Siemens SIMATIC S7-400H Manual

Fault-tolerant systems

SIMATIC S7-400H Programmable Controller
Fault-Tolerant Systems
Manual

This manual has the order number: 6ES7988-8HA10-8BA0
Edition 07/2000
A5E00068197-04

Important Notes, Contents
1 Fault-Tolerant Systems in Automation Engineering
2 S7-400H Installation Options
3 Getting Started
4 System and Operating Modes of the S7-400H
5 Link-up and Update
6 Using I/O on the S7-400H
7 Communications
8 Configuring with STEP 7
9 Failure and Replacement of Components During Operation
10 Modifications to the System while in Operation
Appendices
A Characteristic Values of Redundant Programmable Logic Controllers
B Separate Operation
C Converting from S5-H to S7-400H
D Differences between Fault-Tolerant Systems and Standard Systems
E Function Modules and Communication Processors Used on the S7-400H
Glossary, Index


Summary of Contents for Siemens SIMATIC S7-400H

  • Page 2 Trademarks SIMATIC, SIMATIC HMI and SIMATIC NET are registered trademarks of SIEMENS AG. Some of the other designations used in these documents are also registered trademarks; the owner’s rights may be violated if they are used by third parties for their own purposes.
  • Page 3: A5E00068197

    Important Notes Purpose of the manual The present manual is intended for persons involved in the areas of configuration, commissioning and servicing of programmable logic control systems. To help you get familiar with the product, we recommend that you start with the example in Chapter 3.
  • Page 4 Important Notes Online Help In addition to the manual, detailed support on how to use the software is provided by the online Help system integrated in the software. The Help system can be accessed using a number of interfaces: In the Help menu are a number of commands: Contents opens the Help index. You will find help on fault-tolerant systems at Call Help on options packages, configuring fault-tolerant systems.
  • Page 5 +49 (180) 5050-222 Fri. 0.00 a.m. to 12.00 p.m. Fax: +49 (180) 5050-223 Phone: +49 (911) 895-7777 E-mail: techsupport@ Fax: +49 (911) 895-7001 ad.siemens.de GMT: +1:00 GMT: +01.00 Europe / Africa (Nuremberg) America (Johnson City) Asia/Australia (Singapore) Authorization Technical Support and...
  • Page 6 SIMATIC Customer Support provides you with comprehensive additional information in SIMATIC products by means of its online services: You can obtain up–to–date information – on the Internet at http://www.ad.siemens.de/simatic Current product information leaflets and downloads which you may find useful for your product: –...
  • Page 7: Table Of Contents

    Contents: Fault-Tolerant Systems in Automation Engineering; Redundant Programmable Logic Controllers in the SIMATIC Series; Increasing System Availability
  • Page 8 Contents: Special Features during Link-up and Update, 5-28; Using I/O on the S7-400H; Introduction
  • Page 9 Contents: 9.2.3 Failure and Replacement of a PROFIBUS-DP Slave, 9-15; 9.2.4 Failure and Replacement of PROFIBUS-DP Cables, 9-16; Modifications to the System while in Operation
  • Page 10 Contents: 10.6.5 Step E: Transition to the Redundant System Mode, 10-46; 10.7 Changing the Memory Components of the CPU, 10-47; 10.7.1 Expand the main and/or load memory...
  • Page 11: Fault-Tolerant Systems In Automation Engineering

    Fault-Tolerant Systems in Automation Engineering This chapter contains an introduction to redundant and fault-tolerant programmable logic controllers. Sections in this chapter: Redundant Programmable Logic Controllers in the SIMATIC Series; Increasing System Availability.
  • Page 12: Redundant Programmable Logic Controllers In The Simatic Series

    At the same time there is a demand for fail-safe programmable logic controllers with the greatest degree of distribution possible. Redundant programmable logic controllers from Siemens have proved themselves in operation and thousands are in service. Perhaps you are already familiar with one of the fault-tolerant systems such as the SIMATIC S5-115H and S5-155H, or the fail-safe S5-95F and S5-115F systems.
  • Page 13 Fault-Tolerant Systems in Automation Engineering Why do we have fault-tolerant programmable logic controllers? The objective of using high-availability programmable logic controllers is a reduction of losses of production. It does not matter whether the losses are caused by an error or as a result of maintenance work. The higher the costs of a stoppage, the more worthwhile it is to use a fault-tolerant system.
  • Page 14: Increasing System Availability

    Fault-Tolerant Systems in Automation Engineering Increasing System Availability The S7-400H programmable logic controller meets these high requirements for availability, intelligence and distribution that are required of state-of-the-art programmable logic controllers. Further, it features all the functions for acquiring and preparing process data and for controlling, regulating and monitoring units and systems.
  • Page 15 Fault-Tolerant Systems in Automation Engineering Redundant nodes Redundant nodes represent the fault tolerance of systems with redundant components. The independence of a redundant node is given when the failure of a component within the node does not result in reliability constraints in other nodes or in the entire system.
  • Page 17: S7-400H Installation Options

    S7-400H Installation Options The first part of the description starts with the basic configuration of the fault-tolerant S7-400H programmable controller and the components making up the S7-400H base system. We then describe the hardware components with which you can expand this base system. The second part describes the software applications with which you can configure and program the S7-400H.
  • Page 18 S7-400H Installation Options Figure 2-1 shows an example of the configuration of an S7-400H with common distributed I/O and a connection to a redundant system bus. On the next few pages we will describe step by step the hardware and software components necessary for configuring and operating the S7-400H.
  • Page 19: Base System Of The S7-400H

    S7-400H Installation Options Base System of the S7-400H Hardware of the Base System By base system of the S7-400H we mean the minimum configuration of the S7-400H. The base system consists of all the requisite hardware components that make up the fault-tolerant control system. Figure 2-2 shows the components in the installation.
  • Page 20 S7-400H Installation Options Mounting rack for S7-400H We recommend the UR2-H mounting rack for the S7-400H. The mounting rack makes it possible to configure two separate subsystems, each containing nine slots, and is suitable for installation in 19” cabinets. Alternatively, you can also configure the S7-400H on two separate mounting racks.
  • Page 21: I/O For The S7-400H

    S7-400H Installation Options I/O for the S7-400H For the S7-400H you can use virtually any of the input/output modules featured in the SIMATIC S7 system range. The I/O can be used in central racks, in expansion units, or distributed over PROFIBUS DP. The function modules (FMs) and communication processors (CPs) that can be used in the S7-400H will be found in Appendix E.
  • Page 22: Communication

    S7-400H Installation Options Communication For communication tasks on the S7-400H you can use almost any communications components offered in the SIMATIC system range. This applies to communication components used either with central I/O or distributed I/O, such as system buses (Industrial Ethernet, PROFIBUS) and point-to-point connections. Availability of communications You can vary the availability of communications with the S7-400H.
  • Page 23: Configuration And Programming Applications

    S7-400H Installation Options Configuration and Programming Applications The S7-400H is configured and programmed with STEP 7 just like any other SIMATIC S7 programmable logic controller. After configuration with STEP 7, you treat the S7-400H as a normal S7-400 system. For you this means that you can use your full knowledge of the SIMATIC S7 and, for example, only have to take minor constraints into account when writing your user program.
  • Page 24: User Program

    S7-400H Installation Options User Program The rules applicable to the design and programming of the standard S7-400 system apply similarly to the S7-400H. The user programs are stored in an identical form in the two central processing units and are executed simultaneously (event-synchronous). From the viewpoint of user program execution, the S7-400H behaves in exactly the same manner as a standard system.
  • Page 25: Documentation

    S7-400H Installation Options Documentation The following illustration presents an overview of the description of the different components and possibilities presented by the S7-400H PLC. Subject Documentation Hardware: S7/M7-400 standard documentation CPU 417-4H Installation Redundancy-capable power supply Module Specifications synchronization submodule Instruction List rack UR2-H IM 153-2...
  • Page 27 Getting Started This guide walks you through the steps that have to be performed to commission the system by means of a specific example and results in a working application. You will learn how an S7-400H programmable logic controller operates and become familiar with its response in the event of a fault.
  • Page 28: Requirements

    Getting Started Requirements The following requirements must be met: A permitted version of the STEP 7 standard software and the ”S7 Fault-Tolerant System” option pack are correctly installed on your programming device (refer to Section 8.1). You must have the modules required for the hardware configuration: an S7-400H PLC consisting of: –...
  • Page 29: Configuring Hardware And Starting Up The S7-400H

    Getting Started Configuring Hardware and Starting Up the S7-400H Installing Hardware To configure the S7-400H as illustrated in Figure 3-1, perform the following steps: [Figure 3-1 Hardware Configuration: S7-400H PLC with Rack 0 and Rack 1, ET 200M distributed I/O] Configure the two subunits of the S7-400H PLC as described in the S7-400, M7-400 Programmable Controllers, Hardware and Installation/Module Specifications manuals.
  • Page 30 Getting Started Connect the programming device to the first CPU 417-4 H (CPU0). This CPU should be the master CPU of the S7-400H. A high-quality RAM test is performed after power on. It requires approximately 8 seconds per megabyte of RAM. During this time the CPU cannot be addressed via the multipoint interface and the STOP LED flashes.
  • Page 31: Examples Of Fault-Tolerant System Response In The Event Of Faults

    Getting Started Note You can start and stop the S7-400H programmable logic controller using the programming device too. You will find more information on this in online Help of the S7-400H options package. Examples of Fault-Tolerant System Response in the Event of Faults Example 1: Failure of a central processing unit or power supply Initial situation: The S7-400H is in the Redundant system mode.
  • Page 33: System And Operating Modes Of The S7-400H

    System and Operating Modes of the S7-400H This chapter features an introduction to the subject of S7-400H fault-tolerant systems. You will learn the basic concepts that are used in describing how fault-tolerant systems operate. Following that, you will receive information on fault-tolerant system modes. These modes depend on the operating modes of the different fault-tolerant CPUs, which will be described in the section that follows after that one.
  • Page 34: Introduction

    System and Operating Modes of the S7-400H Introduction The S7-400H consists of two redundant configured subsystems that are synchronized via fiber-optic cables. The two subsystems create a fault-tolerant programmable logic controller operating with a two-channel (1-out-of-2) structure on the “active redundancy” principle. What does active redundancy mean? Active redundancy, frequently referred to as functional redundancy too, means that all redundant resources are constantly in operation and are simultaneously...
  • Page 35 CPUs on the S7-400. Event-driven synchronization procedure The “event-driven synchronization” procedure patented by Siemens has been used on the S7-400H. This procedure has proved itself in practice and has already been used for the S5-115H and S5-155H PLCs.
  • Page 36 System and Operating Modes of the S7-400H Self-tests Malfunctions have to be detected, isolated and reported as quickly as possible. Consequently, widely-ranging self-test functions have been implemented on the S7-400H and run automatically and entirely in the background after POWER ON, in cyclic operation and even in the ERROR-SEARCH mode.
  • Page 37: System Modes Of The S7-400H

    System and Operating Modes of the S7-400H Note With a fail-safe system, the periodic self-tests must not be inhibited and then enabled again. For more details refer to the manual S7-400F and S7-400FH Programmable Controllers; Fail-Safe Systems. System Modes of the S7-400H The system modes of the S7-400H result from the operating modes of the two CPUs.
  • Page 38: Operating Modes Of The Cpus

    System and Operating Modes of the S7-400H Operating Modes of the CPUs Operating modes describe the behavior of the CPUs at any given point of time. Knowledge of the operating modes of the CPUs is useful for programming startup, the test and the error diagnostics. Operating modes from POWER ON to the Redundant system mode Generally speaking, the two CPUs enjoy equal rights so that either CPU can be the master or the standby CPU.
  • Page 39 System and Operating Modes of the S7-400H Explanations relating to Figure 4-2 Table 4-2 Explanations Relating to Figure 4-2 System and Operating Modes of the Fault-tolerant System Item Description Once the power supply has been turned on, the two CPUs (CPU 0 and CPU 1) are in the STOP mode.
  • Page 40: Startup Operating Mode

    System and Operating Modes of the S7-400H 4.3.2 STARTUP Operating Mode Except for the additions described below, the CPUs of the S7-400H behave in exactly the same way in the STARTUP mode as the standard CPUs on the S7-400 Types of startup CPU 417-4H distinguishes between a cold restart and a complete restart (warm restart).
  • Page 41: Run Operating Mode

    System and Operating Modes of the S7-400H 4.3.4 RUN Operating Mode Except for the additions described below, the CPUs of the S7-400H behave in exactly the same way in the RUN mode as the standard CPUs on the S7-400 do. The user program is executed by at least one of the two CPUs in the following system modes: Solo mode...
  • Page 42: Hold Operating Mode

    System and Operating Modes of the S7-400H 4.3.5 HOLD Operating Mode With the exception of the additions described below, the S7-400H in HOLD mode behaves in exactly the same way as a regular CPU on the S7-400. The HOLD mode is a special case. It is only used for test purposes. When is the HOLD mode possible? The HOLD mode can be reached only from the STARTUP mode and from RUN submode of Solo mode.
  • Page 43: Error-Search Operating Mode

    System and Operating Modes of the S7-400H 4.3.6 ERROR-SEARCH Operating mode During the self-test the master CPU and the standby CPU compare the contents of their memories. If the test discovers different memory contents, a comparison error is reported. The preset reaction to a comparison error is the ERROR-SEARCH mode (default reaction).
  • Page 44: Time Response

    System and Operating Modes of the S7-400H Reaction to recurring comparison error The reaction to a recurring comparison error depends on whether the error occurs in the subsequent self-test cycle or not until later. Table 4-4 Reaction to Recurring Comparison Error Comparison Error Occurs Again ...
  • Page 45: Link-Up And Update

    Link-up and Update Sections in this chapter: Effects of Link-up and Update; Functional Sequence of Link-up and Update; Time Monitoring, 5-15; Special Features during Link-up and Update, 5-28.
  • Page 46: Effects Of Link-Up And Update

    Link-up and Update Effects of Link-Up and Update Link-up and update are indicated by the REDF LEDs on the two CPUs. On link-up these LEDs flash with a frequency of 0.5 Hz, and on update with a frequency of 2 Hz. Link-up and update have various effects on the execution of the user program and the communication functions.
  • Page 47: Functional Sequence Of Link-Up And Update

    Link-up and Update Functional Sequence of Link-Up and Update There are two types of link-up and update: In a “normal” link-up and update the fault-tolerant system should change from Solo mode to the Redundant system mode. The two CPUs then process the same program synchronously.
  • Page 48 Link-up and Update Process diagram for link-up and update The following illustration outlines the functional sequence of link-up and update in general terms. The starting point is with the master in Solo mode. In the illustration CPU 0 is assumed to be the master CPU. Master CPU (CPU 0) Standby CPU (CPU 1) Link-up...
  • Page 49 Link-up and Update Standby CPU (CPU 1) Master CPU (CPU 0) Update STOP (REDF LEDs flash at 2 Hz) Status message “Update” to all partners logged on Asynchronous SFCs for data records given negative acknowledgement Messages delayed All OBs up to priority class 15 (inc.
  • Page 50 Link-up and Update Minimum signal duration of input signals during the update During the update, program scanning is stopped for a certain time (we will discuss this subject in greater detail later). So that the change of an input signal can be reliably detected by the CPU even during the update, the following condition must be satisfied: Minimum signal duration >...
  • Page 51: Process Of Link-Up

    Link-up and Update 5.2.1 Process of Link-up In the link-up process a distinction is made between whether the Redundant system mode or a master/standby switch-over is to be achieved. Link-up to achieve the Redundant system mode In order to preclude differences in the two subsystems, the master CPU and the standby CPU perform the following comparisons.
  • Page 52 Link-up and Update Note If you have not changed either the hardware configuration or the type of load memory on the standby CPU a master/standby switch-over is still carried out and the previous master CPU switches to STOP mode. Switch to CPU with extended memory configuration You may have made the following memory modifications on the standby CPU: –...
  • Page 53: Process Of Updating

    Link-up and Update Note If you have not changed the type of load memory or enlarged the main memory or the load memory on the standby CPU this will not switch to RUN mode but instead will relapse into STOP mode with a corresponding diagnostics buffer entry. If you have not changed the operating system on the standby CPU this will not switch to RUN mode but instead will relapse into STOP mode with a corresponding diagnostics buffer entry.
  • Page 54 Link-up and Update Transfer of all the data block contents that have been modified since the link-up. Communication jobs from which the CPU itself derives jobs for other modules (e.g. I/O) are given a negative acknowledgement (see list below). Initial calls (in other words, calls resulting in manipulation of the work memory, refer also to the system software for S7-300/400 system and standard functions) of communication functions receive a negative acknowledgement.
  • Page 55 Link-up and Update Note Process interrupts and diagnostic interrupts are stored by the I/O. If such interrupts were set by modules of the remote input/output station they will be caught up when the block is lifted. If they were set by modules of the central I/O they can then only all be caught up if the particular interrupt request did not occur again during the block.
  • Page 56: Switch To Cpu With Modified Configuration

    Link-up and Update Log on and off for messages Acknowledge messages Note The last 3 functions are recorded by a WinCC system and automatically repeated when the update is complete. 5.2.3 Switch to CPU with modified configuration If link-up and update was triggered from STEP 7 using the option “Switch to CPU with modified configuration”...
  • Page 57: Block Link-Up And Update

    Link-up and Update Note When switching to a CPU with a modified configuration the load memories of the master and standby may be of different sizes. 5.2.4 Block Link-up and Update Link-up and update is associated with a scan-cycle time extension. Within this there is a margin of time in which no I/O updating is performed (see section 5.3 “Time Monitoring”).
  • Page 58 Link-up and Update In order for the activation of the push button to be recognized by the CPU the blocking time for priority classes > 15 (see below for definition) must be clearly below 18 ms. Since in STEP 7 you are able to set the maximum blocking time for priority classes >...
  • Page 59: Time Monitoring

    Link-up and Update Time Monitoring During the update program scanning is stopped for a particular duration. Section 5.3 will be relevant to you if this duration is critical for your process. If so, configure one or more of the monitoring times described below. During the update the fault-tolerant system will monitor to check that the scan-cycle time extension, the communication delay and the blocking time for priority classes >...
  • Page 60 Link-up and Update Minimum I/O hold time: This is the period of time between copying of the outputs from the master CPU to the standby CPU and the time of transition to the Redundant system mode or master/standby switch-over (time at which the former master CPU switches to STOP mode and the new master CPU switches to RUN mode).
  • Page 61: Time Behavior

    Link-up and Update Update aborted Fault-tolerant system remains in Solo mode with existing master CPU in RUN mode Reason for aborting entered in the diagnostic buffer OB 72 called (with corresponding start information) The standby CPU then re-evaluates its system data blocks. Afterwards –...
  • Page 62: Determination Of The Monitoring Times

    Link-up and Update Time behavior during the update The transfer time during updating depends on the number and overall length of the modified data blocks; it does not depend on the modified volume of data within a block. It is also dependent on the current process state and on the communication load.
  • Page 63 Link-up and Update Use of redundant input and output modules Note If you have redundant I/O modules and have taken this into account in your program accordingly, you might have to add a premium to the calculated monitoring times, so that surging does not occur at the output modules. A premium is required only if you operate modules redundantly from the following table.
  • Page 64 Link-up and Update Calculation of the min. I/O hold time (T The following applies to the calculation of the min. I/O hold time: with central I/O: T = 30 ms with remote I/O: T TRmax where T = maximum target rotation time TRmax of all DP master systems of the H station With the use of central and remote I/O the resulting minimum I/O hold time is:...
  • Page 65 Link-up and Update In the final phase of the update all the OBs are delayed or blocked. To avoid the max. blocking time for priority classes > 15 being unnecessarily extended as a result of unfortunate symbolic programming, modify the time-critical I/O components in a selected watchdog interrupt.
  • Page 66 Link-up and Update Note If T (DP master system) < 0 the calculation is to be stopped here. Possible remedies are listed after the following example calculation. Make the appropriate modifications and start the calculation from 1 again. Select the minimum of all the T (DP master system) values.
  • Page 67 Link-up and Update The recommended value for the max. blocking time for priority classes > 15 now results from: MAX (T P15 = P15_AWP P15_OD Example of calculation of T In the following the maximum permissible period of time on update during which the operating system performs no program scanning and no I/O updates is determined for a given system configuration.
  • Page 68 Link-up and Update 8. From section 5.3.4 for 170 Kbytes user program data: T_P15_AWP = 194 ms. Check: if T_P15_AWP = 194 ms < T_P15_HW = 660 ms, continue with 9. Formula [3] now provides the recommended max. blocking time for priority classes >...
  • Page 69 Link-up and Update Calculation of the max. scan-cycle time extension We recommend the following formula: Maximum cycle time prolongation = 10 (maximum blocking time for priority classes > 15) The final time is determined by the process state and the communication load on your system.
  • Page 70: Influences On The Time Behavior

    Link-up and Update 5.3.3 Influences on the Time Behavior The period during which no I/O updates take place is primarily determined by the following influencing factors: number and size of data blocks modified during the update number of instances of SFBs in the S7 communication information and SFBs for generating block-related messages modifications to the System while in Operation settings via dynamic volume frameworks...
  • Page 71 Link-up and Update Table 5-3 Typical values for the user program share T_P15_AWP of the max. blocking time for priority classes > 15. Main memory data / T_P15_AWP: 500 Kbyte: 430 ms; 1 Mbyte: 800 ms; 2 Mbyte: 1.51 s; 5 Mbyte: 3.66 s; 10 Mbyte...
  • Page 72: Special Features During Link-Up And Update

    Link-up and Update Special Features during Link-up and Update Requirement of input signals during the update During the update the process signals read in previously are retained and are not updated. Modification of a process signal during the update will only be recognized by the CPU if the modified signal state remains at the end of the update.
  • Page 73: Using I/O On The S7-400H

    Using I/O on the S7-400H This chapter provides an overview of the different I/O configurations on the S7-400H programmable logic controller and its availability. Further, it provides information on configuration and programming of the selected I/O installation. For the S7-400H you can use virtually any of the input/output modules featured in the SIMATIC S7 system range.
  • Page 74: Introduction

    Using I/O on the S7-400H Introduction I/O configuration types In addition to the power supplies and central processing units, which are always redundant, there are the following configuration types for the I/O, which are supported by the operating system: Single-channel, one-sided configuration with normal availability Single-channel, switched configuration with enhanced availability A two-channel redundant configuration is similarly possible.
  • Page 75: Using A Single-Channel, One-Sided I/O

    Using I/O on the S7-400H Using a Single-Channel, One-Sided I/O What is a single-channel, one-sided I/O? With the single-channel, one-sided configuration single input/output modules are present (single-channel). The input/output modules are located in just one of the subsystems and are only addressed by that subsystem. A single-channel, one-sided I/O configuration is possible in central controllers and expansion units distributed I/Os...
  • Page 76 Using I/O on the S7-400H Single-channel, one-sided I/Os and user program Information read in on one side – for example, from digital inputs – is transferred automatically to the second subsystem via the synchronization link in the Redundant system mode. After the information has been transferred, both subsystems have the data from the single-channel, one-sided I/O and evaluate them in the two identical user programs that are present.
  • Page 77: Using Single-Channel, Switched I/O

    Using I/O on the S7-400H Using Single-Channel, Switched I/O What is a single-channel, switched I/O? With the single-channel, switched configuration single input/output modules are present (single-channel). In Redundant mode they may be addressed by both subsystems. In Solo mode, the master subsystem can always address all switched I/O (as opposed to one-way I/O).
  • Page 78 Using I/O on the S7-400H Switched ET 200M distributed I/O DP/PA coupler IM 157 Figure 6-2 Single-Channel, Switched ET 200M Distributed I/O Rule When you use a single-channel, switched I/O, the configuration must always be symmetrical, in other words: the CPU 417-4 H and other DP masters must be located in both subsystems in identical slots –...
  • Page 79 Using I/O on the S7-400H Single-channel, switched I/O and user program In Redundant mode, in principle each subsystem may access single-channel switched I/O. The information is automatically transferred over the synchronization link and compared. An identical value is available to the two subsystems at all times owing to the synchronized access.
  • Page 80 Using I/O on the S7-400H Note If the DP master interface module can recognize failure of the complete DP master system (e.g. in the case of a short circuit), only this event is reported (“Master system failure coming” W#16#39C3). The operating system then no longer reports individual station failures.
  • Page 81 Using I/O on the S7-400H No pulses during switch-over of the active channel To prevent temporary failure of the I/O or output of substitute values during switch-over between the active and slave channel the DP stations of the switched I/O maintain their outputs until switch-over is complete and the new active channel has taken over processing.
  • Page 82: Connecting A Redundant I/O

    Using I/O on the S7-400H Connecting a Redundant I/O What is a redundant I/O? A redundant I/O consists of input/output modules, of which several are present. If you wish to use a redundant I/O, you can implement it at user level. Configurations The following configurations having a redundant I/O are possible (Figure 6-3): Redundant system with one-way central and/or distributed I/O.
  • Page 83 Using I/O on the S7-400H Hardware installation and configuration of the redundant I/O If you wish to use a redundant I/O, we recommend the following strategy: Use the I/O in the following manner: – with a one-sided configuration, one I/O module in each subsystem –...
  • Page 84 Using I/O on the S7-400H Note Variables BGA and PZF_BIT must also be valid outside OB1 and OB122. The variable VERSUCH2, on the other hand, is used only in OB1. 2nd attempt: = WRONG Read module A first? Access to Access to module A module B...
  • Page 85 Using I/O on the S7-400H Example of STL The requisite sections of the user program (OB1, OB 122) are listed below. Table 6-1 OB 1 Explanation SET; VERSUCH2; //Initialization BGA; //Read module A first? WBGB; //If No, continue with module B WBGA: SET;...
  • Page 86 Using I/O on the S7-400H Table 6-2 OB 122 Explanation // Does module A cause PZF? L OB122_MEM_ADDR; //Logical base address affected L W#16#8; == I; Module A? JCN M01; //If No, continue with M01 //PZF upon access to module A SET;...
  • Page 87: Communications

    Communications In this chapter you will find an introduction to communications with fault-tolerant systems and their specific characteristics. You will learn the basic concepts, the bus systems you can use for fault-tolerant communications and the types of connection. You will learn how communications take place via fault-tolerant connections and standard connections, and how to configure and program them.
  • Page 88: Fundamentals And Basic Concepts

    Communications Fundamentals and Basic Concepts Overview Fault-tolerant controllers make it possible for controllers, including their I/O, to feature redundancy. With growing demands on the availability of an overall system it is necessary to raise the fault tolerance of communications – in other words, communications have to be configured so that they are also redundant.
  • Page 89 Communications Connection (S7 connection) A connection is the logical assignment of two communication peers to implement a communication service. Every connection has two endpoints containing the information required for addressing the communication peer and other attributes for establishing the connection. An S7 connection is the communication connection between two standard CPUs or from one standard CPU to a CPU in a fault-tolerant system.
  • Page 90 Communications Redundant connections [Figure: fault-tolerant system a (CPU a1, CPU a2, CP a1, CP a2) connected to fault-tolerant system b (CPU b1, CPU b2, CP b1, CP b2) via Bus 1 and Bus 2, and via a redundant LAN]...
  • Page 91: Suitable Networks

    Communications Resource requirements of fault-tolerant S7 connections CPU 417-4H allows the operation of 64 fault-tolerant S7 connections. On the CP each partial connection requires a connection resource. Suitable Networks The choice of physical transfer medium depends on the desired expansion, the fault tolerance aimed at and the transmission rate.
  • Page 92: Profibus

    Communications 7.2.2 PROFIBUS PROFIBUS is a communications network for cells and fields in accordance with PROFIBUS Standard EN 50 170, Volume 2, with the hybrid token bus and master slave access procedure. Networking takes place over two-wire cables or fiber-optic cables.
  • Page 93: Supported Communication Services

    Communications Supported Communication Services The following services can be used: S7 communications over fault-tolerant S7 connections via PROFIBUS and Industrial Ethernet; S7 communications over S7 connections via MPI, PROFIBUS and Industrial Ethernet; standard communications (FMS, for example) via PROFIBUS; S5-compatible communications (SEND and RECEIVE blocks, for example) via PROFIBUS and Industrial Ethernet. The following are not supported: basic communications...
  • Page 94 Communications Configuration The availability of the system, including communications, is set during configuration. Please refer to the STEP 7 documentation to find out how to configure connections. Only S7 communication is used for fault-tolerant S7 connections. To do this, select in the “New Connection”...
  • Page 95: Communications Between Fault-Tolerant Systems

    Communications 7.4.1 Communications between Fault-Tolerant Systems Availability The simplest method of enhancing the availability of interconnected systems is to use a redundant system bus configured with an optical two-fiber ring or a duplicated electrical bus system. In this case the connected nodes may consist of simple standard components.
  • Page 96 Communications Figure 7-3 Example of Redundancy with Fault-Tolerant System and Redundant Ring (redundancy block diagram: fault-tolerant system a and fault-tolerant system b, system bus as optical two-fiber ring, 1-out-of-2 redundancy)...
  • Page 97: Communications Between Fault-Tolerant Systems And A

    Communications 7.4.2 Communications between Fault-Tolerant Systems and a Fault-Tolerant CPU Availability Availability can be enhanced by using a redundant system bus and by using a fault-tolerant CPU on a standard system. If the communication peer is a CPU 417-4 H, fault-tolerant connections can be configured again here, as opposed to a CPU 416, for example.
  • Page 98: Communications Between Fault-Tolerant Systems And Pcs

    Communications 7.4.3 Communications between Fault-Tolerant Systems and PCs Availability When fault-tolerant systems are connected to a PC, the availability of the overall system concentrates not only on the PCs (OS) and their data management but also on data acquisition on the programmable logic controllers. PCs are not fault-tolerant on account of their hardware and software characteristics.
  • Page 99: Communications Via S7 Connections

    Communications Communications via S7 Connections Communications with standard systems Fault-tolerant communications are not possible between fault-tolerant and standard systems. The following examples illustrate the actual availability of the communicating systems. Configuration Standard connections are configured with STEP 7. Programming If standard communications are used on a fault-tolerant system, all the communication functions apart from “global data communications”...
  • Page 100 Communications When fault-tolerant systems and standard systems are interconnected, the availability of communications cannot be enhanced by means of a twin electrical bus system. In order to be in a position to use the second bus system as a redundant bus, you have to use a second S7 connection, which has to be managed accordingly in the user program (refer to Figure 7-7).
  • Page 101: Communications Over Redundant S7 Connections

    Communications 7.5.2 Communications over Redundant S7 Connections Availability Availability can be enhanced by using a redundant system bus and by using two separate CPs on a standard system. Redundant communications can be operated even with standard connections. Two separate S7 connections have to be configured for this. Connection redundancy has to be implemented by means of programming for this purpose.
  • Page 102: Communications Via A Point-To-Point Cp On The Et200M

    Figure 7-10 Example of Interconnection of a Fault-Tolerant System and a Single-Channel Non-Siemens System Failure behavior Double errors in the fault-tolerant system (i.e. CPUa1 and IM153-2) and single errors in the third-party system will result in total failure of communications between the systems involved (refer to Figure 7-10).
  • Page 103: Random Connection With Single-Channel Systems

    Figure 7-11 Example of Interconnection of a Fault-Tolerant System and a Single-Channel Non-Siemens System (block diagram: fault-tolerant system connected over Bus1 and Bus2 to a PC as gateway, which links to the single-channel system)
  • Page 105: Configuring With Step 7

    Configuring with STEP 7 This chapter presents an overview of the special features and possibilities of the S7-400H options package. The first section describes how to install the options package. The second section lists the extensions of the STEP 7 options package and summarizes some central points which you have to take into account when you are configuring a fault-tolerant system.
  • Page 106: Installing The Options Package

    Configuring with STEP 7 Installing the Options Package Software requirements In order to install the “S7 fault-tolerant system” option package, version 1 or higher, you must have the STEP 7 standard package, V5.1 (or higher) installed on your PG or PC. Installing the options package Start the PC or programming device on which you have installed the STEP 7 standard package and make sure that no STEP 7 applications are open.
  • Page 107: Configuring With Step

    Configuring with STEP 7 Configuring with STEP 7 The basic approach to configuring the S7-400H is no different from that used to configure the S7-400 – in other words: creating projects and stations; configuring hardware and networking; loading system data onto the programmable logic controller. Even the different steps that are required for this are identical for the most part to those with which you are familiar from the S7-400.
  • Page 108: Configuring Hardware

    Configuring with STEP 7 Installation rules An H station may contain up to 20 expansion racks. Even-numbered mounting racks can be assigned only to central controller 0, whereas odd-numbered mounting racks can be assigned only to central controller 1. Modules connected to a communication bus can be operated only in mounting racks 0 through 6.
  • Page 109: Configuring Networks

    Configuring with STEP 7 8.2.3 Configuring Networks The fault-tolerant S7 connection is a separate connection type of the “Configure Networks” application. The following communication peers can communicate with each other: S7 H station (with 2 H-CPUs) –> S7 H station (with 2 H-CPUs) S7 400 station (with 1 H-CPU) –>...
  • Page 110: Programming Device Functions In Step

    Configuring with STEP 7 Programming Device Functions in STEP 7 Display in SIMATIC Manager In order to do justice to the special features of an H station, the way in which the system is displayed and edited in SIMATIC Manager differs from that of a S7-400 standard station as follows: In the offline view, the S7 program is displayed only under CPU0 of the H station.
  • Page 111: Failure And Replacement Of Components During Operation

    Failure and Replacement of Components During Operation One factor that is crucial to the uninterrupted operation of the fault-tolerant controller is the replacement of failed components while in operation. Rapid repair quickly reestablishes the fault tolerance. We will show you in the sections that follow how simple and fast it can be to repair and replace components in the S7-400H.
  • Page 112: Failure And Replacement Of Components In Central Racks And Expansion Racks

    Failure and Replacement of Components During Operation Failure and Replacement of Components in Central Racks and Expansion Racks Which components can be replaced? The following components can be replaced during operation: central processing units – for example, CPU 417-4H; power supply modules – for example, PS 405 and PS 407; signal and function modules; communication processors; synchronization submodules and fiber-optic cables...
  • Page 113: Failure And Replacement Of A Central Processing Unit Cpu 417-4H

    Failure and Replacement of Components During Operation 9.1.1 Failure and Replacement of a Central Processing Unit CPU 417-4H Complete replacement of the CPU is not always necessary. If the failure affects only the load memory, all you have to do is replace the memory card concerned. Both cases are described below.
  • Page 114 Failure and Replacement of Components During Operation Starting situation for replacement of the load memory Failure: The S7-400H is in the Redundant system mode and an error access to the load... How Does the System React? Affected CPU switches to STOP and makes a reset request...
  • Page 115: Failure And Replacement Of A Power Supply Module

    Failure and Replacement of Components During Operation 9.1.2 Failure and Replacement of a Power Supply Module Initial situation Both central processing units are at RUN. Failure: The S7-400H is in the Redundant system mode and one power supply module fails. How Does the System React? Partner CPU switches to Solo mode...
  • Page 116: Failure And Replacement Of An Input/Output Or Function Module

    Failure and Replacement of Components During Operation 9.1.3 Failure and Replacement of an Input/Output or Function Module Initial situation Failure: The S7-400H is in the Redundant system mode and an input/output or function module fails. How Does the System React? Both CPUs report the event in the diagnostic buffer and via appropriate...
  • Page 117: Failure And Replacement Of A Communication Processor

    Failure and Replacement of Components During Operation 9.1.4 Failure and Replacement of a Communication Processor This section describes the failure and replacement of communication processors for the PROFIBUS and Industrial Ethernets. The failure and replacement of communication processors for the PROFIBUS-DP are described in Section 9.2.1.
  • Page 118: Failure And Replacement Of A Synchronization Submodule Or Fiber-Optic Cable

    Failure and Replacement of Components During Operation 9.1.5 Failure and Replacement of a Synchronization Submodule or Fiber-Optic Cable In this section three different error scenarios are to be differentiated: failure of a synchronization submodule or fiber-optic cable; successive failure of the two synchronization submodules or fiber-optic cables; simultaneous failure of the two synchronization submodules or fiber-optic cables. Initial situation...
  • Page 119 Failure and Replacement of Components During Operation Step What Has To Be Done? If in step 6 the standby CPU has gone to STOP: Extract the synchronization submodule... How Does the System React? Master CPU executes insert/remove-module interrupt OB 83 and redundancy error OB 72 (incoming)...
  • Page 120 Failure and Replacement of Components During Operation Initial situation Failure: Simultaneous failure of the two synchronization submodules or fiber-optic cables: The S7-400H is in the Redundant system... How Does the System React? Both CPUs report the event in the diagnostic buffer and via OB 72. Both CPUs become the master CPU and remain in RUN mode...
  • Page 121 Failure and Replacement of Components During Operation 9.1.6 Failure and Replacement of an IM 460 and IM 461 Interface Module The IM 460 and IM 461 interface modules make it possible to connect expansion racks. Initial situation Failure: The S7-400H is in the Redundant system... How Does the System React? Connected expansion unit is turned off...
  • Page 122: Failure And Replacement Of Components Of The Distributed I/O

    Failure and Replacement of Components During Operation Failure and Replacement of Components of the Distributed I/O Which components can be replaced? The following components of the distributed I/O can be replaced during operation: PROFIBUS-DP master; PROFIBUS-DP interface module (IM 153-2 or IM 157); PROFIBUS DP slave; PROFIBUS-DP cable. Note...
  • Page 123 Failure and Replacement of Components During Operation 9.2.1 Failure and Replacement of a PROFIBUS-DP Master Initial situation Failure: The S7-400H is in the Redundant system mode and one DP master module fails. How Does the System React? With single-channel, one-sided I/O: DP master can no longer process connected DP slaves...
  • Page 124: Failure And Replacement Of A Redundant Profibus-Dp

    Failure and Replacement of Components During Operation 9.2.2 Failure and Replacement of a redundant PROFIBUS-DP Interface Module Initial situation Failure: The S7-400H is in the Redundant system mode and a PROFIBUS-DP interface... How Does the System React? Both CPUs report the event in the diagnostic buffer and via OB 70...
  • Page 125: Failure And Replacement Of A Profibus-Dp Slave

    Failure and Replacement of Components During Operation 9.2.3 Failure and Replacement of a PROFIBUS-DP Slave Initial situation Failure: The S7-400H is in the Redundant system mode and one DP slave fails. How Does the System React? Both CPUs report the event in the diagnostic buffer and via the appropriate Procedure To replace a DP slave, perform the following steps:...
  • Page 126: Failure And Replacement Of Profibus-Dp Cables

    Failure and Replacement of Components During Operation 9.2.4 Failure and Replacement of PROFIBUS-DP Cables Initial situation Failure: The S7-400H is in the Redundant system mode and the PROFIBUS-DP cable is defective. How Does the System React? With single-channel, one-sided I/O: Rack failure OB (OB 86) is started...
  • Page 127: Modifications To The System While In Operation

    Modifications to the System while in Operation In addition to the possibilities described in Chapter 9 for replacing failed components while in operation, CPU 417-4H firmware version V2.0.0 or higher also allows a system modification to be performed without interrupting the program running.
  • Page 128: Possible Hardware Modifications

    Modifications to the System while in Operation 10.1 Possible Hardware Modifications How is a hardware modification performed? If the hardware components concerned are suitable for unplugging or plugging in live the hardware modification can be carried out in the Redundant system mode. However, since loading a modified hardware configuration in the Redundant system mode would result in the fault-tolerant system stopping this must temporarily be put into Solo mode.
  • Page 129 Modifications to the System while in Operation Note The addition or removal of interface modules IM460 and IM461, external DP master interface module CP443-5 Extended and the associated connecting cables is not allowed. Adding or removing components of the remote input/output station, such as –...
  • Page 130 Modifications to the System while in Operation Loaded data blocks must not be cleared and generated again, i.e. the SFCs 22 (CREATE_DB) and 23 (DEL_DB) may not be applied to DB numbers occupied by loaded DBs. Make sure that at the time the system modification is made on the PG/ES the current status of the user program is still available as a STEP 7 project in modular form.
  • Page 131 Modifications to the System while in Operation Preparations To keep the time during which the fault-tolerant system must run in Solo mode to a minimum you should perform the following steps before commencing the hardware modification: Make sure that the memory components of the CPUs are sufficient for the new configuration and the new user program.
  • Page 132: Adding Components In Pcs7

    Modifications to the System while in Operation 10.2 Adding Components in PCS7 Initial situation You have ensured that the CPU parameters (e.g. the monitoring times) suit the planned new program. If necessary you must first change the CPU parameters accordingly (see Section 10.6). The fault-tolerant system is working in the Redundant system mode.
  • Page 133: Pcs7, Step 1: Modification Of Hardware

    Modifications to the System while in Operation 10.2.1 PCS7, Step 1: Modification of Hardware Initial situation The fault-tolerant system is working in the Redundant system mode. Procedure Add the new components to the system. – Plug new central modules into the rack. –...
  • Page 134: Pcs7, Step 2: Offline Modification Of The Hardware Configuration

    Modifications to the System while in Operation 10.2.2 PCS7, Step 2: Offline Modification of the Hardware Configuration Initial situation The fault-tolerant system is working in the Redundant system mode. Procedure Perform all the modifications to the hardware configuration relating to the added hardware offline.
  • Page 135: Pcs7, Step 3: Stopping The Standby Cpu

    Modifications to the System while in Operation 10.2.3 PCS7, Step 3: Stopping the Standby CPU Initial situation The fault-tolerant system is working in the Redundant system mode. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 136: Pcs7, Step 4: Loading New Hardware Configuration In The Standby Cpu

    Modifications to the System while in Operation 10.2.4 PCS7, Step 4: Loading new Hardware Configuration in the Standby CPU Initial situation The fault-tolerant system is working in Solo mode. Procedure Load the compiled hardware configuration in the standby CPU that is in STOP mode.
  • Page 137: Pcs7, Step 5: Switch To Cpu With Modified Configuration

    Modifications to the System while in Operation 10.2.5 PCS7, Step 5: Switch to CPU with modified configuration Initial situation The modified hardware configuration is loaded into the standby CPU. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 138 Modifications to the System while in Operation Reaction if monitoring times are exceeded If one of the monitored times exceeds the maximum value configured the update is interrupted and no change of master takes place. The fault-tolerant system remains in Solo mode with the previous master CPU and in certain conditions attempts to perform the change of master later.
  • Page 139: Pcs7, Step 6: Transition To The Redundant System Mode

    Modifications to the System while in Operation 10.2.6 PCS7, Step 6: Transition to the Redundant System Mode Initial situation The fault-tolerant system works with the new hardware configuration in Solo mode. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 140: Pcs7, Step 7: Changing And Loading User Program

    Modifications to the System while in Operation 10.2.7 PCS7, Step 7: Changing and Loading User Program Initial situation The fault-tolerant system works with the new hardware configuration in the Redundant system mode. Caution The following program modifications are not possible in the Redundant system mode and result in the system mode Stop (both CPUs in STOP mode): structural modifications to an FB interface or the FB instance data structural modifications to global DBs...
  • Page 141: Use Of Free Channels On An Existing Module

    Modifications to the System while in Operation Result The fault-tolerant system processes the entire system hardware with the new user program in the Redundant system mode. 10.2.8 Use of free channels on an existing module The use of previously free channels of an I/O module depends primarily on whether or not parameters can be assigned to the module.
  • Page 142: Removing Components In Pcs7

    Modifications to the System while in Operation 10.3 Removing Components in PCS7 Initial situation You have ensured that the CPU parameters (e.g. the monitoring times) suit the planned new program. If necessary you must first change the CPU parameters accordingly (see Section 10.6). The modules to be removed and the associated sensors and actuators are no longer of any significance for the process to be controlled.
  • Page 143: Pcs7, Step I: Offline Modification Of The Hardware Configuration

    Modifications to the System while in Operation 10.3.1 PCS7, Step I: Offline Modification of the Hardware Configuration Initial situation The fault-tolerant system is working in the Redundant system mode. Procedure Perform offline only the configuration modifications relating to the hardware to be removed.
  • Page 144: Pcs7, Step Ii: Changing And Loading User Program

    Modifications to the System while in Operation 10.3.2 PCS7, Step II: Changing and Loading User Program Initial situation The fault-tolerant system is working in the Redundant system mode. Caution The following program modifications are not possible in the Redundant system mode and result in the system mode Stop (both CPUs in STOP mode): structural modifications to an FB interface or the FB instance data structural modifications to global DBs...
  • Page 145: Pcs7, Step Iii: Stopping The Standby Cpu

    Modifications to the System while in Operation 10.3.3 PCS7, Step III: Stopping the Standby CPU Initial situation The fault-tolerant system is working in the Redundant system mode. The user program will no longer attempt to access the hardware to be removed. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 146: Pcs7, Step V: Switch To Cpu With Modified Configuration

    Modifications to the System while in Operation 10.3.5 PCS7, Step V: Switch to CPU with modified configuration Initial situation The modified hardware configuration is loaded into the standby CPU. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 147 Modifications to the System while in Operation Reaction if monitoring times are exceeded If one of the monitored times exceeds the maximum value configured the update is interrupted and no change of master takes place. The fault-tolerant system remains in Solo mode with the previous master CPU and in certain conditions attempts to perform the change of master later.
  • Page 148: Pcs7, Step Vi: Transition To The Redundant System Mode

    Modifications to the System while in Operation 10.3.6 PCS7, Step VI: Transition to the Redundant System Mode Initial situation The fault-tolerant system works with the new hardware configuration in Solo mode. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 149: Pcs7, Step Vii: Modification Of Hardware

    Modifications to the System while in Operation 10.3.7 PCS7, Step VII: Modification of Hardware Initial situation The fault-tolerant system works with the new hardware configuration in the Redundant system mode. Procedure Disconnect all the sensors and actuators from the components to be removed. Unplug modules of the one-way I/O that are no longer required from the rack.
  • Page 150: Adding Components In Step 7

    Modifications to the System while in Operation 10.4 Adding Components in STEP 7 Initial situation You have ensured that the CPU parameters (e.g. the monitoring times) suit the planned new program. If necessary you must first change the CPU parameters accordingly (see Section 10.6).
  • Page 151: Step 7, Step 1: Modification Of Hardware

    Modifications to the System while in Operation 10.4.1 STEP 7, Step 1: Modification of Hardware Initial situation The fault-tolerant system is working in the Redundant system mode. Procedure Add the new components to the system. – Plug new central modules into the rack. –...
  • Page 152: Step 7, Step 2: Offline Modification Of The Hardware Configuration

    Modifications to the System while in Operation 10.4.2 STEP 7, Step 2: Offline Modification of the Hardware Configuration Initial situation The fault-tolerant system is working in the Redundant system mode. The modules added will not yet be addressed. Procedure Perform all the modifications to the hardware configuration relating to the added hardware offline.
  • Page 153: Step 7, Step 4: Stopping The Standby Cpu

    Modifications to the System while in Operation 10.4.4 STEP 7, Step 4: Stopping the Standby CPU Initial situation The fault-tolerant system is working in the Redundant system mode. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 154: Step 7, Step 6: Switch To Cpu With Modified Configuration

    Modifications to the System while in Operation 10.4.6 STEP 7, Step 6: Switch to CPU with modified configuration Initial situation The modified hardware configuration is loaded into the standby CPU. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 155 Modifications to the System while in Operation Reaction if monitoring times are exceeded If one of the monitored times exceeds the maximum value configured the update is interrupted and no change of master takes place. The fault-tolerant system remains in Solo mode with the previous master CPU and in certain conditions attempts to perform the change of master later.
  • Page 156: Step 7, Step 7: Transition To The Redundant System Mode

    Modifications to the System while in Operation 10.4.7 STEP 7, Step 7: Transition to the Redundant System Mode Initial situation The fault-tolerant system works with the new hardware configuration in Solo mode. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 157: Step 7, Step 8: Changing And Loading User Program

    Modifications to the System while in Operation 10.4.8 STEP 7, Step 8: Changing and Loading User Program Initial situation The fault-tolerant system works with the new hardware configuration in the Redundant system mode. Restrictions Caution Structural modifications to an FB interface or the instance data of an FB are not possible in the Redundant system mode and result in the system mode Stop (both CPUs in STOP mode).
  • Page 158: Use Of Free Channels On An Existing Module

    Modifications to the System while in Operation 10.4.9 Use of free channels on an existing module The use of previously free channels of an I/O module depends primarily on whether or not parameters can be assigned to the module. Modules to which parameters cannot be assigned In the case of modules to which parameters cannot be assigned free channels can be connected and used in the user program at any time.
  • Page 159: Removing Components In Step 7

    Modifications to the System while in Operation 10.5 Removing Components in STEP 7 Initial situation You have ensured that the CPU parameters (e.g. the monitoring times) suit the planned new program. If necessary you must first change the CPU parameters accordingly (see section 10.6).
  • Page 160: Step 7, Step I: Offline Modification Of The Hardware Configuration

    Modifications to the System while in Operation 10.5.1 STEP 7, Step I: Offline Modification of the Hardware Configuration Initial situation The fault-tolerant system is working in the Redundant system mode. Procedure Perform offline all the modifications to the hardware configuration relating to the hardware to be removed.
  • Page 161: Step 7, Step Ii: Changing And Loading User Program

    Modifications to the System while in Operation 10.5.2 STEP 7, Step II: Changing and Loading User Program Initial situation The fault-tolerant system is working in the Redundant system mode. Restrictions Caution Structural modifications to an FB interface or the instance data of an FB are not possible in the Redundant system mode and result in the system mode Stop (both CPUs in STOP mode).
  • Page 162: Step 7, Step Iii: Stopping The Standby Cpu

    Modifications to the System while in Operation 10.5.3 STEP 7, Step III: Stopping the Standby CPU Initial situation The fault-tolerant system is working in the Redundant system mode. The user program will no longer attempt to access the hardware to be removed. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 163: Step 7, Step V: Switch To Cpu With Modified Configuration

    Modifications to the System while in Operation 10.5.5 STEP 7, Step V: Switch to CPU with modified configuration Initial situation The modified hardware configuration is loaded into the standby CPU. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 164 Modifications to the System while in Operation Reaction if monitoring times are exceeded If one of the monitored times exceeds the maximum value configured the update is interrupted and no change of master takes place. The fault-tolerant system remains in Solo mode with the previous master CPU and in certain conditions attempts to perform the change of master later.
  • Page 165: Step 7, Step Vi: Transition To The Redundant System Mode

    Modifications to the System while in Operation 10.5.6 STEP 7, Step VI: Transition to the Redundant System Mode Initial situation The fault-tolerant system works with the new (restricted) hardware configuration in Solo mode. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 166: Step 7, Step Vii: Modification Of Hardware

    Modifications to the System while in Operation 10.5.7 STEP 7, Step VII: Modification of Hardware Initial situation The fault-tolerant system works with the new hardware configuration in the Redundant system mode. Procedure Disconnect all the sensors and actuators from the components to be removed. Remove the desired components from the system.
  • Page 167: STEP 7, Step VIII: Modifying And Loading Organization Blocks

    Modifications to the System while in Operation 10.5.8 STEP 7, Step VIII: Modifying and loading organization blocks Initial situation The fault-tolerant system is working in the Redundant system mode. Procedure Make sure that the interrupt OBs 4x and 82 no longer react to interrupts from the removed components.
  • Page 168: Changing The CPU Parameters

    Modifications to the System while in Operation 10.6 Changing the CPU Parameters Only certain parameters (object properties) of the CPUs can be modified while in operation. They are identified in the screen form by blue text (if you have set blue as the color for dialog box text on the Windows Control Panel, the modifiable parameters are shown in black).
  • Page 169: Step A: Changing The CPU Parameters Offline

    Modifications to the System while in Operation Initial situation The fault-tolerant system is working in the Redundant system mode. Procedure To change the CPU parameters of a fault-tolerant system the steps listed below are to be performed. Details of each step are listed in a subsection. Step What Has To Be Done? Refer to Section...
  • Page 170: Step C: Loading New Hardware Configuration In The Standby CPU

    Modifications to the System while in Operation Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC > Operating Mode. In the Operating Mode dialog box select the standby CPU and click the Stop button.
  • Page 171: Step D: Switch To CPU With Modified Configuration

    Modifications to the System while in Operation 10.6.4 Step D: Switch to CPU with modified configuration Initial situation The modified hardware configuration is loaded into the standby CPU. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 172: Step E: Transition To The Redundant System Mode

    Modifications to the System while in Operation 10.6.5 Step E: Transition to the Redundant System Mode Initial situation The fault-tolerant system works with the modified CPU parameters in Solo mode. Procedure In SIMATIC Manager select a CPU of the fault-tolerant system and select the menu command PLC >...
  • Page 173: Changing The Memory Components Of The CPU

    Modifications to the System while in Operation 10.7 Changing the Memory Components of the CPU The Redundant system mode is only possible if the two CPUs have the same memory components. For this, the following conditions must be met: The main memory of the two CPUs must be the same size. The load memory of the two CPUs must be the same size and of the same type (RAM or FLASH).
  • Page 174 Modifications to the System while in Operation Procedure Perform the steps below in the order specified: Step What Has To Be Done? How Does the System React? Switch the standby CPU to STOP mode using The system is working in Solo mode. the PG.
  • Page 175: Changing The Type Of Load Memory

    Modifications to the System while in Operation 10.7.2 Changing the type of load memory The following types of memory cards are available as load memory: RAM card for the test and commissioning phase; FLASH card for the permanent storage of the finished user program. The size of the new memory card is irrelevant here.
  • Page 176 Modifications to the System while in Operation Step What Has To Be Done? How Does the System React? Modify the memory components of the – second CPU as you did for the first CPU in step 2. Load the user program and the hardware –...
  • Page 177: Perform Operating System Update

    Modifications to the System while in Operation 10.8 Perform operating system update The Redundant system mode is possible if both CPUs are working with the same operating system version. An operating system update can be performed while in operation. Note An operating system update is allowed only with certain specific firmware versions to the next higher firmware version.
  • Page 179 Characteristic Values of Redundant Programmable Logic Controllers The present appendix presents a brief introduction to the characteristic values of redundant programmable logic controllers and shows the practical effects of redundant configuration types by means of a few selected configurations. In Section You Will Find On Page Basic Concepts...
  • Page 180: A.1 Basic Concepts

    Characteristic Values of Redundant Programmable Logic Controllers Basic Concepts The parameters normally used for a quantitative assessment of redundant programmable logic controllers are reliability and availability, which are described in further detail below. Reliability Reliability is the characteristic of a technical device to fulfill its function during its operating period.
  • Page 181 Characteristic Values of Redundant Programmable Logic Controllers Availability Availability is the probability of a system being capable of operation at a specified point of time. It can be enhanced by means of redundancy – for example, by using redundant I/O modules or by using multiple sensors at one sampling point. Redundant components are arranged such that system operability is not affected by the failure of a single component.
  • Page 182: A.2 Comparison Of MTBFs For Selected Configurations

    Characteristic Values of Redundant Programmable Logic Controllers A.2 Comparison of MTBFs for Selected Configurations The following sections compare systems having a central I/O. The following framework conditions are set for the calculation: MDT (Mean Down Time) 4 hours; ambient temperature 40 degrees; buffer voltage is guaranteed. A.2.1 System Configurations With Central I/O...
  • Page 183 Characteristic Values of Redundant Programmable Logic Controllers Redundant CPUs in different mounting racks [Figure: Redundant CPU 417-4 H in split mounting rack, with factor; components shown: mounting rack UR2-H, fiber-optic cables] [Figure: Redundant CPU 417-4H in separate mounting racks, with factor; components shown: two mounting racks UR1, fiber-optic cables]
  • Page 184: A.2.2 System Configurations With Distributed I/O

    Characteristic Values of Redundant Programmable Logic Controllers A.2.2 System Configurations With Distributed I/O The following system with two fault-tolerant CPUs 417-4 H and a one-sided I/O is taken as a basis for calculating a reference factor which specifies the multiple of the availability of the other systems with a distributed I/O compared with the baseline.
  • Page 185 Characteristic Values of Redundant Programmable Logic Controllers Redundant CPUs with redundant I/O [Figure: Redundant one-sided I/O, with factor; components shown: fiber-optic cables, two ET 200M] [Figure: Redundant switched I/O, with factor; components shown: fiber-optic cables, active backplane bus]
  • Page 186: A.2.3 Comparison Of System Configurations With Standard And Fault-Tolerant Communications

    Characteristic Values of Redundant Programmable Logic Controllers A.2.3 Comparison of System Configurations With Standard and Fault-Tolerant Communications The following section shows a comparison between standard and fault-tolerant communications for a configuration consisting of a fault-tolerant system, a fault-tolerant CPU 417-4 H and a single-channel OS. By comparison, only the communication components CP and cable were taken into account.
  • Page 187 Separate Operation Overview The present appendix provides the information necessary for separate operation of a CPU 417-4H. You will learn in the following: how separate operation is defined; when separate operation is necessary; what you have to take into account with separate operation; how the H-specific LEDs respond; how you configure a CPU 417-4H for separate operation; how you can expand it to form a fault-tolerant system...
  • Page 188 Separate Operation What you have to take into account with the separate operation of a CPU 417-4H Note Synchronization submodules must not be inserted when a CPU 417-4H is operated separately. Compared to a standard S7-400 CPU, a CPU 417-4H features additional functions, but it does not support certain functions.
  • Page 189: Index

    Separate Operation Function Standard S7-400 CPU CPU 417-4H in Separate Operation Specify the rack number and the CPU in the OB start information SSL ID W#16#0019 (status of all No data records for the Data records for all LEDs LEDs) H-specific LEDs SSL ID W#16#0222 (data record No data record for the...
  • Page 190 Separate Operation Configuring separate operation Requirement: The “S7 Fault-Tolerant Systems” option pack must be installed. Perform the following steps: Insert a SIMATIC-400 station in your project. Configure the station with the CPU 417-4H in accordance with your hardware configuration. For separate operation, you must insert the CPU 417-4H in a standard rack (Insert >...
  • Page 191 Separate Operation Installing and starting the fault-tolerant system We recommend that you perform the following steps when installing and starting up the fault-tolerant system. Save the configured fault-tolerant system to a flash memory card. When installing the synchronization submodules, make sure the rack numbers are set correctly.
  • Page 193: C.1 General Information

    Converting from S5-H to S7-400H This appendix will help you to convert to fault-tolerant S7 systems if you are already familiar with fault-tolerant systems of the S5 family. Generally speaking, knowledge of the STEP 7 configuration software is required for converting from the S5-H to the S7-400H. General Information Documentation The following manuals are available for familiarization with the STEP 7 standard...
  • Page 194: C.2 Configuration, Programming And Diagnostics

    Converting from S5-H to S7-400H Configuration, Programming and Diagnostics Configuration In STEP5, configuration was performed with a separate configuration package – for example, COM 155H. In STEP 7 we use the standard software in conjunction with the option package “S7 H Systems” to configure the fault-tolerant CPUs. Using SIMATIC Manager, create an H station and configure it with HWCONFIG.
  • Page 195 Differences between Fault-Tolerant Systems and Standard Systems Certain differences from standard S7-400 CPUs have to be taken into account when you configure and program a fault-tolerant programmable logic controller containing a CPU 417-4H. On the one hand, compared to a standard S7-400 CPU, a CPU 417-4H has additional functions, while on the other hand a CPU 417-4 does not support certain functions.
  • Page 196 Differences between Fault-Tolerant Systems and Standard Systems Function Additional Programming Information on the system You also obtain data records for the H-specific LEDs by status list means of the partial list with the SSL ID W#16#0019. You also obtain data records for the redundancy error OBs by means of the partial list with the SSL ID W#16#0222.
  • Page 197 Differences between Fault-Tolerant Systems and Standard Systems Function Constraint with CPU 417-4 H Direct communication Cannot be configured in STEP 7 between DP slaves Equidistance of DP slaves No equidistance for DP slaves in the fault-tolerant system Synchronizing DP slaves The synchronization of DP slave groups is not possible.
  • Page 199 Function Modules and Communication Processors Used on the S7-400H You can use the following function modules (FMs) and communication processors (CPs) on a S7-400H programmable logic controller: FMs for central use Caution At present you cannot use FMs centrally with the S7-400H. CPs for central use Module one-...
  • Page 200 Function Modules and Communication Processors Used on the S7-400H Module one- redun- Order no. Release dant Communications processor hardware version 1 or later CP342-2 (ASI bus interface 6GK7342-2AH01-0XB0 with firmware version V1.10 module) or higher Communications processor 6GK7443-5FX01-0XE0 hardware version 1 or later CP443-5 Basic (PROFIBUS;...
  • Page 201: Glossary

    Glossary 1–out–of–2 system: See two-channel fault-tolerant system. Comparison error: An error that may occur while memories are being compared on a fault-tolerant system. ERROR-SEARCH: An operating mode of the standby CPU of a fault-tolerant system in which the CPU performs a complete self-test. Fail-safe systems: Fail-safe systems are characterized by the fact that they remain in a safe state when certain failures occur or go directly to another safe state.
  • Page 202 Glossary I/O, redundant: We speak of a redundant I/O when there is more than one input/output module available for a process signal. It can be connected as a one-sided or switched I/O. Terminology: “redundant one-sided I/O” or “redundant switched I/O”. I/O, single-channel: We speak of a single-channel I/O when –...
  • Page 203 Glossary Redundancy, functional: Redundancy with which the additional technical means are not only constantly in operation but also involved in the scheduled function. Synonym: active redundancy. Redundant link: A link between the central processing units of a fault-tolerant system for synchronization and the exchange of data.
  • Page 204 Glossary Two-channel fault-tolerant system: A fault-tolerant system having two central processing units. Update: In the Update system mode of a fault-tolerant system, the master CPU updates the dynamic data of the standby CPU.