Highavailable SIMATIC S7400H

1
Automation and Drives
S
IMATIC S7-400H
The Fault-tolerant Automation System
2
Benefits

• Avoidance of control system failures due to
  individual faults
• This is attained primarily through a redundant
  configuration
• Fault-tolerance is required in the following
  cases
• When processing valuable materials
• When downtimes or production failures would be
  expensive
• When a control system failure would result in
  high restart costs
• In order to enable operation without supervisory
  or maintenance personnel

Overview
3
Industries (1)

• Power generation and distribution(oil, gas,
  electricity)
• Power plants
• Pipelines
• Offshore
• District heating systems
• Chemical, electrochemical, petrochemical and
  pharmaceutical industries
• Mining
• Environmental engineering
• Water treatment
• Refuse incineration
• Pulp and paper
• Steel and metal

Overview
4
Industries (2)

• Food and beverages
• Glass industry
• Semiconductor industry (utilities)
• Transport
• Tunnel automation
• Marine automation
• Airports
• Runway lighting
• Baggage transport

Overview
5
System architecture
Overview
Clients Parallel redundancy
Management level
Server Parallel redundancy With archive-matching
PC network/terminal bus
Fault-tolerantcommunication
Ethernet
Media redundancy
Process level
H CPUs Hot stand-by
SW redundancy Warm stand-by
Redundant power supply
ET 200M
Field level
Redundant PROFIBUS
Redundant IM 153
6
System integration

• Hidden redundancy
• Transparent programming(programming same as for
  non-redundant systems)
• Standard system parameterization
• Standard handling
• All SIMATIC programming languages can be used
  without
  restriction
• Platform for F andFH systems

Overview
7
Redundancy principle (1)
Redundancy with identical components(homogeneous
redundancy)
Redundancy features
Passive redundancy
Active redundancy
Majority redundancy
A
B
m-v-n
A
R
?1
1-v-2
1-v-2
2oo2
2oo2
A
B
C
Fault-tolerant
Hot stand-by automatic switchover lt 100
ms Warm stand-by automatic switchover in
seconds range
Redundancy principle S7-400H
m-of-n Fault-tolerant and failsafe
A
B
?
2-v-2
A
R
1-v-2
1oo2
HW or SW voting
2oo2
Cold stand-by manual switchover
Failsafe
8
Redundancy principle (2)
Synchronization, information and status exchange
Redundancy features
IM
DI
AI
AO
DO
IM
FM
Process
9
Bumpless master-stand-by switchover

• Switchover time
• Switchover time lt 100ms
• Outputs are retained during switchover
• No information or alarm/interrupt is lost
• Switchover criteria
• Master failure
• Power supply
• Rack
• Sync module
• Sync cable
• CPU
• Failure of a DP string or DP slave interface
  module does not force a switchover

Redundancy features

• Switchover

10
Automatic event synchronization

• Synchronization procedure

Event synchronization
Redundancy features
Cycle synchronization
Time synchronization
Command synchronization
No synchronization

• Synchronization

Subcontroller B
Subcontroller A
Subcontroller A
Subcontroller B
Subcontroller A
Subcontroller A
Subcontroller B
Subcontroller B
11
Automatic event synchronization

• Principle

Redundancy features
Synchronization, Information and status exchange

• Synchronization

A
I 10.0
A
I 10.0
S
O 8.0
S
O 8.0






Value
Synchronization
L
PW100
L
PW100
Ackn.
L
DW 10
L
DW 10

F

F
Synchronization
T
PW130
Switchover

12
Automatic event synchronization

• Cycle

Redundancy features

• Synchronization

Self-test
Self-test
PII exchange
PII
PII
Synchronization

User program
User program
Match-up
PIO
PIO
13
Automatic event synchronization

• Customer benefits
• Transparent programming
• All standard SIMATIC-S7 programming languages
• No command restrictions
• Easy porting of the user programfrom standard
  CPU to fault-tolerant CPU
• Bumpless switchover
• No loss of information
• No loss of alarms/interrupts
• Because all redundancy-specific functions are
  handled by the operating system, the user can
  feel assured that he/she has done everything
  right as far as redundancy is concerned

Redundancy features

• Synchronization

14
Comprehensive self-test functions

• Self-test
• Scope
• CPU
• Memory
• Synchronization link
• Organization
• Startup self-test
• Complete test
• Self-test in cyclic mode
• Executes permanently as
  background task
• Executes in its entirety within a specifiable
  amount of time (default 90 minutes)

Redundancy features

• Self-test

15
Online programming

• Online modifications same as for standard system
• All modifications are automatically copied to
  both CPUs
• Connecting a PG
• At MPI interface
• Via bus

Redundancy features

• Programming

PROFIBUS/Ethernet
MPI/DP
16
Online programming

• Programming/parameter assignmentSIMATIC Manager
  H-station view

Redundancy features

• Programming

17
Online Programming

• Programming Hardware configuration

Redundancy features

• Programming

18
Configuration in RUN (CIR)

• CPU memory configuration
• Adding or removing
• Central I/O or CP
• DP slaves
• PA interface and PA slaves
• Y-link and slaves
• Modules in modular DP slaves
• CPU parameter

Redundancy features

• CIR

19
Automatic CPU re-incorporation following repair

• Connect and update stand-by CPU (1)

MASTER
STAND-BY
Redundancy features
RUN solo
STOP
Stand-by requests link-up
DisableDelete, Copy and Generate Blocks functions
Master copies all data to stand-by
Execute start routine and self-test

• Online repair

CPU 1 requests update
Terminate communication via configured
links. Disable low-priority alarms
Master copies dynamic data
User program
OS
20
Automatic CPU re-incorporation following repair

• Connect and update stand-by CPU (2)

MASTER
STAND-BY(link-up)
Redundancy features
Disable all alarms/ interrupts
Dynamic data which have changed since the last
update
Inputs, outputs, timers, counters, memory bits

• Online repair

Enable alarms/interrupts and communication
Redundant, synchronous operation
21
Replacing modules in RUN mode

• Modules which can be removed and inserted in Run
  mode
• I/O and CP
• Sync module
• Redundant IM 153-2
• Redundant power supplies
• Redundant components which can be replaced with
  the power off
• Standard power supplies
• Central IM
• CPU
• CPU is automatically updated following
  replacement(program and data)

Redundancy features

• Online repair

22
ConfigurationHighlights new CPUs

• Performance Increase
• Average Increase
• 417-4H appr. x 2,5-3
• 414-4H appr. x 1,2-2,2
• More Memeory
• 417-4H from 4 MB to 20MB
• 414-4H from 768KB to 1,4MB
• Higher Reliability
• Memory with automatic Ewrror Detection and
  Correction (EDC)
• New Feature
• Distance between the Controller up to 10km
  (before 500m)

Konfiguration
23
ConfigurationTechnical specifications for the
CPUs

• Two CPU types available
• CPU 417-4H with 20MB onboard
• CPU 414-4H with1,4MB onboard
• General technical specifications,e.g. CPU 417-4
  or CPU 414-3
• 4 integrated interfaces
• Two for the Sync modules
• One DP interface
• One MPI/DP interface

Configuration
24
ConfigurationRedundant link
Replaceable Sync modules
Fiber-optics (FO)
Configuration
Fiber-optics (FO)
25
Central Controller Configuration

• Distance between the Controller up to 10m
• Use of the Sync-Modules for Patch Cables up to
  10m
• MLFB Module 6ES7 960-1AA04-0XA0
• MLFB FO-Cable 1m 6ES7 960-1AA04-5AA0
• MLFB FO-Cable 2m 6ES7 960-1AA04-5BA0
• MLFB FO-Cable 10m 6ES7 960-1AA04-5KA0
• Distance between the Controller up to 10km
• Use of the Sync-Modules for Cables up to 10km
• MLFB Module 6ES7 960-1AB04-0XA0
• Monomode FO-Cable LC/LC Duplex crossed 9/125µ

Konfiguration
26
Central controller configurations

• With two standard subracks

Redundant power supply (PS) optional
PS
PS
CPU
PS
PS
CPU
Max. cable length 10km
With H subrack (with split backplane bus)
Configuration
PS
PS
CPU
PS
PS
CPU
27
I/O configurationSwitched I/O
Redundant IM 153-2
PROFIBUS DP
ET 200M with active backplane bus
L
L
Configuration
Special bus module (BM)
IM
Active backplane bus
IM
28
I/O configurationSwitched I/O mode of operation

• Both DP masters are active
  and functioning properly
• Reading inputsThe inputs are read only from
  the preferred channelside (active IM)
• Writing outputsThe data are accepted by both
  channels.Only the data in the preferred channel
  are forwarded to the outputs.

Configuration
29
I/O configurationConnecting PROFIBUS PA via PA
link
PROFIBUS DP
2 x IM 157
DP-PA link
Configuration
30
I/O configurationY-Link
Rack 0
Rack 1
IM 153-2 with ET 200M

• The Y-link bus coupler creates a network portal
  from the redundant DP master system to a
  one-channel DP master system

Configuration
IM 157 with PA bus
Y-Link with DP bus
31
I/O configurationY-Link hardware configuration

• IM 157
• 6ES7 157-0AA82-0XA0
• Y-Link
• 6ES7 197-1LB00-0XA0
• Bus module BM IM 157
• 6ES7 195-7HD80-0XA0
• Bus module BM Y-Link
• 6ES7 654-7HY00-0XA0
• Collective Order No.
• 6ES7 197-1LA02-0XA0

Y-Link
IM 157
Configuration
32
I/O configurationY-Link configuration
Configuration
33
Redundant communicationPrinciple

• Redundant communication is attained through
  redundant connections, which are then used when a
  problem occurs. Redundant connections can be
  created from H stations to
• Other H stations (one- or two-channel)
• HMI PCs (software Redconnect required)

Active connection
Stand-by connection
Communication
34
Redundant communicationConfiguration with
redundant bus (1)
Ethernet
H-CPU in single mode
Equivalent circuit diagram
Communication
PS
Bus
CP
CP
PS
CPU
CPU
PS
Bus
CP
CP
PS
CPU
CPU
35
Redundant communicationConfiguration with
redundant bus (2)
Ethernet
H-CPU in single mode
Equivalent circuit diagram
Communication
CP
CP
PS
CPU
CPU
PS
Bus
CP
CP
CP
CP
Bus
PS
CPU
CPU
PS
CP
CP
36
Redundant communicationConfiguration with single
bus
Ethernet
H-CPU in single mode
Equivalent circuit diagram
Communication
PS
CPU
CP
CP
CPU
PS
Bus
PS
CPU
CP
CP
CPU
PS
37
Redundant communicationConfiguration with ring
bus
Ring bus
S7-400H
S7-400H
H-CPU in single mode
Equivalent circuit diagram
Communication
PS
CPU
CP
CP
CPU
PS
Bus
PS
CPU
CP
CP
CPU
PS
Bus
38
Redundant I/O
New Redundant IO
Redundant Communication
Redundant Controller
PROFIBUS DP
Redundant Profibus
Sensor/control element
Redundant I/O
Redundant IM
39
Redundant I/OPossible redundancy structures (1)
Central I/O modules
Distributed I/O modules
Redundant I/O
40
Redundant I/OPossible redundancy structures (2)
Distributed switchedI/O modules
H-CPU in single mode
Redundant I/O
41
Redundant I/ORedundant quality stages

• Highest quality level
• Use of F-IO by exploiting the high-quality
  diagnostic functions required for failsafe
  operation
• E.g. when it is necessary to control duration-1
  faults associated with output signals
• Medium quality level
• Use of modules with diagnostic functions
• Low-cost quality level
• Use of modules without diagnostic functions

Redundant I/O
42
Redundant I/OHardware configuration

• Slot
• DP address
• Redundant DI
• Time discrepancy in ms
• Response time followingdiscrepancy
• Possible options
• AND gate
• OR gate
• Use last valid value

Redundant I/O
43
Redundant I/OHardware configuration

• Redundancy tabAppears only for
  redundancy-capable modules.
• Type of redundancy(none or 2)
• Station 2,PROFIBUSaddress 3,slot 4 contains a
  compatiblemodule. This module is selected as
  
  redundant
  DI

Redundant I/O
44
Redundant I/O Wiring digital inputs
With two sensors
With one sensor
DI
Master I/O
Both Inputs are read in parallel. The correct
value is selected and processed automatically
Redundant Profibus
Redundant I/O
Redundant I/O
DI
Since the function is not suitable for all module
types, the manual or Internet should be
consulted to find out which modules can
currently be used.
45
Redundant I/O Wiring analog inputs
With voltage sensor
With current sensor
With 2 sensors
With current sensor
AI-I
AI-I
I
4-wire transducers only
AI
Master I/O
The CPU reads both inputs. The correct value is
selected and processed automatically
I
R
Redundant Profibus
Redundant I/O
Redundant I/O
AI
Since the function is not suitable for every
module type, the manual or Internet should be
consulted to find out which modules can
currently be used.
46
Redundant I/O Wiring digital outputs
Without diodes
With diodes
Dependant on the module type
DQ
DQ
DO
Master I/O
Actuator
Both Outputs are set
Redundant Profibus
Redundant I/O
Redundant I/O
DO
Since the function is not suitable for every
module type, the manual or Internet should be
consulted to find out which modules can
currently be used.
47
Redundant I/O Wiring analog outputs
Each Output outputs half the value. When one of
the modules fails, the output that is still
intact provides the full value
AO
Master I/O
Actuator
Both Outputs are set
I
Redundant Profibus
Redundant I/O
Redundant I/O
AO
Since the function is not suitable for all module
types, the manual or Internet should be
consulted to find out which modules can
currently be used
48
Redundant I/O Integrating the user program

• The user program is integrated with the
  "Functional I/O Redundancy" library, which is
  part of STEP7 V5.3
• The redundant I/O are available to the user for
  programming as transparent I/O
• The rules state that the lowest address must
  always be used for programming.
• Method of operation
• The inputs are read by FB RED_IN and copied back
  to the POI following the discrepancy analysis
• The user writes the outputs to the lowest address
  in the usual manner. FB RED_OUT automatically
  copies the relevant value to the second address.

Redundant I/O
49
Thank you