S7-400H

In many areas of automation technology, there is a continually increasing demand for the availability and thus the fail-safety of the automation systems. There are areas where a plant standstill can result in extremely high costs. Here, only redundant systems can do justice to the availability requirements.

The high-availability SIMATIC S7-400H meets these requirements. It continues to operate even when parts of the controller have failed due to one or more faults. The availability thus achieved makes the SIMATIC S7-400H especially suitable for the following application areas:

• Processes with high restart costs following a controller failure.
• Processes with expensive standstill times.
• Processes involving valuable materials.
• Processes in which no data must be lost in the event of an error.
• Unsupervised applications.
• Applications with reduced maintenance personnel.

Ordering data

The ordering data of the components for the S7-400H can be found with the relevant modules under "S7-400/S7-400H/S7-400F/FH".

• High-availability automation system with redundant design.
• For applications with high fail-safety requirements.
  Processes with high restart costs, expensive downtimes, little supervision, and few maintenance options.
• Redundant central functions.
• Increases availability of I/O: switched I/O configuration.
• Also possible to use I/Os with standard availability: single-sided configuration.
• Hot standby: automatic reaction-free switching to the standby unit in the event of a fault.
• Configuration with two separate or one divided central rack.
• Connection of switched I/O via redundant PROFIBUS DP and/or PROFINET.
  

Catalog ST 70:

You can also find information about SIMATIC S7-400 in Catalog ST 70:

http://www.automation.siemens.com/salesmaterial-as/catalog/en/simatic-st70-chap06-english-2015.pdf

The SIMATIC S7-400H consists of the following components:

• 2 central controllers:
  Either 2 separate UR1/UR2 central controllers or 2 areas on one divided central controller (UR2-H).
• 2 sync modules per central controller for linking both devices via fiber optic cable.
• 1 CPU 412-5H, 1 CPU 414-5H, 1 CPU 416-5H or 1 CPU 417-5H per central controller.
• S7-400 I/O modules in the central controllers.
• UR1/UR2/ER1/ER2 expansion units and/or ET 200M distributed I/O devices with I/O modules.

Central functions are always redundant in design.

I/O can be configured with normal availability or switched.

Normally available I/O (one-sided configuration)

In a one-sided configuration, I/O modules are single-channel in design and are addressed by only one of the two central controllers. One-sided I/O modules can be plugged into

• a central controller and/or
• expansion units/distributed I/O devices

.

Information read in on one side is always available to both central controllers, provided the device addressing the I/O is working correctly. In the event of a fault, the I/O modules of the affected central controller are out of service.

One-sided configuration is used:

• For plant sections that do not require increased availability.
• for connecting a user-program-based, redundant I/O. The system has to be set up symmetrically here.

Increased availability (switched configuration)

In a switched configuration, I/O modules are single-channel in design but they are addressed via a redundant PROFIBUS DP by both central controllers. Switched I/O modules can only be plugged into

• ET 200M distributed I/O devices

.

Redundancy of the I/O

The redundancy of the I/O is supported in operating system version 3.1 or higher.

Redundant I/O modules are configured redundantly in pairs. The use of redundant I/O offers maximum availability because in this way, the failure of a CPU, a PROFIBUS or a signal module is tolerated.

The redundant I/O on the system side is only supported if it is connected via PROFIBUS DP. If I/O modules that are connected to PROFINET are to be operated, this is can done via the user program.

Configuration options

The following configurations are possible:

• Redundant I/O in single-sided DP slaves
• Redundant I/O in switched DP slaves

Suitable I/O modules

The mutually redundant modules must be of the same type and design (e.g. both centralized or both distributed). The slots are not stipulated. However, use in different stations is recommended for availability reasons. Please refer to Customer Support or the manual to see which modules can be used.

Redundancy of the FMs and CPs

Function modules (FMs) and communications processors (CPs) can be used redundantly in two different configurations:

• Switched redundant configuration:
  The FMs/CPs can be connected in duplicate to separate ET 200Ms or one switched ET 200M.
• Two-channel redundant configuration:
  FMs/CPs can be plugged into both subunits or into expansion units connected to the subunits (see one-sided configuration).

The redundancy of the modules is achieved in different ways here:

• Programming by the user:
  On the function modules and the SIMATIC CPs, the redundancy function can generally be programmed by the user.The active module is determined and a possible fault is detected to initiate a switchover. The required program corresponds to the program for a single CPU with redundant FM/CP:
• Direct support from the operating system.
  In the case of SIMATIC NET-CP 443-1, the operating system supports the redundancy direct. For further details, see under Communication.

High-availability communication

With high-availability communication SIMATIC offers a type of communication with the following features:

• Increased availability:
  In the event of a fault, communication can be continued via up to 4 redundant connections. The necessary switchover goes unnoticed by the user.
• Simple operation;
  high-availability is invisible from the user's perspective. User programs for standard communication can be adopted without changes. The redundancy function is defined only at the parameterization stage.

High-availability communication is currently supported by the S7-400H (redundant and non-redundant configuration) and by PCs. On PCs, the Redconnect program package is required (see "SIMATIC NET communication systems").

Depending on availability requirements, different configuration options can be used:

• Single or redundant bus.
• Bus in linear or ring topology.

Functional principles

The operating system of the CPU 417-5H, CPU 416-5H, CPU 414-5H and CPU 412-5H executes all the necessary additional functions of the S7-400H autonomously:

• Data exchange
• Fault response (failover to standby device)
• Synchronization of both subunits
• Self-test

Redundancy principle

The S7-400H works according to the principle of active redundancy in "hot standby" mode (reaction-free automatic switchover in the event of a fault). According to this principle, both subunits are active during fault-free operation. In the event of a fault, the intact device assumes control of the process alone.

To guarantee this transfer bumplessly, fast and reliable data exchange via the central controller link is required.

In the course of the failover, the devices automatically retain

• the same user program
• the same data blocks
• the same process image contents
• the same internal data such as timers, counters, bit memories, etc.

This means both devices are always completely up-to-date and can continue control alone in the event of a fault.

For redundant operation of the I/O this results in the following:

• During fault-free operation, both modules are active, that is, in the case of redundant inputs, for example, the shared sensor (two sensors are also possible) is read in via two modules, and the results are compared and made available to the user as a unified value for further processing. In the case of redundant outputs, the value calculated by the user program is output by both modules.
• In the event of a fault, e.g. the failure of one or both of the input modules, the defective module is no longer addressed, the fault is reported, and operation continues with the intact module only. Following the repair, which can take place online, both modules are addressed again.

Synchronization

For reaction-free switchover, synchronization of both subunits is necessary.

The S7-400H works with "event-driven synchronization".

This involves a synchronization operation whenever events could result in different internal states in the subunits, e.g. in the case of

• Direct access to the I/O
• Interrupts, alarms
• Updating of the user times or
• Modification of data by means of communication functions.

The synchronization takes place automatically by means of the operating system and can be ignored at the programming stage.

Self-test

The S7-400H executes extensive self-tests. This involves testing the following:

• Connection of the central controllers.
• CPUs.
• Processor/ASIC.
• Memory.

Every detected fault is reported.

Self-test at startup

At startup, each subunit executes all self-test functions completely.

Self-test in cyclic operation

The complete self-test is spread over several cycles. A short section of the self-test is executed per cycle so that the load on the actual controller is insignificant.

Configuring, programming

The S7-400H is programmed like an S7-400. All the STEP 7 functions available there can be used.

Programming the S7-400H with PROFINET requires STEP 7 V5.5 with SP2.

Configuring of I/O modules

When configuring the hardware, users must specify via HW Config which modules are mutually redundant. This only requires the specification of the modules to be operated in redundant mode and the second module that is to be the "redundancy partner". In the user program, the module with the lowest address is to be accessed. The second address remains hidden from the user and programming of the control section with redundant and non-redundant I/O is identical. The only difference with regard non-redundant I/O are two FBs (RED_IN and RED_OUT) from the block library that are to be called at the start and at the end of the user program.

In STEP 7 V5.3 or higher, the library is integrated as standard into STEP 7.