SIMATIC Manager.
● HW Config is open.
● A rack with a PROFINET-capable module (CPU or CP) has been inserted in HW Config.
● The PROFINET IO systems have been inserted at the PROFINET-capable modules (CPU
or CP). This can be done by inserting the PROFINET-capable module.

Configuring in HW Config
1.
2. In the hardware catalog, open the PROFINET IO > I/O > folder of the IO device type:
– ET 200M
– ET 200SP
– ET 200SP HA
3. Select the version of the interface module (ET 200M: IM 153-4 ...; ET 200SP HA: IM 155-6-
PN/HA) you are using and move it onto the PROFINET IO system using drag-and-drop.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 125
Advantages of high availability components
5.3 Communications connections

Result
The figure below shows the resulting configuration in HW Config for the X5 interface of the
CPU. The distributed I/O is connected to the PROFINET IO system. The physical setup is
configured below with the Topology Editor.

Connecting the components with the Topology Editor

1. Select the PROFINET IO system of the PROFINET-capable modules (CPU or CP) of this
automation system.
2. Select the Edit > PROFINET IO > Topology menu command.
The "Topology Editor" dialog box opens.

High Availability Process Control Systems (V9.0)

126 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.3 Communications connections

3. Select the "Graphic View" tab.

Note:
You can move the displayed objects. You can select the section displayed via the thumbnail
view. Position the objects in accordance with the cable sequence in the system.
4. Using drag-and-drop, connect the I/Os of the PROFINET-capable modules (CPU or CP)
and the interface modules (green squares) in accordance with the cable sequence in the
system. Connection path for an interface of the PROFINET-capable module:
From Port1 > via the interface modules of the distributed I/O > to Port 2
You can make additional system-specific settings on the "Table View" tab. For additional
information, refer to the online help of the dialog box.

Configuring domain management in HW Config

Note
Media redundancy
Only one MRP ring can be operated on a PROFINET interface.
If you are operating multiple MRP rings on a CPU with multiple PROFINET interfaces, you
must not connect the MRP rings to one another.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 127
Advantages of high availability components
5.3 Communications connections

If you are operating multiple MRP rings, the MRP manager must be configured. In most cases
the CPU is configured as MRP manager.
1. Select any one member on PROFINET IO.
2. In HW Config, select the menu Edit > PROFINET IO > Domain Management... .
3. Select the tab "MRP-Domain".
4. In the Area "MRP Domain" choose the MRP Domain (mark the used domain in the tab
"MRP Domain", if more then one are available).
5. On PROFINET IO select the member which should be configured as MRP-Manager.
– Click "Edit".
The dialog box "Edit Media Redundancy" opens.
– In the "Role" drop box select the entry "Manager".
Check the settings and click "OK".
6. Select the members on PROFINET IO whitch should be configured as MRP client. (You
can select more then one).
– Click "Edit".
The dialog box "Edit Media Redundancy" opens.
– In the "Role" drop box select the entry "Client".
Check the settings and click "OK".

Additional information
● Online help for STEP 7

5.3.7 How to configure the redundant PROFIBUS PA

Introduction
The following is a description of how to configure a redundant PROFIBUS PA that is connected
to a redundant PROFIBUS DP.

High Availability Process Control Systems (V9.0)

128 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.3 Communications connections

You can find configuration variants in the section "High availability PROFIBUS PA (Page 83)".

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● Two DP master systems are configured for the SIMATIC H station in HW Config and these
are used as connection paths for the redundant interface.
● For commissioning: The PROFIBUS addresses are set with the DIL switches on the
FDC 157-0 DP/PA couplers.
● You can install a maximum of 5 FDC 157-0 DP/PA couplers, one coupler pair of which is
used at the end of the configuration in redundant mode.

Hardware setting on the DP/PA coupler

Note
The redundancy mode set on the DP/PA coupler (DIL switch bit 7) must match the configured
redundancy mode:
● OFF: coupler redundancy (default setting)
● ON: ring redundancy (line redundancy)
If there is a discrepancy between the set redundancy mode and the configured redundancy
mode, a diagnostic message is generated.

Procedure
1. In the component view, select the SIMATIC H station and double-click the "Hardware"
object in the detail window.
HW Config opens.
2. If the hardware catalog is not visible, select the View > Catalog menu command.
The hardware catalog opens.
3. In the current PCS 7 profile, double-click "PROFIBUS DP" and then "DP/PA Link".
4. Select the FDC 157-0 DP/PA coupler and drag it onto one of the two PROFIBUS DP lines.
5. Select shortcut menu command Object Properties.
The "Properties - DP Slave" dialog box opens.
6. Click "PROFIBUS".
7. Enter the PROFIBUS address (PROFIBUS DP) in the "Properties - PROFIBUS Interface
FDC 157-0" dialog box and click "OK".
The "Properties - PROFIBUS" dialog box opens.
8. Open the "Network Settings" tab.
9. Select the "User-defined" item in the "Profile" list.
10.Click "Bus parameters...".
11.Ensure the value 3 is set for the "Retry Limit" parameter.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 129
Advantages of high availability components
5.3 Communications connections

12.Click "OK" in the dialog boxes that were opened for this procedure.
13.Repeat steps 1 to 13 for the second DP/PA coupler for coupler redundancy.

Result
The following figure shows the resulting configuration in HW Config:

Additional information
● Operating Instructions DP/PA coupler, Active Field Distributor, DP/PA Link and Y Link

5.3.8 How to configure the redundant FOUNDATION Fieldbus

Introduction
The following is a description of how to configure a redundant FOUNDATION Fieldbus that is
connected to a redundant PROFIBUS DP .
You can find the configuration variants in the documentation on the bus link used:
● Operating Instructions SIMATIC; Bus Link; FF Link
● Operating Instructions SIMATIC; Bus Link; Compact FF Link

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● Two DP master systems are configured for the SIMATIC H station in HW Config and these
are used as connection paths for the redundant interface.
● For commissioning: The FF addresses are set at the bus link:
– FF Link: DIP switch at coupler FDC 157-0
– Compact FF Link: DIP switch
● When using the FF Link, you can install a maximum of 2 FDC 157-0 couplers (coupler pair
in redundant mode).

High Availability Process Control Systems (V9.0)

130 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.3 Communications connections

Setting redundant mode at the bus link

The redundant mode set at the bus link has to match the configured redundant mode.
FF Link - Setting at coupler FDC 157-0 (DIP switch bit 7) or Compact FF Link - Setting at
Compact FF Link (DIP switch "RING" ):
● OFF: Coupler redundancy or non-redundant configuration
● ON: Ring redundancy

Note
Configuration
If there is a discrepancy between the set redundancy mode and the configured redundancy
mode, a diagnostic message is generated.

Bus link with FOUNDATION Fieldbus: Create FF subsystem

1. In the component view, select the SIMATIC station and double-click the "Hardware" object
in the detail window.
HW Config opens.
2. If the hardware catalog is not visible, select the View > Catalog menu command.
The hardware catalog opens.
3. Open the PROFIBUS DP > FF Link folder in the current PCS 7 profile.
4. Drag-and-drop the module to be used as a bus link on PROFIBUS DP onto the PROFIBUS
DP master system:
– IM 153-2 FF (for FF Link)
– IM 655-5 FF (for Compact FF Link)
5. Enter the node address for the PROFIBUS DP in the "Parameters" tab of the Properties
dialog.
A free address is suggested by the system.
Note
"Configuration via PDM" option
You configure the bus link and the FF devices using SIMATIC PDM in PCS 7. If the
"Configuration with PDM" option is selected, you can open SIMATIC PDM by double-
clicking the bus link.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 131
Advantages of high availability components
5.3 Communications connections

6. Optional steps for a redundant FOUNDATION Fieldbus:

These steps depend on the bus link that is used for the interconnection to the PROFIBUS DP:
1. Select the following modules depending on the bus link used:
● for FF Link: "IM 153-2 FF"
● for Compact FF Link: "IM 655-5 FF"
2. In the table, double click the slot of the first coupler depending on the bus link used.
● for FF Link: "FDC 157"
● for Compact FF Link: "Field Device Coupler"
The "Properties - Coupler" dialog box opens.
3. Select the "Parameters" tab.
4. Select the redundancy mode in the "Value" column:
● No redundant configuration (default)
● Coupler redundancy
● Ring redundancy

7. Click "OK".
The bus link is created with a FF subsystem.

Result
The following figure shows the resulting configuration in HW Config:

Additional information
● Operating Instructions SIMATIC; Bus Link; FF Link
● Operating Instructions SIMATIC; Bus Link; Compact FF Link

High Availability Process Control Systems (V9.0)

132 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.4 Distributed I/O

5.4 Distributed I/O

5.4.1 Overview of configuration steps

Introduction
The following sections describe configuring redundancy of the individual components of the
distributed I/O.

Overview
This section describes the configuration steps for the following topics:
● Configuring the redundant interface for the I/O device (Page 133)
● Configuring redundant input/output modules (Page 136)
● Configuring the input/output modules in IO Redundancy (Page 140)
● Configuring the Y Link (Page 145)
● Configuring a bus link for PROFIBUS PA (Page 147)
● Configuring a bus link for an FF segment (Page 148)
● Configuration of redundant signals (Page 151)

5.4.2 How to configure the redundant interface module for the I/O device

Introduction
Once you have integrated the interface module (IM 153-2 for ET 200M, IM 152-1 for ET 200iSP;
IM 155-6 for ET 200SP HA) as hardware in the distributed I/O device, the component is made
known to the system in SIMATIC Manager with HW Config or NetPro.

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● If you want to use ET 200SP HA, a redundant CPU 410-5H with firmware version ≳ 8.2 is
configured for the SIMATIC H station in HW Config.
● A redundant fieldbus system is configured for the SIMATIC H station in HW Config.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 133
Advantages of high availability components
5.4 Distributed I/O

Procedure
1. In the component view, select the SIMATIC H station and double-click the "Hardware"
object in the detail window.
HW Config opens.
2. If the hardware catalog is not visible, select the View > Catalog menu command.
The hardware catalog opens.
3. Double-click on the fieldbus system in the current PCS 7 profile. It depends of required
fieldbus system.
– PROFIBUS DP
– PROFINET IO
4. Double-click the I/O device you want to connect:
– ET 200M
– ET 200iSP
– ET 200SP HA
5. Select the interface module:
– For ET 200M: IM 153-2 in the hardware catalog.
– For ET 200iSP: IM 152-1 whose hardware catalog description is "..., can be used
redundantly in the H system".
– For ET 200SP HA: IM 155-6 in the hardware catalog. Depending the type of redundancy
you can select the I/O modules shown in the following figure:

6HOHFWLRQ
6

6HOHFWLRQ
6 5 5
,2GHYLFHWR 5HGXQGDQW
UHGXQGDQW ,2GHYLFHWRD
,2FRQWUROOHU UHGXQGDQW
,2FRQWUROOHU

6. Drag the interface module to one of the two fieldbus system lines.
The connection to the redundant line is established automatically.
– If you use PROFIBUS DP:
Enter the PROFIBUS address in the "Properties - PROFIBUS Interface IM..." dialog box
and click "OK".
– If you use PROFINET IO:
Enter the Ethernet address and Subnetmask in the "Properties - PROFINET IO Interface
IM..." dialog box and click "OK".

High Availability Process Control Systems (V9.0)

134 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.4 Distributed I/O

Result
The following figure shows an example configuration in HW Config:

Additional information
● Function manual Process Control System PCS 7; High-Precision Time Stamping
● Manual DP/PA Link and Y Link Bus Couplings

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 135
Advantages of high availability components
5.4 Distributed I/O

5.4.3 How to configure redundant input/output modules (PROFIBUS DP)

Introduction
You configure the redundant I/O modules using HW Config.

Note
Redundant operation is possible only with certain S7-300 I/O modules of the ET 200M. For
additional information, please refer to the following documents:
● Documentation PCS 7 - Released Modules
● Manual Automation System S7-400H; High Availability Systems

Note
Only input/output modules with the same article number and the same product version in
analog or digital version can be used.

Assigning redundant modules

Redundant modules can be assigned to each other for the ET 200M as follows:
● The modules are located in two different ET 200M stations on the same redundant
PROFIBUS DP (see sample configuration).
● The modules are located in two different ET 200M stations on different redundant
PROFIBUS DPs.
● The modules are located in the same ET 200M station.

High Availability Process Control Systems (V9.0)

136 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.4 Distributed I/O

Example configuration
The figure below shows the setup for redundant input modules in a switched distributed
configuration.

6+

5HGXQGDQWVZLWFKHG(70,2
FRQVLVWLQJRI[,0DQG[60

6LJQDOPRGXOH6LJQDO
,
352),%86'3

(QFRGHU

5HGXQGDQWVLJQDOPRGXOH6LJQDO
,

Method of operation in the example configuration

"Signal Module 1" is configured redundantly to "Redundant Signal Module 1". As a result,
Signals E1.1 and E10.1 are redundant to one another.
If a fault is detected in "Signal module 1", the user program continues to work with the address
I1.1, but the signal comes from the address I10.1. The user program does not detect an error
since the signal status is still correct. The event generates a diagnostic message that provides
information about the passivated signals.
As of PCS 7 V7.1, the passivation reaction of the redundant I/O modules are set for channel-
based reaction to channel faults. Additional information about passivation reaction is available
in the section "How to set the CPU for the reaction of the input/output modules to channel
faults (Page 113)".

Requirements
● The PCS 7 project involving an H CPU must have been created and opened in SIMATIC
Manager.
● A redundant DP master system is configured for the SIMATIC H station in HW Config.
● The interface modules for ET 200M (IM 153-2) on the redundant PROFIBUS DP are
configured in HW Config.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 137
Advantages of high availability components
5.4 Distributed I/O

Procedure
1. In the component view, select the SIMATIC H station and double-click the "Hardware"
object in the detail window.
HW Config opens.
2. If the hardware catalog is not visible, select the View > Catalog menu command.
The hardware catalog opens.
3. Select the IM 153-2 (ET 200M) in which you want to configure the redundant module.
The module overview is displayed in the lower window pane.
4. In the hardware catalog, select a signal module that supports redundancy.
Using drag-and-drop, move the signal module onto a free slot in the IM 153-2 (lower window
pane).
5. Repeat steps 3 and 4 for the second signal module.
The modules for which redundancy is to be configured are inserted.
6. Select the first IM 153-2 again.
7. Double-click the inserted signal module in the module overview.
The "Properties ..." dialog box for this module opens.
8. Open the "Addresses" tab.
9. Select the process image partition in the "Process image" drop-down list.
10.Select the "Redundancy" tab.
11.Select the entry "2 modules" in the "Redundancy" drop-down list.

High Availability Process Control Systems (V9.0)

138 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.4 Distributed I/O

12.Click "Find".
The "Find Redundant Module" dialog box opens.

13.In the "Subsystem" list, select the DP master system in which the redundant signal module
is configured.
All the available PROFIBUS addresses in this DP master system are displayed in the
"PROFIBUS address" box.
14.In the "PROFIBUS address" box, select the IM 153-2 in which the redundant signal module
is configured.
The redundancy-capable signal modules available in this IM 153-2 for which no redundancy
has yet been configured are displayed in the "Redundant module" list.
15.Select the signal module you want to use as a redundant signal module in the "Redundant
module" list.
16.Click "OK" to close the dialog box.
17.In the "Additional parameters" area, make any additional settings required for input modules.
18.Click "OK".

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 139
Advantages of high availability components
5.4 Distributed I/O

Additional information
● Online help for STEP 7
● Documentation Process Control System PCS 7; PCS 7 - Released Modules
● Manual Automation System S7-400H; High Availability Systems

5.4.4 How to configure redundant input/output modules (PROFINET IO)

Introduction
You configure the redundant I/O modules in Redundant I/O using HW Config.

Note
Redundant operation is possible only with certain I/O modules of the ET 200SP HA. For
additional information, please refer to the following documents:
● Documentation PCS 7 - Released Modules
● Manual Automation System S7-400H; High Availability Systems

Note
Only input/output modules with the same article number and the same product version in the
analog or digital version can be used.

Assigning redundant modules

Redundant modules can be assigned to each other for the ET 200SP HA as follows:
● The peripheral modules are located in the same ET 200SP HA station.
● The peripheral modules are located on the same terminal block (TB 45...D)

High Availability Process Control Systems (V9.0)

140 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.4 Distributed I/O

Example configuration
The figure below shows the setup for peripheral modules in IO Redundancy in a ET 200SP
HA configuration.

6+ PRGXOHVLQ5HGXQGDQW,2
&,5SRVVLEOH
,2PRGXOHV

7HUPLQDOEORFN7%
352),1(7

(763+$ Sensor

(763+$

Method of operation in the example configuration

"Signal Module 1" is configured redundantly to "Redundant Signal Module 1". As a result,
Signals I1.1 and I2.1 are redundant to one another.
If a fault is detected in "Signal module 1", the user program continues to work with the address
I1.1, but the signal comes from the address I2.1. The user program does not detect an error
since the signal status is still correct. The event generates a diagnostic message that provides
information about the passivated signals.
As of PCS 7 V9.0, the passivation reaction of the redundant I/O modules are set for channel-
based reaction to channel faults. Additional information about passivation reaction is available
in the section "How to set the CPU for the reaction of the input/output modules to channel
faults".

Requirements
● The PCS 7 project involving a CPU 410-5H must have been created and opened in
SIMATIC Manager.

Procedure
1. In the component view, select the SIMATIC H station and double-click the "Hardware"
object in the detail window.
HW Config opens.
2. If the hardware catalog is not visible, select the View > Catalog menu command.
The hardware catalog opens.
3. Select the IM 155-6 HA (ET 200SP HA) in which you want to configure the redundant
module.
The module overview is displayed in the lower window pane.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 141
Advantages of high availability components
5.4 Distributed I/O

4. In the hardware catalog, select a signal module that supports redundancy.

Using drag-and-drop, move the signal module onto a free slot in the IM 155-6 HA (lower
window pane).
5. Repeat steps 3 and 4 for the second signal module.
The modules for which redundancy is to be configured are inserted.
6. Select the first IM 155-6 HA again.
7. Double-click the inserted signal module in the module overview.
The "Properties ..." dialog box for this module opens.
8. Open the "Addresses" tab.
9. Select the process image partition in the "Process image" drop-down list.
10.Select in the "Redundancy" tab the entry "2 modules".
You see the 2nd module of the pair, if it is configured.

11.Click "OK" to close the dialog box.

12.In the "Additional parameters" area, make any additional settings required for input modules.
13.Click "OK".

Additional information
● Online help for STEP 7
● Documentation Process Control System PCS 7; PCS 7 - Released Modules
● Manual Automation System S7-400H; High AvailabilitySystems

5.4.5 How to configure the redundancy for HART field devices

HART field devices can be configured with redundant modules. HART field devices can only
be redundant, if they are configured separately, for example, by a 1 of 2 selection.

High Availability Process Control Systems (V9.0)

142 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.4 Distributed I/O

Procedure
1. Configure redundant modules for HART field devices in HW Config as described in section
"How to configure redundant input/output modules (PROFIBUS DP) (Page 136)".

In the example, the module on slot 6 is configured in each case:

– ET 200M station with PROFIBUS address 4: Module 6
– ET 200M station with PROFIBUS address 6: Module 6
In the following example,the module on slot 2 and 3 is configured for ET 200SP HA:

2. Place the "HART field device" in the detail view of the redundant module.
In the example, module 6 on ET 200M station with PROFIBUS address 4.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 143
Advantages of high availability components
5.4 Distributed I/O

3. Place the "HART field device" in the detail view of the redundant module.
In the example, module 6 on ET 200M station with PROFIBUS address 6.
4. Select the menu command Station > Save.
The settings are saved.
5. Double-click the added HART field device in one of the ET 200M stations.
SIMATIC PDM will open.
6. Make the necessary settings for the HART field device.

Retrospect implementation of the module redundancy for HART devices

There are no mechanisms set aside to implement a module redundancy for HART devices in
PCS 7.

Additional information
Operating Manual Process Control System PCS 7; SIMATIC PDM

High Availability Process Control Systems (V9.0)

144 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.4 Distributed I/O

5.4.6 How to configure the Y Link

Introduction
The Y Link consists of two IM 153-2 interface modules and a Y coupler. The Y Link creates a
gateway from a redundant DP master system to a non-redundant DP master system.
The following describes how to install and configure the Y Link.
You can find configuration examples in the section "Gateway between redundant and non-
redundant PROFIBUS DP (Page 80)".

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● A redundant DP master system is configured for the SIMATIC H station in HW Config.

Procedure
1. In the component view, select the SIMATIC H station and double-click the "Hardware"
object in the detail window.
HW Config opens.
2. If the hardware catalog is not visible, select the View > Catalog menu command.
The hardware catalog opens.
3. In the current PCS 7 profile, double-click "PROFIBUS DP" and then "DP/PA Link".
4. Select the IM 153-2 interface module whose hardware catalog description is "Y Link".
5. Drag the IM 153-2 interface module to one of the two PROFIBUS DP lines.
6. Enter the PROFIBUS address in the "Properties - PROFIBUS Interface IM 153-2" dialog
box and click "OK".
7. Click on "Interface module for PROFIBUS DP" in the "Define Master System" dialog box
and click "OK".

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 145
Advantages of high availability components
5.4 Distributed I/O

Result
The following figure shows an example configuration in HW Config:

Additional information
● Manual DP/ PA Link and Y Link Bus Couplings

High Availability Process Control Systems (V9.0)

146 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.4 Distributed I/O

5.4.7 Configuring a bus link for PROFIBUS PA

Bus links are gateways between bus systems and enable the communication connection of
the bus systems.
The DP/PA Link is a bus link for communications between PROFIBUS DP and PROFIBUS
PA.

Functionality
When connecting a redundant PROFIBUS DP, the DP/PA Link consists of two IM 153-2
interface modules and one or more DP/PA couplers. The DP/PA coupler is used to build a
gateway between a redundant PROFIBUS DP subnet and a non-redundant PROFIBUS PA
subnet. When configuring in HW Config in SIMATIC Manager, you can only select the IM 153-2
interface modules and not the DP/PA coupler.
The DP/PA coupler is transparent in regard to addressing and communication. It does not have
its own bus address or diagnostic address; it simply forwards message frames. The field
devices connected to the PROFIBUS PA are addressed directly from the automation device.
The DP/PA coupler can be reconfigured in runtime but it cannot be replaced.

Note
You can find a list of PA slaves that can be connected in the manual SIMATIC Bus Couplers;
DP/PA Link and Y Link. Note that PCS 7 driver blocks are not available for all of the devices
listed. Contact the PCS 7 Support Center to check if such a driver block is available for the
device you have selected.

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● A redundant DP master system is configured for the SIMATIC H station in HW Config.

Example configuration
The following figure shows how the DP/PA Link is used.

6+

'33$OLQN
352),%86'3

[,0[)'&

352),%863$

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 147
Advantages of high availability components
5.4 Distributed I/O

Procedure
Configure the DP/PA Link as described in the section "How to configure the Y Link
(Page 145)".
The DP/PA Coupler does not appear in the hardware catalog for the configuration of the bus
system.
When configuring in HW Config, you only need to set the transmission speed for the selected
PROFIBUS DP network in the "Network Settings" tab of the "Properties PROFIBUS dialog box.

Result
The following figure shows an example configuration in HW Config:

Additional information
● Manual SIMATIC DP/PA Link and Y Link Bus Couplings

5.4.8 Configuring a bus link for FF and compact FF segment

Bus links are gateways between bus systems and enable the communication connection of
the bus systems.
The following bus links make the communication between PROFIBUS DP and FOUNDATION
Fieldbus H1 (hereafter referred to simply as FF) possible.
● Bus link "FF Link"
The redundantly configured bus link consists of 2 IM 153-2 FF interface modules and one
or more FDC 157-0 couplers.
The FF Link can be configured with an IM 153-2 FF interface module and 2 FDC 157-0
couplers. With this configuration, the FDC 157-0 coupler can be replaced in operation.
● Bus link "Compact FF Link"
The redundantly installed bus link consists of two Compact FF Linkmodules.

High Availability Process Control Systems (V9.0)

148 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.4 Distributed I/O

Functionality
The field devices connected to the FF segment are addressed directly from the PLC.
In PCS 7 there are the following possibilities for the installation of a bus link when connecting
to a redundant PROFIBUS DP:
● FF Link
The coupler FDC 157-0 is not displayed for addressing and communication. It does not
have its own bus address and simply forwards message frames.
● Compact FF Link
A coupler for the FF segment is integrated in the Compact FF Link (Field Device Koppler).
The redundant bus link can be re-configured and replaced during operation.

Note
Please note that PCS 7 driver blocks are not available for all of the devices listed. Contact the
PCS 7 Support Center to determine if a driver block is available for the device you have
selected.

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● A redundant DP master system is configured for the SIMATIC H station in HW Config.
● SIMATIC PDM V8.0 SP1 or higher

Example configuration
The following figure shows how the FF Link is used:

6+

[,0))

)'&
)281'$7,21)LHOGEXV
352),%86'3

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 149
Advantages of high availability components
5.4 Distributed I/O

Procedure
During configuration in HW Config, you can only select the FF Link interface module in
SIMATIC Manager:
● IM 153-2 FF (for FF Link)
● IM 655-5 FF (for Compact FF Link)
Configure the FF Link and Compact FF link bus link in the same way as the DP/PA link. You
can find information on this in the section "Configuring a bus link for PROFIBUS PA
(Page 147)".
More detailed information on configuring the message is available in the documentation
Compact FF Link Process Control System PCS 7, FOUNDATION Fieldbus
When configuring in HW Config, you only need to set the transmission rate for the affected
PROFIBUS DP network in the "Network Settings" tab of the "FOUNDATION Fieldbus
Properties" dialog box.

Note
The Field Device Koppler is a virtual bus link object in HW Config.

Result
The figure below shows the configuration of a FF Link in HW Config with the "PCS7_V81"
library as an example:

Additional information
● Operating Instructions SIMATIC; Bus Link; FF Link
● Operating Instructions SIMATIC; Bus Link; Compact FF Link
● Commissioning manual SIMATIC; PCS 7 - FOUNDATION Fieldbus
● Operating manual SIMATIC; SIMATIC PDM

High Availability Process Control Systems (V9.0)

150 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.4 Distributed I/O

5.4.9 Configuration of redundant signals

You configure only one signal in CDC for redundantly acquired signals.

Basic procedure
1. Place one channel block in the CFC for each redundantly acquired signal.
2. For redundantly detected signals (e.g. input 1.1 and input 10.1), interconnect only the
symbol with the least significant address (e.g. input 1.1).
3. Compile the user program when the configuration is completed.
The required driver blocks are automatically inserted, interconnected and configured during
compilation of the user program.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 151
Advantages of high availability components
5.5 Operator stations

5.5 Operator stations

5.5.1 Overview of configuration steps

Introduction
The following sections describe how to configure redundancy for operator stations.

Overview of configuration steps

You configure the redundancy functionality of the operator stations by performing the following
steps:

Step What?
1 Configuring the PC stations for a redundant OS server pair (Page 152)
2 Setting the project path for the target OS and standby OS (Page 155)
3 Creating a redundant connection between an OS and AS (Page 156)
4 Configuring redundancy for OS servers on the engineering station (Page 159)
5 Setting the redundancy connection for OS servers (Page 161)
6 Assigning S7 programs to the OS (Page 162)
7 Configuring an OS client (Page 163)
8 Configuring an OS client for permanent operability (Page 165)
9 Downloading the SIMATIC PCS 7 project to the target systems (Page 168)

5.5.2 How to configure an OS server and its redundant OS partner server

Introduction
The following describes the individual steps involved in installing the OS server and its
redundant OS partner server.
The example below shows the redundant connection of the two OS servers of the server pair
to the plant bus (using two CP 1623 or CP 1613 communication processors, for example, per
server).

Requirements
● The PCS 7 project with a SIMATIC H station is open in SIMATIC Manager.
● The PCs have two communication processors each for connection to the plant bus.
● Each PC has a standard network adapter for connection to the terminal bus.

High Availability Process Control Systems (V9.0)

152 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.5 Operator stations

Procedure

Note
Steps 1 to 11 of this procedure have already been performed if an OS server was created in
the project.

1. In the component view of SIMATIC Manager, select the project where you want to add the
operator station.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
3. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, OS server).
4. Enter the Windows name of the computer to be used as the OS server in the "Computer
name" box.
5. In the component view, select the SIMATIC PC station and double-click the "Configuration"
object in the detailed view.
The hardware configuration of the SIMATIC PC station opens.
6. If the hardware catalog is not visible, select the View > Catalog menu command.
The hardware catalog opens.
7. In the hardware catalog under "SIMATIC PC Station > HMI...", select the "WinCC
application" and insert it in the configuration table by means of drag-and-drop.
8. Select the communication processor (CP 1623 or CP 1613) from the "SIMATIC PC Station
> CP Industrial Ethernet" folder of the hardware catalog and drag it to the PC station.
The "Properties - Ethernet Interface" dialog box opens.
9. Set the required address on the bus for the CP.
Select the "Set MAC address/Use ISO protocol" check box and click "OK".
10.Repeat steps 8 and 9 for the second communication processor.
11.Select the menu command File > Save, exit HW Config and change to SIMATIC Manager.
12.In the component view of SIMATIC Manager, select the project where you want to insert
the redundant operator station.
13.Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
14.Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, OS partner server).
15.Enter the Windows name of the computer to be used as the OS partner server in the
"Computer name" box.
16.In the component view, select the SIMATIC PC station and double-click the "Configuration"
object in the detail window.
The hardware configuration of the SIMATIC PC station opens.
17.If the hardware catalog is not visible, select the View > Catalog menu command.
The hardware catalog opens.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 153
Advantages of high availability components
5.5 Operator stations

18.In the hardware catalog under "SIMATIC PC Station > HMI...", select the "WinCC
application (stby)" and insert it in the configuration table by means of drag-and-drop.
19.In the hardware catalog under SIMATIC PC Station > CP Industrial Ethernet, select the
communication processor and drag it to the PC station.
The "Properties - Ethernet Interface" dialog box opens.
20.Set the required address on the bus for the CP.
Select the "Set MAC address/Use ISO protocol" check box and click "OK".
21.Repeat steps 19 and 20 for the second communication processor.
22.Select the menu command File > Save and exit HW Config.

Result
Your project should now correspond to the project shown in the following figure. You can
change the names of the components as you wish.

Additional information
● Configuration manual Process Control System PCS 7; Engineering System; section "How
to Expand a Project with Pre-Configured Stations Using the PCS 7 Wizards"
● Online help for STEP 7
● You can find information about NDIS settings of a Maintenance Station in the manual
Process Control System PCS 7; PCS 7 - PC Configuration and Authorization

High Availability Process Control Systems (V9.0)

154 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.5 Operator stations

5.5.3 How to set the project path of the target OS and standby OS

Introduction

Note
The procedure described in this section applies to the following servers:
● OS server
● Maintenance server
The description for the OS server is used here.

The OS servers of an OS server pair must be made known to each other. You do this by making
the following settings for the SIMATIC PC stations:
● For both OS servers: "Target OS Computer"
● On the "master OS": OS name of the redundant OS server "Standby OS"
The destination OS computer is the Windows name of the PC in the Windows network to which
the server data (configuration data) for an OS server of an OS server pair was downloaded.
Master OS and standby OS mean the OS servers that make up an OS server pair.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● Two SIMATIC PC stations have been configured in HW Config as an OS server and OS
partner server.

Procedure
1. In the component view, select the OS that you want to specify as the master OS.
2. Select the menu command Edit > Object Properties.
The "Properties - [name of the OS]" dialog box opens.
3. Select the "Target OS and Standby OS" tab.
4. Click the "Browse" button next to the "Path to destination OS computer" box and enter the
path to the MCP file of the destination OS.
The destination OS computer is the computer where the project is to run.
The mcp file is generated automatically when you create the OS.
Note
Enter the network path for the destination OS using UNC (Universal Naming Convention)
notation: \\Server name\Share name\Directory name

5. Select the OS that you want to use as the standby OS from the "Standby OS" list.
All of the standby operator stations that you have created in SIMATIC Manager are
displayed in this drop-down box.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 155
Advantages of high availability components
5.5 Operator stations

6. Click "OK".
You have completed all settings for the master OS.
7. In the component view, select the OS that you want to use as the standby OS.
8. Select the menu command Edit > Object Properties.
The "Properties - [name of the OS]" dialog box opens.
9. Select the "Target OS and Master OS" tab.
10.Click the "Browse" button next to the "Path to destination OS computer" box and enter the
path to the MCP file of the destination OS.
The destination OS computer is the computer where the project is to run.
The mcp file is generated automatically when you create the OS.
11.Click "OK".
You have completed all settings for the standby OS.

Additional information
● Online help for STEP 7

5.5.4 How to set the redundancy connection for between an OS and AS

Introduction
To complete the configuration of the OS server and its redundant OS partner server, you need
to create the high availability network connections to the AS in NetPro.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● The AS is connected to the plant bus in NetPro.
● The plant bus has been configured.
● Two SIMATIC PC stations with network adapters have been configured in HW Config as
an OS server and OS partner server.

Procedure
1. Open NetPro in SIMATIC Manager with the menu command Options > Configure
Network.
2. Select the interface symbol in the first network adapter (e.g. CP 1613) in the picture of the
OS server and use the mouse to draw a connection to the plant bus.
The network adapter is now connected to the plant bus.
3. If two network adapters are configured for the plant bus in the OS server, connect the
second network adapter of the OS server to the (redundant) plant bus in the same way.
4. Connect the network adapters of the OS partner server to the plant bus in the same way.

High Availability Process Control Systems (V9.0)

156 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.5 Operator stations

5. Select the WinCC application of the OS server for which you want to configure a high
availability network connection.
The connection table is displayed in the lower window pane.
6. Select the first empty row in the connection table and select the menu command Insert >
New Connection.
The "New Connection" dialog box opens.
7. Select the desired connection partner in the tree.
8. Select the connection type "S7 connection fault-tolerant" in the "Connection" box.
9. Activate the "Show properties before inserting" check box.
This allows you to make settings or changes to the connection.
10.If redundant CPs for the plant bus are configured in the SIMATIC H stations, activate the
check box "Enable max. CP redundancy (with 4 connection paths)" in the "Redundancy"
group.
11.Click "OK" to save your entries.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 157
Advantages of high availability components
5.5 Operator stations

Result
The following figure shows the redundant network connection of the two OS servers to the
SIMATIC H station in NetPro:

Additional information
● Section "Network components (Page 56)"
● Section "How to configure a high availability plant bus (Page 117)"
● Online help for STEP 7

High Availability Process Control Systems (V9.0)

158 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.5 Operator stations

5.5.5 How to configure redundancy for OS servers on the engineering station

Introduction
Carry out the following configuration tasks on the Engineering Station. The description for the
OS server is used here.

Validity
The procedure described in this section applies to the following servers:
● OS server
● Maintenance server

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● You configured two SIMATIC PC stations in HW Config for operation as master and standby
OS servers.

Configuring WinCC Explorer "Redundancy"

Note
Settings in steps 5 and 6: The settings are adopted automatically from the configuration in
SIMATIC Manager. It may be necessary to adapt settings if projects have been copied or if
you configure in a different order from the one recommended for PCS 7.

1. In the component view of SIMATIC Manager, select the OS in the OS server and select
the menu command Edit > Open Object.
The WinCC Explorer opens.
2. Select the menu command Editor > Redundancy > Open in WinCC Explorer.
The "Redundancy" application opens.
3. Select the "Activate redundancy" check box.
4. In the "General" tab, select the "Default Master" check box if you want to set the OS server
as the default master.
Note
Make sure that only one of the two OS servers is the "default master" and that this option
is not selected for both of the OS servers in the "Redundancy" dialog box. Problems may
otherwise occur during redundancy switchover of OS clients.

5. In the "Redundant Partner Server" field, enter the computer name of the redundant OS
server. You can also use the “Browse” button to select an appropriate server from the
network.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 159
Advantages of high availability components
5.5 Operator stations

6. Select the following check boxes as required:

– Synchronization of Tag Logging after the partner server comes back online
– Synchronization of Alarm Logging after the partner server comes back online
– Online synchronization for Alarm Logging
– Synchronization after process connection error
– WinCC client switchover if the process connection is disrupted
7. Click "OK".

Result
The "General" tab in the "Redundancy" dialog can be configured as follows:

High Availability Process Control Systems (V9.0)

160 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.5 Operator stations

Additional information
● Online help for WinCC

5.5.6 How to set the redundancy connection for OS servers

Introduction
You will now select the connection path for the redundancy connection between 2 OS servers.
You can make the following settings directly on each of the mutually redundant OS servers.
The description for OS servers is used here.

Changing the connection path

Note
When the redundancy connection is established via a serial interface, you need to reboot the
PC station after changing the connection path.

Validity
The procedure described in this section applies to the following servers:
● OS server
● Maintenance server

Requirements
● The OS server and OS partner server are connected by a redundancy cable.
You can use the following as the redundancy cable:
– Network cable to additional network adapter (free onboard network adapter possible as
of PCS 7 V8.0, e.g. from Bundle PC SIMATIC IPC 647C)
– Null modem cable on the COM port
● OS server and OS partner server are installed as redundant OS servers.
● The "WinCC Redundancy" license key is available on the OS server and OS partner server.

Procedure
1. Select the PC station (workplace) in the tree view of Windows Explorer.
2. Select the "Simatic Shell" folder.
If you are using the Windows 10 operating system, you can find the Siemens SIMATIC
programs in the "Start" menu under All apps > Siemens Automation.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 161
Advantages of high availability components
5.5 Operator stations

3. Select the shortcut menu command Redundancy Settings....

The "Redundancy Settings" dialog box opens.
4. Select the connection path through which the OS server pair is connected in the drop-down
list.
– For connection via RJ45 cable:
In the "Network adapter" drop-down list, select the network adapter to which you want
to attach the network cable for the redundant connection between the two PC stations
of a server pair.
– For a serial connection:
In the "Serial port" dropdown list, select the port to which you want to attach the null-
modem cable for the redundant connection between the two PC stations of a server
pair: "COM1" or "COM2"
Note
One connection path is permitted between the two PC stations in a redundantly
configured server.

5. Click "OK".

5.5.7 How to determine the S7 programs you want to assign to a given OS

Introduction
The AS-OS assignment of a hierarchy folder in the plant view of SIMATIC Manager results in
the following in the component view:
● All CFCs and SFCs inserted in the plant view are stored in the chart folder of the assigned
AS.
● All pictures and reports inserted in the plant view are stored in the folder of the assigned
OS.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● The plant view is activated.

Procedure
1. Select the hierarchy folder for which you want to make the AS-OS assignment in the plant
view.
2. Select the menu command Edit > Object Properties and change to the "AS-OS Assignment"
tab.
3. From the "Assigned AS" list, select the S7 program that you want to assign to the selected
hierarchy folder.

High Availability Process Control Systems (V9.0)

162 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.5 Operator stations

4. If the lower-level objects have another assignment but you prefer all lower-level objects to
have the same assignment, select the "Pass on selected assignment to lower-level objects"
check box.
Note
The "Pass on selected assignment to all lower-level objects" check box is active if the lower-
level objects have another assignment or no assignment.

5. From the "Assigned OS" list, select the operator station you want to assign to the selected
hierarchy folder.
6. If the lower-level objects have another assignment but you prefer all lower-level objects to
have the same assignment, select the "Pass on selected assignment to lower-level objects"
check box.
Note
If you select "Area oriented" as the compilation mode, the OS assignment can only be
changed for PH folders of the OS area level.

7. Click "OK".

Result
The AS/OS assignment is selected, and the lower-level objects are passed on or not passed
on according to your setting.

Note
If you have divided up the projects so that there is only one OS or one AS in a project, you
cannot make an AS-OS assignment.

Additional information
● Online help for the "AS-OS Assignment" tab
● Online help for PH, IEA, and PO

5.5.8 How to configure an OS client

Introduction
The following section describes how to configure two OS clients, for example, that can be
interconnected with a redundant pair of OS servers.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 163
Advantages of high availability components
5.5 Operator stations

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● Each PC has a standard network adapter for connection to the terminal bus.

Procedure
1. In the component view of SIMATIC Manager, select the project in which you want to
configure the OS clients.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
3. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name.
4. In the component view, select the SIMATIC PC station and double-click the "Configuration"
object in the detail window.
The hardware configuration of the SIMATIC PC station opens.
5. If the hardware catalog is not visible, select the View > Catalog menu command.
The hardware catalog opens.
6. In the hardware catalog under "SIMATIC PC Station > HMI...", select the "WinCC
application client" and insert it in the configuration table by means of drag-and-drop.
7. Select the menu command Station > Save.
8. Close the hardware catalog.
9. Repeat steps 2 to 8 for the second OS client.

High Availability Process Control Systems (V9.0)

164 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.5 Operator stations

Result
Your project should now correspond to the project shown in the following figure. You can
change the names of the components as you wish.

Using reference clients

You can set up additional monitoring stations using reference clients. They use configured OS
clients as a basis.
Refer to the configuration manual Process Control System PCS 7; Operator Station for more
information.

5.5.9 How to configure an OS client for permanent operability

Introduction
A minimum of two OS clients are required for permanent operability. A preferred server is
specified separately for each client, thus distributing the OS clients to the redundant OS
servers. This ensures that the process is continuously available even during a switchover from
a faulty OS server to the redundant OS partner server.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 165
Advantages of high availability components
5.5 Operator stations

Requirements
● The redundant OS server pair has been configured in SIMATIC Manager.
● WinCC redundancy is configured for the OS server (master).
● The OS server (master) has been compiled such that the server data have been generated.
● Two OS clients have been configured in SIMATIC Manager.
● The server data of the OS server (master) has been assigned to the client project.

Procedure
1. Open the WinCC project of the first OS client in the component view in SIMATIC Manager.
2. Open the "Server Data" editor in WinCC Explorer.
3. Select the "Configure" command in the shortcut menu.
The "Configure Server Data" dialog box opens.
4. Click the "No preferred server" cell in the "Preferred server" column.
A drop-down list then appears. The preferred servers available for selection depend on the
redundancy configuration of the OS servers and are transferred to the OS client with the
server data.
5. Select the preferred OS server for the OS client from the drop-down list box.
6. Close the dialog box.
7. Repeat steps 1 to 6 for the second OS client. Note that you must set the redundant OS
partner server as the preferred server for the second OS client.
8. Select the first OS client and select the menu command Edit > Object Properties.
The "Properties [name of OS]" dialog box opens.
9. Select the "Target OS" tab.
10.Click the "Browse" button next to the "Path to target OS computer" box and enter the path
to the MCP file of the OS client.
The MCP file is generated automatically when you create the OS.
11.Repeat steps 8 to 10 for the second OS client.

High Availability Process Control Systems (V9.0)

166 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.5 Operator stations

Result
The "Configure server data" dialog boxes on both OS clients appear as follows:
● Dialog box on OS client 1:

● Dialog box on OS Client 2:

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 167
Advantages of high availability components
5.5 Operator stations

Using reference clients

You can set up additional monitoring stations using reference clients. They use configured OS
clients as a basis.

Additional information
● Online help for WinCC
● Configuration manual Process Control System PCS 7; Operator Station

5.5.10 How to download a SIMATIC PCS 7 project to the target system

Introduction
You can download a PCS 7 project that you created in SIMATIC Manager along with the
components of the project (AS, OS, BATCH server/client) to the various target systems in a
single step with the menu command PLC > Compile/Download Programs.
You can also download the various components individually to the PLCs using the menu
command PLC > Download.

Requirements
● All of the required SIMATIC PC stations have been configured in SIMATIC Manager.
● The master OS/standby OS assignment has been made.
● The destination paths from the ES to the individual target systems have been configured.
● The AS and all of its components (synchronization modules, CPs, etc.) have been
configured.
● All network connections have been configured, saved and compiled in NetPro.
● The destination computer is already equipped with an operating system, a network
connection and WinCC.
● The PCS 7 project is open in SIMATIC Manager.

Procedure
1. Select the project in the component view of SIMATIC Manager.
2. Select the menu command PLC > Compile and Download Objects.
The "Compile and Download Objects" dialog box opens.
3. Check whether all components in the project have been configured for complete
compilation/downloading.
4. Click "Start".
The compile/download operation starts.

High Availability Process Control Systems (V9.0)

168 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.5 Operator stations

Sequence when loading redundant OS servers with "Changes-only download" function

The "Changes-only download" function of a redundant OS server is only available if both
partner stations are in process mode (runtime).
For safety reasons, downloading is not performed to a redundant OS server pair at the same
time:
● The OS server with the configured application "WinCC Appl. (stby)" is downloaded first.
● Once the downloading of the OS server with the configured application "WinCC Appl. (stby)"
has been successfully completed, the partner station with the configured application
"WinCC Appl." will be downloaded.

Additional information
● Configuration manual Process Control System PCS 7; Operator Station
● Online help for STEP 7

5.5.11 Evaluating the redundancy tag "@RM_MASTER" with scripts

Recommendation
If you decide to evaluate the "@RM_MASTER" tag with scripts, you should program an
operator button that can deactivate this part of the scripts. This way, you do not have to change
and reload scripts each time the software is updated.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 169
Advantages of high availability components
5.6 SIMATIC BATCH stations

5.6 SIMATIC BATCH stations

5.6.1 Overview of configuration steps

Introduction
The following sections describe how to configure redundancy for SIMATIC BATCH stations.

Overview of configuration steps

You configure the redundancy functionality of the BATCH stations by performing the following
steps:

Step What?
1 Configuring the PC Stations for a redundant BATCH server pair (Page 170)
2 Configuring the PC station for a BATCH client (Page 172)
3 Setting the network adaptor for redundancy monitoring of BATCH servers (Page 174)
4 Setting redundancy of the BATCH servers (Page 175)
5 Downloading the target systems for SIMATIC BATCH (Page 176)

5.6.2 How to configure a BATCH server and its redundant BATCH partner server

Introduction
The following describes how to configure a redundant BATCH server.
In the following example, the BATCH server is connected to the high availability terminal bus.

Requirements
● The SIMATIC BATCH software package (BATCH Engineering) has been installed in
addition to the PCS 7 software.
● The PCS 7 project is open in SIMATIC Manager.

Procedure
1. In the component view of SIMATIC Manager, select the project into which you want to insert
the BATCH server.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
3. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, BATCH server).

High Availability Process Control Systems (V9.0)

170 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.6 SIMATIC BATCH stations

4. Enter the Windows name of the computer to be used as the BATCH server in the "Computer
name" box.
5. In the component view, select the SIMATIC PC station and double-click the "Configuration"
object in the detailed view.
The hardware configuration of the SIMATIC PC station opens.
6. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
7. In the hardware catalog under "SIMATIC PC Station > BATCH...", select the "BATCH
application" and insert it in the configuration table by means of drag-and-drop.
8. Select the menu command File > Save, exit HW Config and change to SIMATIC Manager.
9. In the component view of SIMATIC Manager, select the project into which you want to insert
the redundant BATCH server.
10.Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
11.Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, BATCH partner server).
12.Enter the Windows name of the computer to be used as the BATCH partner server in the
"Computer name" box.
13.In the component view, select the SIMATIC PC station and double-click the "Configuration"
object in the detail window.
The hardware configuration of the SIMATIC PC station opens.
14.If the hardware catalog is not visible, select the View > Catalog menu command.
The hardware catalog opens.
15.In the hardware catalog under "SIMATIC PC Station > BATCH...", select the "BATCH
application (stby)" and insert it in the configuration table by means of drag-and-drop.
16.Select the menu command File > Save and exit HW Config.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 171
Advantages of high availability components
5.6 SIMATIC BATCH stations

Result
The following figure shows an example configuration of a SIMATIC PC station with BATCH
application (stby):

Additional information
● Configuration manual Process Control System PCS 7; Engineering System; section "How
to Expand a Project with Pre-Configured Stations Using the PCS 7 Wizards"
● Manual Process Control System PCS 7; SIMATIC BATCH

5.6.3 How to configure a BATCH client

Introduction
A BATCH client and a OS client are often run together on one SIMATIC PC station. You
configure both client applications in HW Config in a SIMATIC PC station.

Requirements
● The SIMATIC BATCH software package (BATCH Engineering) has been installed in
addition to the PCS 7 software.
● The PCS 7 project is open in SIMATIC Manager.

High Availability Process Control Systems (V9.0)

172 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.6 SIMATIC BATCH stations

Procedure
1. In the component view of SIMATIC Manager, select the project into which you want to insert
the BATCH client.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
3. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name.
4. Enter the name of the computer to be used as the BATCH client in the "Computer name"
box.
5. In the component view, select the SIMATIC PC station and double-click the "Configuration"
object in the detailed view.
The hardware configuration of the SIMATIC PC station opens.
6. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
7. Under "SIMATIC PC Station > BATCH..." in the hardware catalog, select the "BATCH
application client" and insert it in the configuration table by means of drag-and-drop.
8. Save your current settings and close HW Config.

Result
The following figure shows the SIMATIC PC station with BATCH application client configured
in HW Config:

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 173
Advantages of high availability components
5.6 SIMATIC BATCH stations

Additional information
● Manual Process Control System PCS 7; SIMATIC BATCH

5.6.4 How to set the redundancy monitoring of BATCH servers

Introduction
A local Ethernet network needs to be built in PCS 7 for redundancy monitoring of redundant
BATCH servers.

Requirements
● A network adapter for the local Ethernet network is available for redundancy monitoring on
each BATCH server of a server pair (referred to below as the 3rd network adapter).
● All software components have been installed on the BATCH servers.

Procedure
1. Open the dialog window "Network connections" via the Control Panel.
2. Select the menu command Advanced > Advanced Settings.
3. The terminal bus must be at the top of the list for the connections. Set the 3rd network
adapter in the list under the terminal bus.
4. Deactivate the options "Client for Microsoft Networks" and "File and Printer Sharing ..." in
the "Network Adapters and Bindings" tab for the 3rd network adapter.
5. Click "OK".
6. In the "LAN or High-speed Internet" list of the "Network Connections" dialog box, select the
3rd network adapter and then select the menu command File > Properties.
7. Check the "Internet Protocol (TCP/IP)" box and deactivate all other elements.
8. Select "Internet Protocol (TCP/IP)".
9. Click "Properties".
The "Properties of Internet Protocol (TCP/IP)" dialog box opens.
10.Set the "local" IP address in the "General" tab.
Note
Enter different IP addresses for the master server and standby server from a private subnet
range (e.g., subnet 192.168.0.0) that cannot be routed to the WAN.

11.Click "OK".

High Availability Process Control Systems (V9.0)

174 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.6 SIMATIC BATCH stations

5.6.5 How to configure the redundancy connection for BATCH servers on the
engineering station

Introduction
Additional tasks must be performed in the engineering and for setting up the PC stations for
redundant BATCH servers:
● On the engineering station:
Check the default engineering settings in effect
● On each BATCH server:
Set the network adapter for redundancy monitoring

Time needed for ending process mode of a BATCH server

The time needed for ending process mode of a BATCH server depends on the size of the
SIMATIC BATCH configuration. The redundancy partner reports a fault on the BATCH server
after the configured time. This time is set for redundant BATCH servers so that it is slightly
longer than the time the BATCH server needs to normally end process mode in this plant.

Requirements
● The SIMATIC BATCH software package (BATCH Engineering) has been installed in
addition to the PCS 7 software.
● The PCS 7 project is open in SIMATIC Manager.
● The configuration of the server pair for BATCH server in HW Config is completed.
● A network adapter is set up for redundancy monitoring via an Ethernet connection on each
BATCH server.

Checking the configuration settings

1. Select the project in the component view of SIMATIC Manager.
2. Select the menu command Options > SIMATIC BATCH.
The "Plant Data" dialog box opens.
3. Select the project in the tree view.
4. Open the "Distribution" tab. Click "Update". Check the displayed settings.
5. Open the "OS Objects" tab. Click "Update". Check the selected message OS.
6. Open the "System Response" tab. Click "Update".
7. Check the displayed settings in the "Startup response" group.
You can find additional information about this in the manual Process Control System PCS
7; SIMATIC BATCH.
8. In the "Times" group, enter the required time in the "End" input box.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 175
Advantages of high availability components
5.6 SIMATIC BATCH stations

Additional information
● Manual Process Control System PCS 7; SIMATIC BATCH

5.6.6 How to set the redundancy connection for BATCH servers

Introduction
You will now select the connection path for the redundancy connection between 2 BATCH
servers.
You can make the following settings directly on each of the mutually redundant BATCH servers.

Note
Shared server for OS and SIMATIC BATCH
The configuration for redundancy connection has to be performed only once.

Requirements
● BATCH server and BATCH partner server are connected to an additional network adapter
via a redundancy cable.
● BATCH server and BATCH partner server are installed as redundant BATCH servers.

Procedure
1. Select the PC station (workplace) in the tree view of Windows Explorer.
2. Select the "Simatic Shell" folder.
If you are using the Windows 10 operating system, you can find the Siemens SIMATIC
programs in the "Start" menu under All apps > Siemens Automation.
3. Select the shortcut menu command Redundancy Settings....
The "Redundancy Settings" dialog box opens.
4. In the drop-down list under the "Network Adapter" group, select the network adapter through
which the redundancy communication to the partner server should be established.
5. Perform steps 1 to 4 for each partner server.

5.6.7 How to download the target systems for SIMATIC BATCH

Introduction
You can download a PCS 7 project that you created in SIMATIC Manager along with the
components of the project (AS, OS, BATCH server/client) to the various target systems in a
single step with the menu command PLC > Compile/Download Programs.

High Availability Process Control Systems (V9.0)

176 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.6 SIMATIC BATCH stations

Requirements
● The PCS 7 project is open in SIMATIC Manager in the component view.
● The SIMATIC BATCH configuration is completed.
● The batch plant is compiled.

Download via SIMATIC BATCH

1. Select the menu command Options > SIMATIC BATCH.
The "Plant Data" dialog box opens.
2. Select the plant object in the tree view.
3. Click "Download".
All PC stations for BATCH servers (single, redundant), DB servers and BATCH clients are
displayed with information about their download status in the "Downloading <plant>" dialog
box.
4. Click "Start".
The plant object is downloaded.

Additional information
● Manual Process Control System PCS 7; SIMATIC BATCH

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 177
Advantages of high availability components
5.7 SIMATIC Route Control stations

5.7 SIMATIC Route Control stations

5.7.1 Overview of configuration steps

Introduction
The following sections describe how to configure redundancy for SIMATIC Route Control
stations.

Overview of configuration steps

You configure the redundancy functionality of the SIMATIC Route Control stations by
performing the following steps:

Step What?
1 Configuring the PC stations for a redundant Route Control server pair (Page 178)
2 Configuring the PC station for a Route Control client (Page 180)
3 Creating a redundant connection between a Route Control server and AS (Page 183)
4 Creating a Route Control server (Page 186)
5 Downloading the target systems for Route Control (Page 186)

5.7.2 How to configure a Route Control server and its redundant Route Control partner
server

Introduction
The following describes how to configure a redundant Route Control server.
In the following example, the Route Control server is connected redundantly to the plant bus
via communication processors (two CP 1623 or CP 1613 per server).

Requirements
● The SIMATIC Route Control software package (Route Control Engineering) has been
installed in addition to the PCS 7 software.
● The PCS 7 project is open in SIMATIC Manager.

Procedure
1. In the component view of SIMATIC Manager, select the project into which you want to insert
the Route Control server.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.

High Availability Process Control Systems (V9.0)

178 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.7 SIMATIC Route Control stations

3. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, Route Control server).
4. Enter the Windows name of the computer to be used as the Route Control server in the
"Computer name" box.
5. In the component view, select the SIMATIC PC station and double-click the "Configuration"
object in the detailed view.
The hardware configuration of the SIMATIC PC station opens.
6. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
7. In the "SIMATIC PC Station > Route Control ..." folder of the hardware catalog, select "RC
application" and insert it in the configuration table by means of drag-and-drop.
8. In the "SIMATIC PC Station > CP Industrial Ethernet" folder of the hardware catalog, select
the communication processor and drag it to the PC station.
The "Properties - Ethernet Interface" dialog box opens.
9. Set the required address on the bus for the CP.
Select the "Set MAC address/Use ISO protocol" check box and click "OK".
10.Repeat steps 8 and 9 for the second communication processor.
11.Select the menu command File > Save, exit HW Config and change to SIMATIC Manager.
12.In the component view of SIMATIC Manager, select the project into which you want to insert
the redundant Route Control server.
13.Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
14.Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, Route Control partner server).
15.Enter the Windows name of the computer to be used as the Route Control partner server
in the "Computer name" box.
16.In the component view, select the SIMATIC PC station and double-click the "Configuration"
object in the detail window.
The hardware configuration of the SIMATIC PC station opens.
17.If the hardware catalog is not visible, select the View > Catalog menu command.
The hardware catalog opens.
18.Under "SIMATIC PC Station > Route Control ..." in the hardware catalog, select "RC
application (stby)" and insert it in the configuration table by means of drag-and-drop.
19.If redundant communication processors are installed for each PC station, repeat steps 8
and 9 for the second communication processor.
20.Select the menu command File > Save and exit HW Config.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 179
Advantages of high availability components
5.7 SIMATIC Route Control stations

Result
The following figure shows an example configuration of a SIMATIC PC station with Route
Control application (stby):

Additional information
● Configuration manual Process Control System PCS 7; Engineering System; section "How
to Expand a Project with Pre-Configured Stations Using the PCS 7 Wizards"
● Manual Process Control System PCS 7; SIMATIC Route Control

5.7.3 How to configure a Route Control client

Introduction
Below you find out how to configure a redundant Route Control client in HW Config.

High Availability Process Control Systems (V9.0)

180 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.7 SIMATIC Route Control stations

Requirements
● The SIMATIC Route Control software package (Route Control Engineering) has been
installed in addition to the PCS 7 software.
● The PCS 7 project is open in SIMATIC Manager.

Procedure
1. In the component view of SIMATIC Manager, select the project into which you want to insert
the Route Control client.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
3. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name.
4. Enter the name of the computer to be used as the Route Control client in the "Computer
name" box.
5. In the component view, select the SIMATIC PC station and double-click the "Configuration"
object in the detailed view.
The hardware configuration of the SIMATIC PC station opens.
6. If the hardware catalog is not visible, select the menu command View > Catalog.
The hardware catalog opens.
7. Under "SIMATIC PC Station > Route Control ..." in the hardware catalog, select "RC
application client" and insert it in the configuration table by means of drag-and-drop.
8. Save your current settings and close HW Config.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 181
Advantages of high availability components
5.7 SIMATIC Route Control stations

Result
The following figure shows the SIMATIC PC station with Route Control application client (RC
application client) configured in HW Config:

Shared client for OS and Route Control

If a Route Control client and OS client are operated together on a SIMATIC PC station,
configure both client applications in HW Config in one SIMATIC PC station.

Additional information
● Manual Process Control System PCS 7; SIMATIC Route Control

High Availability Process Control Systems (V9.0)

182 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.7 SIMATIC Route Control stations

5.7.4 How to configure a redundant connection between a Route Control server and
AS

Introduction
The redundant connections between the Route Control server and the AS are created in
NetPro using SIMATIC Route Control wizards.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● The AS is connected to the plant bus in NetPro.
● The plant bus has been configured.
● Two SIMATIC PC stations have been configured in HW Config as a Route Control server
and Route Control partner server with network adapters.

Procedure
1. In the SIMATIC Manager, select the menu command Options > SIMATIC Route Control >
Wizard.
2. In the "Introduction" dialog box of the wizard, click "Next".
The "What do you want to do?" dialog box opens.
3. In the "Generate S7 connections" group, activate the check box "AS-Server connection
information". Click "Next".
4. Make the settings according to the plant configuration.
The Route Control wizard automatically creates a high availability connection when a high
availability system is the connection partner.
5. When the Route Control server and SIMATIC H station are each connected to the plant
bus with 2 network adapters, the following additional steps need to be performed:
– Open NetPro in SIMATIC Manager with the menu command Options > Configure
Network.
– Select the Route Control application of the Route Control server for which you want to
configure a high availability network connection.
The connection table is displayed in the lower window pane.
– Select the connection to the SIMATIC H station in the connection table.
– Select the menu command Edit > Object Properties.
The "Properties... S7 Connection" dialog box opens.
– Select the "General" tab.
– To use 4-way redundancy, activate the check box "Enable max. CP redundancy (with
4 connection paths)".
– Click "OK".

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 183
Advantages of high availability components
5.7 SIMATIC Route Control stations

Result
The following figure shows the redundant network connection to the automation system for
both Route Control servers in NetPro. The example plant is configured with a redundant high
availability plant bus. Each PC station and each CPU is connected to the plant bus with 2
network adapters:

Additional information
● Section "How to configure a high availability plant bus (Page 117)"
● You can find information about the Route Control wizards in the manual Process Control
System PCS 7; SIMATIC Route Control.
● Online help for STEP 7

High Availability Process Control Systems (V9.0)

184 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.7 SIMATIC Route Control stations

5.7.5 How to set the redundancy connection for Route Control servers

Introduction
You will now select the connection path for the redundancy connection between two Route
Control servers.
You can make the following settings directly on each of the mutually redundant Route Control
servers.

Changing the connection path

Note
When the redundancy connection is established via a serial interface, you need to reboot the
PC station after changing the connection path.

Validity
The procedure described in this section applies to Route Control servers.

Requirements
● The Route Control server and Route Control partner server are connected by a redundancy
cable.
You can use the following as the redundancy cable:
– Null modem cable on the COM port
– Network cable on an additional network adapter
● Route Control server and Route Control partner server are installed as redundant Route
Control servers.

Procedure
1. Select the PC station (workplace) in the tree view of Windows Explorer.
2. Select the "Simatic Shell" folder.
If you are using the Windows 10 operating system, you can find the Siemens SIMATIC
programs in the "Start" menu under All apps > Siemens Automation.
3. Select the shortcut menu command Redundancy Settings....
The "Redundancy Settings" dialog box opens.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 185
Advantages of high availability components
5.7 SIMATIC Route Control stations

4. Select the connection path through which the Route Control server pair is connected in the
drop-down list.
– For connection via RJ45 cable:
In the "Network adapter" drop-down list, select the network adapter to which you want
to attach the network cable for the redundant connection between the two PC stations
of a server pair.
– For a serial connection:
In the "Serial port" drop-down list, select the port to which you want to attach the null-
modem cable for the redundant connection between the two PC stations of a server
pair: "COM1" or "COM2"
5. Click "OK".

5.7.6 How to set the redundancy of the Route Control servers

Introduction
Only the PC stations have to be configured in the SIMATIC Manager for a redundant Route
Control server.
The computer name must be configured and the "Computer name identical with PC station
name" option must be enabled in the object properties of the PC station.

Additional information
● Section "How to configure a Route Control server and its redundant Route Control partner
server (Page 178)"

5.7.7 How to download the target systems for SIMATIC Route Control

Introduction
For Route Control plants with redundant Route Route Control servers, you should always
download the Route Control configuration to the Route Control server and Route Control
clients.

Additional information
● You can find information on downloading the Route Control server in the manual Process
Control System PCS 7; SIMATIC Route Control.
● You can find information on downloading the configuration to a Route Control client in the
manual Process Control System PCS 7; SIMATIC Route Control.

High Availability Process Control Systems (V9.0)

186 Function Manual, 05/2017, A5E39221836-AA
 Advantages of high availability components
5.8 Archive servers (Process Historian and Information Server)

5.8 Archive servers (Process Historian and Information Server)

5.8.1 How to configure a Process Historian and its redundant partner server

Introduction
This section describes the individual steps involved in creating the Process Historian and its
redundant partner server.
In the following example, the two Process Historians of the server pair are connected
redundantly to the terminal bus.

Requirements
● The PCS 7 project is open in SIMATIC Manager.
● Each PC has two network adapters for connection to the terminal bus.

Procedure

Note
Steps 1 to 8 of this procedure have already been performed if a Process Historian was created
in the project.

1. In the component view of the SIMATIC Manager, select the project into which you want to
insert the Process Historian.
2. Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
3. Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, Archive 1).
4. Enter the Windows name of the computer to be used as Process Historian in the "Computer
name" box.
5. In the component view, select the SIMATIC PC station and double-click the "Configuration"
object in the detailed view.
The hardware configuration of the SIMATIC PC station opens.
6. If the hardware catalog is not visible, select the View > Catalog menu command.
The hardware catalog opens.
7. In the hardware catalog under "SIMATIC PC Station > Archive", select the "Process
Historian Appl." and insert it in the configuration table by means of drag-and-drop.
8. Select the menu command Station > Save and compile, exit HW Config and change to
SIMATIC Manager.
9. In the component view of SIMATIC Manager, select the project where you want to insert
the redundant operator station.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 187
Advantages of high availability components
5.8 Archive servers (Process Historian and Information Server)

10.Select the menu command Insert > Station > SIMATIC PC Station.
A new SIMATIC PC station is inserted in the selected project.
11.Select the SIMATIC PC station, select the menu command Edit > Object Properties and
enter the desired name (in the example, Archive 2).
12.Enter the Windows name of the computer to be used as the Process Historian partner
server in the "Computer name" box.
13.In the component view, select the SIMATIC PC station and double-click the "Configuration"
object in the detail window.
The hardware configuration of the SIMATIC PC station opens.
14.If the hardware catalog is not visible, select the View > Catalog menu command.
The hardware catalog opens.
15.In the hardware catalog under "SIMATIC PC Station > Archive", select the "Process
Historian Appl. (stby)" and insert it in the configuration table by means of drag-and-drop.
16.Select the menu command Station > Save and compile and exit HW Config.

Additional information
● Configuration manual Process Control System PCS 7; Engineering System; section "How
to Expand a Project with Pre-Configured Stations Using the PCS 7 Wizards"
● Online help for STEP 7

High Availability Process Control Systems (V9.0)

188 Function Manual, 05/2017, A5E39221836-AA
Replacing components and plant changes 6
6.1 Failure and replacement of components

6.1.1 Replacement of SIMATIC components in runtime

Continuous operation
A crucial factor for continuous operation of high availability process control systems is the
replacement of faulty or failed components in runtime. Replacement of defective components
is only possible if high availability components are used. The redundant components continue
to operate and supply the function until the replacement is made. The system is no longer high
availability in this condition.

Which components can be replaced in central controllers?

The following components in a redundantly configured automation system can be replaced in
runtime:
● Central processing units (e.g., CPU 410-5H)
● Power supply modules (e.g., PS 405, PS 407)
● Communication modules
● Synchronization modules and fiber-optic cables
● Interface modules (e.g., IM 460, IM 461)

Which components of the distributed I/O can be replaced?

The following components in a redundantly configured distributed I/O system can be replaced
in runtime:
● DP master (CPU or CP in the AS)
● DP slaves (for example, ET 200M, ET 200iSP)
● IO controller (for example, CPU in AS)
● IO devices (for example, ET 200M, ET 200SP HA)
● Redundant interface modules (for example, IM 153-2; IM 152-1; IM 155-6 HA)
● Bus links (for example DP/PA-Link; FF Link, Compact FF Link).
● Input/output modules
● Fieldbus cables (PROFIBUS DP, PROFIBUS PA, PROFINET, FOUNDATION Fieldbus)

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 189
Replacing components and plant changes
6.1 Failure and replacement of components

Additional information
The following table shows where you can find the step-by-step instructions for replacing
components:

You can find the procedure used to .... in the manual Automaton System S7-400H; High Availability
replace components ... Systems in the section ...
Central racks Failure and replacement of a CPU (redundant CPU)
Failure and replacement of a power supply module
Failure and replacement of a communication processor
Failure and replacement of a synchronization module or FO ca‐
ble
Failure and replacement of an IM 460 and IM 461 interface
module
Distributed I/O (on PROFIBUS DP) Failure and replacement of distributed I/O components
Failure and replacement of an input/output or function module
Failure and replacement of a PROFIBUS DP master
Failure and replacement of a redundant PROFIBUS DP inter‐
face module
Failure and replacement of a PROFIBUS DP slave
Failure and replacement of PROFIBUS DP cables
Distributed I/O (on PROFINET IO) Failure and replacement of distributed I/O components
Failure and replacement of an input/output or function module
Failure and replacement of an IO controller
Failure and replacement of a redundant PROFINET IO interface
module
Failure and replacement of an IO device
Failure and replacement of PROFINET IO cables (Ethernet ca‐
ble)

Note
After every component replacement
Make sure that all systems are free from faults and that the H-system is operating redundantly
and without errors.

High Availability Process Control Systems (V9.0)

190 Function Manual, 05/2017, A5E39221836-AA
 Replacing components and plant changes
6.1 Failure and replacement of components

6.1.2 Replacement of bus components in runtime

Introduction
The information in this section relates to the following bus components
● Bus cable
● Bus links
● Switches, bridges

Failure and replacement of bus components

Components of a bus system (plant bus, terminal bus, fieldbus) can be replaced when there
is no risk of accidentally affecting other components as a result of the replacement.
Before making a replacement, the following aspects must be taken into consideration:
● Bus topology (for example ring structure, spur lines, redundancy connections, disrupted
bus cable)
● Connection of the bus system to "master systems":
– The assignment of clients to servers
– The connection to time master systems
– The connection to domain controllers
– For PCS 7 OS: The setting of preferred servers
● Other disrupted components

Recommended procedure
If a bus component is partially functional, we recommend the following procedure:
● If repairs are necessary, first replace the defective bus cable.
● Insert a new bus component into the existing system before you remove the old bus
component completely.
● Avoid the occurrence of double faults.
● Replace the connection to the connected components in series (not at the same time).

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 191
Replacing components and plant changes
6.1 Failure and replacement of components

Additional information
The following table shows where you can find the step-by-step instructions for replacing
components:

You can find the procedure used to .... in the following documentation
replace components ...
FF link Operating Instructions SIMATIC; Bus Link; FF Link
● Replacing the IM 153-2 FF
● Replacing the Field Device Coupler FDC 157
● Restoring the IM 153-2 FF factory settings
Compact FF Link Operating Instructions SIMATIC; Compact Bus Link; FF Link
● Replacing a bus link
● Restoring the Compact FF Link factory settings

Note
After every component replacement
Make sure that all systems are free from faults and that the H-system is operating redundantly
and without errors.

6.1.3 Replacement of operator stations in runtime

Replacement of operator stations

When replacing operator stations, a distinction must made between:
● Replacing an OS server
● Replacing an OS client
Note
Information on updating operator stations with redundant OS servers in runtime can be
found in "guidelines on updating a redundant OS in runtime (Page 217)".

Requirements
● The new PC contains the same hardware components.
● An image of the PCs to be replaced is used for the installation.
● The name of the replaced PC is used for the new PC.
● The same IP address is used for the new PC.
● The MAC address is adapted in the project.

High Availability Process Control Systems (V9.0)

192 Function Manual, 05/2017, A5E39221836-AA
 Replacing components and plant changes
6.1 Failure and replacement of components

Replacing an OS server
Follow the steps below to replace an OS server:

Step What?
1 Switch OS clients over to the server that will be remaining in operation.
2 Deactivate and replace the OS server,
3 Check the network addresses and download the configuration data.
4 On the engineering station: Download OS server data (and automatic redundancy update).
5 Start WinCC.
6 Activate process mode.
7 Activate or switch over assigned OS clients.

Replacing an OS client
Follow the steps below to replace an OS client:

Step What?
1 Deactivate process mode.
2 Deactivate and replace the OS client.
3 Check the network addresses and download the configuration data.
4 On the engineering station: Download target system (OS client).
5 Activate process mode.

Changing to a new PCS 7 version

You can find information on how to convert all operator stations of a redundant system to a
new PCS 7 version in the section Guide to updating a redundant OS in runtime (Page 217).
You can also refer the Process Control System PCS 7; Software Update without Utilization of
New Functions manual.

6.1.4 Replacement of BATCH stations in runtime

Replacement of BATCH stations

When replacing BATCH stations, a distinction must made between:
● Replacing a BATCH server
● Replacing a BATCH client

Requirements
● The new PC contains the same hardware components.
● An image of the PCs to be replaced is used for the installation.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 193
Replacing components and plant changes
6.1 Failure and replacement of components

● The name of the replaced PC is used for the new PC.

● The same IP address is used for the new PC.
● The MAC address is adapted in the project.

Replacing the BATCH server

Follow the steps below to replace a BATCH server:

Step What?
1 Replace the BATCH server.
2 On the engineering station: Open the BATCH configuration dialog, select PCell, download
BATCH server.
3 Start the BATCH server (BATCH server starts up as standby server).

Replacing the BATCH client

Follow the steps below to replace a BATCH client:

Step What?
1 Close the BATCH Control Center.
2 Replace the BATCH client.
3 On the engineering station: Open the BATCH configuration dialog, select PCell, download
BATCH client.
4 Open the BATCH Control Center.

6.1.5 Replacement of Route Control stations in runtime

Replacement of Route Control stations

When replacing Route Control stations, a distinction must made between:
● Replacing a Route Control server
● Replacing a Route Control client

Requirements
● The new PC contains the same hardware components.
● An image of the PCs to be replaced is used for the installation.
● The name of the replaced PC is used for the new PC.
● The same IP address is used for the new PC.
● The MAC address is adapted in the project.

High Availability Process Control Systems (V9.0)

194 Function Manual, 05/2017, A5E39221836-AA
 Replacing components and plant changes
6.1 Failure and replacement of components

Replacing the Route Control server.

Follow the steps below to replace a Route Control server:

Step What?
1 Replacing the Route Control server.
2 On the engineering station: Open Route Control Engineering and download the Route Control
server
3 Start Route Control (Route Control starts as standby server).
4 Update the Route Control servers using the Route Control Center, so that both Route Control
servers operate with the same database.

Replacing the Route Control client.

Follow the steps below to replace a Route Control client:

Step What?
1 Close the Route Control Center.
2 Replacing the Route Control client.
3 On the engineering station: Download Route Control client from the SIMATIC Manager or
Route Control Engineering.
4 Open the Route Control Center.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 195
Replacing components and plant changes
6.2 Plant changes in runtime

6.2 Plant changes in runtime

Plant changes in runtime

In addition to the options for replacing failed components in runtime as described in the section
titled "Failure and replacement of components during operation", the CPU (41x-xH) also
supports a system modification without interrupting the running program.

Requirements
● The relevant hardware components are suitable for insertion and removal under voltage.
● The H system with CPU is available.

Use cases for plant changes

A plant change in which the hardware of the plant is changes occurs in the following cases:
● Hardware components of a high availability system are removed.
● Hardware components of a high availability system are added.
● Hardware components of a high availability system are replaced by non-identical
components.
Plant modification always requires a software modification. Configuration changes are made
in HW Config and downloaded to the CPU. The modified hardware is physically replaced,
removed or added.
Similar to the events that occur when components are replaced, when the system is modified
in runtime, the functions of the modified components are taken over by the corresponding
redundant components. The running program is not interrupted.

Which components can be changed?

changes Possible modifications

Changes in the CPU ● Editing CPU Parameters
● Changes to the memory components of the CPU
Adding for removing mod‐ ● Communication modules
ules in central racks ● Interface modules (for example, IM 460, IM 461), in de-energized
state only

High Availability Process Control Systems (V9.0)

196 Function Manual, 05/2017, A5E39221836-AA
 Replacing components and plant changes
6.2 Plant changes in runtime

changes Possible modifications

Adding or removing mod‐ ● DP slaves with redundant interface modules (for example, ET 200M,
ules components in distrib‐ DP/PA Link, Y Link)
uted I/O modules
● IO devices with redundant interface modules (for example:
ET 200SP HA)
● Non-redundant DP slaves in any DP master system
● Non-redundant IO devices in any PROFINET IO system (CPU410
with firmware >= V8.2 is necessary)
● Modules in modular DP slaves
● Modules in modular IO devices (ET200SP HA only)
● DP/PA Coupler
● PA devices (process automation)
● FF devices
● Use of a free channel or reassignment of a utilized channel on an
existing module
Changing the parameters ● Editing parameters
settings for a module

Additional information
You can find detailed, step-by-step instructions on the procedure for plant changes in runtime
in the manual Automation System S7-400H; High Availability Systems.

Note
Note the following information:
● The procedures described for PCS 7 can be found in the Automation System S7-400H;
High Availability Systems manual, "Modifying the System During Operation" section.
● Make sure that all systems are free from faults and that the H-system is operating
redundantly and without errors after any modification to the plant.
● If you violate one or more rules in this procedure, the high availability system may respond
in ways that restrict its availability, up to and including failure of the entire process control
system.

The following table is an overview of the descriptions. The procedures described for making
changes in runtime assume that the system is designed redundantly and that your aim is to
achieve this again.

You can find the procedure ....in the manual Automation System S7-400H; High Availability Sys‐
used to replace compo‐ tems in section ...
nents ...
Components Adding Components in PCS 7
Removing Components in PCS 7
Changes to the memory components of the CPU
Parameter Editing CPU Parameters
Changing the parameters settings for a module

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 197
Replacing components and plant changes
6.2 Plant changes in runtime

High Availability Process Control Systems (V9.0)

198 Function Manual, 05/2017, A5E39221836-AA
Failure, switchover and reintegration of high
availability components 7
7.1 I/O

7.1.1 Failure of redundant interface modules

Functionality
Interface modules can be configured redundantly in the distributed I/O device (ET 200M, ET
200iSP, ET 200SP HA). The interface modules provide the interface to the automation system
through the fieldbus system at the CPU. When there are two interface modules, in other words,
the system has been configured with "Redundancy", if one of the two modules fails, the other
interface module takes over the automation process without interruption.

Failure
If the active interface module fails, a bumpless switchover to the redundant interface module
is performed. In the switchover, the master identification changes from the failed interface
module to the interface module that is now active.
If the redundant interface module fails, the master identification does not change.

Hot restart
When the failed interface module restarts, the redundant interface module keeps the master
identification. The master identification changes back to the now replaced or repaired module
only if the redundant interface module fails.

7.1.2 Failure of redundant I/O modules

Functionality
As soon as an error occurs in one of the redundantly configured modules, there is a bumpless
switchover to the second module, which then takes over the signal processing.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 199
Failure, switchover and reintegration of high availability components
7.1 I/O

Failure scenarios
The following faults may occur in a module:
● Hardware or power failure in the module
● Detected signal interference (e.g. wire break, discrepancy)
● Fault on the assigned bus line to an interface module
The driver blocks detect a disturbance:
● At the input signals:
The disturbed input module or, when channel selectivity is configured, the disturbed channel
is passivated and only the signal of the redundant modules is evaluated. A module or
channel is passivated when the function blocks can no longer access the respective module
or channel.
● At analog output modules:
Only analog output modules with power outputs can be operated redundantly (0 to 20 mA,
4 to 20 mA). The value to be output is halved and each module outputs one half of the
value. If one module fails, the redundant module outputs the entire value.

Discrepancy with input modules

A discrepancy error at the input value occurs when there is a non-tolerated difference between
the input values after the configured discrepancy time has expired. The following parameters
should be set to configure the discrepancy:
● For digital input modules:
– Discrepancy time (maximum allowed time that the redundant input signals can differ)
● For analog input modules:
– Tolerance window (configured by the percent of the end value of the measuring range)
Two analog values are the same if they are within the tolerance window.
– Discrepancy time (maximum allowed time that the redundant input signals are outside
the tolerance windows)
– Value applied
The value applied is one of the two analog input values that is transferred in the user
program.
With discrepancy, information is entered in the diagnostics buffer and a corresponding
message is generated.

Depassivation
Passivated modules or, when channel selectivity is configured, passivated channels are
depassivated with the following events:
● When the H system starts up
● When operating state of the H system changes to "Redundant"
● Following a system modification in runtime
● Following depassivation via the maintenance station

High Availability Process Control Systems (V9.0)

200 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.1 I/O

● Following a prompt from the user program via an acknowledgement signal, for example,
on an OS with a "Depassivation" button at the block
● After pulling/plugging a module
● Following a diagnostic interrupt (e.g. wire break, measured value)

Additional information
● Online Help for STEP 7
● Manual Automation System S7-400H; High Availability Systems
● Manual Process Control System PCS 7; PCS 7 OS Process Control

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 201
Failure, switchover and reintegration of high availability components
7.2 Automation system

7.2 Automation system

7.2.1 Failure of the master CPU

Functionality
The initial situation is that the S7-400H is in "Redundant" system mode. The execution of the
user program is synchronized on both CPUs of the H system and, for example, CPU0 is the
master CPU and CPU1 is the backup CPU. Event-driven synchronization ensures that the
backup CPU always continues processing without interruption if the master CPU fails.

Example: Failure of the master CPU

If CPU0 fails, for example, the following LEDs light up on CPU1:
● REDF = Redundancy loss
● IFM1F = Interface fault Interface Module 1
This indicates the first fiber-optic cable of the synchronization line.
● IFM2F = Interface fault Interface Module 2
This indicates the second fiber-optic cable of the synchronization line.
The H system switches to "Solo" system mode. CPU1 ensures uninterrupted execution of the
user program. CPU1 is now the master CPU. The H system is no longer in "Redundant" system
mode.

Example: Reintegration of the failed master CPU

When the failed CPU0 is reintegrated, it does not become the master CPU. The master CPU
automatically performs the link-up and update of the reintegrated CPU0. Both processes are
necessary in order to check and synchronize the data in the memory of the master CPU and
the backup CPU. CPU0 then goes to RUN mode. Now the system is once again in "Redundant"
mode.

7.2.2 Failure of a fiber-optic cable

Requirements for the example

● The S7-400H is in "Redundant" system mode in the starting scenario.
● The CPU in Rack 0 is the master CPU and the CPU in Rack 1 is the backup CPU.
● The mode selectors of both CPUs are set to RUN.

High Availability Process Control Systems (V9.0)

202 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.2 Automation system

Example: Failure of a fiber-optic cable

If a fiber-optic cable fails, the REDF LED and the IFM1F or IFM2F LED light up on the two
CPUs depending on the location of the fiber-optic cable failure. The H system goes to "Solo"
system mode and the user program continues to be processed by the master CPU used up
to this point (CPU0).

Example: Reintegration of the CPU in rack 1

Once the defective fiber-optic cable has been replaced and connected to both CPUs, you must
restart the backup CPU that is in STOP mode, i.e. CPU in Rack 1.
There are several options available to you:
● You have access to the automation system:
Turn the keyswitch on the failed CPU from its current position to STOP back to the setting
(RUN).
● You have an Ethernet connection to the H system:
In the "Operating Mode" dialog box, restart the CPU in Rack 1, which is in STOP mode.
– Open the PCS 7 project on an ES, click the "Online" icon in the task bar of SIMATIC
Manager and select a CPU in the right window pane.
– Open the shortcut menu with a right click and open the "Operating Mode" dialog box
with the menu command PLC > Operating Mode.
– Select the CPU in Rack 1 and click "Warm restart".
The CPU in Rack 1 links up again and performs an update. The system is then in
"Redundant" mode again.

Result
When the CPU in Rack 1 is back online, the "Operating mode" dialog box appears as follows:

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 203
Failure, switchover and reintegration of high availability components
7.3 Communication

7.3 Communication

7.3.1 Failure of redundant bus components

Functionality
As soon as a fault occurs on a transmission path, the second transmission path takes over
and forwards the signals.

Failure scenarios
The following problems can occur on a bus component:
● Defective bus component (e.g., CP, coupler, AFD, AFS, cable)
● Problem on a bus line (e.g., overload, wire break)

Additional information
● Manual SIMATIC Net Twisted Pair and Fiber-Optic Networks
● Manual SIMATIC Net PROFIBUS Networks
● Manual SIMATIC; Communication with SIMATIC
● Operating instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-200
● Operating instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-300
● Operating instructions SIMATIC NET; Industrial Ethernet Switches SCALANCE X-400

High Availability Process Control Systems (V9.0)

204 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.4 OS server

7.4 OS server

7.4.1 Failure, switchover and restarting redundant OS servers

Introduction
This section describes the criteria by which the master/standby identification of an OS server
changes. Examples are given to illustrate how the system reacts to failures.

Note
Information on updating operator stations with redundant OS servers in runtime can be found
in "guidelines on updating a redundant OS in runtime (Page 217)".

Fault scenarios
● The project is not activated on the redundant OS partner server.
● The network connection from the OS server to the redundant OS partner is disrupted.
● The network connection to the OS clients is disrupted.
● The process connection to the AS is disrupted.
● The PC station is not operating correctly.

Reaction of WinCC redundancy to possible faults

WinCC redundancy can react to faults, errors or error messages in the following ways:
● By saving events and the time they occurred
● By synchronizing the archives of the process data (Tag Logging) and message data (Alarm
Logging) with the archive data of the active OS server when a failed OS server is recovered.
● By changing the system tags "@RM_MASTER" and "@RM_MASTER_NAME" according
to the situation.
● By automatically interconnecting the OS clients with the preferred server or with the
available OS server with master identification. The "@RM_SERVER_NAME" tag indicates
for an OS client the OS server to which this OS client is currently connected.
● By generating process control messages in the message list.
The fault scenarios listed above and the resulting reactions by WinCC Redundancy are
described in the following.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 205
Failure, switchover and reintegration of high availability components
7.4 OS server

Example configuration

26FOLHQWV

7HUPLQDOEXV

:LQ&&SURMHFW :LQ&&5HGXQGDQF\ :LQ&&

SURMHFW

$UFKLYHV\QFKURQL]DWLRQ
DIWHUUHFRYHU\
26VHUYHU 26
SDUWQHU
VHUYHU
'DWDEDVH 'DWDEDVH

0DVWHULGHQWLILHU 0DVWHULGHQWLILHU
9DULDEOH #50B0DVWHU  9DULDEOH #50B0DVWHU 

3ODQWEXV

Startup of an OS server pair

The following applies, in general: An OS server pair consists of the OS server and its OS
partner server. The two PCs are configured with WinCC Redundancy in a redundant grouping.
When the OS server pair starts up, WinCC Redundancy first checks which of the two OS
servers is to be assigned the master identification. This depends on which OS server starts
up first.
● If one OS partner server is active already when the other comes online, the second OS
server receives the standby identification.
● If no other OS server is active when an OS server starts up, it is assigned the master
identification.
The internal WinCC tag @RM_MASTER is set to identify the master OS server. The internal
WinCC tag @RM_MASTER is reset to identify the standby OS server.
The "@RM_MASTER_NAME" tag contains the name of the OS server, for example, "Server
1". You can display this tag, for example, in an I/O field of a Graphics Designer picture. Other
applications or scripts can also evaluate these tags. The "@RM_MASTER" tag can also be
changed.

High Availability Process Control Systems (V9.0)

206 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.4 OS server

WinCC project is deactivated

A functionally equivalent WinCC project is activated on both OS servers. If the WinCC project
is deactivated on OS Server 1 (master identification), WinCC Redundancy triggers the
following reactions:
● OS Server 2 (standby identification) saves the time of the failure (date and time of day) of
OS Server 1 (master identification).
● OS Server 2 reports the failure of OS Server 1 with a process control message in the
process control list.
● OS Server 2 now takes over the role of the master by setting the @RM_MASTER tag. The
@RM_MASTER_NAME tag is changed accordingly.
● If the WinCC project is activated again on OS Server 1, OS Server 1 is set as the standby
and the @RM_MASTER tag is reset. The @RM_MASTER_NAME tags are changed
accordingly.
Gaps in the archive data occur on OS Server 1 during the time it is inactive. As soon as OS
Server 1 returns, the gaps in the data are remedied by the following measures:
● OS Server 2 saves the date and the time of day, marking the return of OS Server 1.
● OS Server 2 reports the return of OS Server 1 with a process control message in the
message list.
● The data gaps in the message, process data and user archives of OS Server 1 are filled
by the data from the OS Server 2 memory. Conditions: The options "Synchronization of
Tag Logging after the partner server comes back online" and "Synchronization of Alarm
Logging after the partner server comes back online" must be enabled in the "Redundancy"
dialog box for this.
● The @RM_MASTER tags remain unchanged in both servers:
– OS Server 2 keeps the master identification.
– The @RM_MASTER tag remains set.
– The @RM_MASTER tag for OS Server 1 is reset.

Disrupted network connection to the OS partner server

A disrupted network connection is only detected in the redundancy scheme when:
● There is a fault in the spur line.
● There is a defective connector or network adapter.
● A PC station is identified as faulty.
3&VWDWLRQ

%UDQFKOLQH

6ZLWFK

1HWZRUNDGDSWHU

%XV %XV

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 207
Failure, switchover and reintegration of high availability components
7.4 OS server

The terminal bus as a whole and the communication between the AS and OS servers remains
unaffected.
Both OS servers are started and begin processing an activated WinCC project. If a disruption
in the network connection to the OS partner server occurs in this situation, WinCC Redundancy
reacts as follows:
● Both OS servers save the date and time of day of the failure.
● Both OS servers report the failure with a process control message in the message list.
● If the disrupted OS server is a master, the master/standby identification changes.
During the connection failure no online synchronization for alarm logging, operation messages
and user archives can be performed between the two OS servers. As soon as the connection
is restored, this is remedied by following actions:
● Both OS servers save the date and time of day of the restored connection.
● Both OS servers report the return with a process control message in the message list.
● Data from the alarm logging, tag logging and the user archives accumulated during the
connection failure are transmitted to the returning OS server.
● The @RM_MASTER and @RM_MASTER_NAME tags remain unchanged in both servers.

Disrupted network connection between the OS client the OS server

An OS server and the OS client connected to it are processing an activated WinCC project. A
redundant OS partner server has been configured for the OS server in WinCC Redundancy.
The OS server is defined as the preferred server for the OS client. A disrupted network
connection to the OS server may result from a cable break in the spur line from the network
to the OS server. The terminal bus as a whole remains unaffected.
If a connection failure occurs between the OS client and the OS servers, WinCC Redundancy
triggers the following reactions:
● The OS client is not switched over from the failed OS server to its redundant OS partner
server because the redundant OS partner server is also not available.
● When the connection is available again, the OS client automatically switches back to its
preferred server.

Disrupted network connection to the AS

If a fault occurs on the plant bus connection between the OS server and the AS, WinCC
Redundancy reacts as follows:
● The disruption of the plant bus connection is reported to the OS partner server.
● The OS partner server receives the message that the OS server has failed.
● The OS partner server saves the date and the time of day of the OS server failure.
● An OS client is automatically switched over from the failed OS server to its redundant OS
partner server. Condition: The "WinCC client switch in case of a process connection error"
option must be selected in the "Redundancy" dialog box for this.
When the process connection to the OS server is restored, the missing data in the archive of
the OS server is updated by the procedure described below. Condition: The "Synchronization

High Availability Process Control Systems (V9.0)

208 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.4 OS server

after process connection error" option must be selected in the "General" tab of the
"Redundancy" dialog box for this.
● The OS partner server saves the date and the time of day marking the return of the OS
server.
● The data gaps in the archives of the failed OS server are updated by the data from the
memory of the OS partner server. The process data of all automation systems (even those
that have not failed) are synchronized.
● When the process connection is restored, this is announced by a process control message
in the message list.

PC station identified as faulty

In PCS 7, the PC stations are preset in such a way that the network adapters are automatically
deactivated when a PC station is identified as faulty. Depending on the Autostart settings, a
manual reboot is required or an automatic reboot of the server is triggered.

Note
Terminate process mode on redundant systems
If the process mode of the PC station is to be terminated manually or the redundancy partner
of the PC station is not available, a corresponding message points out this situation.

Additional information
● Online help for WinCC

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 209
Failure, switchover and reintegration of high availability components
7.5 BATCH server

7.5 BATCH server

7.5.1 Failure of BATCH servers

Functionality
BATCH applications and any configured WinCC applications are active on BATCH servers. A
BATCH client visualizes the batch data of the BATCH server to which it is connected.

Failure of the master BATCH server

If the master BATCH server fails, for example, due to an operating system failure or an
application error, the standby BATCH server detects that the master is no longer available
based on redundancy mechanisms and takes over the master role. The BATCH clients are
then automatically switched over from the master BATCH server to the standby BATCH server.
The running BATCH program is automatically resumed after the switchover to the redundant
BATCH server. The BATCH program status is synchronized between the active BATCH server
and the AS. You have to manually trigger the BATCH program to continue if communication
errors have occurred.
In a replication solution, the databases on the master BATCH server and the standby BATCH
server are continually synchronized. If the BATCH servers switch over, the new active BATCH
server always has access to the latest BATCH data.

Note
Data reliability
During the switchover from the failed BATCH server to its redundant BATCH server, no
automation process data are visualized on a BATCH client. Operator inputs are also lost during
this brief period.

PC station identified as faulty

You can find information on this in the section "Failure, switchover and restarting redundant
OS servers (Page 205)".

Additional information
● Manual Process Control System PCS 7; SIMATIC BATCH

High Availability Process Control Systems (V9.0)

210 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.6 Route Control server

7.6 Route Control server

7.6.1 Reaction of Route Control servers to failures

Functionality
Route Control applications and any configured WinCC applications are active on Route Control
servers. A Route Control client visualizes the route list of the Route Control server to which it
is interconnected.

Failure of the master Route Control server

If the master Route Control server fails, for example, due to failure of the operating system or
failure in an application, the standby Route Control server recognizes that the master is no
longer available based on redundancy mechanisms and takes over the role of master. The
new master automatically assumes all control functions of the running route control program,
even of routes already requested. The visualization continues, since the Route Control clients
automatically switch to the new master.
The status is synchronized between the active Route Control server and the AS. If
communication errors occurred, the Route Control program can only be continued manually.

Note
Data security
During the switchover from the failed Route Control server to its redundant Route Control
server, no data from the automation process is visualized on a Route Control client. Operator
inputs during this switchover time are neither accepted nor executed.
Operation of a route via a Route Control faceplate from a PCS 7 OS is possible during
redundancy switchover of a Route Control server, if there is a communications connection
between PCS 7 OS and the automation system.

Activating process mode of Route Control servers

Note
Please note that you need to activate process mode for redundant Route control servers one
after the other. One of the two Route Control servers will take on the property of Master server,
depending on the configuration.

PC station identified as faulty

You can find information on this in the section "Failure, switchover and restarting redundant
OS servers (Page 205)".

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 211
Failure, switchover and reintegration of high availability components
7.6 Route Control server

Additional information
● Manual Process Control System PCS 7; SIMATIC Route Control

High Availability Process Control Systems (V9.0)

212 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.7 OS clients

7.7 OS clients

7.7.1 Switchover characteristics OS clients with permanent operability

Functionality
If the connection to the configured OS server is interrupted, the process values on the OS
clients are no longer updated. After successful switchover to the partner server, the process
can be operated again on all OS clients. Other OS clients interconnected with the redundant
OS partner server are not affected by this.

Example configuration

26FOLHQW 26FOLHQW
3HUPDQHQWRSHUDELOLW\

7HUPLQDOEXV

26VHUYHU 5HGXQGDQW26 5HGXQGDQW26VHUYHU

VHUYHU SDLU

3ODQWEXV

$XWRPDWLRQV\VWHPV

Permanent operability
If OS Server 1 fails, OS Client 1 is connected to redundant OS Server 2. The identity of the
redundant partner server of OS Server 1 comes from the downloaded server data on the OS
client. OS Client 1 is not available during the switchover to redundant OS Server 2 for a short
time. However, if redundant OS Server 2 is specified as the preferred server for OS Client 2,
you can operate the plant during the switchover from the failed OS Server 1 to redundant OS
Server 2.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 213
Failure, switchover and reintegration of high availability components
7.7 OS clients

Once OS Server 1 becomes available again, OS Client 1 is switched over to the returning OS
Server 1 because it is the configured preferred server.
Permanent operability is restored after the switchover is complete. OS Client 1 is not available
for the duration of the switchover to OS Server 1. OS Client 2 remains operable without any
interruption.
The status of the "@RM_Master" redundancy tag does not apply to the OS client with preferred
server configuration. The @RM_SERVER_NAME tag indicates the OS server to which this
OS client is currently connected.

Note
Information on updating operator stations with redundant OS servers in runtime can be found
in "guidelines on updating a redundant OS in runtime (Page 217)".

Reaction of an OS client without a preferred server

If no "preferred server" is configured for the OS client in the "Configure Server Data" dialog
box, the OS client connects to the OS server of a redundancy configuration for which the
"@RM_Master" redundancy tag is set.
If the active OS server fails, its redundant OS partner server becomes the master server. You
can recognize which of the two redundant OS servers is currently acting as the master server
by the status of "@RM_Master" redundancy tag. You can trigger a manual switchover by
setting or resetting this tag. All OS clients without a preferred server set connects to the "new"
master server.

Switchover criteria of the OS client

The following faults trigger an OS client switchover. It is not relevant here whether or not a
preferred server has been configured.
● The network connection to the redundant OS server is disrupted.
● The redundant OS server fails, e.g., due to power loss.
● The WinCC project of the redundant OS server is deactivated.
● A disruption of the network connection between OS server and AS, when the option "WinCC
client switch in case of a process connection error" is selected in the "Redundancy" dialog
box.

Additional information
● Online help for WinCC

High Availability Process Control Systems (V9.0)

214 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.8 BATCH clients

7.8 BATCH clients

7.8.1 Switchover characteristics of BATCH clients

Functionality
If the master BATCH server fails, the BATCH clients automatically switch to the redundant
BATCH server.

Reactions during switchover

During a switchover, a message window is displayed on the screen of the BATCH client
indicating the switchover. The BATCH client cannot be operated during this time. The message
window closes and the BATCH client can be operated only when the switchover from the failed
BATCH server to the redundant BATCH server is complete.

Additional information
● Manual Process Control System PCS 7; SIMATIC BATCH

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 215
Failure, switchover and reintegration of high availability components
7.9 Route Control clients

7.9 Route Control clients

7.9.1 Switchover characteristics of Route Control clients

Functionality
If the master Route Control server fails, the Route Control clients are automatically switched
over to the redundant Route Control server.

Reactions during switchover

During a switchover, a message window is displayed on the screen of the Route Control client
indicating a switchover. The Route Control client cannot be operated during this time. The
message window closes and the Route Control client can be operated again only when the
switchover from the failed Route Control server to the redundant Route Control server is
complete.

Note
The route can be controlled from a Route Control faceplate during the switchover of a Route
Control server.

Additional information
● Manual Process Control System PCS 7; SIMATIC Route Control

High Availability Process Control Systems (V9.0)

216 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

7.10 Guide to updating a redundant OS in runtime

7.10.1 Introduction

Introduction
You can find a guide to updating a redundant OS in runtime below. This means that the
operation of the PCS 7 system is not disrupted, the AS does not switch to STOP mode and
the automation process can continue to be operated and monitored.

Requirements
● The redundant OS is made up of the following components:
– Redundant OS server
– OS clients
● The PCS 7 version is at least PCS 7 V7.1.3.

Information on updating the PC stations and project data

You can find information on updating the PC stations and project data in the Process Control
System PCS 7; Software Update without Utilization of the New Functions documentation.

Rules

CAUTION
Make sure that you keep to the described order to avoid disrupting operation of the PCS 7
system.

Note
Perform the steps described from Phase 1 to Phase 5 without extended interruptions because
the redundancy is not available during the update.

Note
Updating the maintenance station
Process mode on the maintenance client must be deactivated prior to updating the project on
the ES.
The maintenance server must be the last server to be updated.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 217
Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

Checking time synchronization

To avoid any jumps in time (UTC/local standard time) when "updating redundant systems in
runtime", check the time synchronization of the OS in the updated PCS 7 project on the ES:
1. Open SIMATIC Manager.
2. Select the OS in the component view.
3. Select the menu command Edit > Open Object.
WinCC Explorer opens.
4. Click the "Computer" object in the tree view.
5. Select the menu command Edit > Properties.
The "Computer Properties" dialog box opens.
6. Select the "Parameters" tab.
7. In the "PLC Clock Setting" group, activate the "PLC is set to coordinated universal time
(UTC)" check box.

Objectives of the update

● The automation system remains uninterrupted in RUN mode.
● The process remains controllable at all times.

Sequence of the Update

Updating involves five phases:

Phase Action
Phase 1 Updating Server_2 (Page 224)
Phase 2 Updating the OS clients interconnected with Server_2 (Page 227)
Phase 3 Downloading the connections, gateways and changes to the AS (Page 229)
Phase 4 Updating the OS clients interconnected with Server_1 (Page 230)
Phase 5 Updating Server_1 (Page 232)

High Availability Process Control Systems (V9.0)

218 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

The procedure described below must be repeated for all client-server relationships in the
system, as appropriate.
● If you have several redundant servers, first update only the clients interconnected with the
standby server that has already been updated or that has been defined as the preferred
server for these clients.
● Then update the clients that are interconnected with the master server or that have defined
it as their preferred server.
&OLHQWV26FOLHQW%$7&+FOLHQW5RXWH&RQWUROFOLHQW

     

5HGXQGDQWIDXOWWROHUDQWWHUPLQDOEXV

  

 26VHUYHU  %$7&+VHUYHU  5RXWH&RQWURO

VHUYHU

5HGXQGDQWIDXOWWROHUDQWSODQWEXV

6ZLWFK


)DXOWWROHUDQWDXWRPDWLRQV\VWHP
$6[+

Figure 7-1 The numbering shows the sequence for the update.

7.10.2 Overview of the required tasks

Introduction
You update the redundant OS in runtime in five phases. Each phase is broken down into
individual steps.
The section shows you an overview of the steps required in the five phases. You will find more
detailed instructions for each phase in the following sections.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 219
Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

Initial situation
● Server_1 is master server.
● Server_2 is standby server.
● Client_1 is connected to Server_1 because this server is configured as its preferred server.
Client_1 represents all OS clients connected to Server_1.
● Client_2 is connected to Server_2 because this server is configured as its preferred server.
Client_2 represents all OS clients connected to Server_2.

Requirements
● Process Mode of the Maintenance Client was ended before the ES was updated.
● The update of the PCS 7 project for the ES is complete.
● If the Maintenance Station is used, SIMATIC PDM is installed on the ES.
● All the settings for the configured mode have been made. The configuration data has been
loaded onto the ES from NetPro.
● If you want to use encrypted communication after the software update: "Encrypted
communication" is activated for the ES with migration mode. You can find information about
this in the documentation Process Control System PCS 7; PCS 7 PC Configuration.
● All OS servers and all OS clients are running with PCS 7 V8.0 or higher.

Note
If a Process Historian is used in the Plant, it has to be updated, be in the state "Active" and all
recoveries have to be finished first, before any OS Server is stopped. Otherwise some data
gaps might not get closed after the migration is done.

High Availability Process Control Systems (V9.0)

220 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

Overview of the required tasks

NOTICE
Interrupted redundancy
Perform the steps described from Phase 1 to Phase 5 without extended interruptions because
the redundancy is not available during the update.
Upgrading Process Historian before the OS servers in runtime
You must first upgrade the Process Historian server to Process Historian 2014 SP2 (PCS 7
V9.0) before you:
● upgrade a PCS 7 plant to version PCS 7 V9.0 in runtime
● and simultaneously upgrade the operating systems of the OS servers, e.g. Server 2008
to Server 2012
● or replace the hardware of the OS servers
You can only start upgrading the OS servers in runtime when the Process Historian is in the
"Active" operating state and all pending restorations have been executed.
Start the restoration multiple times, if necessary, if you still detect data gaps. You can start
the restoration manually in the management console or with the PH tray icon.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 221
Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

Phase Step
Phase 1: 1. Server_2: Deactivate and exit WinCC
Updating Serv‐ 2. Server_2:
er_2 Back up the PCS 7 project
Back up the operating system and the PCS 7 software installation
3. Server_2: Install or update the operating system, PCS 7 Installation "OS server"
4. Server_2: If you want to use secure communication after the software update:
Activate "Secure communication" with migration mode. You can find information
about this in the documentation Process Control System PCS 7; PCS 7 PC
Configuration.
5. ES: Download OS connection data and target system
6. Server_2: Start WinCC
7. Server_2: Check and save the "Redundancy" dialog box
8. Server_2: Check and save the "Time Synchronization" dialog box
9. Client_2: Deactivate process mode and exit WinCC
10. Server_2: Activate WinCC Runtime
11. Other redundant OS server pairs:
Perform Phase 1: Steps 1 to 9
Phase 2: 1. Client _2:
Update the OS Back up the PCS 7 project
clients Back up the operating system and of the PCS 7 software installation
that are 2. Client _2: Install or update the operating system, PCS 7 Installation "OS client"
interconnected
on 3. Client _2: If you want to use secure communication after the software update:
Server_2 Activate "Secure communication" with migration mode. You can find information
about this in the documentation Process Control System PCS 7; PCS 7 PC
Configuration.
4. ES: Download to OS target system
5. Client _2: Activate
Phase 3: 1. ES: Download connections and gateways from NetPro to the AS
Downloading 2. ES: Download CFC charts to the AS
the connections,
gateways, and
changes
to the AS

High Availability Process Control Systems (V9.0)

222 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

Phase Step
Phase 4: 1. Client_1: Deactivate and exit WinCC
Update the OS 2. Client_1:
clients that are Back up the PCS 7 project
interconnected Back up the operating system and the PCS 7 software installation
on
Server_1 3. Client_1: Install or update the operating system, PCS 7 Installation "OS client"
4. Client _1: If you want to use secure communication after the software update:
Activate "Secure communication" with migration mode. You can find information
about this in the documentation Process Control System PCS 7; PCS 7 PC
Configuration.
5. ES: Download of OS target system
6. Client_1: Select the operability of the clients
Phase 5: 1. Server_1: Deactivate and exit WinCC
Updating Serv‐ 2. Client_1: Activate
er_1
3. Server_1:
Back up the PCS 7 project
Back up the operating system and the PCS 7 software installation
4. Server_1: Install or update the operating system, PCS 7 Installation "OS server"
5. Server_1: If you want to use secure communication after the software update:
Activate "Secure communication" with migration mode. You can find information
about this in the documentation Process Control System PCS 7; PCS 7 PC
Configuration.
6. ES: Download OS connection data and OS target system
7. Server_1: Start WinCC
8. Server_1: Check and save the "Redundancy" dialog box
9. Server_1: Check and save the "Time Synchronization" dialog box
10. Server_1: Activate WinCC process mode
11. Other redundant OS server pairs:
Perform Phase 5: Steps 1 to 9
12. ES: Start SIMATIC PDM

Result
When you have completed all the steps, your system has the following status:
● Updated Server_1 is standby server.
● Updated Server_2 is master server.
● Updated Client_1 is connected to its preferred server Server_1.
● Updated Client_2 is connected to its preferred server Server_2.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 223
Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

The updating of your redundant operator stations is complete.

Note
Encrypted communication
If you have used encrypted communication, it is activated in migration mode for all PC stations
in the system. Use encrypted communication in migration mode only as a temporary solution.
Deactivate migration mode in the entire system. You can find information about this in the
documentation Process Control System PCS 7; PCS 7 PC Configuration.

7.10.3 Phase 1: Updating Server_2

Introduction
In the first phase, you update redundant Server_2. In this way, you avoid an unnecessary
switchover for OS clients that have no preferred server configured.
You can find additional information about redundancy synchronization in WinCC Information
System > Configurations > Redundant Systems.
During the steps involved in Phase 1, your system continues to work with only one server. The
system remains controllable from the OS clients that have not yet been updated. If this server
fails, the automation system can no longer be controlled.

NOTICE
Interrupted redundancy
Perform the steps without extended interruptions because the redundancy is not available
during the update.

Initial situation before phase 1

● Server_1 is master server.
● Server_2 is standby server.
● Client_1 is connected to Server_1.
● Client_2 is connected to Server_2 because this server is configured as its preferred server.

Requirements
● The PCS 7 project you are updating has already been updated on the ES.
● When using an archive server:
– Synchronization of the archive must be complete to ensure that the process data (RT
data) is consistent.

High Availability Process Control Systems (V9.0)

224 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

Procedure - Phase 1
Note that you will need to work alternately on Server_1 and Server_2.
Phase 1 / 1. Server_2: Deactivate and exit WinCC
● Deactivate WinCC Runtime and exit WinCC on the standby Server_2.
The system reacts as follows:
– Client_1 remains interconnected with Server_1.
– Client_2, which has Server_2 configured as the preferred server, changes over to
Server_1.
– Server_1 detects a failure caused by deactivation of Server_2. If you have configured
system alarms, Server_1 generates a process control message to this effect.
Phase 1 / 2. Server_2: Backup of the PCS 7 project; backup of the operating system and of
the PCS 7 software installation
● Back up your previous operating system, the previous PCS 7 software installation and your
current PCS 7 project as a fallback strategy.
Phase 1 / 3. Server_2: Installation or update of the operating system, PCS 7 Installation "OS
server"
● Install or update the operating system (you can find information about this in the manual
Process Control System PCS 7; PCS 7 PC Configuration).
An OS server can only run on a server operating system which has been released for PCS 7.
You can find additional information on this in the Process control system PCS 7; PCS 7
Readme documentation.
● Install the necessary PCS 7 components.
In the "Program Packages" dialog of the PCS 7 Setup, select the "OS Server" check box
or, if the OS is to swap out data to the Process Historian, the "OS-Server for Process
Historian" check box.
● Make the necessary settings.
Note that Windows administration of PCs should be performed by a Windows administrator.
You can find a detailed description of the PCS 7 installation and the required PCS 7-specific
settings for PC stations in the manual Process Control System PCS 7; PCS 7 PC
Configuration.
Phase 1 / 4. Server_2: If you want to use encrypted communication after the software update:
Activate "Encrypted communication" with migration mode. You can find information about this
in the documentation Process Control System PCS 7; PCS 7 PC Configuration.
Phase 1 / 5. ES: Download OS connection data and OS target system
● Open NetPro and download the connection data from the ES to Server_2.
● Right-click on the OS to be transferred in the open PCS 7 project below the WinCC
application. Select the menu command PLC > Download to Current Project > Selected
Station in the shortcut menu.
This starts the transfer from the ES to Server_2.
Phase 1 / 6. Server_2: Start WinCC
● Start WinCC on Server_2.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 225
Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

Phase 1 / 7. Server_2: Check and save the "Redundancy" dialog box

● Open the "Redundancy" editor and check the settings in the dialog box. Click "OK" to exit
the dialog box even if you have made no changes.
Phase 1 / 8. Server_2: Check and save the "Time Synchronization" dialog box
● Open the "Time Synchronization" editor and check the settings in the dialog box. Click "OK"
to exit the dialog box even if you have made no changes.
Phase 1 / 9. Client_2: Deactivate process mode and exit WinCC
● Deactivate the process mode on all clients where Server_2 is set up as preferred server.
Note
In WinCC Explorer (Server data), you can activate Server_1 for operation as preferred
server for Client_2 within the phases 1 and 2. This setting retains operability of the clients.

Phase 1 / 10. Server_2: Activate WinCC Runtime

● Activate WinCC Runtime on Server_2.
The system reacts as follows:
– There is no server switchover. Depending on the configuration, the activated Server_2
becomes the standby or master server.
– All OS clients still receive their visualization data from OS server Server_1, which has
not yet been updated.

Note
If a Process Historian is used in the project ensure the following:
● The Process Historian was updated before
● The Process Historian is in the "Active" state.
● "PH-Ready Configuration" was done after update-/new- installation at Server_2.

Phase 1 / 11. Other redundant OS server pairs: Repeat steps 1 to 10

● If you are using more than one redundant OS server pair, you must first update standby
server Server_2 for each.
● Carry out the Phase 1 steps 1 through 10 for each Server_2.
Note
Migration of the central archive server (CAS) on the Process Historian
You can find more information about this in the "WinCC Classic Information System".

Result after Phase 1

● Server_2 is updated and not connected to any OS clients.
● Server_1 is the master server in the PCS 7 project being updated.

High Availability Process Control Systems (V9.0)

226 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

● Server_2 can be either master or standby, depending on the configuration.

● The archives will be synchronized between Server_1 and Server_2.
● Client_1 is connected to Server_1.
● Client_2 is either deactivated or interconnected with Server_1 after you have changed the
preferred server setting. Client_2 cannot access the upgraded Server_2 as the preferred
server.

7.10.4 Phase 2: Updating OS clients interconnected to Server_2

Introduction
In Phase 2, you update the OS clients that were interconnected with Server_2.
The system can be controlled at all times using Client_1, which is interconnected with the not-
yet-updated Server_1.
The same PCS 7 version is running on the active OS server Server_1 and on Client_1. Mixed
operation between OS clients and OS servers of different PCS 7 versions is not possible.
Archive data and messages that have accrued on OS server Server_1 during the update
process are available on both OS servers. Synchronization of the archives is complete with
the following message: "REDRT: <name of the OS server> finished". If Process Historian is
used, check the recoveries at the Process Historian Server and wait until they are finished, if
there are any queuing.

CAUTION
Interrupted redundancy
Perform the steps without extended interruptions because the redundancy is not available
during the update.

Initial situation before phase 2

● Server_1 is master server in the PCS 7 project.
● The updated Server_2 is standby server in the updated PCS 7 project.
● Client_1 is connected to Server_1.
● Client_2 is either deactivated or interconnected with Server_1 after you have changed the
preferred server setting. Client_2 cannot access the upgraded Server_2 as the preferred
server.

Requirement
The PCS 7 project you are updating has already been updated on the ES.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 227
Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

Procedure - Phase 2
Phase 2 / Step 1. Client_2: Backup of the PCS 7 project, of the operating system and of the
PCS 7 software installation
● Back up your previous operating system, the previous PCS 7 software installation and your
current PCS 7 project as a fallback strategy.
Phase 2 / 2. Client_2: Installation of the operating system, PCS 7 Installation "OS client"
● Install or update the operating system (you can find information about this in the manual
Process Control System PCS 7; PCS 7 PC Configuration).
An OS client runs only on an operating system that has been released for PCS 7. You can
find additional information on this in the Process Control System PCS 7; PCS 7 Readme
documentation.
● Install the necessary PCS 7 components.
In the PCS 7 Setup, select the "OS Client" check box in the "Program Packages" dialog
box.
● Make the necessary settings.
Note that Windows administration of PC stations should be performed by a Windows
administrator. You can find a detailed description of the PCS 7 installation and the required
PCS 7-specific settings for PC stations in the manual Process Control System PCS 7; PCS 7
PC Configuration.
Phase 2 / 3. Client_2: If you want to use encrypted communication after the software update:
Activate "Encrypted communication" with migration mode. You can find information about this
in the documentation Process Control System PCS 7; PCS 7 PC Configuration.
Phase 2 / 4. ES: Download to OS target system
● Right-click on the OS to be transferred in the open PCS 7 project below the WinCC
application. Select the menu command PLC > Download in the shortcut menu. This
downloads the project for Client_2 from the ES to the relevant OS.
Phase 2 / 5: Client_2: Activate
● Start WinCC on Client_2.
● Activate WinCC Runtime.

The system reacts as follows:

● Client_2 connects with the upgraded Server_2.

Result after Phase 2

● Server_1 is master server in the PCS 7 project.
● The updated Server_2 is standby server in the updated PCS 7 project.
● Client_1 is connected to Server_1.

High Availability Process Control Systems (V9.0)

228 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

● Updated Client_2 is connected to its preferred server Server_2.

● The system can be controlled from all OS clients.
Note
Maintenance client
If Server_2 is the maintenance server (last OS server pair to be updated in the project),
then the maintenance client (Client_2) can be started.
Maintenance client accesses to intelligent field devices are only possible after completion
of the software update.

7.10.5 Phase 3: Download of connections, gateways and changes to the AS

Introduction
In Phase 3, connections, gateways and CFCs are downloaded to the AS from NetPro by
downloading changes only.

Initial situation before phase 3

● Server_1 is master server in the PCS 7 project.
● The updated Server_2 is standby server in the updated PCS 7 project.
● Client_1 is connected to Server_1.
● Updated Client_2 is connected to its preferred server Server_2.
● The system can be controlled from all OS clients.

Requirements
● The PCS 7 project you are updating has already been updated on the ES.
● Configuration of the automation systems ready for download. All AS are compiled.

Procedure - Phase 3
Phase 3 / 1. ES: Transfer NetPro connection data and gateways to the AS
● Open NetPro and select your AS. Select the menu command PLC > Download to Current
Project > Connections and Gateways.
● Select the CPU you want to download to in the "Select Target Module" dialog box and exit
the dialog box by clicking "OK".
Phase 3 / 2. ES: Download CFCs to the AS

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 229
Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

If there was no download to the AS during the project update, you now need to download to
the AS.
● Select an AS in SIMATIC Manager.
● Select the menu command PLC > Download.
● Select the "Changes only" check box.
Note
If you select the "Include user data blocks" check box, the user data blocks on the AS are
overwritten. You can find additional information in the online help for the "S7 Download"
dialog box.

● Close the dialog box by clicking "OK".

Repeat the steps for downloading to the AS for each AS in the project.

The system reacts as follows:

● The system can be controlled and monitored from all clients.

Result after Phase 3

● Server_1 is master server in the PCS 7 project.
● The updated Server_2 is standby server in the updated PCS 7 project.
● Client_1 is connected to Server_1.
● Updated Client_2 is connected to its preferred server Server_2.
● The system can be controlled from all OS clients.

7.10.6 Phase 4: Updating OS clients interconnected to Server_1

Introduction
In Phase 4, you update the OS clients that are interconnected with Server_1.
The system can be controlled at all times using Client_2, which is interconnected with Server_2.

CAUTION
Interrupted redundancy
Perform the steps without extended interruptions because the redundancy is not available
during the update.

High Availability Process Control Systems (V9.0)

230 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

Initial situation before phase 4

● Server_1 is master server in the PCS 7 project.
● The updated Server_2 is standby server in the updated PCS 7 project.
● Client_1 is connected to Server_1.
● Updated Client_2 is connected to its preferred server Server_2.
● The system can be controlled from all OS clients.

Requirement
The PCS 7 project you are updating has already been updated on the ES.

Procedure - Phase 4
Phase 4 / 1. Client_1: Deactivate and exit WinCC
● Deactivate WinCC Runtime and exit WinCC on OS Client_1.
Phase 4 / 2. Client_1: Backup of the PCS 7 project, of the operating system and of the PCS 7
software installation
● Back up your previous operating system, the previous PCS 7 software installation and your
current PCS 7 project as a fallback strategy.
Phase 4 / 3. Client_1: Installation or update of the operating system, PCS 7 Installation "OS
client"
● Install or update the operating system (you can find information about this in the manual
Process Control System PCS 7; PCS 7 PC Configuration).
An OS client runs only on an operating system that has been released for PCS 7. You can
find additional information on this in the Process Control System PCS 7; PCS 7 Readme
documentation.
● Install the necessary PCS 7 components.
In the PCS 7 Setup, select the "OS Client" check box in the "Program Packages" dialog
box.
● Make the necessary settings.
Note that Windows administration of PCs should be performed by a Windows administrator.
You can find a detailed description of the PCS 7 installation and the required PCS 7-specific
settings for PC stations in the manual Process Control System PCS 7; PCS 7 PC
Configuration.
Phase 4 / 4. Client_1: If you want to use encrypted communication after the software update:
Activate "Encrypted communication" with migration mode. You can find information about this
in the documentation Process Control System PCS 7; PCS 7 PC Configuration.
Phase 4 / 5. ES: Download to OS target system
● Right-click on the OS to be transferred in the open PCS 7 project below the WinCC
application.
● Select the menu command PLC > Download in the shortcut menu. This downloads the
project for OS Client_1 from the ES to the relevant OS.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 231
Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

Phase 4 / 6. Client_1: Select the operability of the clients

Options:
● If all clients should remain operable, set the preferred server for Client_1 to Server_2.
Client_1 is operable after you have completed Phase 4. After having updated Server_1 in
Phase 5, change the server setting for Client_1 to preferred server = Server_1.
● If you do not need Client _1 to be operable during the software update, the preferred server
for Client _1 does not have to be changed.

The system reacts as follows:

● Client_1 is connected to Server_2 or deactivated.

Result after Phase 4

● Server_1 is master server in the PCS 7 project.
● The updated Server_2 is standby server in the updated PCS 7 project.
● Client_1 is updated (deactivated or connected to Server_2).
● OS Client_2 is interconnected with its preferred Server_2.

7.10.7 Phase 5: Updating Server_1

Introduction
While you perform the steps in phase 5, your system runs only with Server_2. The system
remains controlled from the OS clients that were updated in phases 2 and 4.

CAUTION
Interrupted redundancy
Perform the steps without extended interruptions because the redundancy is not available
during the update.

Initial situation before phase 5

● Server_1 is master server in the PCS 7 project.
● The updated Server_2 is standby server in the updated PCS 7 project.
● Client_1 is updated (deactivated or connected to Server_2).
● OS Client_2 is interconnected with its preferred Server_2.

High Availability Process Control Systems (V9.0)

232 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

Requirements
● The PCS 7 project you are updating has already been updated on the ES.
● Archive synchronization is complete.
– Message: "REDRT: <name of the OS server> finished".
– Using a Process Historian:
The data from the circular log of OS Server 1 is transferred or migrated to Process
Historian.
You can find additional information on this in the documentation SIMATIC; Process
Historian Installation Notes.
● Make sure that at least one updated OS client is interconnected with Server_2.
If no OS client is interconnected with Server_2, your system cannot be operated while you
are updating Server_1.

Procedure - Phase 5
Phase 5 / 1. Server_1: Deactivate and exit WinCC
● Deactivate WinCC Runtime on Server_1.
● Exit WinCC on Server_1.
● Updated Server_2 is master server.
Phase 5 / 2. Client_1: Setting the preferred server
● If the preferred server for Client_1 is set to Server_2, carry out the following steps:
– Close WinCC Runtime on Client_1.
– Set the preferred server for Client_1 to Server_1.
– Start WinCC on OS Client_1.
● Activate WinCC Runtime.
Phase 5 / 3. Server_1: Backup of the PCS 7 project, of the operating system and of the PCS
7 software installation
● Back up your previous operating system, the previous PCS 7 software installation and your
current PCS 7 project as a fallback strategy.
Phase 5 / 4. Server_1: Installation or update of the operating system, PCS 7 Installation "OS
server"
● Install or update the operating system (you can find information about this in the manual
Process Control System PCS 7; PCS 7 PC Configuration).
An OS server can only run on a server operating system which has been released for PCS 7.
You can find additional information on this in the Process control system PCS 7; PCS 7
Readme documentation.
● Install the necessary PCS 7 components.
In the "Program Packages" dialog of the PCS 7 Setup, select the "OS Server" check box
or, if the OS is to swap out data to the Process Historian, the "OS-Server for Process
Historian" check box.
● Make the necessary settings.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 233
Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

Note that Windows administration of PCs should be performed by a Windows administrator.

You can find a detailed description of the PCS 7 installation and the required PCS 7-specific
settings for PC stations in the manual Process Control System PCS 7; PCS 7 PC
Configuration.
Phase 5 / 5. Server_1: If you want to use encrypted communication after the software update:
Activate "Encrypted communication" with migration mode. You can find information about this
in the documentation Process Control System PCS 7; PCS 7 PC Configuration.
Phase 5 / 6. ES: Download OS connection data and OS target system
● Open NetPro and download the connection data from the ES to Server_1.
● Right-click on the OS to be transferred in the open PCS 7 project below the WinCC
application. Select the menu command PLC > Download in the shortcut menu. This starts
the transfer from the ES to Server_1.
Phase 5 / 7. Server_1: Start WinCC
● Start WinCC on Server_1.
Phase 5 / 8. Server_1: Check and save the "Redundancy" dialog box
● Open the "Redundancy" editor and check the settings in the dialog box. Click "OK" to exit
the dialog box even if you have made no changes.
Phase 5 / 9. Server_1: Check and save the "Time Synchronization" dialog box
● Open the "Time Synchronization" editor and check the settings in the dialog box. Click "OK"
to exit the dialog box even if you have made no changes.
Phase 5 / 10. Server_1: Activate WinCC Runtime
● Activate WinCC Runtime on Server_1.

Note
If a Process Historian is used in the project make sure:
● The Process Historian was updated before
● The Process Historian is in the "Active" state.
● "PH-Ready Configuration" was done after update-/new- installation at Server_1.

Phase 5 / 11. Perform Phase 5: Steps 1 to 10

If you are using more than one redundant OS server pair, repeat steps of Phase 5 / step 1
through 10 for each Server_1.
Phase 5 / 12. ES: Starting SIMATIC PDM
Start the SIMATIC PDM on the ES, if installed.

The system reacts as follows:

● Server_1 becomes standby server.

High Availability Process Control Systems (V9.0)

234 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.10 Guide to updating a redundant OS in runtime

Result after Phase 5

● Updated Server_1 is standby server.
● Updated Server_2 is master server.
● Updated Client_1 is connected to its preferred server Server_1.
● Updated Client_2 is connected to its preferred server Server_2.
The updating of your redundant operator stations is complete.
Maintenance client accesses to intelligent field devices are possible when the PDM server has
been started on the engineering station.

NOTICE
Archive data
When migrating the project from CAS to a Process Historian, only the latest archive data from
the operator stations is available.
Archive data from swapped out archives and archive data from a previously used central
archive server may need to be migrated.

Note
Encrypted communication
If you have used encrypted communication, it is activated in migration mode for all PC stations
in the system. Use encrypted communication in migration mode only as a temporary solution.
Deactivate migration mode in the entire system. You can find information about this in the
documentation Process Control System PCS 7; PCS 7 PC Configuration.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 235
Failure, switchover and reintegration of high availability components
7.11 Guide to updating a redundant BATCH server in runtime

7.11 Guide to updating a redundant BATCH server in runtime

7.11.1 Software update (migration)

Information is available in the SIMATIC BATCH product documentation:
● Operating manual SIMATIC Process Control System PCS 7; SIMATIC BATCH; section
"Software Update (Migration)."

High Availability Process Control Systems (V9.0)

236 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.12 Guide to updating a redundant Route Control server in runtime

7.12 Guide to updating a redundant Route Control server in runtime

7.12.1 Updating a redundant Route Control server in runtime

For servers and single-station systems which are used for OS and Route Control, please
observe the following information.

Requirement
● The Route Control project on the engineering station has been updated.
● Note the phases described in section "Guide to updating a redundant OS in runtime
(Page 217)".
Note
Backing up the log files
Back up the log files before replacing or reinstalling a computer, at the latest. You can find
the configured storage path via the Route Control Engineering (list for route log in the path:
Project Settings > Runtime Parameters > Routes Log > Values for Server and Standby).

Procedure
Execute the following steps on the servers, note the sequence and the states on each PC
station.

Default Master (1) Default Standby (1)

1. V8.x (2) – Runtime V8.x (2) – Runtime
2. V8.x (2)
– Runtime Exit Runtime
Execute an update installation on the "Default Standby Serv‐
er" and the Engineering Station.
3. V8.x (2) – Runtime Update the database to the new version and download it
(you may have to update and download the WinCC project)
4. V8.x (2) – Runtime Start the RC server (and also WinCC Runtime, if needed)
Do not update the current server (default master)! and perform the update (the default standby server must be
selected on a client with a new version in the RC Center
using the menu command Program > Server Selection)
5. The default master continues to operate as standby Activate the default standby
server This RC server becomes the master (new version – Runtime)
● RC clients with V8.x SPx (2) report errors because
connection to an RC server of another version is not
possible.
● RC clients with the new version connect to the RC server
● All running routes will be processed with the new RC
server.
6 Exit RC server New version – Runtime
7. Execute an update installation on the default master. New version – Runtime
The next step involves changing the master role.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 237
Failure, switchover and reintegration of high availability components
7.12 Guide to updating a redundant Route Control server in runtime

Default Master (1) Default Standby (1)

8. Start RC server (or WinCC Runtime) – starts as New version – Runtime
standby (you may have to update the project) The database is read.
9. New version – Runtime (standby) New version – Runtime
(1)
: Default master or standby refers to the current state of the server pair before the software update in runtime. Any
redundancy switching is not necessary.
(2)
: V8.x. means Route Control V8.2.

Additional information
● Programming and Operating Manual SIMATIC Process Control System PCS 7; SIMATIC
Route Control; section "Software update."

High Availability Process Control Systems (V9.0)

238 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.13 Redundancy behavior of the PCS 7 OS, SIMATIC BATCH and SIMATIC Route Control servers

7.13 Redundancy behavior of the PCS 7 OS, SIMATIC BATCH and

SIMATIC Route Control servers

Error-free System
A redundant server pair is considered to be fault-free when the following conditions are met:
● Both servers are in process mode (master or standby).
● All process mode data are synchronized between the servers.

Failure of a server computer (computer of a server pair)

Order of the reactions Reactions

Failure at the master server (Serv‐ Failure at the standby server (Server_b
er_a power off) power off)
For computers with a Standby server (Server_b) becomes
server function or master
computers with a No redundancy switchover master re‐
combination of server mains master
functions
● BATCH server
● OS server
● Route Control
server

Failure of the terminal bus

Order of the reactions Reactions

Failure at the master server (Serv‐ Failure at the standby server (Serv‐
er_a) er_b)
Only for BATCH server The dialog "Restart request" appears at the server affected by the failure.
or for BATCH server in
combination with Route
Control server
Only for BATCH server Network adapter for terminal bus and redundant link are deactivated.
or for BATCH server in
combination with Route
Control server
For computers with a Standby server (Server_b) be‐
server function or com‐ comes master
puters with a combina‐ No redundancy switchover master re‐
tion of server functions mains master
● BATCH server
● OS server
● Route Control
server

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 239
Failure, switchover and reintegration of high availability components
7.13 Redundancy behavior of the PCS 7 OS, SIMATIC BATCH and SIMATIC Route Control servers

Order of the reactions Reactions

Failure at the master server (Serv‐ Failure at the standby server (Serv‐
er_a) er_b)
For OS server or com‐ Process control message is output on the PCS 7 OS
puters with a combina‐
tion of server functions
● BATCH server
● OS server
● Route Control
server
Only for BATCH server If automatic restart is activated, it is executed on the server affected by the
or for BATCH server in failure.
combination with Route The server is in "Standby" mode following restart.
Control server

Plant bus failure

● PCS 7 OS server:
So that the failure of the plant bus is recognized, the option "WinCC client switch in case
of a process connection error" has to be selected.
(Default setting: the option is selected)
● SIMATIC BATCH:
Failure of the plant bus is only relevant for SIMATIC BATCH if the batches are executed in
the automation system.

Order of the reactions Reactions

Failure at the master server (Serv‐ Failure at the standby server (Serv‐
er_a) er_b)
Only for BATCH serv‐ Standby server (Server_b) becomes
er or for BATCH serv‐ master;
er in combination with Computer (server a) becomes stand‐
Route Control server by
No redundancy switchover master re‐
mains master
only for Route Control Standby server (Server_b) becomes No redundancy switchover master re‐
server master mains master
Computer switches to initialization or error status.
The computer becomes standby following reconnection to the plant bus.
For OS server or com‐ Process control message is output on the PCS 7 OS.
puters with a combi‐ No isolation of the network adapter.
nation of server func‐
tions
● BATCH server
● OS server
● Route Control
server

High Availability Process Control Systems (V9.0)

240 Function Manual, 05/2017, A5E39221836-AA
 Failure, switchover and reintegration of high availability components
7.13 Redundancy behavior of the PCS 7 OS, SIMATIC BATCH and SIMATIC Route Control servers

Failure of the redundant connection

Order of the reactions Reactions

Master server Standby server
Only for BATCH serv‐ The dialog "Restart request" appears
er or for BATCH serv‐ on the standby server.
er in combination with
Route Control server
For OS server or com‐ Process control message is output on the PCS 7 OS
puters with a combi‐
nation of server func‐
tions
● BATCH server
● OS server
● Route Control
server
only for Route Con‐ No reaction to the error.
trol server
Only for BATCH serv‐ No reaction ● Network adapter for terminal bus
er or for BATCH serv‐ and redundant link are deactivated.
er in combination with
● If automatic restart is activated, it is
Route Control server
executed on the server affected by
the failure.
The server is in "Standby" mode
following restart.

Failure of software components (Health check)

Order of the reactions Reactions

Master server Standby server
OS server or BATCH The dialog "Restart request" appears The dialog "Restart request" appears
server or for BATCH on the standby server. on the standby server.
server in combination A redundancy switchover then takes
with Route Control place.
server
For OS server or com‐ ● Process control message is output on the PCS 7 OS
puters with a combi‐ ● Network adapter for terminal bus and redundant link are deactivated.
nation of server func‐
tions ● If automatic restart is activated, it is executed on the server affected by the
failure.
● BATCH server
The server is in "Standby" mode following restart.
● OS server
● Route Control
server

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 241
Failure, switchover and reintegration of high availability components
7.13 Redundancy behavior of the PCS 7 OS, SIMATIC BATCH and SIMATIC Route Control servers

Automatic restart
The following is required for the automatic restart:
● Automatic restart has to be activated for all applications that are take part in process mode.
● All process mode data are synchronized between the servers.
If a redundancy error occurs on one server following the automatic restart, note the following:
If a new redundancy error occurs within the first hour that this computer again takes part in
process mode, no automatic restart is executed.

Note
Restart
The automatic restart is also limited to 3 restarts. The counter is reset after 3 hours. At least
3 hours have to pass before the counter is reset following the third restart. If a restart is triggered
hourly due to an error, an autoreboot is no longer executed following the 3rd error (because it
has not been 3 hours without autoreboot)

Delayed reaction to errors

A double error can result in a delayed reaction by the server.
Example:
● Error 1: The partner server is not available or cannot be reached.
● Error 2: An additional error occurs during process mode (e.g. terminal bus cable pulled).
● Reaction:
– The computer first remains MASTER.
– An error is reported.
– The reaction to the error is delayed.
– Only when the partner server is recognized and all data are synchronized does the
dialog "Restart request" appear.
Note:
As long as the process mode data from WinCC or SIMATIC BATCH are not
synchronized, the server remains in the status MASTER.

High Availability Process Control Systems (V9.0)

242 Function Manual, 05/2017, A5E39221836-AA
Diagnostics 8
Information is available in the manual Process Control System PCS 7; Service Support and
Diagnostics.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 243
Diagnostics
8.1 Advanced self-diagnostics of communication connections

8.1 Advanced self-diagnostics of communication connections

PCS 7 features advanced self-diagnostics for redundant software systems (servers). If this
diagnostics routine detects an internal fault, and in the event that the redundant partner server
is fully functioning, all communication connections on the server affected by the fault are
disconnected (terminal and plant bus).
The affected server is then restarted automatically.

Requirements
● Use of a PCS 7 OS (multi-station) redundant system, SIMATIC BATCH and SIMATIC Route
Control.
● The following settings have been made on the server systems:
– Automatic Windows logon (not relevant for servers in WinCC service mode)
– Automatic start of the PCS 7 server applications

Procedure
1. Use the search box in the start menu to open the file "gpedit.msc".
The "Local Group Policy Editor" dialog box opens.
2. In the tree view, select the folder Local Computer Policy > Computer Configuration >
Administrative Templates > System.
3. Double-click the "Display Shutdown Event Tracker" object in the detail view.
The "Display Shutdown Event Tracker" dialog box opens.
4. Select the "Deactivated" option button.
5. Click "OK".
Note
Before a PCS 7 server application is exited, an availability check is carried out on the
relevant redundant partner server. If the partner server is not fully functional, the user is
informed of this status and can proceed accordingly.
The availability check is only carried out in service mode if a user is logged on.

Additional information
You can find more information in the corresponding documentation and readme files on:
● PCS 7 OS
● SIMATIC BATCH
● SIMATIC Route Control
● SIMATIC NET

High Availability Process Control Systems (V9.0)

244 Function Manual, 05/2017, A5E39221836-AA
 Diagnostics
8.2 State of redundant operator stations in diagnostic pictures

8.2 State of redundant operator stations in diagnostic pictures

When using a Maintenance Station, the block icons show the redundancy state of the
redundant OS servers in the diagnostic area. You can find information on the block icons
displayed for redundant components in the documentation Process Control System PCS 7;
Maintenance Station.
For OS Clients on Windows, the state of connected servers shows the redundancy state of
redundant OS and PH servers.

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 245
Diagnostics
8.2 State of redundant operator stations in diagnostic pictures

High Availability Process Control Systems (V9.0)

246 Function Manual, 05/2017, A5E39221836-AA
Index
Client, 97, 163
Configuring, 163
A Communication lines, 54
Communication modules, 50
Actuators, 48
Communication solutions, 54, 61, 63, 74, 76
Adding, 196
High availability terminal bus, 61
Components of the distributed I/O, 196
Redundant field bus, 76
Modules in central and expansion racks, 196
Redundant fieldbus, 78
Advantages of high availability components, 108
Redundant terminal bus, 63
Notes, 108
Redundant, high availability plant bus, 71
Requirements, 108
Communications connections, 115
Assign, 162
Configuring, 115
S7 program to OS, 162
Compact FF Link, 87, 149
Automation system, 50, 53
Connecting, 87
Components, 50
Compile/download program, 168
Hardware components, 50
Components, 63, 76
How the S7-400H Operates, 53
Fieldbus, 76, 78
Operating principle, 53
High availability terminal bus, 61
Availability, 30, 76, 94
Redundant terminal bus, 63
Field bus, 76
Redundant, high availability plant bus, 71
Fieldbus, 78
Components of S7-400H, 50
OS server, 94
Components";"CPU 410, 74
Configuration
Batch client, 172
B Bus interface IM 153-2, 133
Basic knowledge, 9 Cross-project, 104
Required, 9 Download to target system, 168
BATCH, 174 DP/PA Coupler, 147
Monitoring, 174 Engineering station, 104
Network adapter, 174 FOUNDATION Fieldbus, 130
Redundancy, 174 OS clients, 163
BATCH client, 215 OS clients for permanent operability, 165
Switchover characteristics, 215 Plant bus, 117
Batch process, 99 Redundant BATCH servers, 170
Batch server, 210 Redundant fieldbus, 119
Response to failure, 210 Redundant Process Historian, 187
Bumpless continuation, 18 Terminal bus, 115, 116
Bus interface IM 153-2, 133 Y Link, 145
Configuring, 133 Configuration via PDM, 131
Requirement, 133 Configuring
Bus link, 81, 87 FF Bus Link, 149
FF link, 87 High availability fieldbus, 122, 125
PA Link, 81 Interconnected signal, 47
PROFINET, 123, 126
Redundant OS servers, 152
C Redundantly acquired signal, 47
Topology, 123, 126
Central processing unit, 50
WinCC Redundancy, 159
Changes in the CPU, 196
Configuring instructions, 108
Channel-based, 113

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 247
Index

Configuring redundant BATCH servers, 170 Fault, 205

Configuring the Batch client, 172 Network connection from the OS client to the OS
Connecting server, 205
FF Bus Link, 87 Network connection to the AS, 205
Plant bus, 61 Network connection to the OS partner
Terminal bus, 61 server, 205
Continuation, 18 FDC 157-0
Bumpless, 18 Couplers, 149
CP 1613, 61 Features for commissioning, 27
CP 1623, 61 Features for servicing, 29
CPU 410";"Connecting redundantly, 74 Features for system extension, 29
CPU settings, 113 Features for the configuration phase, 26
Creating, 156 Features for the operation phase, 27
OS, 152 FF Bus Link
Process Historian, 187 Connecting, 87
Redundant connection between AS and OS, 156 FF link, 149
Configuring, 149
Connecting, 87
D Fiber-optic cable, 50, 202
Response to failure, 202
Deactivating, 205
Fieldbus, 76, 119, 122, 125
WinCC project, 205
Availability, 76, 78
Definition, 30
Components, 76, 78
Availability, 30
Configuring, 119, 122, 125
Definition of the standby modes, 31
Setup, 78
Depassivation, 199
Structure, 76
Redundant I/O modules, 199
FOUNDATION Fieldbus, 90
Discrepancy time, 199
Redundant, 90
Documentation
Access options, 9
for planning and configuration, 9
Download target systems, 168
H
DP/PA Coupler, 147 H station, 108
DP/PA Link, 147 Inserting, 108
Configuring, 147 Requirement, 108
Hardware components
S7-400, 50
E High availability automation system, 50
High availability process control systems, 15
Electrical ring, 54
High availability terminal bus, 61
Engineering station, 104
Availability, 61
Configuring, 104
Components, 61
Textual reference, 104
Setup, 61
ES, 104
High availability with redundancy nodes, 19
ESM, 54
Display, 19
ET 200M, 133
Hot restart, 199
Configuring bus interface, 133
Redundant interface, 199
How to configure a PC station for a redundant Route
Control server, 178
F How to configure a PC station for a Route Control
Failure of redundant bus components, 204 client, 180
How to configure a redundant connection between a
Route Control server and AS, 183

High Availability Process Control Systems (V9.0)

248 Function Manual, 05/2017, A5E39221836-AA
 Index

How to configure the redundant PROFIBUS PA, 128

How to download a SIMATIC BATCH project to the
target system, 176 O
How to set the redundancy of the BATCH
Open
servers, 175
Existing STEP 7 project, 143
How to set the redundancy of the Route Control
Operating principle, 53, 94, 97, 136, 140
servers, 186
OS server, 94
HW Config
Permanent operability, 97
Starting, 143
Redundant I/O modules, 136, 140
S7-400H, 53
Optical PROFIBUS, 76
I Optical ring, 54
I/O, 35, 38, 40, 42 Optical/electrical ring, 54
Central, 35 Option
Distributed, 35 Configuration via PDM, 131
FF link, 87 OS client, 97, 163
PA Link, 81 Additional, 97
Redundant, 38, 40 Configuring, 163
Redundant actuators and sensors, 48 Permanent operability, 97
Redundant I/O modules, 46 OS clients, 213
Redundant interfacing, 45 Switchover characteristics, 213
Single-channel switched distributed I/O, 42 OS server
Y Link, 80 Availability, 94
IM 153-2, 133 Configuring, 152
Increasing availability, 50 Creating, 152
Automation system, 50 Failure, switchover and restart, 205
Input/output module, 136, 140 Operating principle, 94
Configuring, 136, 140 Setup, 94
Operating principle, 136, 140 Time synchronization, 105
Setup, 136, 140 OS terminal, 97
Inserting, 108 OSM, 54
H station, 108 Overview of configuration steps, 133, 152, 170, 178
Inserting a SIMATIC H station, 108 Overview of features, 24
Inserting sync modules, 52 PCS 7, 24
Interfacing, 45

P
M PA Link, 81
Master CPU, 202 Passivation reaction, 113
Reintegration, 202 PC station, 104
Response to failure, 202 PCS 7 overview of features, 24
Module-based, 113 Features for commissioning, 27
Modules, 196 Features for servicing, 29
Adding, 196 Features for the configuration phase, 26
Removing, 196 Features for the operation phase, 27
Multiproject engineering, 104 Permanent operability, 97
Operating principle, 97
Plant bus
N Configuring, 117
Connecting, 61
Network components, 56
Plant bus";"Redundant high availability, 74

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 249
Index

Plant bus, redundant high availability, 71 Redundant I/O, 38, 40

Availability, 71 Redundant interface, 199
Components, 71 Hot restart, 199
Setup, 71, 74 Response to failure, 199
Plant changes in runtime, 196 Redundant OS servers, 94
Power supply Configuring, 152
S7-400H, 50 Creating, 152
Preface, 9 Redundant Route Control servers, 102
Preferred server, 97 Redundant systems, 217
Process control system PCS 7, 15 Updating, 217
Process Historian Redundant, high availability terminal bus, 63
Creating, 187 Reintegration, 202
Redundant configuration, 187 Master CPU, 202
PROFIBUS PA, 83 Removing, 196
Redundant, 83 Components of the distributed I/O, 196
PROFINET, 78 Modules in central and expansion racks, 196
Topology, 123, 126 Repair time, 18
Topology Editor, 123, 126 Replacement of BATCH stations in runtime, 193
Project path, 155 Replacement of bus components in runtime, 191
Setting, 155 Replacement of operator stations in runtime, 192
Replacement of Route Control stations in
runtime, 194
Q Replacement of SIMATIC components, 189
Replication, 99
Quick guide, 219, 224, 229, 232
Requirement, 119, 122, 125, 136, 140, 147, 149
Updating redundant systems, 219, 224, 229, 232
Configuring FDC 157-0, 149
Configuring redundant I/O modules, 136, 140
Configuring the DP/PA coupler, 147
R Configuring the high availability fieldbus, 122,
Racks 125
S7-400H, 50 Configuring the the redundant fieldbus, 119
Reaction of Route Control servers to failures, 211 Requirements, 196
Redundancy, 54 Advantages of high availability components, 108
With electrical ring, 54 Configuring OS clients for permanent
With optical ring, 54 operability, 165
Redundancy Concept, 19 Configuring redundant BATCH servers, 170
Redundancy monitoring, 174 Configuring the Batch client, 172
BATCH, 174 Configuring the OS client, 163
Network adapter, 174 Configuring the redundant plant bus, 117
Redundancy nodes, 32 Configuring the Y Link, 145
Availability without fault, 32 Configuring WinCC redundancy, 159
Total failure, 32 Creating a Process Historian, 187
without fault, 32 Creating OS servers, 152
Redundant BATCH servers, 99 Inserting synchronization modules, 52
Redundant communication connections, 115, 116, Plant changes in runtime, 196
117, 119, 122, 125 Redundant connection between AS and OS, 156
Configuring the fieldbus, 119, 122, 125 Setting the project path for OS servers, 155
Configuring the plant bus, 117 Response to failure, 199, 202, 205, 210
Configuring the terminal bus, 115, 116 Batch server, 210
Redundant connection between OS and AS, 156 Fiber-optic cable, 202
Creating, 156 Master CPU, 202
Redundant double ring, 71, 74 Redundant I/O modules, 199

High Availability Process Control Systems (V9.0)

250 Function Manual, 05/2017, A5E39221836-AA
 Index

Redundant interface, 199 Single-channel switched distributed I/O, 42

Redundant OS servers, 205 Solutions for the I/O, 35
Ring, 56 Starting HW Config, 143
Ring structure, 56 STEP 7 project
Route Control, 186 Opening, 143
Target systems, 186 Structure, 76
Fieldbus, 76
Switchlover criteria
S OS client, 213
Switchover characteristics, 213, 215
S 7 programs, 162
BATCH client, 215
Assign, 162
OS clients, 213
S7 network components, 54
Switchover criteria, 213
For redundant ring structure, 54
switchover reaction of Route Control clients, 216
S7-400H, 53
Synchronization module, 50, 52
Hardware components, 50
Inserting, 52
Operating principle, 53
Requirements, 52
Power supply, 50
S7-400H, 50
Racks, 50
Synchronization module, 50
Sensors, 48
Server, 94
T
Setting, 155 Target system, 168
Project path, 155 Target systems, 186
Setup, 74, 94, 136, 140, 145, 147, 149 Downloading Route Control, 186
Fieldbus, 78 Terminal bus, 61, 63
OS server, 94 Configuring, 115, 116
Redundant I/O modules, 136, 140 Connecting, 61
Redundant plant bus, 71 High availability, 61
With DP/PA coupler, 147 Redundant, high availability, 63
With Y Link, 145 Textual reference, 104
Short designations of components, 15 Time synchronization, 105
Signal 3rd party, 105
Interconnected redundant, 47 Use cases, 105
Signal module, 136, 140 Via external receiver, 105
SIMATIC PC station, 155, 156, 159, 162, 163, 165, Via LAN with connected WinCC server, 105
168, 170, 172 Via LAN with specified computer, 105
Compile OS, 162 Via plant bus, 105
Configuring OS clients for permanent Topology Editor, 123, 126
operability, 165 Total failure, 32
Configuring redundant BATCH servers, 170 Redundancy nodes, 32
Configuring the Batch client, 172
Configuring WinCC redundancy, 159
Creating a redundant Process Historian, 187 U
Redundant connection between AS and OS, 156
Updating, 217
Setting the project path, 155
Redundant system, 217
SIMATIC PCS 7 redundancy concept, 19
Updating a redundant system in runtime, 217
SIMATIC PCS 7 overview of features, 24
Updating redundant systems, 219, 224, 229, 232
For commissioning, 27
Phase 2, 227
For servicing and system expansion, 29
Phase 4, 230
For the configuration phase, 26
Quick guide, 219, 224, 229, 232
For the operation phase, 27
Simatic Shell, 161, 176, 185

High Availability Process Control Systems (V9.0)

Function Manual, 05/2017, A5E39221836-AA 251
Index

V
Validity, 9

W
WinCC client, 97
WinCC project, 205
Deactivating, 205
WinCC Redundancy, 159
Configuring, 159
WinCC Server, 94
Windows domain
Synchronizing, 105

Y
Y Link, 80, 145
Configuring, 145
Requirements, 145
Setup, 145

High Availability Process Control Systems (V9.0)

252 Function Manual, 05/2017, A5E39221836-AA