S7- 400H

Function Fault-tolerant communication With fault-tolerant communication SIMATIC offers a new communication type with the following features: Increased availability: In the event of a fault, communication can be continued via up to 4 redundant connections. The necessary switchover is not visible to the user. Simple operation; fault tolerance is invisible from the user's perspective. User programs for standard communication can be adopted without changes. The redundancy function is defined only at the parameterization stage. Fault-tolerant communication is currently supported by the S7-400H (redundant and non-redundant configuration) and by PCs. On PCs, the Redconnect program package is required (see "SIMATIC NET communication systems"). Depending on availability requirements, different configuration options can be used: Single or redundant bus. Bus in linear or ring topology.

Mode of operation The operating system of the CPU 417-4H, CPU 414-4H and CPU 412-3H executes all the necessary additional functions of the S7-400H autonomously:
Page 1340 Mar 2008 Siemens ITS

Data exchange Fault response (failover to standby device) Synchronization of both subunits Self-test

Redundancy principle The S7-400H works according to the principle of active redundancy in "hot standby" mode (reaction-free automatic switchover in the event of a fault). According to this principle, both subunits are active during fault-free operation. In the event of a fault, the intact device assumes control of the process alone. To guarantee this transfer bumplessly, fast and reliable data exchange via the central controller link is required. In the course of the failover, the devices automatically retain the same user program the same data blocks the same process image contents the same internal data such as timers, counters, bit memories, etc.

This means both devices are always completely up-to-date and can continue control alone in the event of a fault.

Page 1341

Mar 2008

Siemens ITS

For redundant operation of the I/O this results in the following: During fault-free operation, both modules are active, that is, in the case of redundant inputs, for example, the shared sensor (two sensors are also possible) is read in via two modules, and the results are compared and made available to the user as a uniform value for further processing. In the case of redundant outputs, the value calculated by the user program is output by both modules. In the event of a fault, e.g. the failure or one or both of the input modules, the defective module is not longer addressed, the fault is reported, and operation continues with the intact module only. Following the repair that can take place online, both modules are again addressed.

Synchronization For reaction-free switchover, synchronization of both subunits is necessary. The S7-400H works with "event-drive synchronization". This involves a synchronization operation whenever events could result in different internal states in the subunits, e.g. in the case of Direct access to the I/O Interrupts, alarms Updating of the user times or Modification of data by means of communication functions.

Page 1342

Mar 2008

Siemens ITS

The synchronization takes place automatically by means of the operating system and can be ignored at the programming stage. Self-test The S7-400H executes extensive self-tests. This involves testing the following: Connection of the central controllers. CPUs. Processor/ASIC. Memory.

Every detected fault is reported. Self-test at startup At startup, each subunit executes all self-test functions fully. Self-test in cyclic operation The complete self-test is spread over several cycles. A short section of the self-test is executed per cycle so that the load on the actual controller is insignificant. Configuring, programming The S7-400H is programmed like an S7-400. All the STEP 7 functions available there are used.
Page 1343 Mar 2008 Siemens ITS

STEP 7 V5.2 is required for programming the S7-400H. Configuring of I/O modules When configuring the hardware, users must specify via HW Config which modules are mutually redundant. This only requires the specification of the modules to be operated in redundant mode and the second module that is to be the "redundancy partner". In the user program, the module with the lowest address is to be accessed. The second address remains hidden from the user and programming of the control section with redundant and non-redundant I/O is identical. The only difference to non-redundant I/O are two FBs (RED_IN and RED_OUT) from the block library that are to be called at the start and at the end of the user program.

Page 1344

Mar 2008

Siemens ITS