SIMATIC PCS 7 V6.1. GMP - Engineering Manual. Guidelines for implementing automation projects in a GMP environment


SIMATIC PCS 7 V6.1
Guidelines for implementing automation projects in a GMP environment

Introduction
Contents
1 Prerequisites for Configuring Automated Systems in a GMP Environment
2 Requirements for Automated Systems in a GMP Environment
3 Specification
4 Guidelines for Implementation in a GMP Environment with Standard SIMATIC PCS 7 Software
5 Supporting Functions during Qualification
6 Additional Hardware / Software Components
Glossary
Index

Edition 12/2006
A5E

Safety-Related Notices

Notices that you should observe to ensure your own personal safety and to avoid damage to property and equipment can be found in the relevant technical manuals. The safety of pharmaceutical products, which is of prime importance to the pharmacist, must be evaluated by the pharmaceutical company itself. This document provides information on this topic.

Qualified Personnel

Only qualified personnel should be allowed to install and work on this equipment. Qualified persons are defined as persons who are authorized to commission, to ground, and to tag circuits, equipment, and systems in accordance with established safety practices and standards.

Trademarks

SIMATIC, SIMATIC HMI, SIMATIC IT and SIMATIC NET are registered trademarks of Siemens AG. Third parties using for their own purposes any other names in this document which refer to trademarks might infringe upon the rights of the trademark owners.

Copyright Siemens AG 2006 All rights reserved

The reproduction, transmission or use of this document or its contents is not permitted without express written authority. Offenders will be liable for damages. All rights, including rights created by patent grant or registration of a utility model or design, are reserved.

Siemens AG, Automation and Drives Group, Competence Center Pharma (A&D CC P), D Karlsruhe

Siemens Aktiengesellschaft

Siemens AG 2006. Technical data subject to change.

Introduction

Purpose of the Manual

This manual describes what is required of the system, the software and the procedures for configuring SIMATIC PCS 7 from a GMP perspective. The relationship between requirements and implementation is illustrated based on practical examples.

Intended Audience

The manual is intended for all planners, plant operators, developers of branch-specific control system concepts, project leaders and configuration engineers, and maintenance and service personnel who implement process control systems in a GMP environment. It describes approaches to the implementation of automation solutions with SIMATIC STEP 7 where GMP is mandatory.

Basic Knowledge Required

To understand this manual, you should be familiar with the basics of SIMATIC PCS 7. Experience of GMP as practiced in the pharmaceutical industry is an advantage.

Disclaimer

This manual is a guide for system users and configuration engineers that will assist them in integrating the SIMATIC PCS 7 process control system in a GMP environment with regard to validation and taking into account the aspects of 21 CFR Part 11. We have checked the contents of this manual for agreement with the hardware and software described. Since deviations cannot be precluded entirely, we cannot guarantee full agreement. The information in this document is checked regularly for system changes or changes to the regulations of the various organizations, and necessary corrections will be included in subsequent issues. We would be thankful for any proposed improvements, which should be sent to the Competence Center Chemical, Pharma in Karlsruhe (Germany).

Validity of the Manual

The information in this manual is valid for SIMATIC PCS 7 V6.1 incl. SP1. The components examined are PCS 7-ES, PCS 7-OS, SIMATIC BATCH and the options Central Archive Server, StoragePlus and SIMATIC IT Historian. Information relating to the precise compatibility between the individual components and PCS 7 V6.1 SP1 can be found on the CD-ROM Catalog CA01. The CD-ROM Catalog is available on the Internet at:

Further Sources of Information

The system documentation of the process control system SIMATIC PCS 7 V6.1 is an integral part of the SIMATIC PCS 7 system software. It is available to all users as online help (HTML Help) or as electronic documentation in Acrobat Reader format (PDF):

Electronic manuals SIMATIC PCS 7 V6.1 SP1 - The electronic manuals are on the PCS 7 Toolset DVD

Structure of the Guidelines

This manual supplements the existing SIMATIC PCS 7 manuals. The guidelines are useful not only during configuration, but are also intended to provide an overview of the requirements for configuration and what is expected of automation systems in a GMP environment. Laws and guidelines, recommendations and mandatory specifications that represent the basis for configuration of automation systems are explained. All the necessary functions and requirements for hardware and software components are also described, which should make the selection of components easier. Based on examples, the manual explains how hardware and software are used and how they are configured or programmed to meet the requirements. More detailed explanations can be found in the standard documentation. In the appendix, you will find a Glossary in which all the important terms are described again briefly and an index of topics.

Conventions

The following conventions are used in this manual.

Activities involving several steps are shown in the form of a table and numbered in the order in which the activities should be performed.

Activities involving only a few steps are indicated by a bullet ( ).

References to other relevant literature are shown in bold italic.

Further Support

If you have questions on the use of the products described in the manual and cannot find answers here, please speak to your Siemens contact in your local office. You can find addresses of contacts at:

You will find the guide to the range of technical documentation available for the individual SIMATIC products and systems at:

The online catalog and the online ordering system is available to you at:

If you have questions on the manual, please contact the Competence Center Pharma: Fax:

You will find more information on the range offered by Siemens for the pharmaceutical industry at:

Training Center

To familiarize you with the SIMATIC S7 automation system, we offer a range of courses. Please contact your regional training center or the central training center in D Nuremberg, Germany. Phone: +49 (911) Internet:

Technical support

You can contact Technical Support for all A&D products using the Web form for a support request. Phone: Fax:

You will find more detailed information on our technical support on the Internet at

Service & Support on the Internet

In addition to our documentation services, you can also make use of our know-how on the Internet. Here, you will find:

- The Newsletter that keeps you constantly up to date with the latest information on the products you use.
- The documents you need using the search features in Service & Support.
- A forum in which users and specialists worldwide exchange information and experience.
- Your local contacts for Automation & Drives.
- Information on local service, repairs, and spare parts. If you look in "Services", you will find much more information on a wide range of topics.

Contents

Introduction
Contents
1 Prerequisites for Configuring Automated Systems in a GMP Environment
Life Cycle Model Regulations and Guidelines Responsibilities Approval Process Software Categorization of Control Systems
2 Requirements for Automated Systems in a GMP Environment
Software Categorization Software Creation Use of Typicals for Programming Identification of Software Modules / Typicals Changing Software Modules / Typicals Hardware Categorization Configuration Management Configuration Identification Configuration Control Version Control Change Control Access Protection and User Management Using Access Protection in a System Requirements for the User ID and Password Chip Cards and Biometric Systems Electronic Signatures Conventional Electronic Signatures Electronic Signatures Based on Biometrics Security Measures for User IDs/Passwords Audit Trail Time Synchronization Archiving Data Data Backup Application Software Process Data Retrieving Data Backups Use of Third-Party Components

3 Specification
Criteria for Selecting Hardware Criteria for Selecting Software Basic Software for User Management Additional Software - Image & Partition Creator Basic Software for the Engineering System Process Control Libraries Multiproject Engineering Additional Software - Engineering System Version Cross Checker Import/Export Assistant Controller Tuning with the PCS 7 PID Tuner Simulation with S7-PLCSIM Basic Software - Operator Station Additional Software for an Operator Station Basic Software - SIMATIC BATCH Interfaces to Process Data with OS Software Connectivity Pack Additional Software for Long-term Archiving Central Archive Server (CAS) StoragePlus SIMATIC IT Historian Basic Software of Higher-level Systems User Requirements Specification Functional Specification Design Specification Specification of Automation Hardware Specification of Automation Software
4 Guidelines for Implementation in a GMP Environment with Standard SIMATIC PCS 7 Software
Introduction Software Categorization of SIMATIC PCS Software Installation Operating System SIMATIC PCS 7 Software Installation of Utilities and Drivers Printer Drivers Virus Scanners Multiproject Engineering Views SIMATIC NET Settings Setting up the OS, OS Client, OPC Server, and SIMATIC BATCH Automation System (AS) Engineering Station (ES) Industrial Ethernet PROFIBUS Configuration Management Changes to the System Software Updates, Service Packs, and Hotfixes Upgrades (Migration) How to Update System Software Versioning the User Software Initial Creation of the User Software Initial Creation of the OS Versioning Project Data with "SIMATIC PCS 7 Version Trail"

Changing the User Software Creating Software Modules General Example of a Process Tag Type Setting up Process Value Archives Import/Export Assistant (IEA) Automatic Generation of Block Icons Activating and Deactivating Simulation Software OS Project Editor Creating Overview Pictures Integrating SIMATIC BATCH BATCH Definition of Terms Conformity with the ISA Standard ISA Software Model SIMATIC PCS Implementation of the ISA Concept Configuring SIMATIC BATCH Setting up Access Protection How Access Protection Works under Windows and in PCS 7 Process Mode Permission Management in Windows User Management Security Settings of Password Policy Security Mechanisms for Account Lockout Policies Security Settings for Audit Policy Configuring SIMATIC Logon Disabling the Windows Level in Process Mode (Runtime) Disabling on the SIMATIC PCS 7 OS Lockout by Configuration Security with Configuration Settings in WINDOWS Audit Trail PCS 7 OS SIMATIC BATCH Time Synchronization Concepts for Time Synchronization Example of Configuring Time Synchronization over Ethernet (OS Server as Time Master) Lifebeat Monitoring SIMATIC PCS Third-Party Systems Use of SIMATIC BATCH Reports Backing up the System/User Software Backing up the User Software Backing up the Operating System and SIMATIC PCS Long-term Archiving Long-term Archiving with the Central Archive Server (CAS) How It Works Integration in PCS Access Protection Time Synchronization Network Security Integrating the CAS in Lifebeat Monitoring OS Client for Visualizing CAS Data Audit Trail Archiving and Transferring to the CAS Data Display Long-term Archiving with StoragePlus How StoragePlus Works Software Packages of StoragePlus

Installation of StoragePlus Security and Access Concept Time Synchronization Network Security Audit Trail Configuration of Long-term Archiving Configuration of the StoragePlus Database Transferring Archive Data (Backup) Retrieving Data Backups Restoring the System Data Displays Long-term Archiving with SIMATIC IT Historian Data Exchange with the Plant Management Level Uninterruptible Power Supply Configuration of Uninterruptible Power Supplies UPS Configuration over Digital Inputs Creating SCL, C, VB Scripts SIMATIC PCS 7 Add-Ons
5 Supporting Functions during Qualification
Introduction Qualification of Automation Hardware Qualification of Automation Software Qualification of Standard Software System Programs from SIMATIC PCS Installed Authorizations of SIMATIC PCS Qualification of the Application Software
6 Additional Hardware / Software Components
6.1 Time Synchronization Solutions for Special Automation Tasks SIMIT Simulation Software Using MASTERGUARD UPS Systems
Glossary
Index

1 Prerequisites for Configuring Automated Systems in a GMP Environment

Before automated systems can be configured in a GMP Environment, approved specifications such as the user requirements and Functional Specification must exist. When creating these specifications, requirements stipulated in standards, recommendations and guidelines must be taken into account. This chapter lists the most important of these regulations as well as various specifications (URS, FS, DS).

1.1 Life Cycle Model

Good engineering practice (GEP) means the use of and adherence to defined guidelines in the planning and configuration of systems. GEP includes the entire life cycle of a system. The schematic below shows the life cycle model of a system. This manual follows the information contained in the GAMP 4 Guide for Validation of Automated Systems. The procedures stipulated in GAMP 4 are explained and illustrated by practical examples.

Key to the life cycle model

Abbreviation/Acronym | Description
VP | Validation Plan [1]
QP | Qualification Plan
QPP | Quality and Project Plan [2]
URS | User Requirements Specification
FS | Functional Specification
DS | Design Specification (this includes, for example, P&I charts, software and software module specification and hardware design specification, etc.)
FAT | Factory Acceptance Test
SAT | Site Acceptance Test
IQ | Installation Qualification
OQ | Operational Qualification
PQ | Performance Qualification
VR | Validation Report
QR | Qualification Report

[1] To improve readability and recognition of familiar terminology, not all terms and abbreviations/acronyms were translated in the German version.
[2] The meanings of the terms "User Requirements Specification" and "Functional Specification" used in GAMP 4 do not correspond to the German terms "Lastenheft" or "Pflichtenheft" as used, for example, in VDI 3694 and VDI

Validation Plan

The Validation Plan is used to specify the methods used for validation or qualification and measures for validating, for example, an automation system. A Validation Plan should specify all validation activities and name those responsible for their implementation. Further topics that should be covered by a Validation Plan include:

- Documentation of the results of the validation activities
- All standard operation procedures (SOP) that relate to the system
- Preservation of the validation status of the system

A system-specific Validation Plan may be preceded by a generic Validation Master Plan (VMP or MVP).

Qualification Plan

In contrast to the Quality and Project Plan, a Qualification Plan (QP) describes all the qualification measures while the Quality and Project Plan deals mainly with project and quality management. The Qualification Plan contains detailed descriptions of the necessary test measures and a description of the interdependencies of the individual tests. References to other test documents such as FAT or SAT and a description of the deviation management must also be integrated in the Qualification Plan.

Quality and Project Plan

In contrast to the Qualification Plan, the Quality and Project Plan (QPP) documents project and quality management. It documents, for example, procedures for managing documents or the procedures for change control. It should also contain a description of the individual test phases during the life cycle of a system. The responsibilities within the project and the milestones must also be specified.

Specification

The specification phase begins with the creation of a user requirements specification. The User Requirements Specification is normally created by the user and describes the requirements that the system should meet. On completion of the user requirements specification, the Functional Specification is created, usually by the supplier. The Functional Specification (FS) describes the implementation and the functions of the system set out in the user requirements specification. This is followed by the detailed planning and implementation in the Design Specification (DS).

The functional and Design Specification also form the test basis for later qualification. The following aspects should also be specified in the functional and Design Specification phase:

- Software structure
- Programming standards
- Name convention
- File naming convention

Implementation

The functions described in the Design Specification are implemented in the implementation phase. The requirements of the pharmaceutical industry, in particular, must be taken into account at this stage. Based on the naming and file naming conventions decided in the specification phase, the software, software blocks and variables must be named and documented so that the program code can be structured clearly. Blocks or software modules must be labeled uniquely with author, date created, version, and comment. Versioning of these blocks is important to allow easier tracking of subsequent changes. Software source code must be explained in comments. "Dead code", in other words parts of the user program that are no longer called due to changes in the programming, must be removed or commented out. User program code must be commented accordingly.

To be able to restore the last project engineering status if data is lost, regular backups must be made:

- Backup of the user program
- Following changes to the settings of PC components: full backup of the component involved

Project Change Control

Changes (deviations from the specification) during editing of the project must be documented. Depending on the changes made, it may be necessary to agree the changes with the system user. If errors occur or if changes are required, change requests should be used as documentation. During the project engineering phase, numerous small changes become necessary. The changes should also be subject to a structured change control process. Due to their numbers and the often minor effects, suitable handling must also be devised for such changes. Here, for example, the grouping of several changes or simplified documentation and procedure (for example in the form of lists) would be conceivable.

FAT

On completion of the implementation, a Factory Acceptance Test (FAT) is often performed at the supplier's site. The purpose of this is to find and eliminate any errors in the programming prior to delivery. The aim of the FAT is acceptance by the customer, so that the system can be delivered in the tested status. The customer should follow the FAT and confirm that it was completed correctly in a concluding report.

SAT

The Site Acceptance Test (SAT) shows that an automated system works within its operating environment with interfaces to the instrumentation and plant sections according to the specification. The SAT can contain tests in addition to those run during the FAT, namely tests that are possible for the first time with connected field instruments and plant sections as well as interfaces to neighboring systems. The SAT can be combined with commissioning.

Qualification

The FAT is followed by the technical commissioning [3] (commissioning phase). In this phase, the system along with the user program that has been created is installed at the system user's site, and the technology is commissioned, tested and qualified. The commissioning phase and qualification phases can run sequentially or simultaneously. It is advisable to synchronize the activities of commissioning and qualification to save both time and costs. The Qualification Plan should therefore be created in good time so that it is possible to check whether or not tests already made during FAT or SAT need to be repeated during qualification. In this case, the documented FAT / SAT tests must be referenced in the qualification documents.

When creating the test documentation, tests and acceptance criteria must be described so that they are easy to understand. Test documentation, for example for FAT, SAT or qualification phases, must be created according to the defined methodology so that the system user will accept it as material that can be referenced for qualification. Referencing previously performed tests during qualification saves tests being repeated and reduces qualification costs. One requirement for referencing test documentation is, however, that the test documentation is approved according to schedule.

[3] The technical commissioning must not be confused with the pharmaceutical commissioning. The aim is to put the technical system into operation for the first time, for example to be able to run functional tests on the operational target system during the OQ.

To be able to reference test documentation, it must be completed in accordance with GMP principles and handed over to the qualification team. Correctly labeled software backups and the complete technical documentation such as the process description, manuals etc. according to the agreed scope of the delivery, must be handed over to the system user. Among other things, the archiving must be verified in the course of qualification.

Qualification Report

Based on the Qualification Plan, the qualification report (QR) sums up the test results of the tests performed and confirms the successful completion of the qualification phases.

Validation Report

The Validation Report (VR) sums up the results of the individual validation steps and confirms the validated status of the system. The creation of both the Validation Plan and the Validation Report is the responsibility of the customer.

Operation

Following successful qualification and subsequent operation (start of production) of the system, the plant must be serviced and maintained by the user. The maintenance and service cycles must be defined and adhered to.

Change Control during Operation

If changes are made to an existing system, the procedures of the user for change control during operation must be used. Such changes must be clearly identified and described before they are made, and the planned change must be approved for implementation. After making the change and completing the defined accompanying measures (for example repeating tests), the revision of the software must be incremented and the as-built documentation must be updated. This is where good documentation of the software with suitable comments and logically structured application software prove their value. After approval of the change requests, change specifications must be created and the life cycle is run through again. Depending on the extent and effects of the planned change to the existing documentation and the risk assessment of the change related to the existing plant, the effort involved during the life cycle and, in particular, the effort required for testing may vary greatly.

Risk Analysis

Risk analysis is a methodical procedure in which the process, the system or programs are analyzed in sufficient detail. The risks identified by the analysis for new installations and changes to plants are examined in terms of their results and effects on the (pharmaceutical) product.

1.2 Regulations and Guidelines

When configuring automated systems requiring validation in a GMP environment, the recommendations and guidelines of various organizations should be adhered to. These are usually based on general guidelines such as Title 21 Code of Federal Regulations (21 CFR) of the American Food and Drug Administration (FDA) or the EU GMP Guideline Annex 11.

Regulation / Guideline | Issued by / Organization | Title | Regulation / Recommendation | Where Applicable
Title 21 Code of Federal Regulations (21 CFR) | FDA | Part 11: Electronic records, electronic signature. Part 210: Current good manufacturing practice in manufacturing, processing, packing, or holding of drugs; General. Part 211: Current good manufacturing practice for finished pharmaceuticals | Regulation | USA and importers into the USA
Annex 11 of the EU GMP Guideline | European Commission Directorate General III | Computer-aided Systems | Guideline | Europe
Annex 18 of the EU GMP Guideline | European Commission Directorate General III | Good Manufacturing Practice for Active Pharmaceutical Ingredients | Guideline | Europe
GAMP 4 | ISPE | GAMP 4 Guide for Validation of Automated Systems | Guideline | Worldwide
NAMUR Recommendation NE 58 | NAMUR | Execution of Process Control Projects Subject to Validation | Recommendation | Europe
NAMUR Recommendation NE 71 | NAMUR | Operation and Maintenance of Validated Systems | Recommendation | Europe
NAMUR Recommendation NE 72 | NAMUR | Validation Support by Use of Control Systems | Recommendation | Europe

Note: This manual is based on the requirements of GAMP 4 and FDA 21 CFR Part 11.

Code of Federal Regulations Title 21 (21 CFR), Food and Drugs

The Code of Federal Regulations, Title 21 includes parts such as Parts 210 and 211. Part 11 (known as 21 CFR Part 11) is of particular importance for computer validation. This part deals with electronic records and electronic signatures.

Annex 11 of the EU GMP Guideline

Annex 11 of the EU GMP guideline is divided into 19 points and covers topics including requirements for configuration, operation and change control for computerized systems in a GMP Environment. An interpretation of Annex 11 can be found in the GAMP 4 Guide in the form of an APV guideline for the validation of automated systems.

Annex 18 of the EU GMP Guideline

Annex 18 of the EU GMP guideline deals with good manufacturing practice for active pharmaceutical ingredients. This is intended as a GMP manual for the manufacture of active pharmaceutical ingredients within the framework of a suitable quality management system. Chapter 5 of Annex 18 deals with the process equipment and its use.

GAMP Guide for Validation of Automated Systems "GAMP 4"

The GAMP (Good Automated Manufacturing Practice) Guide for Validation of Automated Systems was compiled as a recommendation for suppliers and as a manual for users of automated systems in the manufacturing pharmaceutical industry. The current version "GAMP 4" was published in December

NAMUR Recommendations

NAMUR Recommendations are reports of the experience of the "Process Control Systems Special Interest Group of the chemical and pharmaceutical industry" for optional use by their members. They do not have the status of standards or directives. The following NAMUR recommendations are of particular interest with regard to configuration and the use of automated systems in a GMP Environment:

- NE58 "Execution of Process Control Projects Subject to Validation"
- NE71 "Operation and Maintenance of Validated Systems"
- NE72 "Validation Support by Use of Control Systems"

1.3 Responsibilities

When configuring automated systems in a GMP environment and creating the appropriate specifications, the responsibilities during the life cycle are defined as follows.

Documentation | Location | Responsibility
User requirements specification | User | User creates and approves
Functional Specification | Supplier | Supplier creates / user approves
Hardware Design Specification | Supplier | Supplier creates / user approves
Software Design Specification | Supplier | Supplier creates / user approves
System implementation | Supplier | Supplier creates / ideally checked by user
Factory Acceptance Test FAT | Supplier | Supplier performs / user approves
Site Acceptance Test SAT | User | User performs / supported by supplier
Installation Qualification IQ | User | User responsible / supplier and/or user performs
Operational Qualification OQ | User | User responsible / supplier and/or user performs
Performance Qualification PQ | User | User performs / supported by supplier
Change control during operation | User | User performs / possibly supported by supplier
Shutdown | User | User performs / possibly supported by supplier

1.4 Approval Process

When changes are made to existing systems or when new systems are installed, certain approvals must be obtained during the various phases of system configuration. Several pertinent documents are listed below and the significance of their approval explained.

Quality and Project Plan

In contrast to the Qualification Plan, the Quality and Project Plan (QPP) documents project and quality management. It documents, for example, procedures for managing documents or the procedures for change control. It should also contain a description of the individual test phases during the life cycle of a system. The responsibilities within the project must be defined.

Change control

Changes to an existing system (hardware / firmware, user software etc.) are proposed by the system user in a change request. This is approved and released by the user. This forms the basis of such a project.

User Requirements Specification

The User Requirements Specification describes the new requirements that the system is intended to meet based on the request described above. The User Requirements Specification is generally created by the system user but can also be created by the system supplier or a third party. The User Requirements Specification must always be checked and approved by the system user and the quality assurance department. The User Requirements Specification should be adapted to the current situation during the planning phase and, if necessary, approved and released as a new version.

Functional Specification

The Functional Specification is normally created by the system supplier. Based on the User Requirements Specification or the change request, it describes the functions of the system in detail. The Functional Specification is created in consultation with the system user and must be approved and released by the user. The approved Functional Specification is used as the basis for creating the detailed specifications and for subsequent configuration.

Design Specification

The Design Specification (DS), like the Functional Specification, is normally created by the system supplier. This is based on the Functional Specification and supplements this with detailed descriptions, for example, of the hardware and software used, process variable lists etc. The Design Specification is created with the co-operation of the system user and must be approved and released by the system user.

Qualification documents (test documents)

The test documents must provide evidence that the requirements are met and that all functions were implemented as specified. This is done by creating suitable test documents that document test planning, test execution and the test results. The test documents must be created by the system supplier according to the specifications of the Functional Specification or the detailed specification. The test documents must be checked and approved by the system user. If tests performed previously in the FAT or SAT are referenced within the framework of qualification, this must be included in the Qualification Plan and approved by the user.

1.5 Software Categorization of Control Systems

As described in Section 2.1 "Software" and Section 4.2 "Software Categorization of SIMATIC PCS 7", the software of a system can be divided into five software categories according to the GAMP Guide for Validation of Automated Systems. The software categories have a major influence on the effort involved during the test and qualification phase and should be defined during the specification phase for the software to be used.

2 Requirements for Automated Systems in a GMP Environment

In the context of GMP, automated systems must meet certain requirements. Section 2 "Requirements for Automated Systems in a GMP Environment" lists the main requirements that an automated system must meet in a GMP environment. These requirements must be stipulated in the specification and implemented during configuration. In general, it must always be ensured that proof of all changes (who did what, when, to change what) is recorded at all times ("why" is optional). The requirements involved in this task are implemented by various functions and are described in the following sections.

The graphic below shows the life cycle model. The requirements focused on in this section can be assigned to the specification area. This is illustrated in the following graphic by the marking in the area on the left.

2.1 Software Categorization

According to the GAMP Guide for Validation of Automated Systems, the software components of a system can be divided into five software categories. The five GAMP software categories are listed below:

Category 1, Operating Systems

Category 1, operating systems, covers established commercially available operating systems. These are not subject to validation themselves; the name and version of the operating system must, however, be documented and verified during Installation Qualification (IQ).

Category 2, Firmware

Category 2 covers the firmware that is configured to match the local conditions. Once again the name and version of the firmware and its configuration must be documented and verified during an Installation Qualification (IQ). The functionality of the software must be verified in an Operational Qualification (OQ).

Category 3, Standard Software Packages

Category 3 covers commercially available, standard software packages and "off-the-shelf" solutions for certain processes. The configuration of the software packages should be limited to adaptation to the runtime environment (for example network and printer connections) and the configuration of the process parameters. The name and version of the standard software package should be documented and verified in an Installation Qualification (IQ). Special user requirements, such as security, alarms, messages, or algorithms must be documented and verified in an Operational Qualification (OQ).

Category 4, Configurable Software Packages

Category 4 covers configurable software packages that allow special business and manufacturing processes. This involves configuring predefined software modules. These software packages should only be considered as belonging to Category 4 if they are well-known and mature. Normally, a supplier audit is necessary.
If this is not available, the software packages should be handled as Category 5 and the supplier should use the GAMP 4 guide to provide the foundation for establishing a suitable quality system. The name, version, and configuration should be documented and verified in an Installation Qualification (IQ). The functions of the software packages should be verified in terms of the user requirements in an Operational Qualification (OQ). The Validation Plan should take into account the lifecycle model and an assessment of suppliers and software packages.

Category 5, User-specific (tailored) Software

Category 5 covers user-specific software developed specifically to meet the needs of the user company. A supplier audit is normally required to confirm the quality systems to control development and subsequent maintenance. Otherwise, the supplier should use the GAMP 4 guide as the basis for a suitable quality system. The name, version, and configuration should once again be documented and verified in an Installation Qualification (IQ). A detailed software specification must be created and the function of the software verified in an Operational Qualification (OQ). The Validation Plan should specify a full life-cycle approach to validation.

The test effort when using software belonging to Category 5 is far higher than when using software of the lower categories. The effort required for validation and testing can be reduced by using standardized software packages. The following graphic illustrates the effort required for validation related to the software category being used.

(Graphic: validation effort by software category)

Software Creation

When creating software, guidelines documented in the Quality and Project Plan must be adhered to (GEP awareness). Guidelines on software creation can be found in the GAMP 4 Guide for Validation of Automated Systems and in the relevant standards and recommendations.

Use of Typicals for Programming

As seen in Section "Software Creation", the validation effort increases considerably from GAMP software category to category. While the validation effort for software of category 1 simply involves checking software names and versions, the effort for validation of software in category 5 involves verification of the entire range of functions and a supplier audit. To keep the validation effort to a minimum, whenever possible only predefined standard function blocks should be used during configuration. User-tailored typicals are created from standard function blocks and tested according to Design Specifications.

Identification of Software Modules / Typicals

During software creation, individual software modules should be given a unique name, version number, and a brief description of the corresponding block. Changes to software modules should be reflected in the identification.

Changing Software Modules / Typicals

Changes to software modules should be indicated in the identification of the relevant module. Apart from the incremented version ID, the date and name of the person making the change should also be included in the software module identification. The program sections to be modified should, where necessary, be identified with comments referencing the corresponding number of the change request / order. See also Section 4.20 "Time Synchronization".

2.2 Hardware Categorization

According to the GAMP 4 Guide, the hardware components of the system fall into two hardware categories. The two hardware categories are listed below:

Category 1, Standard Hardware Components

Category 1, standard hardware components, covers established commercially available hardware components. This hardware must also be subjected to relevant quality and test mechanisms. The hardware is accepted and documented by the IQ test.

Category 2, Custom-built (bespoke) Hardware Components

The functionality must be specified in documentation and tested and documented in suitable documented tests.

2.3 Configuration Management

According to the GAMP Guide, configuration management is defined as the activity necessary to define an automated system precisely at every point in its life cycle from the first steps in development to its retirement. Configuration management consists of the application of administrative and technical procedures through the life cycle of a system to:

- identify, define, and baseline system components and to specify them in general
- control modifications and releases of items
- record and report the status of the items and modifications to them
- ensure the completeness, consistency, and correctness of the items
- control storage, handling, and delivery of items.

Configuration management consists of the following activities:

- Configuration identification (WHAT is to be kept under control)
- Configuration control (how the control will be implemented)
- Configuration status accounting (how the control will be documented)
- Configuration evaluation (how the control will be verified).

This chapter covers the activities of configuration identification and configuration control.

Configuration Identification

Version and change management is only practicable with a suitable configuration environment. Every software and hardware package must therefore be identified by a unique product identifier (MLFB number) and a version number. For the user software, the parts of an automated system that are subject to configuration management must be clearly identified. The system should therefore be broken down into configuration items. These should be identified at an early phase of development so that a complete list of configuration items is defined and maintained. The application-specific items should have a unique name or version ID. The depth of detail when specifying the elements is decided by the needs of the system, and the organization developing that system.

Configuration Control

The upkeep of the configuration items should be checked at regular intervals, for example in reviews. Here, particular attention must be paid to the change control and the related version control. Archiving and release of individual configuration items should also be taken into account.

Version Control

To ensure correct change management, the configuration elements must be versioned. The version must be updated with every change.

Change Control

During configuration, there must be suitable control mechanisms to achieve transparency by documenting the current status. The control mechanisms are described by SOPs and should include the following points.

- Software versioning
- Information such as programming guidelines, naming conventions etc.
- Guaranteeing the traceability of program changes
- Unequivocal identification of software and all the components it contains

2.4 Access Protection and User Management

To guarantee the security of automated systems in the context of GMP, these systems should be provided with an access control system. In addition to physical access control (locked rooms etc.), access control systems also provide the option of protecting systems from unauthorized access. Users should be put together in user groups with which the user permissions are managed. The access rights of individual users can be established in different ways:

- Combination of unique user ID and password. Configuration is described in Section 4.17 "Setting up Access Protection".
- Chip cards in conjunction with a password
- Biometric systems

To ensure security, the assignment and management of the access permissions should be controlled by the system owner or by an administrator named by the user.

Using Access Protection in a System

Actions that can be performed on an automated system should always be protected. Depending on the task, the user can be assigned various permissions. Access to user administration should only be possible for the system owner or an employee named by the system owner. Access by unauthorized persons to the recording of electronic data must be prevented. An automatic logout function should be installed in the system. The logout time should be defined in consultation with the user and stipulated in the Functional Specification.

Note: It is important to make sure that only authorized persons can access PCs. This can be achieved by suitable mechanisms such as remote kits. Process control system PCs should be installed in control rooms with restricted access or integrated in lockable switching cabinets.

Requirements for the User ID and Password

User ID: The user ID of a system should have a minimum length agreed with the customer and should be unique within the system.

Password: A password should always consist of a combination of numeric and alphanumeric characters. When setting up passwords, the number of characters and a period after which a password expires should be stipulated. The structure of the password is normally selected to suit the specific customer. The configuration is described in the section Security Settings of Password Policy.

Criteria for the structure of a password are as follows:

- Minimum length of the password
- Use of numeric and alphanumeric characters
- Case sensitivity

Chip Cards and Biometric Systems

Apart from the traditional methods of identification with a user ID and password, users can also identify themselves with chip cards or with biometric systems, such as fingerprint scanners.

2.5 Electronic Signatures

Electronic signatures are computer-generated character strings that count as the legal equivalent of a handwritten signature. The regulations for the use of electronic signatures are set out in 21 CFR Part 11 of the FDA. Each electronic signature must be assigned uniquely to one person and must not be used by any other person. It must be possible to confirm to the authorities that an electronic signature represents the legal equivalent of a handwritten signature. Electronic signatures can be biometrically based or the system can be set up without biometric features.

Caution: When exporting pharmaceuticals into the USA, the regulations according to 21 CFR Part 11 of the FDA must be adhered to.

Conventional Electronic Signatures

If electronic signatures are used that are not based on biometrics, they must be created so that persons executing signatures must identify themselves using at least two identifying components. This also applies in all cases in which a chip card replaces one of the two identification components. These identifying components can, for example, consist of a user identifier and a password. The identification components must be assigned uniquely and must only be used by the actual owner of the signature. When owners of signatures want to use their electronic signatures, they must identify themselves by means of at least two identification components. The exception to this rule is when the owner executes several electronic signatures during one uninterrupted session. In this case, persons executing signatures need to identify themselves with both identification components only when applying the first signature. For the second and subsequent signatures, one unique identification component (password) is then adequate identification.
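The two-component rule and its session exception, as described above, can be expressed as a small state machine. This is an added example, not code from the manual or from SIMATIC Electronic Signature; the names UserDirectory, SigningSession and SignatureError are hypothetical, and ending the session on a failed password is a conservative assumption rather than something the text requires.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


class SignatureError(Exception):
    """Raised when a signature is refused."""


def _derive(password, salt):
    # Passwords are stored only as a salted PBKDF2 hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserDirectory:
    """Hypothetical credential store: each user ID belongs to one person."""

    def __init__(self):
        self._users = {}

    def enroll(self, user_id, password):
        if user_id in self._users:
            raise ValueError("user ID must be unique within the system")
        salt = os.urandom(16)
        self._users[user_id] = (salt, _derive(password, salt))

    def verify(self, user_id, password):
        record = self._users.get(user_id)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _derive(password, salt))


class SigningSession:
    """First signature: user ID and password. Later ones: password only."""

    def __init__(self, directory):
        self._directory = directory
        self._signer = None          # set by the first full identification
        self.signatures = []

    def sign(self, record_id, meaning, password, user_id=None):
        if self._signer is None:
            # No uninterrupted session yet: both components are mandatory.
            if user_id is None:
                raise SignatureError("first signature needs user ID and password")
            if not self._directory.verify(user_id, password):
                raise SignatureError("identification failed")
            self._signer = user_id
        else:
            # Uninterrupted session: the password alone is adequate, but it
            # is always checked against the signer who opened the session.
            if user_id is not None and user_id != self._signer:
                raise SignatureError("session belongs to another signer")
            if not self._directory.verify(self._signer, password):
                self.interrupt()     # assumption: a failed attempt ends the session
                raise SignatureError("identification failed")
        entry = {
            "record": record_id,
            "meaning": meaning,
            "signer": self._signer,
            "time": datetime.now(timezone.utc).isoformat(),
        }
        self.signatures.append(entry)
        return entry

    def interrupt(self):
        """Logout, automatic logout or user change ends the session."""
        self._signer = None


if __name__ == "__main__":
    directory = UserDirectory()
    directory.enroll("op_miller", "Batch2006x")        # constructed sample user
    session = SigningSession(directory)
    print(session.sign("BR-001", "approved", "Batch2006x", user_id="op_miller"))
    print(session.sign("BR-002", "reviewed", "Batch2006x"))
```
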

Electronic Signatures Based on Biometrics

An electronic signature based on biometrics must be created in such a way that it can only be used by one person. If the person making the signature does so using biometric methods, one identification component is adequate. Possible biometric recognition systems include systems for scanning a fingerprint or the iris of the eye.

Note: The use of biometric systems is currently considered a secure identification method. Nevertheless, there are reservations about the use of biometric identification characteristics in the pharmaceutical industry (for example poor face recognition due to protective clothing covering the face, no fingerprint scans with gloves, the expense involved and the reaction times of retina scans).

Security Measures for User IDs/Passwords

To guarantee the security of electronic signatures when using a user ID and password, the following points are important:

- Uniqueness of the user ID and password
- Supervised issue of user IDs
- Cancellation of rights if a user ID or password is no longer secure or compromised
- Security measures to prevent unauthorized use of user IDs / passwords and to report misuse
- Training of personnel with documented proof of courses

2.6 Audit Trail

The audit trail is a control mechanism of the system that allows all data entered or modified to be traced back to the original data. A reliable and secure audit trail is particularly important in conjunction with the creation, change or deletion of GMP-relevant electronic records. In this case, the audit trail must archive and document all the changes or actions made along with the date and time. Typical contents of an audit trail must be recorded and describe the procedures "who changed what and when" (old value/new value). The archiving period must match the period stipulated in the specification. There must be adequate hard disk space to allow the entire audit trail to be stored until the next transfer to an external data medium. Systems must be used that ensure adequate data security (for example redundant systems, standby systems, RAID 5).

The audit trail of the SIMATIC PCS 7 process control system documents all actions and entries made by the plant operator. All actions and entries are documented and archived by SIMATIC PCS 7 with the date, time, user name, time of the entry, and detailed information about which data was changed.

2.7 Time Synchronization

Within a system, a uniform time reference must be guaranteed to allow messages, alarms etc. to be archived with unequivocal time stamps. Time synchronization to a standard time is desirable but not absolutely necessary. Time synchronization when archiving data, analyzing problems, and optimizing a plant is strongly recommended.
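What "traced back to the original data" means in practice can be checked mechanically: every entry's old value must equal the previous entry's new value, and time stamps must be unambiguous. The following is an added example, not PCS 7 code or its archive format; AuditEntry, trace_item and the sample entries are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


class AuditTrailError(Exception):
    """Raised when the trail cannot prove an unbroken history for an item."""


@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime   # when
    user: str             # who
    item: str             # what was changed
    old_value: str
    new_value: str
    reason: str = ""      # "why" is optional


def trace_item(entries, item):
    """Return (original value, current value, ordered history) for one item.

    Fails if an entry lacks a user, if two entries share a time stamp
    (no unequivocal order), or if an old value does not match the
    preceding new value (a change is missing from the trail).
    """
    history = sorted((e for e in entries if e.item == item),
                     key=lambda e: e.timestamp)
    if not history:
        raise AuditTrailError(f"no audit entries for {item}")
    for entry in history:
        if not entry.user:
            raise AuditTrailError(f"{item}: entry at {entry.timestamp} has no user")
    for prev, cur in zip(history, history[1:]):
        if cur.timestamp == prev.timestamp:
            raise AuditTrailError(f"{item}: ambiguous time stamp {cur.timestamp}")
        if cur.old_value != prev.new_value:
            raise AuditTrailError(
                f"{item}: gap between {prev.timestamp} and {cur.timestamp}: "
                f"expected old value {prev.new_value!r}, found {cur.old_value!r}")
    return history[0].old_value, history[-1].new_value, history


# Constructed sample trail (not real plant data).
SAMPLE_TRAIL = [
    AuditEntry(datetime(2006, 12, 4, 8, 15, 2), "op_miller", "TIC101.SP", "37.0", "38.0"),
    AuditEntry(datetime(2006, 12, 4, 9, 40, 51), "op_schmidt", "TIC101.SP", "38.0", "37.5",
               reason="CR-0042"),
    AuditEntry(datetime(2006, 12, 4, 9, 41, 30), "op_schmidt", "FIC205.MODE", "AUTO", "MANUAL"),
    AuditEntry(datetime(2006, 12, 4, 13, 5, 17), "op_miller", "TIC101.SP", "37.5", "36.5"),
]


if __name__ == "__main__":
    original, current, history = trace_item(SAMPLE_TRAIL, "TIC101.SP")
    print(f"TIC101.SP: original {original}, current {current}, {len(history)} changes")
    for e in history:
        print(f"  {e.timestamp.isoformat()} {e.user}: {e.old_value} -> {e.new_value}")
```
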

2.8 Archiving Data

Archiving data involves the data backup of all the cGMP-relevant process data during the manufacture of a batch. These include process values (often in the form of trends), messages (alarms, warnings etc.), the audit trail (who undertook which action and made which entries when) and, if applicable, other batch report data. The storage space on the data media of a system is finite. To keep space available on these data media, data such as measured values, message archives, or reports should be transferred regularly to external data media. Apart from keeping storage space available within a system, the archiving of cGMP-relevant data, such as process data, batch reports, or trends is obligatory. The period for which such data must be retained is generally laid down in:

- Legal regulations (for example for the retention of pharmaceutical documentation)
- Customer requirements
- International regulations

2.9 Data Backup

In contrast to the archiving of electronic data, data backup makes data available in emergency situations, for example a defective hard disk. The aim of data backup is to be able to recover a system completely following a system crash. Data backups are created on external data media. The data media used should comply with the recommendations of the device manufacturer. When backing up electronic data, a distinction is made between software backups (for example application software, hard disk backups) and archive data backups. Here, particular attention is paid to the storage of data backup media (storage of the copy and original in different locations, protection from magnetic fields, and elementary damage).

Application Software

Software backups should be created following any software change to the system. They must document the last valid software version of a system. If changes are made to software components, it is adequate to back up the modified components of the application software. A complete backup of the software should nevertheless be made at regular intervals. If software backups need to be created when changes are made to the software of an existing system or during the installation of a new system, they should be created after the installation. During the course of a project, the software version should be backed up and documented in conjunction with defined milestones, for example at the end of the FAT (in other words before the system is supplied), on completion of the Installation Qualification (IQ) as a basis for the tests for Operational Qualification (OQ) and, of course, on handover of the system to the user. Software generations should also be recorded during the creation of new software versions at regular intervals in the form of software backups. Software backups must be created for both the application software and the configuration parameters.

Labeling Software Backups

According to the GAMP 4 Guide for Validation of Automated Systems, software backups should be documented both on the label of the backup medium itself and in a separate report containing the following information:

- Date of creation
- System designation
- Software designation
- Software or version designation
- Current number of the backup
- Reason for software backup
- Date of first usage
- Date of backup
- Date and signature of the person responsible
- Identity of the operator

Retention of Software Backups

At least the last two software backups should be archived.
For reasons of safety, these should be stored at a different location from the system (according to the recommendations of the BSI (German authority responsible for security in information technology), for example in a fire compartment separate from the system). A suitable backup strategy must be defined depending on the frequency at which changes are made. The storage life of the data medium should be defined (for example based on the manufacturer's information or on publications of the relevant national authorities for information technology) and before this expires, the backup should be migrated, for example by copying it to a new data medium.

Process Data

The data saved in the system, such as trends, measured values or alarms should be backed up on external data media at periodic intervals. This measure can minimize data loss if problems occur.

Labeling Data Backups

According to the GAMP 4 Guide for Validation of Automated Systems, data backups should be documented either on the label of the backup itself or in a separate report containing the following information:

- System designations
- Software / data designation
- Version and/or software/firmware build number, if available
- Date of creation
- Date of first usage
- Current number
- Date of the data backup
- Reason for the data backup
- Identity of the operator

Retention of Data Backups

The same guidelines apply as in the section with the same name in Chapter "Application Software". Since process data, in contrast to software, is not normally stored in "overlapping" versions, suitable measures must be taken to ensure data integrity.

Retrieving Data Backups

Archived data must be retrievable at all times. Following system updates, care must be taken that the data transferred to archive prior to the update remains compatible.

2.11 Use of Third-Party Components

When using predefined third-party components (hardware and software), a supplier audit should always be performed and the supplier's quality management system verified. The compatibility of the hardware components must be confirmed. Even when using standard hardware and software components of other manufacturers, compatibility must be confirmed.

Note: For auditing a product supplier, the NAMUR Recommendation 72 contains a considerable amount of information. Approaches to auditing a service provider or solution provider can also be found, for example, in the GAMP 4 Guide, Annex M2.


3 Specification

This section focuses on the criteria for selecting hardware and software. The activities involved in selecting products, product variants and system constellations take place in the specification phase of an automated system. This is illustrated in the lifecycle model shown below by the marking in the area on the left.

3.1 Criteria for Selecting Hardware

Using hardware components from the PCS 7 catalog guarantees the long-term availability of hardware and spare parts. Particularly during the design of PC-based systems such as ES, OS single stations and OS or BATCH servers, attention should be paid to system availability and the protection of data security/integrity, for example by using RAID systems higher than class 1.

Note: Only released hardware from the current PCS 7 catalog must be used because this has been tested by Siemens.

If PCs are distributed in switching cabinets, make sure that suitable hardware components, such as operator channel extensions, are used.

Among the automation systems (AS), a distinction is made between standard, fault-tolerant and fail-safe systems.

Standard automation systems (AS) consist of one or more S7-4xx CPUs.

Fault-tolerant automation systems (AS) consist of at least two redundant subsystems synchronized over fiber-optic cable. Active redundancy means that all the redundant controllers are permanently in operation and are also involved in the execution of the control task. The loaded user program is identical on both CPUs and is executed by both CPUs synchronously. If the active CPU fails, the automation system automatically fails over to the redundant CPU (CPU 414-4H, CPU 417-4H). The failover has no effect on the active process that continues uninterrupted.

The function of fail-safe automation systems (AS) in plants with high safety requirements is to detect errors/faults in the process as well as internal errors and to bring the plant to a safe status if an error/fault occurs. To configure fail-safe programs, the S7 F System engineering tool is required. This provides the programmer with blocks approved by the TÜV (technical inspection agency in Germany) that handle fault detection and the reaction if a fault occurs. Fail-safe automation systems (AS) must be accepted by the TÜV or similar agency following commissioning.
To achieve this, S7 F Systems provides a reference sum of the fail-safe program section that detects any change in the program. This sum is recorded during acceptance by the TÜV and allows the detection of changes in the fail-safe program.

3.2 Criteria for Selecting Software

The aim of this chapter is to simplify the selection of standard PCS 7 V6.1 hardware and software that meets the requirements described in Chapter 2 "Requirements for Automated Systems in a GMP Environment".

Basic Software for User Management

Access to the SIMATIC PCS 7 system components and to third-party components connected via the API is controlled by SIMATIC Logon, a user management system based on Windows mechanisms. SIMATIC Logon meets the requirements of 21 CFR Part 11 regarding access control and completes these requirements with the additional tools described below.

SIMATIC Logon Service

With the SIMATIC Logon Service, the logged-on user can display the SIMATIC Logon Service dialog. The logoff, user change, and password change functions are then available. The SIMATIC Logon Service is required on all operator stations.

SIMATIC Logon Admin Tool

The SIMATIC Logon Admin Tool allows assignment of roles from the SIMATIC PCS 7 applications to the Windows user groups. It is also possible to edit Windows users and user groups.

SIMATIC Electronic Signature

With SIMATIC Electronic Signature, it is possible to enable operations by suitably assigned Windows users or user groups. SIMATIC Electronic Signature must be installed on all computers and is supported by SIMATIC BATCH.

Additional Software - Image & Partition Creator

The optional additional software "SIMATIC PC/PG Image & Partition Creator" allows creation of data backups of hard disk contents. Fast recovery of the system is then possible with these system and application software backups. Backed-up hard disk contents can also be transferred to identically configured devices. This simplifies replacement of computers or expansion of systems.
Apart from creating hard disk images, the Image & Partition Creator can also be used to create, modify, and delete hard disk partitions.

Basic Software for the Engineering System

The SIMATIC PCS 7 engineering software includes the basic functions for engineering with PCS 7. Some of the most important functionalities are described below.

Process Control Libraries

The process control libraries contain predefined and tested objects (blocks, faceplates, and symbols). When using these libraries, project engineering is generally restricted to the configuration of the corresponding objects. One major advantage of using preassembled objects in the project engineering of automated systems in the pharmaceutical industry is the lower-level software categorization (see Section 4.2 "Software Categorization of SIMATIC PCS 7") of the blocks according to the GAMP 4 Guide for Validation of Automated Systems. Rating software as belonging to higher software categories means greater validation effort.

Multiproject Engineering

Multiproject engineering allows a project to be divided into several projects so that it can be worked on by more than one person. The multiproject is created in the SIMATIC Manager. New projects can be added to the multiproject and other projects removed from it.

Additional Software - Engineering System

Version Cross Checker

The Version Cross Checker (VXC) is an additional, standard software component. The Version Cross Checker is used to compare versions of two AS programs with each other. Differences in parameters, interconnections, and blocks are reported and displayed.

Case 1: The Version Cross Checker can, for example, be used to verify the correct implementation of a change within the framework of the change control procedure. Comparing the software version with the current program version on the CPU of the automation system prior to the change indicates changes in the system that must match the change specification.

Case 2: A further application of the Version Cross Checker is to verify that the archived software version matches the current program version on the CPU of the automation system.
A comparison of the current software backup and the automation system must not reveal any discrepancies between the software backup and the CPU of the automation system unless there is a change request.

Import/Export Assistant

The Import/Export Assistant (see Section 4.10 "Import/Export Assistant (IEA)") is a tool for configuring systems that include plant sections that exist several times within the plant. Process variable lists or CAD charts already created in the planning phase are imported into the engineering system during configuration. These are evaluated and used for the largely automatic creation of CFC charts for process variables. Apart from importing process variable lists or CAD charts, complete models consisting of CFC and SFC charts can be imported. During import, replicas of the models are generated and then supplied with specific data.

Controller Tuning with the PCS 7 PID Tuner

The PCS 7 PID Tuner optimization tool is an additional software component. The function integrated in the CFC editor is used to optimize controlled systems with the CTRL_PID and CTRL_S software controllers. Based on the acquired controller parameters, the response of the controllers can be tested by setting step changes. Control parameters can be saved and called up again when necessary.

Simulation with S7-PLCSIM

The S7-PLCSIM simulation tool is a software component that must be installed separately. User programs can be tested on a PG/PC using S7-PLCSIM. A SIMATIC S7-CPU on a PG/PC is simulated with the aid of the software package. The configured application software can then be tested without the use of AS hardware (CPU and / or signal modules). You can test configured S7 user programs without needing to download to an automation system. S7-PLCSIM is simply a simulation tool for the S7 user programs. Hardware components such as communication processors cannot be simulated.

Basic Software - Operator Station

Systems for control and monitoring of automation systems (AS) are implemented either as single or multiple workstation systems. From a single workstation system, the entire operation and monitoring of an automation system can be performed on one PC. A multiple workstation system (client / server architecture) is made up of operator stations (OS clients) and one or more OS servers that supply the OS clients with data. By setting up systems redundantly, availability can be increased compared with single workstation systems.

Apart from selecting the single workstation system, OS client, or OS server, the number of variables managed by the operator station also plays a role in the selection of OS software. To make the selection easier, the OS software is offered based on the number of process objects (PO). Process objects are objects such as valves, motors, controllers etc. displayed on the operator stations. To visualize these objects, a number of variables must be managed on the operator stations. The number of managed variables per process object differs but is taken as an average of 32 variables for one process object. License keys for operator stations are available in different sizes and depending on the size of the project.

Note: The size of the variable archive of the operator stations can be increased later using suitable power packs.

OS Archiving

OS archiving (short-term archives) uses a high-performance archive system based on Microsoft SQL server technology. The licensing of the archive system is scalable. Process values, messages, OS reports and batch data can be stored in long-term archives (see Section Additional Software for Long-term Archiving).

Additional Software for an Operator Station

SFC Visualization

An SFC (Sequential Function Chart) is used for sequential control (also known as a sequencer) of processes. SFCs consist of a sequence of steps separated by the relevant step enabling conditions (known as transitions). Using SFC Visualization, the configured SFC charts can be displayed on the operator station and operator control can be enabled. With SFC Visualization, processes can be displayed more clearly. No extra effort is required to configure SFC Visualization.

Basic Software - SIMATIC BATCH

The SIMATIC BATCH software is integrated in SIMATIC PCS 7. It can be operated as a single workstation system or as a client-server configuration and can be used in plants of different sizes thanks to its modular architecture and scalability. BATCH servers can also be structured redundantly.

The basic software for all SIMATIC BATCH system configurations is the basic package with 150 Batch POs (instances of units and equipment modules), one BatchCC (Batch Control Center) and one recipe system (recipe editor). This meets all the requirements for implementing a small SIMATIC BATCH project on the hardware of a single station or a client-server configuration consisting of one BATCH client and one BATCH server.

Options for SIMATIC BATCH

To extend the client-server configuration with further BATCH clients, a suitable number of the BatchCC and Recipe System optional packages are necessary. With the aid of optional packages, single stations, BATCH clients and BATCH servers can be functionally expanded. The following table shows an overview of the various optional packages for single stations, BATCH servers, and BATCH clients:

[Table: optional packages Batch Planning, ROP Library, Hierarchical Recipe, Separation Procedures/Formulas and SIMATIC BATCH API, marked against the columns Single Station, BATCH server and BATCH Client]

SIMATIC BATCH works with the operator station and communicates with the automation systems (AS) over the operator station. In small process cells, SIMATIC BATCH can be installed along with the OS software on a single station.

ROP Library

The management of recipe operations (ROP) can be created using a ROP library. Library recipe operations can be installed as references (software modules) in recipe procedures. This guarantees that changes are made centrally and reduces the effort for engineering and validation. Modified recipe operations are passed on to all instances. By resolving the references, the recipe operation becomes a fixed part of the recipe procedure and is therefore independent of further central changes.

Hierarchical Recipe Structure

In complex recipes/plant structures, a hierarchical recipe structure improves clarity since the recipe consists of recipe unit procedures that are processed and displayed at the same time. The sequence of the unit recipes is coordinated by synchronization lines (see SIMATIC BATCH manual).

- Recipe procedure for controlling the process or production of a process cell
- Recipe unit procedure for controlling a process stage in a unit
- Recipe operation/recipe phase for achieving the process engineering task/function in an equipment module

Separation of Procedures and Formulas

The option of separating the procedure and formula adds a further degree of flexibility. Several sets of parameters (formulas) can be linked together with a single recipe procedure to form a master recipe. Procedural modifications can be made centrally in the recipe procedure representing a considerable saving in terms of configuration and validation. The structure of the formula is defined by the formula category defined by the user.

Parameter | Formula 1 | Formula 2 | Formula 3
Quantity | 1000 kg | 500 kg | 900 kg
Temperature | 90 °C | 80 °C | 95 °C
Time | 10 min | 15 min | 12 min
Salt | Yes | Yes | No
Pepper | No | No | Yes
Sugar | 100 g | 150 g | 50 g
Master recipe | #1 | #2 | #3

SIMATIC BATCH API

The application programming interface SIMATIC BATCH API is an open interface for customer-specific expansions. The SIMATIC BATCH API provides the user with access to data and functions of SIMATIC BATCH and allows the programming of special industry segment-specific or project-specific applications.

Interfaces to Process Data with OS Software Connectivity Pack

PCS 7 allows access to the following process data via OPC:

- Alarms and events (messages)
- Process value archive (trends)
- Process variables (states)

PCS 7 ensures that access to alarms and events and process archives is read-only.

Connectivity Pack

The Connectivity Pack allows standardized access by computer systems at the process level to computer systems at the factory and enterprise level with OPC. Since the PCS 7 operator system is OPC-compliant, operator stations as OPC servers can serve as the data source for other applications. The Connectivity Packs provide further interfaces for access to archive data and messages of the operator system.

OPC Direct Access (OPC DA)

OPC is the name of a vendor-independent software interface based on Windows technology. The OPC standard was defined by the OPC Foundation. Further information on the OPC Foundation can be found on the Internet at "

Process variables can be read or written using OPC DA (Direct Access). OPC DA is used, for example, in status queries, parameter exchange, or handshakes.

OPC Historical Data Access server (OPC HDA)

With the OPC HDA server, the PCS 7 server provides other applications with historical data from the PCS 7 process value archive system (Tag Logging). The OPC client, for example a reporting tool or higher-level MES system, can request specific data from the historical process value archives by specifying the start and end of a time period.

OPC Alarm & Events server (OPC A&E)

With the OPC A&E server, the PCS 7 operator station makes historical data from the PCS 7 message archive system along with all associated process values available to other applications (Alarm Logging). The OPC client, for example a reporting tool or higher-level MES system, can request specific data from the PCS 7 message archive system by specifying the start and end of a time period.

Note: The basics of operation and working with the Connectivity Pack are described in Section 4.25 "Data Exchange with the Plant Management Level".

Additional Software for Long-term Archiving

Central Archive Server (CAS)

The central archive server (see also Section "Long-term Archiving with the Central Archive Server (CAS)") is used for long-term archiving of process values, messages, batch data and reports from up to 11 servers. The archives managed with CAS (process values, messages, BATCH batch data) can be cataloged and transferred to an external medium. Process data can be accepted at a maximum rate of 1,000 per second per server; from more than one server the overall rate is a maximum of 10,000 per second.

StoragePlus

StoragePlus (see also Section ) is used for long-term archiving of process values, messages, BATCH batch data and reports from up to four servers. The archives managed with StoragePlus (process values, messages, BATCH batch data) can be cataloged and transferred to an external medium. Process data can be accepted at a maximum rate of 1,000 per second per server; from more than one server the overall rate is a maximum of 1,600 per second.

SIMATIC IT Historian

SIMATIC IT Historian belongs to the MES family. It allows long-term archiving and evaluation and provides the basis for preparing customer-specific reports, data analysis, trend analysis, tracking, and tracing etc. (see Section "Basic Software of Higher-level Systems" and Section "Long-term Archiving with SIMATIC IT Historian").

Integration of SIMATIC IT Historian in PCS 7 or SIMATIC BATCH represents no problem. Both real-time and long-term data can be managed directly by the PCS 7 OS servers and archives. Real-time data can be acquired with PCS 7 tag browsers and long-term data over an interface with WinCC tag archives. By using the process cell information of SIMATIC BATCH, the integration of SIMATIC BATCH is also possible. SIMATIC IT Historian saves all procedural elements and parameters for each executed batch and therefore ensures electronic batch recording (EBR).

SIMATIC IT Historian allows reports to be created using the SIMATIC IT Report Manager. This provides predefined reports that can be used as templates and adapted to the project-specific requirements.

Basic Software of Higher-level Systems

SIMATIC IT

With its numerous components, SIMATIC IT forms an MES (Manufacturing Execution System) complying with the ISA 95 standard. SIMATIC IT is used to optimize the interaction of planning, development, and procurement within the framework of manufacturing and business processes. The main elements of SIMATIC IT are:

- SIMATIC IT Framework (Plant Modeling)
- SIMATIC IT Components (Specific Functionality)

SIMATIC IT Framework connects the automation level to the operational management and production control levels, as well as to the company management and planning levels. SIMATIC IT Framework is the cross-industry integration and coordination platform for operating processes, data, and functions. It also includes options for plant and production modeling in addition to the basic functions for internal sequences, user administration etc. SIMATIC IT Framework is capable of integrating SIMATIC IT Components as well as vendor-independent IT products.

Examples of SIMATIC IT Components include:

- Production Suite (basic MES functions such as material management, production order management etc.)
- SIMATIC IT Historian (plant performance analysis and long-term archiving)
- SIMATIC IT Unilab (LIMS - laboratory information management system)
- SIMATIC IT Interspec (product specification management system)

3.3 User Requirements Specification

The user requirements specification (URS) describes the requirements that a system should meet. Writing the User Requirements Specification is the responsibility of the user. The user requirements specification is the basis for the creation of a functional specification and should therefore not contain any design solutions.

The User Requirements Specification should include the following points:

Introduction
- Purpose of the user requirements specification
- Author
- References

Overview
- Description of the process / system
- Aim of the project
- Regulations to be used

Requirements
- System functions
- Interfaces
- Detailed process description

Note: For more information on the requirements, refer to GAMP 4, Annex D

3.4 Functional Specification

The Functional Specification describes the implementation and the functions of the system set out in the user requirements specification. Requirements contained in the User Requirements Specification that will not be implemented must be listed in the Functional Specification. The Functional Specification is normally created by the supplier.

The Functional Specification should include the following points:

Introduction
- Purpose of the functional specification
- Author
- References

Overview
- Aims and uses of the system
- System interfaces
- Deviations from the user requirements specification (including differences in functions)

Functions
- Information on the performance of the system
- Access protection
- Response to failures
- Startup behavior after failure
- Disaster recovery
- xxxx

Data
- Definition of data / critical parameters
- Data access protection
- Data archiving

Interfaces
- Interfaces to other systems
- Interfaces to equipment, such as sensors and plant equipment
- User interfaces

Service
- Availability
- Maintenance

Note: For more information on the requirements, refer to GAMP 4, Annex D2.

3.5 Design Specification

Specification of Automation Hardware

The Design Specification of the hardware used serves as the basis for successful automation in a GMP environment. The hardware design specification (HDS) describes the architecture and configuration of the hardware. It defines the equipment used ranging from the number of input and output cards to the OS server and OS client to be used. Functions, serial numbers, order numbers, destination location etc. are documented and can therefore be used as a test basis for IQ and OQ. Since the hardware is normally used in conjunction with other components, hardware overview plans of the plant to be installed are an advantage. The HDS can be formulated in the function specification or in a separate document.

The HDS should contain the following points:

Introduction
- Purpose of the HDS
- Author
- References

Overview
- Overview / configuration of the hardware system

Specification
- Specification of the hardware used
- Specification of the inputs and outputs
- Specification of the operating environment
- Specification of the supply systems
- Specification of the grounding concept
- Specification of lightning protection measures

The description of the hardware required for automation serves as the basic information. The implementation can be made in HW Config (the hardware configuration of SIMATIC PCS 7). In HW Config, amounts, order numbers, address areas, physical connections etc. must be configured exactly. The hardware used must match the switching cabinet documentation.

Note: The information in the hardware overview plan and the naming of hardware components must be unequivocal. The name of each hardware component must only exist once in the automation system.

Specification of Field Devices

The description of field devices must include at least the following:

- Manufacturer
- Order number
- Function of the field device
- Destination location
- Tag name
- Type of connection electrical / bus type
- Physical connector type
- Address number
- Unit of measure
- Measuring range

Specification of the Network Structure

The description of the network structure is used as a basis; it is implemented in SIMATIC NetPro, where the network structures are mapped. The minimum information that must be available is the station name, communications module, frame etc.

Specification of the PC Hardware Used

A description of the hardware and software of each PC used in the process control system must be created. The description of this PC hardware can, for example, take the form of a PC pass. All hardware and software components along with the necessary licenses are listed here. Configuration settings such as the TCP/IP address, maximum monitor resolution etc. may also be listed.

Specification of Automation Software

The Design Specification of the software used serves as the basis for successful automation in a GMP environment. It describes all the software components used for configuration, for example with their version numbers, order numbers etc. The description serves as a template for tests (FAT, SAT) for IQ and OQ.

The standard software includes the following:

- Operating system. The following are recommended for new systems (you will find the current recommendations in the relevant PCS 7 documentation):
  - Windows XP Professional
  - Windows Server 2003
- The components of the PCS 7 Toolset DVD
- SIMATIC PCS 7 Bundles (standard basic packages, for example, for OS server, OS client, CAS, engineering system, BATCH server, BATCH client, SIMATIC IT server etc.)
- Standard libraries (part of the engineering system)
- SIMATIC optional packages (SIMATIC BATCH, SIMATIC PDM, SIMATIC Logon, SFC Visualization etc.). Separate license keys are necessary to use some of the optional packages (if they are not included in the bundle)

The software design specification (SDS) or software module design specification (SMDS) should cover the following aspects:

Introduction
- Purpose of the software design specification
- Author
- References

Overview
- Listing and purpose of the software modules
- Description of the software modules
- Interfaces

Specification
- Definition of data / data types
- Detailed description of the software modules
- Description of the subprograms

Note: The engineering software SIMATIC PCS 7 includes import/export functions with which I/Os, parameters, CFC charts etc. can be adopted simply and without errors. In the design phase, software tools (for example MS Office, EXCEL) can be used to describe the plant to be automated.

Software Design Specification

The Software Design Specification describes the architecture and configuration of the software. The Software Design Specification must describe at least the following:

- Name of the application software
- Plant hierarchy (process cell, unit, equipment module, single control element etc.)
- Communication with other nodes (third-party controllers, MES systems etc.)
- The relationships between modes (MAN/AUTOMATIC changeovers, interlocks, start, running, held, aborting, completed etc.)
- Tag names
- Visualization structure (P&I representation)
- Operator input philosophy (access control, group permissions, user rights)
- Archiving concepts (short- and long-term archives)
- Message concepts
- Trends, curves
- Description of the software structure (continuous / discontinuous process)
- Time synchronization
- Reporting

Description of the Software Structure

The process engineering requirements of the plant are the basis for the software structure. When discussing software structure, a distinction is made between the following:

- Continuous processes such as the manufacture and distribution of water for injection in medicine
- Discontinuous processes such as the manufacture of batch products

Detailed functional sequences must be defined in the software structure. These include:

- Control module level (valves, pumps, motors, closed-loop controls etc.)
- Equipment phases as the modular sequence of single control elements (SFCs)
- Recipe hierarchy

Note: There are standards governing the description of software structures such as ANSI/ISA (1995) Batch Control, Part 1: Models and Terminology. SIMATIC PCS 7 uses the model of the ANSI/ISA standard as the basis for configuration of batch control. Refer to Configuration, Section ISA Software Model SIMATIC PCS


4 Guidelines for Implementation in a GMP Environment with Standard SIMATIC PCS 7 Software

4.1 Introduction

Chapter 4 "Guidelines for Implementation in a GMP Environment with Standard SIMATIC PCS 7 Software" explains configuration in a GMP environment based on examples. The graphic below shows the life cycle model. The focus of this section is indicated by the marking in the lower area.

4.2 Software Categorization of SIMATIC PCS 7

According to the GAMP 4 Guide for Validation of Automated Systems, the software components of a system can be assigned to five software categories. Below you will find examples illustrating how this categorization relates to SIMATIC PCS 7.

Category 1: Permitted operating systems Windows XP Professional, Windows Server 2003, (Windows 2000 Professional, Windows 2000 Server)

Category 2: Firmware, for example in the CPU, modules etc.

Category 3: PCS 7 software / PCS 7 library (the PCS 7 libraries are part of the PCS 7 software (PCS 7 Toolset DVD))

Category 4: User software on the basis of the standard PCS 7 software/library

Category 5: Freely programmed user software

[Figure: software categories]

Category 1: Operating system, such as
- Windows
- Windows XP
- Windows 2003

Category 2: Firmware
- Firmware located in the CPU
- Firmware located in communication processors

Category 3: SIMATIC PCS 7 standard software / standard libraries
- SIMATIC Manager, CFC/SFC editor, etc.
- PCS 7 Library, faceplates, etc.

Category 4: SIMATIC PCS 7 configuration
- Creation of the application software on the basis of the standard libraries with PCS 7 editors

Category 5: SIMATIC PCS 7 free programming
- Project-specific blocks, functions, applications, etc.

4.3 Software Installation

PCS 7 PC stations can be single station systems or part of client-server configurations. When a SIMATIC PCS 7 bundle is supplied, the customer receives a PC with fully installed software for a PCS 7 PC station suitable for the particular application (operating system, SIMATIC PCS 7 software, service packages). All the components of a bundle have been tested. If a SIMATIC PCS 7 PC comprising components that have not been released is used (they are not included in the current SIMATIC PCS 7 catalog), the user bears the responsibility and will not receive free support if compatibility problems are encountered.

Operating System

All the information relating to operating system installation can be found in the current function manual "PCS 7 PC Configuration and Authorization". The readme file on the SIMATIC PCS 7 Toolset DVD also contains information on the hardware and software requirements. The following table shows an overview of the operating systems to be installed for SIMATIC PCS 7 PCs.

PCS 7 PC stations | Microsoft Installation
Engineering station | Windows XP Professional, Windows Server 2003, (Windows 2000 Server), (Windows 2000 Professional)
Operator system - single station system | Windows XP Professional, Windows Server 2003, (Windows 2000 Server), (Windows 2000 Professional)
Operator system - terminal (client) | Windows 2000 Professional, Windows XP Professional
Operator system - server | Windows Server 2003, (Windows 2000 Server)
SIMATIC BATCH - server | Windows Server 2003, (Windows 2000 Server)
Central archive server, Web server | Windows Server 2003

Note: The mixed use of operating systems within a plant is permitted only as of version SIMATIC PCS 7 V6.1 SP1. The mixed use of operating systems within a redundant server pair is not permitted.

Note: You will find additional information relating to hardware and software requirements of SIMATIC PCS 7 on the PCS 7 Tool Set DVD in the "pcs7-readme.wri" file.

Note: When using domain servers, remember that following the installation of the operating system, the domain clients are set up according to the specified requirements (URS, FS, DS).

4.3.2 SIMATIC PCS 7 Software

To install SIMATIC PCS 7, follow the on-screen setup instructions.

SIMATIC PCS 7 Engineering System

To install the engineering system, select the "PCS 7 Engineering" check box in system setup in the "PCS 7 Setup: Packages" dialog box. The screenshot below shows the setting to be made to install "PCS 7 Engineering". The installation program is started within the SIMATIC PCS 7 system setup. The user has the option of making a package installation or a customized installation.

PCS 7 Single Station, Process Device Manager, BATCH Engineering and BATCH Single Station

Installing the following components is analogous to the installation of a SIMATIC PCS 7 engineering system:

- PCS 7 Single Station (OS, BATCH, Route Control)
- Process Device Manager, Engineering (BATCH, Route Control)

The system components you want to install must be selected in the "Setup" dialog box, in the section "Program Packages".

SIMATIC PCS 7 Operator System Server

The system setup of SIMATIC PCS 7 must be started for the installation.

OS Server

To install an OS server (applies also when using a redundant server pair), select the "OS Server" check box in the "PCS 7 Setup: Packages" dialog box. The screenshot below shows the setting to be made to install the OS server software.

OS Single Station, OS Client, BATCH Single Station, BATCH Client and BATCH Server

The procedure for installing an OS single station, OS client, BATCH single station, BATCH client, and BATCH server is analogous to the procedure described above.

Note: Optional packages such as SIMATIC Logon Service, Electronic Signature etc. must be installed in a user-defined installation.

4.4 Installation of Utilities and Drivers

Printer Drivers

It is advisable to use the printer drivers integrated in the operating system and therefore released for use. If external drivers are used, there can be no guarantee that the system will operate trouble-free.

Virus Scanners

The use of virus scanners in process mode (runtime) is permitted. For more information on configuration and selecting virus scanners, refer to the PCS 7 readme files.

4.5 Multiproject Engineering

When creating the project, care must be taken that the project name of the application software matches the project name specified in the Software Design Specification (see also GAMP 4). The "New Project" SIMATIC PCS 7 Wizard supports you when you create projects.

In many projects, functions are used such as valve, motor, analog value, and sequencer functions that will be required several or even many times within the project. According to GAMP 4, these functions should be pretested in a software module test and the results documented. Following this, instances of such functions can be created. To allow software module instances to be created, SIMATIC PCS 7 offers the option of duplicating process tag types and models according to a defined software procedure. Instances can, however, only be created in conjunction with a multiproject with a master data library. This means that it is absolutely necessary to work in the multiproject mode.

Master Data Libraries

Generating a master data library is important because this provides a defined version of software modules and models that can be copied by everyone involved in the project. For more detailed information, refer to Section 2.3 Configuration Management.

A multiproject is a structure encompassing the individual segments of an automation solution. In a multiproject, it is possible to work over a common network or to check out individual segments and work locally.

4.5.2 Views

When configuring with SIMATIC PCS 7, the configuration engineer has three views available:

- Component view
- Plant view
- Process object view

Component View

The hardware of the control system made up of the following individual components is configured in the component view:

- OS server
- ES
- I/O modules
- CPU
- Bus systems

The following screenshot illustrates the structure of the component view.

Plant View

Here, the plant is configured hierarchically according to process engineering aspects, for example in the hierarchy:

- Plant (process cell)
- Unit
- Function (phase)

The plant view is used to store flow charts and to structure individual functions and CFC and SFC charts. The assignment of Batch objects is also made in this view. The following screenshot illustrates the structure of the plant view.

Process Object View

The process object view is used for detailed editing of process variables, CFCs and SFCs. It is the central development environment for the following:

- Parameters
- Signals
- Messages
- Picture objects
- Configuration and release of archive tags
- Reading back in-out and input parameters, for example of valves, closed-loop controllers, analog values etc.
- Configuring MIS/MES-relevant parameters

Filter functions can be used here for the parameter assignment or the assignment of comments. The following screenshot illustrates the structure of the process object view.

Overview of the Areas of Application of the Process Object View

4.6 SIMATIC NET Settings

The SIMATIC NET network addresses and the settings for the AS, OS, distributed I/O etc. described in the Functional Specification must be used. SIMATIC NET reflects the gateways used in the project. The gateways are configured using the "Advanced PC Configuration" tool. With Windows, all the automation systems (AS) and operator stations can be configured on a central engineering station and the configuration files can be downloaded. You will find more detailed information in the SIMATIC NET documentation.

The following screenshot illustrates the basic structure of a project in NetPro.

4.6.1 Setting up the OS, OS Client, OPC Server, and SIMATIC BATCH

Each SIMATIC PCS 7 OS, each SIMATIC PCS 7 OS client, each OPC server and each SIMATIC BATCH server is managed and configured as a SIMATIC PC station in the SIMATIC Manager. After they have been inserted and configured in the SIMATIC Manager, these PC stations are handled in the same way as automation systems (AS). In SIMATIC NET, S7 connections must be configured to guarantee the data exchange between the individual stations.

Automation System (AS)

Each SIMATIC PCS 7 AS is configured and managed in the SIMATIC Manager. Data is exchanged between the individual AS systems over configured, logical S7 connections. Fault-tolerant connections are also possible. The user programs communicate with each other over standard function blocks (SEND and RECEIVE).

Engineering Station (ES)

To allow central OS test operation with the AS data from the engineering station, an S7 connection or a fault-tolerant S7 connection must be configured between each automation system (AS) and the ES system.

Industrial Ethernet

Industrial Ethernet is used as the system bus. The Industrial Ethernet network uses the access method CSMA/CD (Carrier sense multiple access with collision detection) standardized in IEEE

Industrial Ethernet provides a wide range of network components for electrical and optical data transmission. In SIMATIC PCS 7, a distinction is made between the plant bus and the terminal bus. To guarantee a high degree of security and performance, the separate installation of both buses is recommended.

Industrial Ethernet Plant Bus

The automation systems (AS) are connected with the OS servers and the engineering station over the plant bus. The ISO protocol is usually used as the transport protocol for route control servers and maintenance servers.

Industrial Ethernet Terminal Bus

The PCS 7 servers with the clients, archive servers and higher-level MES systems are connected over the terminal bus. The TCP/IP protocol is normally used as the protocol.

4.6.5 PROFIBUS

To connect the distributed I/O, a communication network with PROFIBUS should be used. Access is implemented with the Token Bus and master slave mechanisms according to EN

For more detailed information, refer to the SIMATIC NET PROFIBUS Networks manual.

Note: All existing configured and programmed automation and operator systems are stored in a common project in the SIMATIC Manager on the engineering system. A backup of the engineering project therefore contains the entire user software. From the perspective of validation, the advantage of this is that verification within the framework of the IQ/OQ is restricted to a central backup.

4.7 Configuration Management

SIMATIC PCS 7 distinguishes between the system software SIMATIC PCS 7 and the application software. The software version provides information on the current version of the system and application software. Change control provides information on changes made to the application software (who changed what, when, where). The version of the standard software cannot be influenced by the user.

Configuration of the application software would be extremely difficult to trace back without version or change management. Right from the start of software creation, professional configuration management should therefore be used. The configuration management should be described in an SOP. All the persons involved in the project must be trained to use the SOP so that there is a common basis for creating software.

Note
The following sections contain an example of software versioning and change control. The procedure for changes made to a plant/process cell during operation must always be agreed with the plant user.

4.7.1 Changes to the System Software

Updates, Service Packs, and Hotfixes

A PCS 7 update is an update within a PCS 7 version, for example, incrementing from version 6.0 to 6.1. A service pack is a bug fix that includes several hot fixes. A hotfix fixes bugs temporarily. Hotfixes are prepared only in special situations. The validation effort relating to the changes is specified within the framework of a risk assessment.

Upgrades (Migration)

When a version is incremented, for example, from version 5.x to 6.x, this is achieved by migration. In this situation, only the software released by Siemens must be used. When migrating, follow the installation instructions from Siemens (for example the migration guidelines for PCS 7).

Existing projects implemented with SIMATIC PCS 7 V6.x can be migrated to version V6.1 without any configuration effort as long as no new functions are used. Apart from full migration to PCS 7, mixed configurations, for example automation systems (AS) with version V5.x and operator stations (OS) or engineering stations (ES) with a higher version are possible. Migrating operator stations (OS) is also possible online with redundant OS servers. It is not necessary to stop the automation system.

The validation effort must be specified in a risk assessment in consultation with the system user. Possible test points are the new functions available in PCS 7 and the correct installation of the software components required for migration.

Note
Further information on migration to PCS 7 can be found in the manual "SIMATIC Process Control System PCS 7 Software Update V6.0 to V6.1 with Utilization of the New Functions".

How to Update System Software

When updating PCS 7 system software (and/or system hardware), certain measures are necessary to retain the validated status of the plant:

- The basis of a change is always the change request of the user
- Description of malfunctions or restrictions
- Description of the new functions
- Information on compatibility with the previous version
- Updating of the technical documentation
- Installation according to manufacturer's instructions
  It is advisable to perform a risk assessment prior to the update to specify the main test points for the qualification.
- Qualification

4.7.2 Versioning the User Software

Initial Creation of the User Software

During software creation, make sure that the author is entered in the "Author" field and the configuration management (version, function, date etc.) is entered in the "Comment" field. This applies to the following components:

- Hardware Config
- SIMATIC NET
- CFC and SFC charts
- STL, SCL

Additional text fields for a more precise description of functions should also be included. The version number must be assigned in the object properties of the CFC/SFC chart.

Note
The author and comment fields can be written using the IEA File Editor.

The following screenshot shows the dialog box of the "Plant View"; entries have been made in the Author and Comment fields.

The following screenshot shows the dialog box of a CFC chart with a text box.

Initial Creation of the OS

During software creation, care must be taken that all the graphics, reports, C scripts, VB scripts created by the user have the entries for author, date, comment, and version ID in Tag Logging. You must also make sure that all the configuration settings are described in the configuration management so that a reference is possible for validation/qualification.

In OS runtime mode, it is possible to make changes to parameters such as valve monitoring times, controller constants etc.

The following table describes step 2 of the flow chart (see previous page) in detail.

No. | Action | Remarks
1 | Check the current user program by activating the test mode | Activating the test mode checks whether the current backup matches the version of the automation system.
2 | Comparison with Version Cross Checker | To use this function, the current parameters must be uploaded. The online DBs are written back to the offline ES project. The Version Cross Checker is then used to compare the current backups with ES project.

Versioning Project Data with "SIMATIC PCS 7 Version Trail"

Will follow in the next version of this document.

4.7.3 Changing the User Software

When application software is changed, this must be versioned and described. With the Version Cross Checker (VXC), PCS 7 provides the ability to compare changes made in CFC and SFC charts in different versions of a user program.

Operational Changes

The following flowchart describes an example of the procedure for implementing a change while the plant is in operation. The stipulations of the user must be taken into account.

1. Initiation and approval of the change specification by the plant operator
2. Check of the current software with the Version Cross Checker and online comparison
3. Description of the software change (e.g. FS)
4. Implementation of the software change including documentation, based on the current version
5. Test of the change including documentation (e.g. FAT)
6. Backup of the user software
7. Loading of the backed-up user software into the automation system
8. Test of the change including documentation (e.g. SAT)
9. Check of the backed-up software against the loaded software with the Version Cross Checker and online comparison

4.8 Creating Software Modules

General

The use of software modules is common in process control engineering. They are used in the form of function blocks or complex sequencers that can be copied and duplicated within the projects. In SIMATIC PCS 7, a distinction is made between process tag types, models and SFC types, for example:

Type | Consists of | Examples
Process tag type | A CFC chart | Valves, Pumps, Motors
Model | Several CFC and/or SFC charts | PID temperature control of a tank; Level monitoring including safety shutdown to prevent overflow of a tank
SFC type | SFC instance / representation of a CFC block as interface to SIMATIC BATCH to operate equipment phases / equipment operations | Heating, Stirring, Draining

The mode of operation of the modules must be described in a specification in which the parameter assignments (MES-relevant, archiving, block comment, unit of measure etc.) and interconnections are defined. For more detailed information, refer to Chapter "Use of Typicals for Programming". Before instances of the blocks are created, they must be put through a module test.

Process Tag Type/Model

With SIMATIC PCS 7, process tag types/models can be created consisting of one or more CFC and/or SFC charts for subcomponents of the same type. Creating process tag types or models for similar parts of the plant saves engineering effort. After testing a process tag type or a model, these can be duplicated quickly as often as required in the multiproject in the form of replicas (instances). For each replica, the plant hierarchy, CFC name, messages, I/Os for parameters or signals as well as the general, parameter, signal, and message properties of the module can be adapted.

It is also possible to assign a picture icon to each instance, which can then be copied automatically along with its tag interfacing into the flow chart defined in the SIMATIC Manager by deriving it from the screen hierarchy. This saves work and ensures that the icon is connected to the correct instance. Models can contain pictures and reports.

Note
The color coding of the graphics modules and the representation of the faceplates (for example for valves, motors, closed-loop controllers, etc.) must be defined in the specification in consultation with the user. Faceplates that differ from the standard should be edited in the Faceplate Designer editor as a copy of the standard or as a newly created faceplate. These faceplates should be tested as a process tag type/typical along with the corresponding software module and approved by the customer before they are instantiated and used in large numbers.

SFC Type

With SIMATIC PCS 7, types of sequential control systems can be created using the type/instance concept of SIMATIC PCS 7. In SFC, there is not only the object type "SFC chart" but also "SFC type". The SFC type allows the definition of sequential control systems including an interface in the form of a CFC block. The sequence logic of the SFC type is based solely on the interface I/Os of the SFC type; in other words, in contrast to an SFC chart, an SFC type cannot access all process signals. For more detailed information, refer to the manual "SFC for S7 Sequential Function Chart".

Alone, the SFC type cannot execute. An SFC type, just like a function block type, must be placed in a CFC chart before it contains an executable object, in this case an SFC instance. The SFC type and the SFC instances are compiled when the program is compiled. To run an SFC instance, both the SFC type and the SFC instance are downloaded to the automation system.

Seven messages requiring acknowledgment and five messages not requiring acknowledgment can be configured for an SFC type. The SFC type itself requires the remaining available messages (one per message type and 10 notify messages for SIMATIC BATCH).

Note
The naming and functionality of the modules is uniform according to the stipulations in the Functional and the Design Specification.

Note
When using software modules, a document should be created and maintained that lists the modules and identifies their versions for each AS (configuration management).

4.8.2 Example of a Process Tag Type

In the first step, the CFC chart is created as the template for each software module. After the software module test, this CFC chart is released for instantiation and can be used within the framework of the configuration. For a spring-closing valve, the module might appear as follows. The valve to be controlled has an activation signal for the OPEN function and two return messages for the statuses opened and closed and monitoring of the module I/O errors for the statuses of the return messages open/closed.

For the example above, the following blocks from the "PCS 7 Library V61" standard library were used:

- VALVE (FB73)
- CH_DI (FC277)
- CH_DO (FC278)

The parameter assignment and the interconnection of the inputs and outputs must be described in detail in a suitable specification (for example, "Software Module Design Specification") according to the GMP requirements and checked in a test ("Software Module Test" or "Typical Test").

In the second step, the IEA file editor (IEA = Import/Export Assistant) is used to enter the parameters and signal processing in a table for each instance according to the stipulations in the URS, FS or DS.

Note
The interconnections and parameter settings meet the project-specific requirements that must be defined in the URS, FS or DS.

In the third step, the instances are included in the project according to the P&I flow charts taking into account the requirements defined in the URS/FS. The inclusion of type instances should be assigned for the specific instance using the automatic generation of block icons, in other words, each instance-specific module (valve, pump, controller etc.) is assigned a block icon in the flow diagram being implemented via the IEA file. Block icons can only be generated when the picture and the charts for the blocks represented in the picture are configured in the same plant hierarchy folder or in a folder of the same name.

4.9 Setting up Process Value Archives

The configuration of a process value archive involves the following steps:

- Creating the new process value archive and selecting the tags to be stored in the short-term archive.
- Configuring the process archive by specifying or selecting the permission levels for access to the storage location.

In every plant structure, tag-related process values (analog and binary values) are recorded in a database. This is achieved with the process value archive. The process value archive is a short-term archive. The size of the short-term archives is stipulated by the specifications (URS, FS, DS).

How It Works in Principle

Process values and messages are sent from the sensors to the SIMATIC OS server and/or to the BATCH server over the I/O modules and the automation system and stored in the process value and message archive. The process values and messages received at the OS server can be transferred to the archive server for long-term archiving. Batch data and reports can also be passed on to the archive server by the BATCH server.

The graphic above is further explained in the following table.

Order | Device | Signal form | Remarks
1 | Sensor | 1 through 10 V | PT
2 | Transducer | 1 through 10 V -> 4 through 20 mA | Signal conversion
3 | ET 200M | 4 through 20 mA -> digits | Signal conversion
4 | AS | Digits -> -10 °C through 140 °C | Signal conversion
5 | OS server / BATCH server | Archiving in SQL server process value archive / Processing in Batch reports | Short-term archive / Short-term archive
6 | Archive server | Long-term archiving | Long-term archiving on suitable medium

Note
If the connection to the archive server is interrupted, the data is buffered in the short-term archive of the station involved.

The size of the database is decided by the number of process value archives and the process variables they contain. The size of the process value archive depends on the measurement with the fastest acquisition cycle. The cycle acquisition should be uniform within a process value archive. It is therefore advisable to store process tags with the same acquisition cycle in one process value archive (for example 500 ms, 1 s, 10 s, 1 min). A separate process value archive is therefore configured for each acquisition cycle.

Configuration from CFC to the Archive Server

The configuration of process values begins in the CFC chart. When creating the software module, you must specify whether archiving is necessary or not (see graphic). The archiving cycles are specified in the process object view (see graphic). When the OS is compiled, PCS 7 automatically stores the process values in the tag logging archive of the server so that archiving is always guaranteed.

Stipulations

The stipulations for process value archives are made by the plant owner and suppliers in the specifications in the EMSR process tag list or Functional Specification. The following parameters can be defined in the stipulations:

- Classification into quality-relevant and non quality-relevant measurements
- Scaling 4 through 20 mA with a range of values of for example -10 °C through 140 °C
- The type of acquisition (cyclic, cyclic-continuous, on changes, etc.)
- Cycle time
- Frequency of archiving
- Type of value (instantaneous value, mean value, maximum value etc.)

Note
For further information, refer to the SIMATIC PCS 7 product documentation manuals "WinCC". The settings must be agreed with the plant user.

4.10 Import/Export Assistant (IEA)

The Import/Export Assistant is used for two tasks. The Import/Export Assistant is used to reproduce process tag types or models. This is achieved by defining project-dependent typicals from standard libraries that can then be copied as often as required with the instantiation options of the Import/Export Assistant. You will find an example in Section 4.8 "Creating Software Modules".

Caution
The IEA is a separate optional package in SIMATIC PCS 7. The IEA, the plant hierarchy and the process object view are part of the PCS 7 Toolset DVD and are installed with the general setup. It does, however, require a separate license.

4.11 Automatic Generation of Block Icons

By automatically generating block icons, errors can be avoided when creating software. The following table describes an example of the assignment of a block icon.

Order | Functionality | Activity
1 | Make the assignment to the function block | Assign icon to graphic, for example by entering a 1 in the block icon field for VALVE FB73, the vertical valve is selected (@Valve/1)
2 | Derive the icons from the structure of the plant hierarchy | With the Create/Update Block Icons command, the block icons are assigned to the higher-level hierarchical pictures

By entering the block icon, the picture is accessed. The valves in the graphic have the

If the value "1" is assigned, a vertical valve is derived from the technological hierarchy and assigned to the graphics of the higher-level hierarchical folders (if the value "2" is assigned, a horizontal valve is obtained).

Central Changeability of Objects

In the type definition, SIMATIC PCS 7 provides the option of central changeability of objects, in other words, subsequent changes to SFC types, models and process tag types that are then adopted automatically for all instances and their replicas. This applies to ES, OS and SIMATIC BATCH data.

4.12 Activating and Deactivating Simulation

SIMATIC PCS 7 allows input and output variables of various blocks to be simulated. The simulation is important for test purposes, for example within the framework of FATs, because it allows the configuration engineer to influence digital and analog inputs and outputs to represent and check complex functions (for example temperature control).

Activating Simulation

Simulation for test purposes can be activated in the channel input drivers or channel input driver blocks.

Sample valve: Simulation is activated at the inputs SIM_ON and the input can be simulated at the input SIM_I.

Deactivating Simulation

Caution
The activated simulations should be noted according to GEP. A table allows an overview of the active simulations. On completion of the test phase, make sure that all simulations are deactivated again. Ideally all simulation inputs are connected to an OP_D allowing simulation to be turned on and off.

Recommendation
Where possible, central switches can be configured for specific units to disable/enable simulation and be interconnected with all input drivers. On completion of the test, this central switch can be deleted and simulation turned off centrally.

4.13 OS Project Editor

The OS Project Editor is used as a basis for creating the operator input philosophy. The screen layout, screen resolution etc. are specified in the OS Project Editor. The requirements for the functionalities listed below are described in the Design Specifications. All important functionalities such as those below are set in the OS Project Editor:

- Creating the PCS 7 message classes and message types
- Creating the message blocks
- Creating the PCS 7 messages
- Display of PCS 7 messages
- Configuring the startup lists and the start picture
- Copying the dynamic wizards and the actions
- Creating tags for controlling the response in process mode
- Copying screen layouts
- Creating the process mode configuration file
- Layout of the hierarchical structure and the area to be displayed
- Number and appearance of the process windows
- Management of basic data such as pictures, actions and libraries

When creating an OS project in the SIMATIC PCS 7 ES, the OS Project Editor is started in the background and initialized with the default settings. Modifications due to customer requirements are made in the configuration of the Project Editor. The following screenshot shows the layout of the OS Project Editor.

Creating Overview Pictures

The overview graphics must be created based on the stipulations in the specifications (for example URS, FS and P&I). After creating the graphics these should be presented to the customer for approval in the form of screenshots.

Note
You should only start to create the overview graphics for visualization when the module test of the project is completed.

4.15 Integrating SIMATIC BATCH

BATCH Definition of Terms

The following information is recorded in recipes:

- Method or procedure for manufacture
- Relevant process variables
- Setpoints

Commonly used BATCH terminology is described below.

Master Recipe: Set of rules and information required to define how a product is manufactured.

Control Recipe: Copy of the master recipe with extra information specific to a process cell.

Batch: Equipment-dependent amount of a product manufactured in a defined discontinuous production sequence.

Process: A sequence of chemical, physical, or biological activities for the manufacture of materials or products.

Conformity with the ISA Standard

ISA-88 is an international standard. This consists of models and technologies that separate products from the process of production. The standard allows the reuse and flexibility of equipment and software. SIMATIC BATCH was developed based on the ANSI/ISA (1995) Batch Control, Part 1: Models and Terminology standard. In the "Technical Report" ISA-TR, the use of SFC (Sequential Function Charts, DIN/IEC 1131) as a graphic language for describing recipe procedures is also recommended. The creation of recipes with the BATCH Recipe Editor follows the structures and functionalities described in this standard.

ISA Software Model SIMATIC PCS 7

ISA describes various models that can be implemented completely with PCS 7 and SIMATIC BATCH.

[Figure: the process cell model (process cell, unit, equipment module, control module) shown beside the procedural model (recipe procedure, recipe unit procedure, recipe operation, recipe phase)]

The process cell model describes the process cell, unit, equipment module and control module level that is mapped using the plant hierarchy in the plant view of the SIMATIC Manager. The process cell model described above is provided by SIMATIC BATCH so that the procedural model in the form of recipes can be mapped on it.

Recipe Procedure: A recipe procedure runs on a process cell to control a process and to create a batch of a product.

Recipe Unit Procedure: A recipe unit procedure runs on a unit to control a recipe stage. A unit can only be occupied by one batch at any one time.

Recipe Operation: A recipe operation or a recipe phase runs on an equipment module to implement a process engineering task or function.

Control Module Level: The control module level is not within the scope of the Batch system and is addressed only over the equipment module. The control module level exists completely within the automation system.

Implementation of the ISA Concept

The ISA S88.01 software model divides the process into various modules simplifying the process of validation and qualification. The process model is split up hierarchically into the following parts.

[Figure: General Implementation According to ISA]

Practical Implementation in SIMATIC PCS 7:

Physical model | Procedural elements | Implementation in PCS 7 | Implemented as
Control module (CM) | - | CFC component: Use of the PCS 7 library and use of CFC charts. | Supplier
Equipment module (EM) | Phase/Operation | Component SFC (SFC type) and CFC (SFC instance): Use of SFC types to allow instantiation (equipment phases, equipment operations). | Supplier
Unit | Unit procedure | Batch component: Unit recipe | User / supported by supplier
Process cell | Procedure | Batch component: Recipe | User / supported by supplier

SIMATIC BATCH can be integrated in two ways:

- Equipment phase with SFCs and the interface blocks IEPH/IEOP
  These are interface blocks that control the sequence of the process. They must be inserted in the sequences in the CFC chart before the processing block.
- Equipment phase with SFC types
  The SFC type or the instances of SFC types are the preferred interfaces of PCS 7 / SIMATIC BATCH versions.

Note
The names and functionality of the modules are uniform according to the stipulations in the URS, FS or DS.

Further Information
How to create this equipment phase is described in "SIMATIC BATCH Getting Started". The "SIMATIC BATCH Getting Started Part 3 and Part 4" documents describe the interaction between the various levels (control module level and phase).

4.16 Configuring SIMATIC BATCH

"SIMATIC BATCH Getting Started Part 2" describes the configuration steps in detail. Configuration can be divided into tasks as follows:

SIMATIC Manager

- Creating and configuring BATCH systems
- Creating the plant hierarchy
- Compilation of OS data
- Generating BATCH types (SFC type)
- Propagation of BATCH types
- Compilation of instances
- Transfer of data to OS
- Downloading process cell data

Working in the BATCH Control Center (BCC) and Recipe Editor (RP)

- Reading in process cell data from the SIMATIC Manager
- Creating ROP libraries (typicals)
- Creating the master recipes
- Creating the recipe structure
- Releasing master recipes for production
- Creating an order
- Releasing a batch

4.17 Setting up Access Protection

A major requirement in the pharmaceutical industry is the security of the system (see 21 CFR Part 11, Section 1.2 "Regulations and Guidelines" and Section 2.4 "Access Protection and User Management"). This includes setting up user groups. SIMATIC Logon allows process input within the SIMATIC PCS 7 system including SIMATIC BATCH and the transfer of software modifications from the engineering system to the automation components to be divided into levels. SIMATIC Logon is structured on the basis of Windows user management. SIMATIC OS, SIMATIC BATCH, and the engineering system of SIMATIC PCS 7 use SIMATIC Logon for access protection.

[Figure: OS, SIMATIC BATCH, ES and other applications use SIMATIC Logon; SIMATIC Logon configuration is based on the Windows 2000 user management and the administration of the user management]

Note
The setting up of access protection must be completed before configuration starts and must also be integrated in the typical description. All password levels of the visualization interface (faceplates, input boxes, buttons etc.) must be set up according to the specifications in the URS and FS.

Note
The access security of the monitoring mechanisms (password age, password length, password generation, password disable threshold etc.) must be configured and set in Windows. The operating system user should also only have power user or user rights but should not have administrator privileges. This ensures that only PCS 7 has access to the database. Access by the operating system to the SQL database is therefore not possible.

The following order must be adhered to:

- Setting up access protection under Windows (creating user groups and users)
- Setting up SIMATIC Logon

Following this, the individual applications should be configured (any order):

- Setting up access protection in PCS 7 OS
- Setting up access protection under SIMATIC BATCH (SIMATIC Logon Admin Tool on the BATCH client for role management)

How Access Protection Works under Windows and in PCS 7 Process Mode

The mechanisms of the Windows user management are used to administer operating system users and PCS 7 process mode (runtime). In a productive SIMATIC PCS 7 system, there are generally two users logged on. One is the operating system user who controls coordination of the SIMATIC PCS 7 runtime software, the other is the SIMATIC PCS 7 runtime user who controls and monitors the process.

Operating System Users

Operating system users are those who

a) change the application software under SIMATIC PCS 7 (OS server, OS client, BATCH server, BATCH client etc.) to an active (process mode) status. In this status, the applications must have at least power user rights under Windows so that the applications have read and write permissions for drives, folders, databases etc.
b) can make changes to the engineering system, can shut down the process control system, have access to all drives, can create, modify and delete directories and set up new users.

SIMATIC PCS 7 Runtime Users

SIMATIC PCS 7 runtime users are those who

a) operate the process in the productive system (runtime), check processes, write or change recipes, create batches etc.
b) have only guest rights under Windows in the operating system and must not have the opportunity of ending the runtime of SIMATIC PCS 7.

Note
When the Windows audit trail is activated (see Section Permission Management in Windows), all changes made by an operating system user are recorded. SIMATIC PCS 7 runtime users with Windows guest rights cannot start any SIMATIC PCS 7 applications, delete directories or shut down PCs.

Permission Management in Windows

Since the user management of SIMATIC Logon is based on the mechanisms of the Windows operating system, two options are available for permissions management in Windows:

- in a domain
- in a workgroup

Windows Domain

Within a domain, the AGLP strategy recommended by Microsoft is used (Access Global Local Permission, basic principle in the management of access to resources using trusts in Windows), in other words, if users of a domain with the same tasks are placed in one global group, they are also placed in a local group and then adopt the necessary permissions.

If a domain server is used in the working environment, the advantages of the group and user management can be used in conjunction with SIMATIC Logon. The central administration of groups and users on the domain server allows all computers that belong to the domain access to the groups and users. To increase availability, domains can be set up with multiple domain servers.

Windows Workgroup

Within a workgroup, local users with the same tasks should be placed in a local group and the group should then be given the required permissions and rights.

If a computer is a member of a Windows workgroup, the computer acting as server of the workgroup must be specified. All user data is created and managed on this server. From here, it is made available to other computers in the system. When selecting the server, the PCS 7 OS server can be considered, for performance reasons however separate computers are often selected that are used only to manage users.

In the Login list box, the local computer or a domain can be selected. This displays all groups of this server. Administration of the groups and users of the computers belonging to the workgroup is not necessary. A redundant configuration is not possible in this case. Emergency operation is possible using the local user management.

SIMATIC PCS 7 supports the Windows permissions model. As soon as SIMATIC PCS 7 is installed, the following local groups are also set up:

- SIMATIC HMI
- SIMATIC HMI CS
- SIMATIC HMI VIEWER
- SIMATIC BATCH

SIMATIC PCS 7 manages the security settings and enable permissions automatically. During configuration, only the local users and global users must be made members of the SIMATIC user groups. You will find further information in the manual Simatic Process Control System PCS 7 - Security Concept PCS 7, Chapter 3 "Managing Computers and Users".

Note
The Windows domain must be used when several servers or redundant servers are involved to make sure that if a domain server fails, operator control and system access of users can be guaranteed.

User Management

Users and groups are configured in the user management of Windows as specified in the URS or FS. With the PCS 7 PC logon assigned to the particular tasks, the following is achieved:

a) When logging on in Windows, users are assigned exactly the permissions that are required to execute the particular task, for example, they must be members of the power users and SIMATIC HMI group to edit the PCS 7 project.
b) With the login in process mode, users have the right to control the plant according to their group permissions.

107 The following screenshot shows the "Local Users and Groups" dialog box in which the users and user groups are defined. To open Computer Management, select the Start menu followed by Settings and then click on Control Panel. Then select Administrative Tools and double-click on the Computer Management menu command to open the following window.

To operate correctly, the following settings must be made for SIMATIC Logon:

- To configure SIMATIC Logon, a Windows group with the name "Logon_Administrator" must be created. All users assigned to this group have permissions to configure SIMATIC Logon.
- The full name of every user must be entered in "Local Users and Groups" in the Windows Computer Management. This name is used by the application for display in SIMATIC PCS 7 after logging on.

Further Information

Manual SIMATIC Process Control System PCS 7 - Security Concept PCS 7; Chapter 4 "User and Access Management in PCS 7 and Integration in Windows Management"

108 Security Settings of Password Policy

For the monitoring mechanisms of the password policy of Windows, the previously specified settings (URS, FS or DS) must be made. The following security settings and password policy settings must be configured in the operating system.

Guideline: Description of the security setting

- Enforce password history: Specifies the number of unique new passwords that must be assigned to a user account before an old password can be used again.
- Passwords must meet the complexity requirements: When activated, the password must be made up of at least three or four of the following categories:
  1. A-Z uppercase letters
  2. a-z lowercase letters
  3. numeric characters
  4. !,$,%, etc. special characters
- Maximum password length: Specifies the minimum number of characters in a password.
- Maximum password age: Specifies how long a password may be used unchanged (maximum time).
- Minimum password age: Specifies how long a password must be used (minimum time).

The following screenshot shows the "Password Policy" dialog box. The settings are simply examples. You can open Computer Management with the following menu command: Start > Settings > Control Panel > Administrative Tools > Security Settings

109 Security Mechanisms for Account Lockout Policies

For the monitoring mechanisms of the account lockout policy of Windows, the settings as required in the user requirements or Functional Specification must be made. The following security settings must be configured in the account lockout policy.

Guideline: Description of the security setting

- Account lockout threshold: Specifies the number of failed logons before the account becomes locked out.
- Account lockout duration: Specifies how long an account remains locked out before the lockout is canceled automatically. If the value 0 is set, the account remains locked out until the administrator unlocks it. This is the recommended setting.
- Reset account lockout counter after: Specifies how many minutes it takes after failed logon attempts before the account lockout counter is reset to zero.

The following screenshot shows the "Account Lockout Policy" dialog box.

110 Security Settings for Audit Policy

For the audit policies of Windows, the following settings must be made to create an audit trail of logon attempts. The audited events are stored in the Event Viewer in the security report and are available for analysis.

Guideline: Description of the security setting

- Audit logon events: Specifies whether or not the instance of a user logging on at a computer is audited.
- Audit account management: Specifies whether or not the individual events of account management are audited (creating or changing a user account, changing or setting passwords).
- Audit account logon events: Specifies whether or not each instance of a user logging on or off at a computer is audited.
- Audit policy change: Specifies whether or not the occurrence of changes to the policy for assignment of user rights, audit policy or policy for trust settings is audited.

You can open Computer Management with the following menu command: Start > Settings > Control Panel > Administrative Tools > Security Settings.

Note: To monitor the logon activity, the required settings must be made in the audit policy of the local policies of Windows.

! Note: After installing Windows, default parameters are set for the password policy, account lockout policy and audit policy. The settings must be checked and adapted to the requirements of the current project.
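One way to perform the check of password, account lockout and audit policy settings against the project requirements, as an added example that is not part of the original manual or of any Siemens tooling. It reads a security template as exported with `secedit /export /cfg`; the template text is a constructed sample and the required values are hypothetical stand-ins for those fixed in the URS, FS or DS.

```python
import configparser

# Constructed sample in the format written by `secedit /export /cfg policy.inf`
# (real exports are UTF-16 encoded; decode them before passing the text in).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountManage = 0
AuditAccountLogon = 0
AuditPolicyChange = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

AUDIT_BOTH = 3  # template encoding: 0 = none, 1 = success, 2 = failure, 3 = both

# Hypothetical project requirements (assumption: replace with the URS/FS/DS values).
# Each entry: section, key, check on the integer value, requirement as text.
REQUIRED = [
    ("System Access", "PasswordHistorySize", lambda v: v >= 5, ">= 5 passwords"),
    ("System Access", "PasswordComplexity", lambda v: v == 1, "enabled"),
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8, ">= 8 characters"),
    ("System Access", "MaximumPasswordAge", lambda v: 0 < v <= 90, "1..90 days"),
    ("System Access", "MinimumPasswordAge", lambda v: v >= 1, ">= 1 day"),
    ("System Access", "LockoutBadCount", lambda v: 0 < v <= 5, "1..5 failed logons"),
    # "Until the administrator unlocks" is 0 in the dialog but -1 in the template.
    ("System Access", "LockoutDuration", lambda v: v == -1, "until unlocked (-1)"),
    ("System Access", "ResetLockoutCount", lambda v: v >= 30, ">= 30 minutes"),
    ("Event Audit", "AuditLogonEvents", lambda v: v == AUDIT_BOTH, "success+failure"),
    ("Event Audit", "AuditAccountManage", lambda v: v == AUDIT_BOTH, "success+failure"),
    ("Event Audit", "AuditAccountLogon", lambda v: v == AUDIT_BOTH, "success+failure"),
    ("Event Audit", "AuditPolicyChange", lambda v: v == AUDIT_BOTH, "success+failure"),
]


def audit_policy(inf_text, required=REQUIRED):
    """Return a list of (key, found value, requirement) for every deviation."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the key names case-sensitive
    parser.read_string(inf_text)
    findings = []
    for section, key, check, requirement in required:
        raw = parser.get(section, key, fallback=None)
        if raw is None:
            # Keys are absent when the policy is not defined, e.g. the lockout
            # duration while the lockout threshold is 0.
            findings.append((key, "not set", requirement))
            continue
        try:
            value = int(raw.strip())
        except ValueError:
            findings.append((key, raw, requirement))
            continue
        if not check(value):
            findings.append((key, value, requirement))
    return findings


def format_report(findings):
    """Render the deviations as lines suitable for a qualification record."""
    if not findings:
        return "All checked policy settings meet the requirements."
    return "\n".join(
        f"{key}: found {value}, required {req}" for key, value, req in findings
    )


if __name__ == "__main__":
    print(format_report(audit_policy(SAMPLE_INF)))
```
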

111 Further Information

For more detailed information on setting up Windows workgroups and Windows domains, refer to the online help of the Microsoft Windows operating system or the Windows 2000/XP manual Windows 2000/2003 Server - Technical Reference.

112 Configuring SIMATIC Logon

Note: To configure SIMATIC Logon, a Windows group with the name "Logon_Administrator" must be created. All users assigned to this group have permissions to use the "Configure SIMATIC Logon" tool for configuration purposes.

The basic settings for configuring SIMATIC Logon are made with the "Configure Simatic Logon" tool. When the tool is started, the following dialog opens.

The language is specified in the "General" tab. You can also define whether a default user should be logged on (by the user or automatically by the system) after the user logs off. You can also set the number of days after which the user will be reminded that a change of password will be required.

! Note: In contrast to all other users, the "default user" does not need to be created as a Windows user. The "default user" is a member of the "DefaultGroup" and "Emergency_Operator" roles. The rights for these groups are specified in the relevant PCS 7 OS (server/client) applications.

113 In the "Working Environment" tab, the user specifies whether the information relating to groups and users relates to a Windows domain or a Windows workgroup server. The name of the domain or workgroup server must be entered.

In the "Logon Device" tab, the user specifies whether the logon is via the keyboard, chip card or other procedure such as biometric user identification, for example by fingerprint.

The "Automatic Logoff" tab is used to specify whether or not the automatic logoff function is used. If this is selected, the delay before a user is automatically logged off must also be specified.

114 If automatic logoff is enabled, the user is logged off automatically if there is no activity within the specified time. Before the user is logged off, a dialog warns of the automatic logoff. This prevents inadvertent logging off.

! Caution: Activating a screensaver is not permitted in conjunction with SIMATIC Logon.

Integration in SIMATIC PCS 7 ES

If the SIMATIC Logon optional package is installed on the ES, the option for tracking changes must be activated. The change log can be activated in the object properties of the chart folder: SIMATIC Manager > Component View > Project > Chart Folder > Properties. Select the "Change log active" check box.

Software modifications can be made by the configuration engineer as follows.

- Download: With the Download function, the modification can be downloaded to the AS.
- Logon: After calling the Download function, SIMATIC Logon requests a logon. Only persons with suitable permissions can use the Download function.
- Comment field: The software programmer is automatically prompted to enter the type of modification in the comment field.

115 Below, you will see an example of the change log showing a change made by the user administrator.

Note: The change log records the user, the time and the comment entered by the configuration engineer.

116 Integration in SIMATIC PCS 7 OS

Since SIMATIC Logon is an option, the following project-specific adaptations must be made. These adaptations are made using the "WinCC Adapter" tool.

Procedure:

- Open the "OS Server" in the SIMATIC Manager
- Open the "User Administrator" and activate SIMATIC Logon
- Open "WinCC Adapter"
- The adaptations are then made automatically (see dialog box)

The following selections can be made:

1. John (full user name)
2. (user ID)
3.

The first option should ideally be used. The changes in the project must be confirmed in the "Adapt project" list box.

117 The following screenshot shows the "WinCC Adapter" dialog after successful project adaptation.

Note: To ensure that operator input in the productive system is possible, user groups must also be configured in the WinCC User Administrator.

In the PCS 7 OS "User Administration" of the relevant PCS 7 OS computer, the check mark for activating SIMATIC Logon must be set. Windows groups are assigned to PCS 7 OS groups by creating groups with the same name. If, for example, a Windows group called "Operator" is required, a group with the same name "Operator" must be created in the PCS 7 OS User Administrator and the required permissions assigned.

118 The following procedure must be adhered to:

- Open PCS 7 OS project
- Open the User Administrator in the WinCC Control Center
- Create the group(s)
- Assign the permissions per group

Integration in SIMATIC BATCH

The SIMATIC Logon Admin tool is used to assign permissions and roles in the SIMATIC BATCH application. Role management is fully integrated.

119 You assign the individual roles to the operator rights directly in SIMATIC BATCH. Here, the assignment of rights can be made in groups.

120 Electronic Signature

An Electronic Signature optional package is available for SIMATIC BATCH. It can, however, also be used with other applications as a basis for developing an electronic signature function. The following screenshot shows a configuration dialog for setting up electronic signatures.

In the following example, two electronic signatures are required. These are specified in the SIMATIC BATCH Recipe Editor in the "Configured roles" box.

Recipes, formulas, and recipe operations can also be released using the electronic signature of the SIMATIC BATCH Recipe Editor.

121 In electronic signatures, a distinction is made between plant-wide settings and object-specific signature rules. The graphic below shows the signature rules for a batch. The settings are made in the recipe properties.

The electronic signatures made are entered in the change log of SIMATIC BATCH and are available there for analysis. For more information, refer to the What's New in SIMATIC BATCH V6.1 manual.

Further Information

Manual Process Control System PCS 7 SIMATIC Logon; Section SIMATIC Logon Admin Tool

122 4.18 Disabling the Windows Level in Process Mode (Runtime)

Since access to the Windows operating system level should be avoided for security reasons, additional configuration settings are required. These settings prevent illegal access out of SIMATIC PCS 7 process mode to sensitive data of the operating system.

! Note: Access to the operating system level should be reserved solely for administrators or technical maintenance personnel.

Disabling on the SIMATIC PCS 7 OS

Access to the operating system during process mode can be configured using the parameter properties of the OS. The necessary settings are shown in the screenshot below.

Make sure that clicking the button for disabling process mode (system change) is possible only with the appropriate permission. After disabling and restarting, the operating system can be accessed.

123 Lockout by Configuration

Make sure that no OLE objects are configured that, for example, call the Windows Internet Explorer etc. With Windows OLE objects, unauthorized access to folders, files and programs may be possible.

Security with Configuration Settings in WINDOWS

You must also make sure that any hot key assignments are deactivated. Normally, hot keys are used, for example, to influence the properties of the graphics card. By influencing the graphics card properties, it is possible to go to the operating system user interface.

124 4.19 Audit Trail

PCS 7 OS

Audit trail of operator input

SIMATIC PCS 7 records all operator input and parameter changes in process mode. The archiving of operator input and messages takes place in the message system. All entries made by the operator are stored in the operator input message class and are available for further evaluation.

The following screenshot shows an extract of the operator input list. In row 24, a parameter change is shown. The operator Siemens_MT changed the setpoint 0 to 1. The previous value was 0. The user ID of the currently logged-in user can be seen in the overview area.

Note: Select the hard disk capacity so that it is possible to store the entire audit trail until it is transferred to an external data medium.

Audit Trail of Alarm Acknowledgments

SIMATIC PCS 7 archives the acknowledgment of all alarms, warnings, system messages, etc. All messages are available for further research in the chronicle of the process control system.

125 SIMATIC BATCH

In SIMATIC BATCH, there is a distinction between the online and offline audit trail. In the online audit trail, a batch report is created containing the information on operator input (who, when, what). In the offline audit trail, the changes to recipe data and batch data (for example deleted batches) are logged in the change log. Here, the user, the time and the action are entered.

To log changes to recipes, it is necessary to increment the recipe version automatically. For this reason, the property "Allow editing of recipes in the 'Release revoked' status" can be selected; see screenshot below. While changes are being made, the recipe is available to only one person. Saving a change to a recipe forces a new version of the recipe.

126 Deleting recipes is recorded in the log; see screenshot below.

127 4.20 Time Synchronization

In SIMATIC PCS 7, the default time transmitted on the bus always corresponds to the standardized UTC (Universal Time Coordinated). This corresponds to Greenwich Mean Time. Time stamps are generated in UTC and stored in the archive of the OS server. In runtime, all the process data stored in the archive (messages and trends) are displayed converted to local time from UTC. This allows a system configuration in PCS 7 to extend beyond time zones.

Activating time synchronization in PCS 7 means that an active time master takes over the synchronization of all servers, operator stations, automation systems (AS) and the engineering station. To ensure synchronized time, all the stations belonging to the PCS 7 system must be synchronized so that messages can be processed in the correct chronological order throughout the plant (archiving of trends, messages, redundancy synchronization of servers).

Note: Activating time synchronization is an absolute necessity in plants subject to GMP and this must be taken into account and implemented even in the basic configuration (HW Config, OS etc.) to ensure a correct audit trail in process mode (runtime).

! Note: Time synchronization must be activated on the engineering stations, otherwise problems may be encountered when downloading changes.

128 Concepts for Time Synchronization

The structure of time synchronization must be carefully planned. Each time synchronization in the project depends on the requirements. The requirement for time synchronization must be described in the Functional Specification. Time synchronization can be implemented as described below:

Time Synchronization in a Windows Workgroup

Time synchronization in a workgroup should be implemented over the OS server. Time synchronization of the OS server can also be implemented using a time master, for example the DCF77 service or GPS service.

Time Synchronization in a Windows Domain

If the automated system is operated in a Windows domain, the domain must be used as the time master. Time synchronization of the domain server can also be implemented using a time master, for example the DCF77 service or GPS service. If a less accurate time is used, this can result in domain clients being rejected in the domain. This would make further operator input to the process control system impossible.

If a time difference of 5 minutes between domain and clients is exceeded, the operating system assumes that an attacker has decoded the logon and is attempting to take over the session. This is prevented by the logon of the client being rejected in the domain.

Note: Time synchronization of the domain clients uses Microsoft system services.

Further Information

How to configure time synchronization is described in the following documents:

- Configuration manual "Process Control System PCS 7 Operator Station" in the section "Time Synchronization and Lifebeat Monitoring"
- OS online help in Release Notes > Process Control Options > Time Synchronization
- PCS 7 online help in Configuration Engineering Station > Performing PCS 7 Configuration > Configuring Hardware > Setting Time Synchronization
- Refer to the manual SIMATIC PCS 7 Security Concept, Chapter 5 "Planning and Time Synchronization"
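A way to watch the 5-minute limit described above before it causes a domain logon to be rejected, as an added example that is not part of the original manual. It assumes that clock offsets against the domain time master were captured per station with `w32tm /stripchart /computer:<master> /dataonly`; the station names, the captures and the 60-second warning margin are constructed for illustration.

```python
import re

MAX_SKEW_S = 300.0   # 5-minute limit between domain and clients stated above
WARN_SKEW_S = 60.0   # hypothetical project warning margin (assumption)

# One data line of the capture: "hh:mm:ss, +ss.fffffffs" or "hh:mm:ss, error: 0x..."
_SAMPLE = re.compile(
    r"^\d{2}:\d{2}:\d{2}, (?:([+-]\d+\.\d+)s|error: (0x[0-9A-Fa-f]+))$"
)

# Constructed captures, one per station (hypothetical names and addresses).
CAPTURES = {
    "OSCLIENT01": """Tracking DC01 [192.0.2.10:123].
Collecting 3 samples.
The current time is 12/1/2006 08:00:00.
08:00:00, +00.0412345s
08:00:02, -00.0398112s
08:00:04, +00.0401877s
""",
    "OSCLIENT02": """Tracking DC01 [192.0.2.10:123].
08:00:00, +187.5012345s
08:00:02, +187.6023456s
""",
    "ES01": """Tracking DC01 [192.0.2.10:123].
08:00:00, -312.4456789s
08:00:02, -312.4461200s
""",
    "CAS01": """Tracking DC01 [192.0.2.10:123].
08:00:00, error: 0x800705B4
08:00:02, error: 0x800705B4
""",
}


def worst_offset(stripchart_text):
    """Return (largest absolute offset in seconds or None, failed samples)."""
    worst, errors = None, 0
    for line in stripchart_text.splitlines():
        match = _SAMPLE.match(line.strip())
        if not match:
            continue              # header lines of the capture
        if match.group(2):
            errors += 1           # the time master did not answer this sample
            continue
        offset = abs(float(match.group(1)))
        worst = offset if worst is None else max(worst, offset)
    return worst, errors


def classify(captures):
    """Map station name to (status, worst offset, failed samples)."""
    result = {}
    for station, text in captures.items():
        worst, errors = worst_offset(text)
        if worst is None:
            status = "NO_DATA"      # no usable sample: synchronization unverified
        elif worst > MAX_SKEW_S:
            status = "OVER_LIMIT"   # logon in the domain would be rejected
        elif worst > WARN_SKEW_S:
            status = "WARN"         # drifting towards the limit
        else:
            status = "OK"
        result[station] = (status, worst, errors)
    return result


if __name__ == "__main__":
    for station, (status, worst, errors) in classify(CAPTURES).items():
        print(station, status, worst, errors)
```
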

129 Example of Configuring Time Synchronization over Ethernet (OS Server as Time Master)

The following example explains the configuration of time synchronization over Ethernet. The OS server is declared as time master. It is, however, also possible to supply the OS server with an external time signal. The automation system and the OS clients then obtain the time from the OS server.

1. Configuration on the AS (HW Config)

The following settings must be made in the properties of the CP communications processor. The "Activate SIMATIC time synchronization" check box must be selected.

130 The procedure for configuring the CPU as a time slave is as follows:

The type of synchronization (as slave) is set in the properties of the S DP CPU in the "Diagnostics/Clock" tab.

Note: If other automation systems (AS) are used, the settings must be transferred to all other hardware systems. The settings must be saved, compiled and downloaded to the hardware.

131 2. Configuring in the OS (PCS 7 OS Explorer)

132 In the WinCC Explorer, the time synchronization must be set with the "Time Synchronization" tool.

133 a) Time synchronization over the plant bus (OS server is time master).

By selecting the "Synchronization over Plant Bus (Master, Slave)" check box, you can define the access point of time synchronization. You then also define the OS server as time master.

b) Time synchronization of the clients

By activating the "Synchronization via Terminal Bus (Slave)" check box, you can specify, for example, that the client is synchronized over the terminal bus. As the source, you can specify whether the time is obtained from a connected OS server or from a defined computer (in this case, from the computer with the name "OS").

! Note: When using domain controllers, make sure that the domain controller acts as the time master.

134 In the properties of every operator station, time synchronization must be configured to be activated before process mode (runtime). To achieve this, the "CCTMTimeSync.exe" application must be linked into the runtime properties.

135 The time basis for the time must also be set to Universal Time Coordinated (UTC) in the properties of the computer in the "Parameters" tab.

When using communication processors of the type SIMATIC CP 1613, additional settings must be made in HW Config in the engineering system to ensure time synchronization.

136 The time mode must also be selected in the properties of the CP 1613 in the "Options" tab. After compiling and downloading the hardware again, time synchronization is activated.

137 4.21 Lifebeat Monitoring

SIMATIC PCS 7

SIMATIC PCS 7 Lifebeat Monitoring allows the monitoring of the functionality of automation systems (AS) and operator stations. To allow this, all automation systems (AS) and operator stations must be configured in HW Config and the OPC connections to the operator stations must be created. The nodes to be monitored are configured in the WinCC Explorer with the menu command Editor > Lifebeat Monitoring > Open. Here, you can set up all the nodes to be monitored along with the monitoring cycle with which lifebeat monitoring is performed. Lifebeat Monitoring is activated automatically when the OS starts up.

As an alternative, all the process control equipment can also be managed using PCS 7 Asset Management. A maintenance station (MS) can be used to provide an overview of the diagnostic and service information of all equipment. Asset Management does not involve any additional configuration. The configuration data is generated from the hardware and software configuration data.

138 Third-Party Systems

Lifebeat Monitoring for third-party systems must be configured manually. Its use depends on the communication partner of the third-party system. If the third-party system represents an important interface to SIMATIC PCS 7, Lifebeat Monitoring is absolutely necessary.

The graphic shows an example of a solution for Lifebeat Monitoring with a third-party system. SIMATIC PCS 7 sets a defined OPC variable bit from logical 0 to 1. After a defined time X, the third-party system must reset the OPC variable bit from logical 1 to 0. This is repeated cyclically. If the third-party system does not bring about a state change within the specified time, a process control message is generated in the SIMATIC PCS 7 Process Control System. This indicates to the operator that communication between SIMATIC PCS 7 and the third-party system is not functioning.
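The bit handshake described above, simulated from both sides as an added example that is not part of the original manual and not PCS 7 code. The class and function names, the one-second cycle and the "lifebeat restored" message on recovery are assumptions made for the illustration; the OPC variable is modelled as a plain integer.

```python
class LifebeatMonitor:
    """Monitoring side: sets the bit to 1 and expects the partner to reset it."""

    def __init__(self, timeout_s):
        self.timeout_s = timeout_s  # the "defined time X" from the text
        self.set_at = None          # time at which the bit was last set to 1
        self.failed = False
        self.messages = []          # stands in for process control messages

    def step(self, now, bit):
        """Run one monitoring cycle.

        `bit` is the value currently read from the OPC variable. The return
        value is the value to write back to it.
        """
        if self.set_at is None:
            # First cycle: start the handshake.
            self.set_at = now
            return 1
        if bit == 0:
            # The partner reset the bit, so it is alive. Start the next cycle.
            if self.failed:
                self.failed = False
                self.messages.append((now, "lifebeat restored"))
            self.set_at = now
            return 1
        # The bit is still 1: the partner has not answered yet.
        if now - self.set_at > self.timeout_s and not self.failed:
            # Raise the message once per outage, not once per cycle.
            self.failed = True
            self.messages.append((now, "lifebeat failure"))
        return 1


def simulate(timeout_s, partner_down, total_s):
    """Simulate both sides in one-second cycles.

    `partner_down` is a (start, end) interval in seconds during which the
    third-party system does not respond. Returns the generated messages.
    """
    monitor = LifebeatMonitor(timeout_s)
    bit = 0
    for now in range(total_s):
        # Third-party side: reset the bit from 1 to 0 while it is running.
        partner_up = not (partner_down[0] <= now < partner_down[1])
        if bit == 1 and partner_up:
            bit = 0
        # Monitoring side: evaluate the bit and set it again.
        bit = monitor.step(now, bit)
    return monitor.messages


if __name__ == "__main__":
    # Partner stops responding from second 10 to second 20, X = 3 seconds.
    for when, text in simulate(3, (10, 20), 30):
        print(when, text)
```
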

139 4.22 Use of SIMATIC BATCH Reports

Within SIMATIC BATCH, recipes and batch data can be logged and reported. The following graphic shows an example of the structure of a batch report.

SIMATIC BATCH stores the batch data in XML format, allowing straightforward processing of the data by external systems. This data can be archived or processed with a different report system for batch reports. The XML files are protected by checksum.

The batch data is available either as a file in an area "protected" by the Windows security mechanism on the hard disk or in a database and is accessible only to authorized persons or systems. For more detailed information, refer to the Windows manual.

The batch data report can be printed out or displayed with an integrated browser while the batch is running or after the end of the batch.

140 4.23 Backing up the System/User Software

To be able to access software created by the user, backup copies of the software versions must be made at regular intervals during the configuration phase. It is also advisable to make a backup of the system partition containing the operating system, SIMATIC PCS 7 process control system software, etc.

Backing up the User Software

Backing up Application Software in the Engineering System

It is advisable to create a backup of the project data following modifications using the SIMATIC Manager only. Archiving is started in the SIMATIC Manager with the menu command File > Archive. By specifying the required project in the tab and the path in the next dialog, the selected project is saved in a ZIP file.

Backing up Recipe Data in SIMATIC BATCH

It is recommended that you make a backup of the configured user data following changes (libraries, master recipes, materials, user rights, etc.). The backup is made from within the SIMATIC BATCH Control Center. Select the "Backup" command from the Options menu and the data will be stored in SBB format. With the "Restore" command that is also available in the Options menu, you can copy the backup data back again in the BATCH Control Center.

Backing up the Operating System and SIMATIC PCS 7

Hard disk images should be used to back up the operating system and the PCS 7 installation. Using such images, it is relatively simple to restore the original status of the PC.

Which images are necessary?

- Create an image of the operating system installation with all drivers and all settings relating to the network, user management, etc. without SIMATIC PCS 7
- Create an image of the installed PCs with SIMATIC PCS 7
- Create an image of the installed PCs with SIMATIC PCS 7 including all projects

141 How to Create an Image

You create an image in DOS mode. Make sure that the image is written to a free partition.

Note: The backups of the application software and the backup of the operating system with and without SIMATIC PCS 7 should be stored on external storage media (for example MOD, CD, DVD, network backup).

! Note: An image can only be copied back to a PC with identical hardware. For this reason, it is advisable to document the hardware configuration of the PCs. Images of individual partitions cannot be exchanged between PCs since various settings, for example in the registry, differ from PC to PC.

142 4.24 Long-term Archiving

Long-term Archiving with the Central Archive Server (CAS)

The Central Archive Server is a dedicated server PC without a direct connection to the process. It is used for long-term archiving of message archives, process value archives and reports within PCS 7.

How It Works

Among other things, the central archive server also uses the StoragePlus software (see also Section ) although in this case with other, much higher performance data.

Through the integration of the CAS in PCS 7, the currently implemented standard allows access to the process archive values by displaying them in trends and tables (Tag Logging) on the OS clients. The only requirement for this is that the server data (package) of the CAS is stored on the OS clients.

Access to archive data of Tag Logging with a selected time period is handled internally and automatically in the system. This means that the user does not need to worry whether selected archive data is still on the OS servers or has already been transferred to the CAS.

If selected archive data has been transferred to an external storage medium as a backup and is therefore no longer "connected" to the database of the CAS (see also Section ), a message is generated to reconnect the relevant time period of the external storage medium back to the CAS.

143 The example shown in the schematic below illustrates the access possibilities for displaying trends and tables (Tag Logging) on the OS clients.

144 Integration in PCS 7

Integration in SIMATIC Manager

Due to the integration as the central archive server of PCS 7, the required configurations as standardized for the system concept are made at a central point in the engineering system. To allow this, a suitable WinCC application "CAS" must be inserted in SIMATIC Manager using HW Config. The CAS can only be used once for an existing plant project.

145 In the "Properties" dialog of the CAS, the configurations required for the implemented PCS 7 standard as mentioned above (common area of StoragePlus) are made in the "CAS Options" tab.

146 To keep the database files created in the CAS in the "connected" status, and therefore accessible, for as long as possible, a particular percentage of the hard disk capacity can, for example, be selected as the limit at which the automatic storage of the long-term segments starts.

Other activities relating to the destination paths, creation of server data (packages), start and execution of the Project Editor in the WinCC Explorer and finally download to the CAS computer are essentially the same as for an OS server. The OS clients must be supplied with the package created by the CAS to allow access to the long-term archive data of Tag Logging.

Runtime can be activated after the download to the CAS. If the central archive server is deactivated, the PC must be restarted before the central archive server can be activated again.

147 Access Protection

The central archive server is a dedicated server; in other words, it is not a station at which the process can be controlled or monitored as, for example, is possible on a PCS 7 OS server. CAS is used only for archiving data. The access protection of the CAS must be implemented using standard Windows mechanisms. Here, the following Windows security settings are particularly important.

- Security settings of password policy
- Security mechanisms for account lockout policy
- Security settings for audit policy

Using the security settings of Windows, all access to the CAS is protected, audited and changes recorded in the Windows event log. The settings are project-dependent. You will find additional information in Section 4.17 "Setting up Access Protection" and in the Simatic Process Control System PCS 7 Security Concept PCS 7, Chapter "User and Access Management in PCS 7 and integration in Windows Administrative Tools".

An OS client can be used to visualize the data of the CAS. The client itself has the access protection provided by Simatic Logon.

Time Synchronization

The CAS must be included in the project-dependent time synchronization concept. In this time synchronization concept, a time master must be declared that supplies all components of the system including the CAS with a uniform time. For more detailed information on setting up the time synchronization concept with a time master, refer to Section 4.20 "Time Synchronization".

Network Security

The central archive server requires access to the PCS 7 terminal bus to obtain data from the OS servers. To allow this, there is only one shared folder called "ArchivDir" on the CAS to which the completed database segments of the OS servers are transferred.

If there is access from outside an OS system, for example by displaying StoragePlus views in an Internet Explorer window (see Section ), the information in the SIMATIC PCS 7 Security Concept manual must be taken into account.

148 Integrating the CAS in Lifebeat Monitoring

By running the Project Editor, the standard process control messages are also generated for the CAS and can be viewed by all OS clients in the message display.

If a central archive server is operated in a plant in which Lifebeat Monitoring is configured, the following internal tags must be configured manually on the central archive server:

- Tag "@OPCServer_WinCC", type "unsigned 32-bit value", start value
- Tag "@LBMRTConfigState", type "unsigned 32-bit value", start value

The integration of the CAS is analogous to the integration of SIMATIC PCS 7 components in Lifebeat Monitoring as described in Section 4.21 "Lifebeat Monitoring". An OPC connection to the CAS must simply be set up over which Lifebeat Monitoring can take place.

OS Client for Visualizing CAS Data

The process archive values of the CAS can be displayed on OS clients in the form of trends or tables.

To visualize messages already stored on the CAS, the integrated StoragePlus Viewer software package is required. With this software package, it is possible to define views of the databases of the CAS. The data made available in this way is then published using the Internet Information Server and can be viewed over an intranet.

Audit Trail

It is not technically possible to modify the data archived by the CAS. With the StoragePlus Viewer, users only have read access to the archived data. For this reason, the CAS does not support an audit trail in the sense of 21 CFR Part 11. All events such as the transfer of data to external media or failed transfers are nevertheless saved in the log file folder of the CAS.

149 Archiving and Transferring to the CAS

Process data is initially archived in single segments locally on the PCS 7 OS servers in Tag Logging or Alarm Logging. Once a single segment is completed, it is copied to the CAS. On the CAS, data that has accrued during a specified period is first stored in a temporary archive. Once the data is older than a specified period, it is moved to long-term segments of the long-term archive on the CAS.

Data in the long-term archive can be transferred to external media at regular intervals or when certain events occur. The following mechanisms are available for automatic transfer:

- Directly following creation of a long-term archive
- Regularly at a defined time
- When a certain level is reached on the hard disk
- When a certain event occurs

Note: The period for the single segments on the OS servers in Tag Logging must be selected so that it is significantly shorter than the period of temporary archiving on the CAS. The period for the entire archive on the OS servers in Tag Logging must be selected so that it is at least one day longer than the period of temporary archiving on the CAS. The period for all segments of the message archive on the OS servers in Alarm Logging should be selected so that it is long enough to allow all historical messages that must still be directly accessible to be kept on the OS servers.

Data Display

As shown in the previous sections on StoragePlus, the Internet Explorer is used to display views even though it can only be used locally on the StoragePlus PC. With the CAS, it is, however, possible to use this to display long-term data of Alarm Logging / reports of the CAS.

Long-term Archiving with StoragePlus

How StoragePlus Works

StoragePlus collects completed archive data segments from the servers in a separate database according to chronological criteria so that they can be backed up on CD or DVD when a certain size has been reached. The database segments resulting from archiving by StoragePlus have the status "connected" and this changes to "disconnected" when they are transferred for backup. For StoragePlus to display archive data, the database segments must be "connected". Archive data that has already been transferred to backup can be "connected" to the database of StoragePlus again. The "Catalog" call integrated in the administrator console in StoragePlus provides an overview of the current status of the database segments.

Software Packages of StoragePlus

StoragePlus consists of three software components:

- The Administrator console (server application) is used to assign rights to the various users / groups in StoragePlus. The database settings are configured here and the way in which backups are handled is specified. Administrator privileges are required for access. Since the settings are made and the system initialized here, access should be restricted to an authorized group of people.
- The View Editor is used to configure trends, message displays and batch reports that are saved in a view.
- The Web Viewer is used to display views created with the View Editor and published for this display.

Installation of StoragePlus

Operating Systems

StoragePlus can be used with three different Microsoft operating systems:

- Windows Server 2003 (Standard Edition) SP1
- Windows XP SP2
- Windows 2000 SP4

The MS SQL Server software must also be installed.

Note
The updates and service packs for Windows or MS SQL Server and other software components necessary to install StoragePlus can be found in the installation instructions. When installing, make sure that you keep to the specified order. You will find the relevant documentation on the PCS 7 Toolset DVD in the "StoragePlus/Install/Documentation" folder.

General Order of Installation

The general installation rules for PCS 7 apply. For more information, see the "Readme file" on the PCS 7 Toolset DVD.

1. Internet Information Service (IIS) and Message Queuing Server function (IIS and Asp.net for Windows Server 2003)
2. MS SQL Server 2000 SP3a
3. PCS 7 packages
4. Microsoft components
5. StoragePlus

Note
We recommend that you set up at least two partitions on the hard disk. Partition C contains the operating system, the StoragePlus software components and the path for storage of the archive data of the OS servers / SIMATIC Batch servers. The second partition should contain the database files created by StoragePlus.

Security and Access Concept

The security and access concept involves two levels as illustrated in the graphic below.

[Figure: two-level access concept. Operating system: users with access to the operating system and applications (Administrator, Power User, User). StoragePlus: users with access to the StoragePlus application (Administrator, Power User, User).]

The following default user groups exist in the administrator console of StoragePlus:

- Administrator - full access to the StoragePlus system
- Power user - can read and create StoragePlus views
- User - can read StoragePlus views
- Guest - no rights. Neither access to StoragePlus views nor to the StoragePlus system

To install StoragePlus, administrator privileges are required at the operating system level. The user who performs the installation is automatically the default user who can make the administrative settings for the first time in the administrator console of StoragePlus.

We recommend that the individual users planned for StoragePlus have equivalent group rights at the operating system level (see graphic). This ensures that the functions associated with the rights required or assigned in StoragePlus can be performed from the perspective of the operating system.

The user rights assigned reflect the maximum access rights. Assuming that a user is a member of the "Administrator" group and also a member of the "User" group, the "Administrator" group has greater access rights than the "User" group. In this case, such a user would always have administrator rights in StoragePlus.

Note
We recommend that users are only assigned to one group.

Note
Do not delete all the groups to which an existing user is assigned in StoragePlus. There should always be at least one group to which the user belongs.

For more detailed information on user access, management and the Windows security settings, refer to Section 4.17 "Setting up Access Protection".

Time Synchronization

StoragePlus generates events in its own log files. To ensure precise time information, the StoragePlus computer must be integrated in the PCS 7 time synchronization of the entire plant. For descriptions of the concepts and the use of the DCF77 client software, refer to Section 4.20 "Time Synchronization".
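The group rules of the Security and Access Concept above (rights are the maximum over all memberships, one group per user, never zero groups, equivalent rights at operating system level) can be checked mechanically during an access review. The following Python audit is an added example, not Siemens code: the user names and memberships are constructed sample data, and it assumes that memberships have been exported by hand and that operating system groups have been renamed to the manual's group labels.

```python
from dataclasses import dataclass

# Default StoragePlus groups named in the manual, lowest to highest rights.
RANK = {"Guest": 0, "User": 1, "Power User": 2, "Administrator": 3}


@dataclass(frozen=True)
class Finding:
    user: str
    code: str
    detail: str


def effective_group(groups):
    """Group that decides a user's rights: the highest-ranked membership.

    Returns None when the user is in none of the default groups.
    """
    ranked = [g for g in groups if g in RANK]
    return max(ranked, key=RANK.__getitem__) if ranked else None


def audit(storageplus, operating_system):
    """Compare group assignments with the manual's recommendations.

    Both arguments map a user name to a set of group names (assumed export
    format). Returns a list of Finding objects, ordered by user name.
    """
    findings = []
    for user in sorted(storageplus):
        groups = set(storageplus[user])

        # Custom groups cannot be ranked automatically.
        for name in sorted(groups - set(RANK)):
            findings.append(Finding(user, "UNRANKED_GROUP",
                                    f"'{name}' is not a default group; review by hand"))

        # The manual: a user should always belong to at least one group.
        if not groups:
            findings.append(Finding(user, "NO_GROUP",
                                    "user belongs to no StoragePlus group"))
            continue

        eff = effective_group(groups)
        if eff is None:
            continue  # only custom groups, already reported above

        # The manual: assign one group only, because the highest one wins.
        if len(groups) > 1:
            findings.append(Finding(user, "MULTIPLE_GROUPS",
                                    f"effective rights are '{eff}', "
                                    f"highest of {sorted(groups)}"))

        # The manual: equivalent group rights at operating system level.
        os_eff = effective_group(operating_system.get(user, ()))
        if os_eff != eff:
            findings.append(Finding(user, "OS_MISMATCH",
                                    f"StoragePlus '{eff}' vs operating system '{os_eff}'"))
    return findings


# Constructed sample data (not taken from any real plant).
SAMPLE_STORAGEPLUS = {
    "op_miller": {"User"},
    "eng_schmidt": {"User", "Administrator"},
    "qa_weber": {"Power User"},
    "tmp_intern": set(),
}
SAMPLE_OS = {
    "op_miller": {"User"},
    "eng_schmidt": {"User"},
    "qa_weber": {"Administrator"},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_STORAGEPLUS, SAMPLE_OS):
        print(f"{f.user:12} {f.code:16} {f.detail}")
```

The MULTIPLE_GROUPS finding is the one to resolve first: the extra "User" membership hides the fact that the account acts with administrator rights.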

Network Security

StoragePlus requires access to the PCS 7 terminal bus to be able to receive archive data and reports from the OS servers / Batch servers. To allow this, there is a shared folder called "ArchivDir" in which this data is stored using file transfer.

Audit Trail

It is not technically possible to modify the data archived by StoragePlus. With the StoragePlus Viewer, users only have read access to the archived data. For this reason, the CAS does not support an audit trail in the sense of 21 CFR Part 11. User activities in the View Editor and StoragePlus application events are nevertheless recorded. The recording of both activities can be reviewed in the "Log Viewer".

StoragePlus provides two log files that can be displayed with the Log Viewer in the administrator console:

- Application log: This presents the events recorded by StoragePlus when, for example, a backup is created or archives are connected or disconnected.
- Activity log: This contains the events recorded by StoragePlus as a result of operator input such as changes to the configuration or publishing views.

Configuration of Long-term Archiving

Transferring the Archive Data of OS Servers for Backup

The size of the entire short-term archive and the size of a single segment are set in the archive configuration of the OS servers. The backup is also activated here in the Backup Configuration tab. The default share name of the target folder following installation of StoragePlus is ArchiveDir. These settings need to be made for:

- Slow Archive (Tag Logging)
- Fast Archive (Tag Logging)
- Messages/Events (Alarm Logging)

An alternative destination path should not be specified; otherwise, transferred data will no longer be accessible to StoragePlus. If the target computer (StoragePlus computer) is not available for the transfer of completed segments for a limited time, the PCS 7 OS will attempt the transfer again later. This is possible without any loss of data for the time until segments in the short-term archive are overwritten again.

Transfer of OS Reports

With the report editor, PCS 7 OS allows configuration and online data to be printed out in the form of documentation. To make such reports available to StoragePlus as well, additional output in the form of *.emf files (printer settings) is necessary in the OS project used for the logging. For the transfer, there is a C script in Global Script > Standard Functions > Split Screen Manager with the name "StoragePlus_ExportReports". This standard script must be called by the user with a global action and cyclic trigger. The destination path for StoragePlus in this case is: " \\\<destinationcomputername>\\archivedir\\"

At cyclic intervals, the standard script checks whether a report has been output in the PRT_OUT folder of the project. Any *.emf files found are transferred and then deleted in the OS project. The long-term storage of OS reports would only be useful in the case of one-off reports that could not be recreated from individual archived events using suitable views in StoragePlus.

Transferring SIMATIC Batch Reports

To integrate SIMATIC Batch reports into the long-term archiving of StoragePlus, the batch data must be transferred manually on completion of a batch. The default in the SIMATIC Batch Control Center (BCC) can be found in "Options > Settings" in the "Customize" dialog. The option of saving as an XML file must be set in the "Archive" tab. The storage location is once again the shared folder of StoragePlus: \\<targetcomputername>\archivedir

An alternative destination path is not used for the reasons explained in the section on the OS servers.

Configuration of the StoragePlus Database

[Screenshot: Common area in the administrator console]

The backup size in MB relates to the space available on the intended memory medium such as a CD or DVD. The StoragePlus database then creates the database segments with approximately this size. A transfer is always straightforward if, for example, (keeping to the example of a CD) a backup size of 650 MB is selected while the medium to be used has 700 MB available.

The interval for the online archiving segment relates to the part of the database that integrates and arranges the incoming transferred files of the individual OS servers. When this time expires, a further database segment is opened until the set backup size is reached. This is then closed and a new segment created with the "opened" status. All the database files have the status "connected" to the StoragePlus database and created views can access them.

As of PCS 7 version V6.1, it is possible to add an identifier at the signal source in the CFC chart or in the process object view of the SIMATIC Manager that indicates how measured values will be archived:

- No archiving
- Archiving (short-term, storage on OS)
- Long-term archiving (storage on StoragePlus archive computer)

The setting "only long-term data" in StoragePlus filters out only the signals with this identifier. If this setting is missing, all the data of Tag Logging archived and transferred by the OS servers is included.

Transferring Archive Data (Backup)

"Closed" database segments can be transferred manually or automatically. Database segments are given the status "backed up & disconnected". As can be seen in the screenshot above, a device with a suitable writing program can be specified as the primary storage location. The data is transferred to an alternative location, for example a hard disk area on the secondary storage location, only when this primary device is not available.

The criteria for automatic storage include time periods that range from immediate transfer to delayed transfer, for example, only when a certain percentage of the hard disk is full. They must be selected taking into account their availability (status "connected") and the need to be able to display them in views.

In the Archive area of the administrator console, it is possible to transfer to backup manually using the "Backup" button. An overview of the content and statuses within the database is possible with the "Catalog" button.

Backing up Configuration Data

StoragePlus maintains a table of contents (AMT table) of all database files that have been created, without which access to backed up data (CD / DVD) is not possible. This data is necessary if the system needs to be restored (hard disk defective). To restore the system, the created views and other system settings are also necessary. All this configuration data is stored with the "Configuration Data", "Save" button.

Recommendation
Back up this configuration data regularly, for example each time archive data is transferred to backup.

Retrieving Data Backups

Database files that have already been transferred to backup can be returned to the database with StoragePlus using the "Connect" button (status backed up & connected). This allows views to access the time period of this data again. Data connected to the system again in this way can be disconnected again with the "Disconnect" button (status backed up & disconnected). Taking into account the available hard disk space, the user must decide how long data should be accessible to the system.

Restoring the System

To avoid data losses due to defects on hard disks, RAID systems must be considered first since they allow work to continue with the currently available data. Regular checks of the event log by the operating system and a RAID controller with adequate performance are additional requirements. Restoration on a new hard disk with a new installation of StoragePlus is also possible if the configuration data of StoragePlus is currently available. Data that has not yet been transferred to backup by StoragePlus is not lost, at least the part originating from the OS servers, since (depending on the overlapping of the times) it normally still exists in the part of the short-term archive on the OS servers that has not yet been overwritten. Manual transfer of the period in question to segments of the OS archive (*.ldf / *.mdf files) can reconnect this data to StoragePlus.

Data Displays

Views are preprogrammed and exist as:

- Diagram (trend display)
- Alarm (message display)
- Report (OS reports)
- Batch report

These off-the-shelf views are displayed using the Web Viewer. This means that the views must be "published" before they can be displayed on the StoragePlus computer. Created views adopt the rights of the user who created them. Changes can therefore only be made by this user. In View Management in the Administrator Console, however, other users can also be given this right.

For more detailed information, refer to the documentation "SPViewEditor" and "SPAdmin" that can also be found on the PCS 7 Toolset DVD in the "StoragePlus/Install/Documentation" folder. Since it is only possible to access the local PC with StoragePlus, the address for the Internet Explorer is at the start of the WebViewer.exe application. A login is necessary here if the user is not already logged on with the Windows operating system.

Long-term Archiving with SIMATIC IT Historian

Will follow in the next version of this document.

4.25 Data Exchange with the Plant Management Level

Data exchange with the plant management level must be handled by system functionality. Various possibilities are available for this, ranging from the standard OPC connection and the OPC Direct Access connection to the OPC Historical Data Access connection.

Data exchange with Connectivity Pack

The Connectivity Pack from SIMATIC PCS 7 gives the plant management level standardized access to the process control system. The following mechanisms are used:

- OPC Direct Access (online access to process values and process states), OPC DA. Process parameters can be modified and current states queried.
- OPC Historical Data Access (historical access to the process value archive), OPC HDA. All or selected process value archives can be read out. The process value archives can be read out cyclically or user-controlled to correspond to certain events or at certain specific times. It is not possible to write to the process value archives.
- OPC Alarms and Events (historical access to the message archive), OPC A&E. All or selected messages can be read out. The message archive can be read out cyclically or user-controlled to correspond to certain events or at certain specific times. It is not possible to write to the message archive.

The data exchange is handled as shown in the schematic below. Process values and control statuses are recorded online. Depending on the specifications, the online process values and messages (alarm, warning, system message, operator messages etc.) are entered in the short-term Tag Logging and Alarm Logging archive for the defined short-term archiving time and are then available to be read from the plant management level.

Configuration of the Connectivity Pack

It is not necessary to configure the Connectivity Pack in SIMATIC PCS 7.

4.26 Uninterruptible Power Supply

An uninterruptible power supply (UPS) is a system for buffering the main power supply. If the power supply fails, the battery of the UPS supplies the required power. When the power supply returns, the UPS battery stops supplying power and is recharged. Some UPS systems provide the option of main power supply monitoring in addition to the buffering function. They guarantee an output voltage at all times without interference voltages.

UPS systems are necessary so that process and audit trail data can continue to be recorded during power failures. The design of the UPS must be agreed with the system user and must be specified in the URS, FS or DS. The following points must be considered:

- Energy requirements of the systems to be supplied
- Power of the UPS
- Required duration of UPS buffering

The energy requirements of the systems to be buffered decide the size of the UPS. A further selection criterion is the priority of the systems. Systems with high priority include:

- Automation system (AS)
- Archive server
- Operator station (OS) server
- Operator station (OS) clients
- Network components

Field devices that generally have relatively high energy requirements may also be included in the buffering depending on the power of the UPS. This must be decided in consultation with the system user and related to the classification of the process. Whatever is decided, it is important that the systems for logging data are included in the buffering. The time at which the power failure occurred should also be recorded.

The use of UPS systems involves the installation of software. This must be installed and configured on the PC-based computers of the process control system to be buffered:

- Configuration of the power failure alarms
- Stipulation of the time before the PC is shut down
- Stipulation of the time during which UPS buffering is provided

The automation systems (AS) must be programmed so that the process control system changes to a safe state after a selectable buffer time if a power failure occurs.

Due to the different requirements of the various devices involved, three classes have established themselves as stipulated by the International Engineering Consortium (IEC) in product standard IEC and the European Union EN :

Standby or offline UPS

[Block diagram: input, filter, switch, output, rectifier, charging, battery, inverter]

The simplest and least expensive UPS systems (according to IEC , UPS class 3) are standby or offline UPS systems. They protect only against power outages and brief voltage fluctuations and peaks. Undervoltage and overvoltage are not compensated. Offline UPS systems switch to battery supply automatically if there is overvoltage or undervoltage.

Line-interactive UPS

[Block diagram: input, filter, electronic changeover switch, voltage regulator, output, battery, charging, inverter / charge control, inverter]

The way in which line-interactive UPS systems (according to IEC , class 2) function is similar to standby UPS systems. They protect against power outage and brief voltage peaks and can compensate voltage fluctuations continuously using filters.

Online UPS

[Block diagram: input, filter, bypass, output, rectifier, charging, battery, inverter]

Double conversion or online UPS systems (according to IEC , class 1) count as genuine power generators that continuously generate their own line voltage. Connected consumers are therefore supplied permanently with line power without restrictions. At the same time, the battery is charged.

Configuration of Uninterruptible Power Supplies

Uninterruptible power supplies (UPS) must be configured for the specific case and described in the URS, DS or FS. The two screenshots below are examples of the configuration of a UPS in Windows 2000/2003/XP.

The following table describes an example of the configuration of an uninterruptible power supply for an operator station in a process control system. The same basic procedure can be used with the automation systems (AS).

Case 1
Action: Power outage <10 seconds
Reaction: The process control computers are buffered by the UPS. An alarm using a digital input in the process control system documents the power down.

Case 2
Action: Power outage >20 minutes. Power returns after 25 minutes
Reaction: The process control computers are buffered by the UPS, for example for 20 minutes. An alarm in the PCS documents the power outage and the shutdown of the process control computers after 20 minutes. The UPS stops supplying power after a defined time (for example 25 minutes) so that an independent restart of the process control system computers is possible following return of the power supply.

Case 3
Action: Power outage > 1 hour
Reaction: The process control computers are buffered by the UPS, for example for 20 minutes. An alarm in the PCS documents the power outage and the shutdown of the process control computers after 20 minutes. The UPS stops supplying power after a defined time so that an independent restart of the process control computers is possible when power returns.

UPS Configuration over Digital Inputs

In addition to the standard backup provided by UPS devices, the option of monitoring the power supply should be used. This is done by monitoring the phase over one or more digital inputs. The advantage of this is that power downs can be registered, signaled and archived.

[Figure: phases L1, L2, L3, N; phase monitoring module; 24 V UPS module; 24 V phase monitoring / fail-safe input; 220 V UPS module; 24 V PS module; AS CPU 41x; Ethernet CP; digital input card; OS server]

UPS backup load voltage

The automation system CPU is supplied with power by the UPS module, for example 24 V, during voltage dips and longer power outages. The phase monitoring module monitors the status change during a power down from a digital input that should be designed as a fail-safe input signal. If a power down occurs, an additional alarm is available to inform the operator of the power down (alarm message). By logging it in the message system, this power down can then be used for subsequent investigations. With power down concepts, safety-related statuses can also be implemented immediately or after a certain delay (for example, equipment phase hold, establishing a safe plant status even after return of power etc.).

UPS backup main power supply

As well as phase monitoring, the OS server is also backed up by standard UPS modules, for example 220 V. This ensures that the server remains operational even following a power down. The operator is made aware of the power down by the UPS backup, for example by an alarm message. Safe statuses can be initiated by the operator or by automated concepts. The reliable shutdown of the OS server can be indicated and initiated by PCS 7 alarm messages if the power does not return within a specified time. This functionality increases the availability of the system when power returns.

4.27 Creating SCL, C, VB Scripts

SCL, C, and VB scripts are programs written by the user that count as class 5 in the software categorization. This type of software is developed to meet customer-specific requirements that cannot be covered by the standard library.

Sequence of creating category 5 software:

1. Creation of a functional description for the software
2. Specification of the function blocks used
3. Specification of the inputs and outputs used
4. Specification of the operator control and monitoring capability of the block

Caution
The creation of category 5 software should be avoided because it significantly increases the test and validation effort.

4.28 SIMATIC PCS 7 Add-Ons

Install only released and approved add-ons on a SIMATIC PCS 7 system. For more detailed information, refer to Chapter 5 "Supporting Functions during Qualification".

Note
You will find an overview of the approved SIMATIC PCS 7 add-ons in the current Add-Ons catalog ST PCS 7.A or CA01 catalog. More detailed information is available on the Internet at:


5 Supporting Functions during Qualification

5.1 Introduction

The graphic below shows the life cycle model. The focus of this chapter, selection criteria, is typified by system test / qualification.

The aim of qualification is to provide documented proof that the system was set up according to the specifications and that all specified requirements have been met. The qualification describes, executes and finally evaluates all the activities necessary for this. Various standard functionalities of SIMATIC PCS 7 can be used as support in qualification during IQ and OQ.

5.2 Qualification of Automation Hardware

The design specification of installed hardware is used to set up the system according to detailed stipulations, and adherence to these specifications must be verified during the subsequent system tests. The design specification describes all the hardware components used with information such as order number, firmware version, installation location, serial number etc. Components such as the servers and clients used, interfaces to automation systems etc. are also listed.

Qualification of Field Devices

In the qualification of field devices, checks are necessary to ensure that the stipulations of the Hardware Design Specification were implemented. This means verifying the following:

- Manufacturer
- Order number
- Serial number
- Function of the field device
- Destination location
- Tag name
- Type of connection electrical / bus type
- Physical connector type
- Address number
- Unit of measure
- Measuring range

Note
The asset management of SIMATIC PCS 7 can be used in support to verify that the hardware used matches the Design Specifications. A visual inspection of the field device can be performed at the same time.

Qualification of the Automation Hardware

In the qualification of automation hardware, checks are necessary to ensure that the stipulations of the Hardware Design Specification were implemented. All the hardware components as specified in the hardware configuration of SIMATIC PCS 7 must be configured. This includes:

- Number of racks
- Verifying the hardware components used (CPU, CP, etc.)
- Number of distributed I/O stations
- Interfaces to other systems
- Verifying the order numbers of the hardware used
- Address description
- Symbolic naming of inputs/outputs etc.

Note
The hardware configuration (HW Config) can be printed out and used to verify qualification (IQ/OQ) of the installed hardware components. A visual check of the installed hardware can be made at the same time. The hardware used must match the switching cabinet documentation.

Qualification of the Network Structure

In the qualification of the network structure, checks are necessary to ensure that the requirements defined in the Hardware Design Specification were implemented. All the connections must be configured in the SIMATIC NetPro configuration of SIMATIC PCS 7. This includes:

- Name of: station, PC, AS, clients etc.
- Communications modules, type of connection and communication partner (Ethernet, PROFIBUS, serial etc.)
- MAC address (when using the ISO protocol on the plant bus)
- TCP/IP address and subnet mask (when using clients)
- PROFIBUS addresses etc.

Note
The SIMATIC NetPro configuration can be printed out and used to verify qualification (IQ/OQ) of the configured network structure. A visual check of the configured network structure can be made at the same time.

Specification of the PC Hardware Used

In the qualification of the PC hardware used, checks are necessary to ensure that the stipulations of the Hardware Design Specification were implemented. The PC pass is useful for qualification. The PC pass should list all installed hardware and software components. This includes:

- Order number of the PC hardware used
- Additionally installed hardware components (additional network card, printer, etc.)
- Checking the configured network addresses, screen resolution, etc.

Note
The PC pass can be printed out and used to verify qualification (IQ/OQ) of the PC hardware used. A visual check can be performed at the same time.

5.3 Qualification of Automation Software

Qualification of Standard Software

In the qualification of the standard software used, checks are necessary to ensure that the requirements defined in the Software Design Specification were implemented. This includes:

- Operating system
- SIMATIC IT server, SIMATIC PCS 7 standard basic packages (OS server, OS client, CAS, Engineering system, BATCH server, BATCH client etc.)
- SIMATIC standard options (SIMATIC PDM, SIMATIC Logon, SFC Visualization etc.)
- Standard libraries

Note (operating system)
The installed software can be verified by operating system functions. The information can be found in the Control Panel > Add/Remove Programs. All installed software components are displayed here. A screenshot can be printed and used for the qualification (IQ/OQ).

Note (SIMATIC software)
The verification of installed SIMATIC software can be performed with the "Installed software" software tool. The tool provides information on the currently installed SIMATIC software on the computer. The installed components can be printed and used for the qualification (IQ/OQ). For more information, refer to Section "System Programs from SIMATIC PCS 7".

Note (software licenses)
The "Automation License Manager" SIMATIC tool provides information on the licenses currently installed on the process control system PC. To view the licenses, open the Automation License Manager and select the PC partition on which the licenses are installed on the left-hand side of the Explorer bar. On the right-hand side of the window, all available licenses of the system are now displayed. The installed licenses can be printed and used as documentation for the qualification (IQ/OQ). For more information, refer to Section "Installed Authorizations of SIMATIC PCS 7".

System Programs from SIMATIC PCS 7

When SIMATIC PCS 7 is installed, the current status of the installed system programs is saved in the "citamis.str" file. Reinstallations are also documented. The "citamis.str" file is located in the WINNT folder.

The following screenshot shows an excerpt of the "citamis.str" file. The file is structured so that the product name is recorded first. This is followed by the version, the time, and the date stamp of the installation. The ----> symbol means that the installation was completed successfully. If this symbol is missing, installation was not completed successfully and must be repeated.

The "Installed software" tool (Simatic > Product Notes > Installed software) provides information on the currently installed SIMATIC software on the computer.

The following screenshot "Installed SIMATIC software" shows the installed software products, software components, and DLLs on the local computer. This information can, for example, be used to include the installed software in the Installation Qualification.

Installed Authorizations of SIMATIC PCS 7

The Automation License Manager program provides information on the installed licenses on the PCS computer. The installed licenses must match the requirements defined in the specification.

Qualification of the Application Software

In the qualification of application software, checks are necessary to ensure that the requirements defined in the Software Design Specification were implemented. Test descriptions must be agreed with the user (for example for FAT/SAT) and generated. These test descriptions must be created individually to meet the software design stipulations. As a minimum, the following must be checked and tested and can be used as a reference for the qualification:

- Checking the name of the application software
- Checking the plant hierarchy (process cell, unit, equipment module, single control element etc.)
- Software module test (typical test)
- Checking communication with other nodes (third-party controllers, MES systems etc.)
- Checking all inputs and outputs
- Checking all control modules (control module level)
- Checking all equipment phases and equipment operations (equipment phase)
- Checking the relationships between modes (MANUAL/AUTOMATIC changes, interlocks, start, running, held, aborting, completed, etc.)
- Checking the process tag names
- Checking the visualization structure (P&I representation)
- Checking the operator input philosophy (access control, group permissions, user rights)
- Checking archiving concepts (short-term archives, long-term archives)
- Checking the message concept
- Checking trends, graphs
- Checking time synchronization


6 Additional Hardware / Software Components

6.1 Time Synchronization

Time synchronization is an important feature in automated systems in a GMP environment. During the interaction between several automation systems (AS) and/or several operator stations (OS), messages, alarms, trends, and audit trail data must be archived with synchronized time stamps.

The Siemens SICLOCK system provides the option of time synchronization by receiving highly accurate time signals (GPS or DCF77). When using GPS, the time information (Greenwich Mean Time) of the GPS satellite system is evaluated. Due to the high operating frequency (1.574 GHz), there is good reception even in rough environments. The reception of time information provided by the German time signal transmitter DCF77 on long wave 77.5 kHz in Mainflingen near Frankfurt is restricted to central Europe within a radius of approximately km around Frankfurt/Main. It is suitable for industry due to the extremely narrow bandwidth of the installed receiver.

In small to medium sized automated systems, the PCS 7 operator station can be used as the time master. In this case, a suitable antenna is connected directly to the COM port of the personal computer.

In larger systems, the time is synchronized using SICLOCK TM/TS. The SICLOCK TM/TS central system clocks supply several PCs or automation systems (AS) with a highly accurate time over Industrial Ethernet. SICLOCK TS provides the same functions as SICLOCK TM, but does not have the additional interfaces for IRIG A, B and J. If the antenna fails, the SICLOCK TM/TS central clocks switch automatically to quartz operation and therefore still retain a high degree of accuracy.

Note
When using time signals (GPS or DCF77) with automatic daylight-saving / standard time adjustment, the automatic daylight-saving / standard time adjustment must also be activated in the operating system of the process control computer so that all messages are archived with the correct time stamps. This adjustment must be activated in the Control Panel > Date/Time > Time Zone tab.
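The following added example (not part of the Siemens manual) shows one way to check archived time stamps for the two failure modes this section describes: a station whose daylight-saving adjustment is not activated, and a station whose clock has drifted. The record layout, station names, event IDs and the 1-second tolerance are assumptions made for the example; the sample records are constructed.

```python
"""Added example: classify per-station clock offsets from archived time stamps."""
from collections import defaultdict
from datetime import datetime
from statistics import median

TOLERANCE_S = 1.0     # assumed acceptance limit; use the value from your specification
DST_SHIFT_S = 3600.0  # daylight-saving and standard time differ by one hour

# Constructed sample: the same process events as archived by several stations.
# Assumed layout: station;event id;time stamp. OS1 acts as the time master.
SAMPLE_RECORDS = """\
OS1;EVT-001;2006-07-14 10:00:00.120
AS1;EVT-001;2006-07-14 10:00:00.080
OS2;EVT-001;2006-07-14 09:00:00.310
AS2;EVT-001;2006-07-14 10:00:04.300
OS1;EVT-002;2006-07-14 10:05:30.450
AS1;EVT-002;2006-07-14 10:05:30.400
OS2;EVT-002;2006-07-14 09:05:30.600
AS2;EVT-002;2006-07-14 10:05:34.700
OS1;EVT-003;2006-07-14 10:12:10.000
AS1;EVT-003;2006-07-14 10:12:10.050
OS2;EVT-003;2006-07-14 09:12:10.200
AS3;EVT-009;2006-07-14 10:20:00.000
"""


def parse_records(text):
    """Return {event_id: {station: datetime}} from 'station;event;timestamp' lines."""
    events = defaultdict(dict)
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        station, event_id, stamp = parts
        events[event_id][station] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")
    return events


def station_offsets(events, reference):
    """Median offset in seconds (station minus reference) over shared events."""
    deltas = defaultdict(list)
    stations = set()
    for by_station in events.values():
        stations.update(by_station)
        ref_time = by_station.get(reference)
        if ref_time is None:
            continue  # event not archived by the time master, nothing to compare
        for station, stamp in by_station.items():
            if station != reference:
                deltas[station].append((stamp - ref_time).total_seconds())
    stations.discard(reference)
    return {s: (median(deltas[s]) if deltas[s] else None) for s in sorted(stations)}


def classify(offset):
    """Map an offset to a verdict; a shift of about one hour points to DST settings."""
    if offset is None:
        return "no shared events"
    if abs(offset) <= TOLERANCE_S:
        return "in sync"
    if abs(abs(offset) - DST_SHIFT_S) <= TOLERANCE_S:
        return "dst mismatch"
    return "out of tolerance"


def audit(text, reference="OS1"):
    """Return {station: (median offset in seconds or None, verdict)}."""
    offsets = station_offsets(parse_records(text), reference)
    return {s: (off, classify(off)) for s, off in offsets.items()}


if __name__ == "__main__":
    for station, (offset, verdict) in audit(SAMPLE_RECORDS).items():
        shown = "n/a" if offset is None else f"{offset:+.3f} s"
        print(f"{station}: {shown} -> {verdict}")
```

A station reported as "dst mismatch" is the case the note above addresses; "out of tolerance" indicates a station that is not following the time master.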

6.2 Solutions for Special Automation Tasks

The modularity, flexibility, scalability and openness of SIMATIC PCS 7 lay the foundations for the use of additional hardware components or the use of software packages for special processes. SIMATIC PCS 7 offers numerous additional components known as PCS 7 add-on products. PCS 7 add-on products are software packages and hardware components tailored to the requirements of specific applications.

Hardware Components

Special solutions are required to interface hardware components that do not exist in the SIMATIC hardware manager. These components can be integrated using specially created device master data (GSD). Examples of the integration of these hardware components include:

- Integration of weighing modules (SIWAREX)
- Integration of frequency converters for drives (master drives, micromaster etc.)
- Integration of user-specific field devices

To keep the validation effort to a minimum, tested and described hardware components from the PCS 7 Add-on catalog should be given preference.

Software Packages

For the configuration phase, a variety of blocks are available in the PCS 7 standard libraries. If additional blocks are necessary to configure special processes or functions, the block libraries (function blocks FBs, functions FCs and data blocks DBs) from the PCS 7 Add-on catalog should be used whenever possible. Compared with user-created blocks, these significantly reduce the validation effort.

The PCS 7 block libraries for technological functions are examples of software packages of the PCS 7 Add-on catalog. These blocks cover a wide spectrum and were developed specially for the requirements of the pharmaceutical and chemical branches. Among other things, the block library provides functions for controlling valves, motors and closed-loop controllers.

Note
The "SIMATIC PCS 7 Add-ons for the Process Control System SIMATIC PCS 7" catalog contains solutions for various areas of application such as the pharmaceutical industry. If special solutions are required that cannot be handled by these functions, you will find addresses of persons to contact in the catalog. The scope of validation of SIMATIC PCS 7 add-on products in terms of validation stability must be checked and specified in cooperation with the system user.

6.3 SIMIT Simulation Software

The SIMIT simulation software allows a software test on a simulation platform without needing the actual field devices. SIMIT simulates field devices and allows not only simple signal tests at the touch of a button but also complex tests at the drive level.

Along with the S7-PLCSIM programmable controller simulation software for simulating the CPU of an automation system, cost-effective software tests can be performed without automation systems (AS) and field devices. This means, for example, that a Factory Acceptance Test (FAT) can be performed by the software provider. The Factory Acceptance Test is used to detect and fix possible bugs prior to commissioning and brings about a reduction in the commissioning time.

6.4 Using MASTERGUARD UPS Systems

All MASTERGUARD UPS systems belong to the online UPS category. They supply an output voltage free of noise, electromagnetic interference, frequency variations, and voltage distortion. For more detailed information on MASTERGUARD, refer to the CA01 catalog. UPS systems from Masterguard can be ordered directly from Siemens in the A&D Mall on the Internet:

MASTERGUARD UPS systems are available in the following series:

- Series A: The online MASTERGUARD UPS devices kVA as standalone device.
- Series A-19: Suitable for installation in 19-inch racks; power range: (0.7-3 kVA). Advantage: low installation height, simple expansion and system integration.
- Series E I: Powerful online technology (6-20 kVA) with single- or three-phase current input; the backup time can be extended by using suitable battery packs.
- Series E I 19: Online technology with 6 kVA output power for compact installation in 19" racks requiring only 3 height units.
- Series C: Online technology (10-60 kVA) with 3-phase input and output; technical peak values and optimum connectivity (extremely cost-effective). Additional variant with input transformer and integrated batteries or available as 208 V version.
- Series S III: Top of the range MASTERGUARD UPS devices ( kVA) with 12-pulse rectifier and input filter (standard for kVA); for greater power requirements and particularly critical applications; connected in parallel supplying up to 6400 kVA.

When selecting UPS systems, not only the performance but also the installation site is important. The UPS system can be included in the rack planning or can be used as a "standalone" device in control rooms.

For small to medium sized process control systems, UPS systems of series A are suitable. These are used to back up computers of both the switching cabinet types and desktop types. For larger process control systems in which the field devices are also included in the backup, UPS systems of series E, C and S III should be used.

Glossary

A

Access Protection
Access protection involves the enabling or disabling of certain functions for the user at the operator stations of the process control system.

Audit trail
The audit trail is a system control mechanism that monitors access to data. Every access must be documented.

Automation system (AS)
An automation system is a programmable logic controller (PLC) in SIMATIC S7, a complete device (PLC with integrated control unit) in SIMATIC C7 or a SIMATIC M7 automation system.

B

Block
Blocks are separate parts of a user program that are distinguished by their function, their structure or purpose. CFC operates with "off the peg" block types that can be inserted in a CFC chart. When you insert the block, an instance of the block type is created. These block instances and their graphic representation are blocks in the sense of CFC.

Bus
A path for electrical systems allowing the exchange of data and control information between various components of a computer architecture.

Bus system
Generic term for hardware components and the transmission specification for buses.

C

Chart
Software object in which continuous automation functions can be created with the CFC configuration tool or sequential control systems with SFC.

CFC
Continuous Function Chart.
1. Continuous function chart (CFC chart) with the graphic interconnection of technological functions (blocks).
2. A software package (CFC editor) for plant-oriented, graphic configuration of an automation task. Using CFC, ready-made blocks are put together to form an entire software structure (CFC chart).

CFR
Code of Federal Regulations. The Code of Federal Regulations is the statute book of the United States of America. Title 21 (abbreviated to 21 CFR) deals in particular with the regulations for the branches foodstuffs, drugs, and cosmetics. 21 CFR Part 11, which deals with electronic records and electronic signatures, is particularly important for process control engineering.

Cycle time
The cycle time is the time that the operating system requires to execute the program once; in other words, one OB 1 run through and all the interrupting program sections and system activities.

Component View
Device-oriented view in the SIMATIC Manager. The project is displayed with its components (station, module, program...); alternative to the plant view.

CPU
Central Processing Unit. Module in a programmable controller or automation system with control and arithmetic unit, memory and operating system. The user programs are stored and executed in the central processing unit.

D

DCF 77
Time transmitter in Frankfurt/Mainflingen. This provides the highly accurate official time for the Federal Republic of Germany based on a cesium clock.

E

Electronic records
Electronic records are recordings that are stored in electronic form.

Electronic signature
Electronic signatures are computer-generated characters or strings that count as the legal equivalent of a handwritten signature.

ES
Engineering Station. Station for configuring an automation process.

ET 200M
This is a modular I/O system for single-tier configuration with the degree of protection IP 20. The ET 200M can be extended with the signal, function and communication modules of the S7-300 programmable controller. Communication between ET 200M and the AS is over PROFIBUS DP.

F

Faceplate
A software block written in Visual Basic or Visual C that allows a block instance to be controlled and monitored during run-time on an operator station.

FAT
Factory Acceptance Test. The factory acceptance test is an initial verification of the automation system at the system provider's premises. The test is carried out prior to commissioning so that bugs can be fixed before starting the installation.

FDA
Food and Drug Administration. The Food and Drug Administration (FDA) is the organization responsible for regulations regarding food and medicines in the United States of America.

Fault-tolerant connection
An AS (S7-400H) in which all the essential components exist twice. If one of the subsystems fails (for example a component failure) the other takes over automation of the plant without any interruption.

Function (FC)
According to IEC , functions are logic blocks without memory. A function allows parameters to be passed on in the user program. Functions are ideally suited for programming commonly occurring complex functions, for example calculations. Note: As there is no memory available, the calculated values must be processed immediately following the FC call.

Function block (FB)
According to IEC , a function block is a logic block with static data. An FB allows you to pass parameters in the user program. This means that function blocks are suitable for programming complex functions that are required frequently, for example controllers, operating mode selection. As function blocks have a memory (instance data block), their parameters (for example outputs) can be accessed at any time and any point in the user program.

G

GAMP
Good Automated Manufacturing Practice. The GAMP 4 guideline for validation of automated systems provides instructions and templates to help and support companies from the pharmaceutical, biotechnical and medical equipment industries to set up qualified or validated automation systems.

GMP
Good Manufacturing Practice. Good manufacturing practice ensures that products are produced and tested according to consistent quality standards.

GPS
Global Positioning System. Satellite system for precise localization of positions on the earth. GPS satellites orbit the earth at a height of approximately km in different orbits. Each satellite has a highly accurate atomic clock.

H

Hot Restart
When an S7 CPU starts up (for example after changing the mode selector from STOP to RUN or when the power supply is turned ON), before cyclic program execution (OB1) is started, either organization block OB 100 (warm restart), organization block OB 101 (hot restart, only on the S7-400) or OB 102 (cold restart) is executed (see Startup of an S7-CPU). In a warm restart the process image of the inputs is read in and execution of the STEP 7 user program is continued at the point at which it was last stopped (STOP, power down). The "hot restart" is only possible when the CPU is battery-backed. Note: All data areas (timers, counters, memory bits, data blocks) and their contents are retained.

I

I/O
Input and output signals of the controller.

I&C process tag list
Instrumentation and control process tag list. Standardized name for graphic symbols and identification letters in process control engineering.

Import/Export Assistant (IEA)
Software component in PCS 7 for handling models and generating replicas of the models.

Interconnection (CFC)
Connection between an interface I/O and another element. The value of an interconnected input is fetched from the other end of the interconnection during runtime.

IQ
Installation Qualification. The purpose of an installation qualification (IQ) is to verify the correct installation of an automation system.

L

Library
A folder for objects that can be used more than once and that is not project-related. Blocks are made available according to certain criteria (block families, alphabetical arrangement etc.) in block libraries. Different block libraries are used depending on the target system or particular situation.

Lifebeat Monitoring
Program belonging to the run-time system (operator station) for monitoring the automation systems, OS servers and OS clients connected to an OS server. The connected systems are visualized in a plant picture.

M

Master Data Library
Library in a multiproject for storing project master data. The project master data are the following items that will be used in the project and may need to be adapted:
- Block types
- Process tag types
- Models

Message types (OS message system)
Message types are subgroups of message classes and can differ from each other in the color selected for the message status. You can create up to 16 message types in each message class on the OS.

Message blocks (OS message system)
Status changes of a message are displayed in run time in a message line. The information to be displayed in the message line is specified using message blocks. There are three different types of block:
- System blocks (for example, date, time, period, comment,...) allow predefined and not freely usable information to be specified. They are displayed in the message line.
- User text blocks allow you to assign up to ten freely definable texts to a message that are displayed in the message line when the message occurs.
- Using process value blocks, you can display the values of variables in the message line. You can also define the formatting used.

Messages
A message system is used for the chronological signaling and archiving of sporadic events occurring in the process at a central location. The cause of a message can be an event or a message frame. In general, a distinction is made between operating messages, fault messages, and system messages. Operating messages are used to indicate a status in the process. Fault messages are used to indicate a problem in the process. System messages are used to indicate error messages from other applications. In the message system (Alarm Logging), messages that behave in a similar way (acknowledgment philosophy, color scheme for message states) can be grouped together in message classes and message types.

MOD
Magneto Optical Disc, storage medium for data archiving of the process control system.

Model
A model consists of hierarchy folders with CFC/SFC charts, pictures, reports, and additional documents from which any number of replicas can be created.

Multiproject
Folder for all projects of an automation solution. Cross-project functions can be used in projects that are part of a multiproject.

N

NAMUR
NAMUR is the process control engineering association of the chemical and pharmaceutical industry. It is an organization of users in process control engineering. Manufacturers of process control technology are not represented in NAMUR.

NAMUR recommendations
The NAMUR recommendations and work sheets are reports of experience and working documents that the NAMUR association for process control engineering in the chemical and pharmaceutical industry prepares for its members.

O

Operating message
Following a change made to a parameter on the operating station, the parameter, the old value, the new value, and, if applicable, the unit of the value are displayed in a message page.

Operating System
A collective term for all functions which, in conjunction with the hardware, control and monitor the execution of the user programs, the distribution of the operational equipment among the individual user programs, and the maintenance of the operating mode (for example standard operating systems Microsoft Windows, realtime operating system M7 RMOS32).

OQ
Operational Qualification. The purpose of the operational qualification (OQ) is to verify the correct functioning of the automation system.

OS
Operator Station. A station for controlling and monitoring the process. In PCS 7, the WinCC software system is used for the OS with which all the process monitoring and control functions can be implemented.

P

Parameters
A parameter is:
- the value of a CFC block/chart I/O.
- a variable of an S7 logic block (actual parameter, formal parameter)

P&ID
Piping and instrumentation diagram. A diagram in which the components required for a plant and the connections between them are stipulated.

PCS
Process Control System. A process control system consists of at least one automation system (AS) and at least one operator station (OS) networked over a bus system.

Plant Hierarchy (PH)
Program structure organized in the form of a hierarchy according to technological aspects.

Plant View
View in the SIMATIC Manager according to technological aspects (plant, unit, function...); an alternative to the component view.

PQ
Performance Qualification. The purpose of the performance qualification (PQ) is to verify the performance of the automation system.

Process tag type
A process tag type is created to duplicate process tags. The process tag type can be instantiated in the form of replicas.

PROFIBUS
PROcess Field Bus. A fieldbus complying with EN Vol. 2 PROFIBUS (DIN 19245; bus system for industrial application based on PROFIBUS).

Project
A folder containing all the objects belonging to an automation solution regardless of the number of stations, modules and how they are networked.

R

Replicas
During import with the Import/Export Assistant, replicas are created from the models. Each line in an import file creates a replica in the destination project. Among other things, a replica differs from the model (or from a copy of the model) because it has an assignment to a model instead of to an import file.

Runtime
Process control; the operator controls and monitors the process online on the operator station (OS).

S

SAT
Site Acceptance Test. The purpose of the site acceptance test is to verify the automation system at the premises of the system user during the commissioning phase.

SCL
High-level language complying with IEC and resembling Pascal for programming complex tasks on a PLC, for example algorithms, data processing tasks.

Script
A program written in ANSI-C for solving user tasks. Scripts run cyclically/acyclically in the background of the OS run-time or following an event (for example mouse click) on a picture object within a plant picture.

SFC
Sequential Function Chart. An SFC chart represents a sequential control system that runs as an independent sequence on the programmable logic controller.

Sign-of-life monitoring
See Lifebeat Monitoring.

SIMATIC BATCH
Software for automating recipe-controlled batch processes. As a functional unit, SIMATIC BATCH and SIMATIC PCS 7 fully cover the models described in the ISA S88.01 standard.

SIMATIC Manager
The SIMATIC Manager is the central engineering tool. With the SIMATIC Manager, for example, you create projects and access libraries.

Source
Part of a program created with a graphic or textual editor and from which the executable user program is produced following compilation.

Statement List (STL)
Statement List is a text-based programming language resembling machine code (complying with IEC ).

T

Tag Logging
An editor in the control center of the OS for creating and editing trends.

Time synchronization
An editor in the control center of the OS. Time synchronization makes sure that all the PLCs and operating stations of the bus operate with the same time of day (time of day synchronization).

U

UPS
Uninterruptible Power Supply. An uninterruptible power supply (UPS) is a system for buffering the main power supply. If there is a power outage, the power supply remains available for a certain time. Some UPS systems also provide the option of line voltage monitoring and therefore an output voltage free of interference.

User Administrator
Editor in the control center of the OS for creating and editing access permissions for operator control and monitoring during runtime.

User program
The user program contains all the statements and declarations and the data required for signal processing to control a plant or a process. The program is assigned to a programmable module (for example, CPU, FM) and can be structured in smaller units. In S7, the user program on the ES consists of the symbol table, the source files, the blocks and the charts.




More information

UNICORN 7.0. Administration and Technical Manual

UNICORN 7.0. Administration and Technical Manual UNICORN 7.0 Administration and Technical Manual Page intentionally left blank Table of Contents Table of Contents 1 Introduction... 1.1 Administrator functions overview... 1.2 Network terms and concepts...

More information

OMCL Network of the Council of Europe QUALITY ASSURANCE DOCUMENT

OMCL Network of the Council of Europe QUALITY ASSURANCE DOCUMENT OMCL Network of the Council of Europe QUALITY ASSURANCE DOCUMENT PA/PH/OMCL (08) 69 3R Full document title and reference Document type VALIDATION OF COMPUTERISED SYSTEMS Legislative basis - CORE DOCUMENT

More information

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken. Multi-User Systems 1 ArchiveServer 2 SIMATIC HMI WinCC V7.0 SP1 File Server 3 WinCC ServiceMode 4 Redundant Systems 5 System Manual Print of the Online Help 11/2008 Legal information Warning notice system

More information

Considerations When Validating Your Analyst Software Per GAMP 5

Considerations When Validating Your Analyst Software Per GAMP 5 WHITE PAPER Analyst Software Validation Service Considerations When Validating Your Analyst Software Per GAMP 5 Blair C. James, Stacy D. Nelson Introduction The purpose of this white paper is to assist

More information

Thermal Analysis. http://www.fda.gov. Subpart A General Provisions 11.1 Scope. 11.2 Implementation. 11.3 Definitions.

Thermal Analysis. http://www.fda.gov. Subpart A General Provisions 11.1 Scope. 11.2 Implementation. 11.3 Definitions. Thermal Analysis 21 CFR 11 Compliance 21 CFR Part 11 Electronic Records; Electronic Signatures General concept The U.S. Federal Food and Drug Administration (FDA) has issued regulations that provide criteria

More information

Full Compliance Contents

Full Compliance Contents Full Compliance for and EU Annex 11 With the regulation support of Contents 1. Introduction 2 2. The regulations 2 3. FDA 3 Subpart B Electronic records 3 Subpart C Electronic Signatures 9 4. EU GMP Annex

More information

UNICORN 6.4. Administration and Technical Manual

UNICORN 6.4. Administration and Technical Manual UNICORN 6.4 Administration and Technical Manual Page intentionally left blank Table of Contents Table of Contents 1 Introduction... 1.1 Administrator functions overview... 1.2 Network terms and concepts...

More information

DeltaV Capabilities for Electronic Records Management

DeltaV Capabilities for Electronic Records Management January 2013 Page 1 DeltaV Capabilities for Electronic Records Management This paper describes DeltaV s integrated solution for meeting FDA 21CFR Part 11 requirements in process automation applications

More information

Validity 1. Improvements in STEP 7 2. Improvements in WinCC 3. Simatic. Readme. Readme

Validity 1. Improvements in STEP 7 2. Improvements in WinCC 3. Simatic. Readme. Readme Validity 1 Improvements in STEP 7 2 Simatic Improvements in WinCC 3 2012 Legal information Warning notice system This manual contains notices you have to observe in order to ensure your personal safety,

More information

System approach to archiving and reporting

System approach to archiving and reporting System approach to archiving and reporting SIMATIC Process Historian 2014 SIMATIC Information Server 2014 siemens.com/simatic Answers for industry. Efficient production management and analysis The modern

More information

EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL. EudraLex The Rules Governing Medicinal Products in the European Union

EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL. EudraLex The Rules Governing Medicinal Products in the European Union EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL Public Health and Risk Assessment Pharmaceuticals Brussels, SANCO/C8/AM/sl/ares(2010)1064599 EudraLex The Rules Governing Medicinal Products

More information

SIMATIC. Process Control System PCS 7 SIMATIC BATCH. Preface, Contents

SIMATIC. Process Control System PCS 7 SIMATIC BATCH. Preface, Contents s Preface, Contents SIMATIC Process Control System PCS 7 Manual What's New in SIMATIC BATCH? Product introduction and installation 2 Technological basics in accordance with ISA S88.01 3 1 Introduction

More information

GAMP5 - a lifecycle management framework for customized bioprocess solutions

GAMP5 - a lifecycle management framework for customized bioprocess solutions GE Healthcare Life Sciences GAMP5 - a lifecycle management framework for customized bioprocess solutions imagination at work GE Healthcare s engineering department, Customized Bioprocess Solutions (CBS),

More information

SIMATIC. WinCC V7.0. Getting started. Getting started. Welcome 2. Icons 3. Creating a project 4. Configure communication 5

SIMATIC. WinCC V7.0. Getting started. Getting started. Welcome 2. Icons 3. Creating a project 4. Configure communication 5 SIMATIC WinCC V7.0 SIMATIC WinCC V7.0 Printout of the Online Help 1 Welcome 2 Icons 3 Creating a project 4 Configure communication 5 Configuring the Process Screens 6 Archiving and displaying values 7

More information

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP Records Management

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP Records Management U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP Records Management Disclaimer These materials are subject to change without notice. SAP AG s compliance analysis with respect to SAP software

More information

21 CFR Part 11 White Paper

21 CFR Part 11 White Paper 21 CFR Part 11 White Paper Version V8.00 SR1 ProLeiT AG Einsteinstrasse 8, D-91074 Herzogenaurach, Germany Phone: +49 (0) 9132 777-0 Fax: +49 (0) 9132 777-150 E-Mail: [email protected] Internet: http://www.proleit.com

More information

DeltaV Capabilities for Electronic Records Management

DeltaV Capabilities for Electronic Records Management September 2004 Page 1 An integrated solution for meeting FDA 21CFR Part 11 requirements in process automation applications using a configurable off-the-shelf (COTS) solution Emerson Process Management.

More information

Visualization SIMATIC. Visualization. Present sample project. HMI configuration. Insert HMI device from libraries 3. Configuring HMI connection 4

Visualization SIMATIC. Visualization. Present sample project. HMI configuration. Insert HMI device from libraries 3. Configuring HMI connection 4 Present sample project 1 HMI configuration 2 SIMATIC Getting Started Insert HMI device from libraries 3 Configuring HMI connection 4 Configuring system diagnostics 5 Simulating an HMI device 6 05/2014

More information

ABSTRACT INTRODUCTION WINDOWS SERVER VS WINDOWS WORKSTATION. Paper FC02

ABSTRACT INTRODUCTION WINDOWS SERVER VS WINDOWS WORKSTATION. Paper FC02 ABSTRACT Paper FC02 Implementing SAS using Microsoft Windows Server and Remote Desktop Paul Gilbert, DataCeutics, Inc., Pottstown, PA Steve Light, DataCeutics, Inc., Pottstown, PA DataCeutics provides

More information

WinCC Runtime Professional Readme SIMATIC HMI. WinCC V11 SP1. Readme WinCC Runtime Professional. Special considerations for Windows 7.

WinCC Runtime Professional Readme SIMATIC HMI. WinCC V11 SP1. Readme WinCC Runtime Professional. Special considerations for Windows 7. WinCC Runtime Professional Readme SIMATIC HMI WinCC V11 SP1 Special considerations for Windows 7 1 Installation 2 Runtime 3 Options 4 HMI devices 5 Readme WinCC Runtime Professional System Manual Online

More information

Realize your full potential with the new version of SIMATIC PCS 7

Realize your full potential with the new version of SIMATIC PCS 7 Version 8.1 Realize your full potential with the new version of SIMATIC PCS 7 Performance you trust siemens.com/simatic-pcs7 Answers for industry. More than 70 new features, new possibilities: SIMATIC

More information

testo Saveris 21CFR Part 11 Software Instruction manual

testo Saveris 21CFR Part 11 Software Instruction manual testo Saveris 21CFR Part 11 Software Instruction manual 2 1 Contents 1 Contents 1 Contents... 3 2 Specifications... 4 2.1. Intended purpose... 4 2.2. 21 CFR Part 11 and terminology used... 5 3 First steps...

More information

GAMP 4 to GAMP 5 Summary

GAMP 4 to GAMP 5 Summary GAMP 4 to GAMP 5 Summary Introduction This document provides summary information on the GAMP 5 Guide and provides a mapping to the previous version, GAMP 4. It specifically provides: 1. Summary of Need

More information

Xcalibur. Foundation. Administrator Guide. Software Version 3.0

Xcalibur. Foundation. Administrator Guide. Software Version 3.0 Xcalibur Foundation Administrator Guide Software Version 3.0 XCALI-97520 Revision A May 2013 2013 Thermo Fisher Scientific Inc. All rights reserved. LCquan, Watson LIMS, and Web Access are trademarks,

More information

Automation License Manager

Automation License Manager s Contents Product Overview 1 Installation 2 Working with the Automation License Manager 3 Glossary Manual Index 12/2008 A5E02389428-01 Legal information Warning notice system This manual contains notices

More information

Clinical database/ecrf validation: effective processes and procedures

Clinical database/ecrf validation: effective processes and procedures TITOLO SLIDE Testo Slide Testo Slide Testo Slide Clinical database/ecrf validation: effective processes and procedures IV BIAS ANNUAL CONGRESS Padova September, 26 th 2012 PQE WORKSHOP: What's new in Computerized

More information

21 CFR Part 11 Deployment Guide for Wonderware System Platform 3.1, InTouch 10.1 and Historian 9.0

21 CFR Part 11 Deployment Guide for Wonderware System Platform 3.1, InTouch 10.1 and Historian 9.0 Deployment Guide 21 CFR Part 11 Deployment Guide for Authors: Invensys Operations Management and TSD (Total System Design, an Optimation Company) Table of Contents by Section 1 Before you Begin...............................................................................................

More information

Security all around. Industrial security for your plant at all levels. siemens.com/industrialsecurity. Answers for industry.

Security all around. Industrial security for your plant at all levels. siemens.com/industrialsecurity. Answers for industry. Security all around Industrial security for your plant at all levels siemens.com/industrialsecurity Answers for industry. A systematic approach to minimize threats With the increased use of Ethernet connections

More information

Patch management and security. updates SIMATIC. Process Control System PCS 7 Patch management and security updates. Preface 1

Patch management and security. updates SIMATIC. Process Control System PCS 7 Patch management and security updates. Preface 1 Patch management and security updates SIMATIC Preface 1 Patch management and security updates 2 Practical information 3 Process Control System PCS 7 Patch management and security updates Commissioning

More information

Compact Monitoring Technology your environmental monitoring solution

Compact Monitoring Technology your environmental monitoring solution Compact Monitoring Technology your environmental monitoring solution Monitor your GxP environmental parameters and cut your validation costs. Solutions for Life Science and Hospitals www.siemens.com/cmt

More information

WinCC. Configuration Manual. Manual Volume 3

WinCC. Configuration Manual. Manual Volume 3 WinCC Configuration Manual Manual Volume 3 This manual is part of the documentation package with the order number: 6AV6392-1CA05-0AB0 Release: September 1999 WinCC, SIMATIC, SINEC, STEP are trademarks

More information

Considerations for validating SDS Software v2.x Enterprise Edition for the 7900HT Fast Real-Time PCR System per the GAMP 5 guide

Considerations for validating SDS Software v2.x Enterprise Edition for the 7900HT Fast Real-Time PCR System per the GAMP 5 guide WHITE PAPER SDS Software v2.x Enterprise Edition Considerations for validating SDS Software v2.x Enterprise Edition for the 7900HT Fast Real-Time PCR System per the GAMP 5 guide This white paper describes

More information

ScreenMaster RVG200 Paperless recorder FDA-approved record keeping. Measurement made easy

ScreenMaster RVG200 Paperless recorder FDA-approved record keeping. Measurement made easy Information INF13/147 EN ScreenMaster RVG200 Paperless recorder FDA-approved record keeping Measurement made easy Guidance on the use of the RVG200 paperless recorder for electronic record keeping in FDA-approved

More information

Access Control and Audit Trail Software

Access Control and Audit Trail Software Varian, Inc. 2700 Mitchell Drive Walnut Creek, CA 94598-1675/USA Access Control and Audit Trail Software Operation Manual Varian, Inc. 2002 03-914941-00:3 Table of Contents Introduction... 1 Access Control

More information

SIMATIC IT Historian. Increase your efficiency. SIMATIC IT Historian. Answers for industry.

SIMATIC IT Historian. Increase your efficiency. SIMATIC IT Historian. Answers for industry. SIMATIC IT Historian Increase your efficiency SIMATIC IT Historian Answers for industry. SIMATIC IT Historian: Clear Information at every level Supporting Decisions and Monitoring Efficiency Today s business

More information

Computerised Systems. Seeing the Wood from the Trees

Computerised Systems. Seeing the Wood from the Trees Computerised Systems Seeing the Wood from the Trees Scope WHAT IS A COMPUTERISED SYSTEM? WHY DO WE NEED VALIDATED SYSTEMS? WHAT NEEDS VALIDATING? HOW DO WE PERFORM CSV? WHO DOES WHAT? IT S VALIDATED -

More information

Network Qualification: What Is it; What Does it Involve?

Network Qualification: What Is it; What Does it Involve? JVT_May2007.qxd 4/23/07 8:04 AM Page 210 Network Qualification: What Is it; What Does it Involve? BY ESRA GUVEN, B.Sc.EE, PMP, CCNA WHAT IS A NETWORK? The Food and Drug Administration (FDA) defines a network

More information

Guidance for Industry COMPUTERIZED SYSTEMS USED IN CLINICAL TRIALS

Guidance for Industry COMPUTERIZED SYSTEMS USED IN CLINICAL TRIALS Guidance for Industry COMPUTERIZED SYSTEMS USED IN CLINICAL TRIALS U.S. Department of Health and Human Services Food and Drug Administration Center for Biologic Evaluation and Research (CBER) Center for

More information

FDA 21 CFR Part 11 Electronic records and signatures solutions for the Life Sciences Industry

FDA 21 CFR Part 11 Electronic records and signatures solutions for the Life Sciences Industry FDA 21 CFR Part 11 Electronic records and signatures solutions for the Life Sciences Industry The Rule 21 CFR Part 11 Handwritten signature means the scripted name or legal mark of an individual handwritten

More information

InfinityQS SPC Quality System & FDA s 21 CFR Part 11 Requirements

InfinityQS SPC Quality System & FDA s 21 CFR Part 11 Requirements InfinityQS SPC Quality System & FDA s 21 CFR Part 11 Requirements www.infinityqs.com Copyright InfinityQS International Table of Contents Overview... FDA s 21 CFR Part 11 Requirements... PART 11 ELECTRONIC

More information

Agilent MicroLab Software with Spectroscopy Configuration Manager and Spectroscopy Database Administrator (SCM/SDA)

Agilent MicroLab Software with Spectroscopy Configuration Manager and Spectroscopy Database Administrator (SCM/SDA) Agilent MicroLab Software with Spectroscopy Configuration Manager and Spectroscopy Database Administrator (SCM/SDA) Compliance with 21 CFR Part 11 Introduction Part 11 in Title 21 of the Code of Federal

More information

WinCC. Communication Manual. Manual 2. This manual is part of the documentation package with the order number: 6AV6392-1CA05-0AB0 C79000-G8276-C156-01

WinCC. Communication Manual. Manual 2. This manual is part of the documentation package with the order number: 6AV6392-1CA05-0AB0 C79000-G8276-C156-01 WinCC Communication Manual Manual 2 This manual is part of the documentation package with the order number: 6AV6392-1CA05-0AB0 Release: September 1999 WinCC, SIMATIC, SINEC, STEP are trademarks of Siemens.

More information

SOLAARsecurity. Administrator Software Manual. 010508 Issue 2

SOLAARsecurity. Administrator Software Manual. 010508 Issue 2 SOLAARsecurity Administrator Software Manual 9499 400 40011 010508 Issue 2 2008. All rights reserved. SOLAAR House, 19 Mercers Row, Cambridge CB5 8BZ.United Kingdom. Telephone +44 (0) 1223 347400, Fax

More information

Supplement to the Guidance for Electronic Data Capture in Clinical Trials

Supplement to the Guidance for Electronic Data Capture in Clinical Trials Supplement to the Guidance for Electronic Data Capture in Clinical Trials January 10, 2012 Drug Evaluation Committee, Japan Pharmaceutical Manufacturers Association Note: The original language of this

More information

WinCC. Configuration Manual. Manual Volume 2

WinCC. Configuration Manual. Manual Volume 2 WinCC Configuration Manual Manual Volume 2 This manual is part of the documentation package with the order number: 6AV6392-1CA05-0AB0 Release: September 1999 WinCC, SIMATIC, SINEC, STEP are trademarks

More information

SIMATIC HMI. WinCC flexible 2008 Compact / Standard / Advanced. Preface Introduction to WinCC flexible. WinCC flexible Engineering System

SIMATIC HMI. WinCC flexible 2008 Compact / Standard / Advanced. Preface Introduction to WinCC flexible. WinCC flexible Engineering System SIMATIC HMI WinCC flexible 2008 SIMATIC HMI WinCC flexible 2008 Compact / Standard / Advanced User's Manual This manual is part of the documentation package with the order number 6AV6691-1AB01-3AB0. 07/2008

More information

MHRA GMP Data Integrity Definitions and Guidance for Industry January 2015

MHRA GMP Data Integrity Definitions and Guidance for Industry January 2015 MHRA GMP Data Integrity Definitions and Guidance for Industry Introduction: Data integrity is fundamental in a pharmaceutical quality system which ensures that medicines are of the required quality. This

More information

SIMATIC SIMATIC PCS 7 V8.1. GMP Engineering Manual. Answers for industry. Guidelines for Implementing Automation Projects in a GMP Environment

SIMATIC SIMATIC PCS 7 V8.1. GMP Engineering Manual. Answers for industry. Guidelines for Implementing Automation Projects in a GMP Environment SIMATIC SIMATIC PCS 7 V8.1 Guidelines for Implementing Automation Projects in a GMP Environment GMP Engineering Manual Edition 09/2015 Answers for industry. Introduction Configuring in a GMP Environment

More information

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which

More information

ISCT Cell Therapy Liaison Meeting AABB Headquarters in Bethesda, MD. Regulatory Considerations for the Use of Software for Manufacturing HCT/P

ISCT Cell Therapy Liaison Meeting AABB Headquarters in Bethesda, MD. Regulatory Considerations for the Use of Software for Manufacturing HCT/P ISCT Cell Therapy Liaison Meeting AABB Headquarters in Bethesda, MD September 10, 2009 David Doleski, Team Leader, Branch 2 Division of Manufacturing and Product Quality (DMPQ) Office of Compliance and

More information

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date: A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine

More information

OECD DRAFT ADVISORY DOCUMENT 16 1 THE APPLICATION OF GLP PRINCIPLES TO COMPUTERISED SYSTEMS FOREWARD

OECD DRAFT ADVISORY DOCUMENT 16 1 THE APPLICATION OF GLP PRINCIPLES TO COMPUTERISED SYSTEMS FOREWARD OECD DRAFT ADVISORY DOCUMENT 16 1 THE APPLICATION OF GLP PRINCIPLES TO COMPUTERISED SYSTEMS FOREWARD 1. The following draft Advisory Document will replace the 1995 OECD GLP Consensus Document number 10

More information

Agilent ChemStation Security Pack for AD, GC, LC, CE, LC-MSD, and CE-MSD. User s Guide

Agilent ChemStation Security Pack for AD, GC, LC, CE, LC-MSD, and CE-MSD. User s Guide Agilent ChemStation Security Pack for AD, GC, LC, CE, LC-MSD, and CE-MSD User s Guide A Notices Agilent Technologies, Inc. 2004 No part of this manual may be reproduced in any form or by any means (including

More information

MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015

MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015 MHRA GMP Data Integrity Definitions and Guidance for Industry Introduction: Data integrity is fundamental in a pharmaceutical quality system which ensures that medicines are of the required quality. This

More information

Computer System Validation - It s More Than Just Testing

Computer System Validation - It s More Than Just Testing Computer System Validation - It s More Than Just Testing Introduction Computer System Validation is the technical discipline that Life Science companies use to ensure that each Information Technology application

More information

HP Data Replication Solution Service for 3PAR Virtual Copy

HP Data Replication Solution Service for 3PAR Virtual Copy HP Data Replication Solution Service for 3PAR Virtual Copy HP Care Pack Services Technical data HP Data Replication Solution Service for 3PAR Virtual Copy provides implementation of the HP 3PAR Storage

More information

SIMATIC NET. DP Base Programming Interface for CP 5613/CP 5614. Preface, Contents. Basic Steps in Creating a DP Application 1

SIMATIC NET. DP Base Programming Interface for CP 5613/CP 5614. Preface, Contents. Basic Steps in Creating a DP Application 1 SIMATIC NET DP Base Programming Interface for CP 5613/CP 5614 Manual Preface, Contents Basic Steps in Creating a DP Application 1 Overview of PROFIBUS DP 2 Overview of the DP Base Interface 3 Description

More information

21 CFR Part 11 Implementation Spectrum ES

21 CFR Part 11 Implementation Spectrum ES 21 CFR Part 11 Implementation Spectrum ES INFRARED SPECTROSCOPY T E C H N I C A L N O T E Introduction Compliance with 21 CFR Part 11 is mandatory for pharmaceutical companies and their suppliers to sell

More information

Wonderware InBatch. Flexible batch management

Wonderware InBatch. Flexible batch management Flexible batch management Wonderware InBatch is control system independent software that can be used for the most complex batching processes that require a high level of flexibility. Sophisticated equipment

More information

Backup and Recovery FAQs

Backup and Recovery FAQs May 2013 Page 1 This document answers frequently asked questions regarding the Emerson system Backup and Recovery application. www.deltav.com May 2013 Page 2 Table of Contents Introduction... 6 General

More information

Analyst 1.6 Software. Laboratory Director s Guide

Analyst 1.6 Software. Laboratory Director s Guide Analyst 1.6 Software Laboratory Director s Guide Release Date: August 2011 This document is provided to customers who have purchased AB SCIEX equipment to use in the operation of such AB SCIEX equipment.

More information

GMP Engineering Manual Edition 12/2009. SIMATIC WinCC V7.0 Guidelines for Implementing Automation Projects in a GMP Environment.

GMP Engineering Manual Edition 12/2009. SIMATIC WinCC V7.0 Guidelines for Implementing Automation Projects in a GMP Environment. GMP Engineering Manual Edition 12/2009 SIMATIC WinCC V7.0 Guidelines for Implementing Automation Projects in a GMP Environment simatic wincc s SIMATIC WinCC V7.0 GMP Engineering Manual Guidelines for Implementing

More information

Configuration Instruction

Configuration Instruction Configuration Instruction SIMATIC PCS 7 SIMATIC IT Integration SIMATIC PCS 7 / SIMATIC IT Integration Pack 2007 Data exchange between SIMATIC IT Production Modeler/ SIMATIC IT Historian and SIMATIC PCS

More information

IndustrialIT System 800xA AC 870P/Melody Engineering

IndustrialIT System 800xA AC 870P/Melody Engineering IndustrialIT System 800xA AC 870P/Melody Engineering Overview Features and Benefits Scalable System Architecture: The system architecture can range from a single station to complex client/server architecture.

More information

July 12, 2013 Page 1 of 5 BellHawk Systems Corporation

July 12, 2013 Page 1 of 5 BellHawk Systems Corporation BellHawk Compliance with CFR 21 Part 11 Introduction This document details the compliance of the BellHawk software with CFR 21 Part 11 (Part 11) dated March 20, 1997 and the document General Principles

More information

System 800xA Tools. System Version 5.1. Power and productivity for a better world TM

System 800xA Tools. System Version 5.1. Power and productivity for a better world TM System 800xA Tools System Version 5.1 Power and productivity for a better world TM System 800xA Tools System Version 5.1 NOTICE This document contains information about one or more ABB products and may

More information

Safety Integrated. SIMATIC Safety Matrix. The Management Tool for all Phases of the Safety Lifecycle. Brochure September 2010. Answers for industry.

Safety Integrated. SIMATIC Safety Matrix. The Management Tool for all Phases of the Safety Lifecycle. Brochure September 2010. Answers for industry. SIMATIC Safety Matrix The Management Tool for all Phases of the Safety Lifecycle Brochure September 2010 Safety Integrated Answers for industry. Functional safety and Safety Lifecycle Management Hazard

More information

COMSPHERE 6700 SERIES NETWORK MANAGEMENT SYSTEM

COMSPHERE 6700 SERIES NETWORK MANAGEMENT SYSTEM COMSPHERE 6700 SERIES NETWORK MANAGEMENT SYSTEM SECURITY MANAGER FEATURE SUPPLEMENT Document No. 6700-A2-GB41-30 February 1998 Copyright 1998 Paradyne Corporation. All rights reserved. Printed in U.S.A.

More information

Guidance for Industry Computerized Systems Used in Clinical Investigations

Guidance for Industry Computerized Systems Used in Clinical Investigations Guidance for Industry Computerized Systems Used in Clinical Investigations U.S. Department of Health and Human Services Food and Drug Administration (FDA) Office of the Commissioner (OC) May 2007 Guidance

More information

Your advantages at a glance

Your advantages at a glance Your advantages at a glance SIMATIC Inventory Baseline Services as the basis for additional services Plant Inventory Available inventory data Project data & inventory data SIMATIC System Assessment/ Audit

More information

3.11 System Administration

3.11 System Administration 3.11 The functional area is intended to contribute to the overall flexibility, efficiency, and security required for operating and maintaining the system. Depending on the architecture of the system, system

More information

Training Course Computerized System Validation in the Pharmaceutical Industry Istanbul, 16-17 January 2003. Change Control

Training Course Computerized System Validation in the Pharmaceutical Industry Istanbul, 16-17 January 2003. Change Control Training Course Computerized System Validation in the Pharmaceutical Industry Istanbul, 16-17 January 2003 Change Control Wolfgang Schumacher Roche Pharmaceuticals, Basel Agenda Change Control Definitions

More information

INTRODUCTION. This book offers a systematic, ten-step approach, from the decision to validate to

INTRODUCTION. This book offers a systematic, ten-step approach, from the decision to validate to INTRODUCTION This book offers a systematic, ten-step approach, from the decision to validate to the assessment of the validation outcome, for validating configurable off-the-shelf (COTS) computer software

More information

LabChip GX/GXII with LabChip GxP Software

LabChip GX/GXII with LabChip GxP Software Regulatory Compliance LabChip GX/GXII with LabChip GxP Software Supporting Regulatory Compliance Caliper LabChip GX/GXII suite of instruments provides automated electrophoresis to analyze quality, size,

More information

Validation Approach and Scope for Business Process System Validation. Epitome Technologies Private Limited

Validation Approach and Scope for Business Process System Validation. Epitome Technologies Private Limited Validation Approach and Scope for Business Validation Epitome Technologies Private Limited PROPOSAL Page 2 of 8 Table Of Contents: 1.0 GENERAL... 3 2.0 SCOPE MODULES COVERED... 3 3.0 QUALIFICATION APPROACH...

More information

SHIMADZU CORPORATION

SHIMADZU CORPORATION 638-94259 Total Organ Carbon Analyzer TOC-V Administrator's Manual Read this manual carefully and keep it with the instrument for future reference. SHIMADZU CORPORATION ANALYTICAL & MEASURING INSTRUMENTS

More information

SAS System and SAS Program Validation Techniques Sy Truong, Meta-Xceed, Inc., San Jose, CA

SAS System and SAS Program Validation Techniques Sy Truong, Meta-Xceed, Inc., San Jose, CA SAS System and SAS Program Validation Techniques Sy Truong, Meta-Xceed, Inc., San Jose, CA ABSTRACT This course will teach methodologies of performing SAS system and SAS program validation including new

More information

IndustrialIT System 800xA Engineering

IndustrialIT System 800xA Engineering IndustrialIT System 800xA Engineering Overview Features and Benefits Integrated Engineering Environment: Supports the engineering of the entire extended automation system from field devices to plant management

More information

REGULATIONS COMPLIANCE ASSESSMENT

REGULATIONS COMPLIANCE ASSESSMENT ALIX is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation. REGULATIONS COMPLIANCE ASSESSMENT BUSINESS

More information

The Impact of 21 CFR Part 11 on Product Development

The Impact of 21 CFR Part 11 on Product Development The Impact of 21 CFR Part 11 on Product Development Product development has become an increasingly critical factor in highly-regulated life sciences industries. Biotechnology, medical device, and pharmaceutical

More information

Using Electronic Signatures

Using Electronic Signatures Using Electronic Signatures Copyright Proprietary Notice The manual and software contain confidential information which represents trade secrets of GE Fanuc International, Inc. and/or its suppliers, and

More information

GOOD PRACTICES FOR COMPUTERISED SYSTEMS IN REGULATED GXP ENVIRONMENTS

GOOD PRACTICES FOR COMPUTERISED SYSTEMS IN REGULATED GXP ENVIRONMENTS PHARMACEUTICAL INSPECTION CONVENTION PHARMACEUTICAL INSPECTION CO-OPERATION SCHEME PI 011-3 25 September 2007 PIC/S GUIDANCE GOOD PRACTICES FOR COMPUTERISED SYSTEMS IN REGULATED GXP ENVIRONMENTS PIC/S

More information