S7-300 Software Redundancy Problems, Any Help Appreciated!

RenX09

Member
Join Date
Apr 2008
Location
East Coast US
Posts
3
Hey Ladies and Gents,

I'm new to PLCS.net and have a problem with working with the software redundancy of Siemens.

What I have:

2 - 315-2 PN/DP

Three remote I/O racks and each have the dual 153's as well as the Main rack with active backplane.

Also have an MP370 15" Touch.

Has anyone done this redundancy with the 300's yet? The more myself and another programmer speculate how to achieve this actually working the more we think the hardware should have bee the 400 series H systems for true redundancy. But we're stuck with this hardware so I'm here asking for assistance.

Concerns/Questions(many taken from software redundancy manual):

-Where does the software actually install and reside? Is a PC required on the network available to both processors like shown in the manual?

-Data transfer has to happen at a maximum size of 240 bytes and will use a minimum time of 48ms per block of data transferred (limited to a total of 8k data)

-When using PID loops will the transition from the Master PLC to the Reserve PLC cause errors/shutdown/lagging operation to weary of?

-With the MP370, as soon as the Master PLC fails the data would not continue to display (currently connected via Ethernet). Should the panel be connected MPI or DP and would that allow to somehow initiate node address change to maintain HMI functionality?

-It's said FDL communication happens across the profi cable between processors and is at a slower rate than the 48ms per move even.

-Am I realy just developing a stand alone program that incorps. IEC timers and holds my data needing update every scan to a max of 8k, then that program runs on both processors (or actually only the master until the built in blocks detect failure to trigger the switch-over) ???

I apologize for the amount in this post but it all intertwines in and around this software redundancy software that seems to be more effor than it's worth. What's the cost of the 412H? I'll put two on my corp. card and make my boss approve it..haha.

If anyone can give me some pointers and explainations that can help me weed through the do's and don'ts it is Severly Appreciated.

Thanks for SURE in Advance! If I missed something than let me know as well?!

Chad "RenX09"
 
Reliable reduncancy is very difficult to build. I have seen many systems built with two plc:s, and it never works
as expected. You need not two, but three full systems to achieve something uselful. One method is called
'voting'. The two systems that are most close to eachother kicks out the third one. For example if
system A say its 25 degrees outside, system B say its 23 and system C say its 98 degrees. Then C will be ignored.
Most airplanes and ships works this way.
 
Hi Chad, it's been a few years since i did this one so am a little rusty, but i can vaguely recall what i did...(see attached pdf).

Yes, (IMHO) you are right re the S7300 Vs 400 discussion. The 400 solution is a truer redundancy option as it is achieved via the HW, the 300 attempts it with the SW (i found it to be a little temperamental to say the least!)

Hope this helps point you in (a) direction...!

Regards


Rob
 
Thanks Rob,

I do actually have all the hardware setup and assembled. Really that is the reason for the question, since I didn't order the hardware.....the programmers were never asked about how to achieve the overall goal when the customer asked for "Redundancy". I was much more curious looking for tips and tricks on the programming side and where the limitations are when using the software on the 300 for redundancy. Is the software package supposed to work in conjunction with the S7 Pro.?

Our system's process isn't too overly complicated, but has sequencing that will not "be happy" if due to a failure on the Master PLC the reserve PLC picks up operation but has data (machine states) that is possibly more than a few seconds old due to the block moves for updating the reserve PLC.

Thanks again for the response, if you remember anymore I would most appreciative to learn of your implementation and it's difficulties.

Regards,

Chad
 
Hi Chad,

I'll share my little experience with you.
I've done a project using software redundancy. 2 CPU 315-2DP + MPI redundant link + 3 ET200M remote I/Os.

About your concerns,

1st. You must buy a software package for software redundancy.
It's not included in SIMATIC MANAGER pro.

The software you write for PLC will be on both CPU. The Master one will execute the software and transfers the result data to the reserve CPU.
Reserve CPU does not execute the software as long as the Master one is healthy and redundant link is OK.
the notebook as you could see in the diagram is used for engineering (configuration and programming) but once your system works well, there's no need for it.


I don't know where you had read the number 240 bytes you mentioned. I think it's related to Profibus communication.
What kind of redundant link do you intend to use?

In Software redundancy, There is a time for switching over from the Master to the reserve. In my project it was less than 2 seconds.
In these 2 seconds all the outputs are freezing even the analog outputs of PIDs are freezed at their last value before Master fails.
BUTTTTTTTTTTTTTTTTTTTTTTTTTTTT
There's another time for transferring data between the Master and the reserve. In my project, it was about 10 SECONDS!!!
Take care, if the operator changes a set point, the PID block in the Active CPU will change the output based on this new setpoint. If he Active CPU fails before (10 SECONDS in my project), The reserve one will be still having the old setpoint.

You will have to take care of many things just to reduce this long period for transferring data.



The HMI,
In my project, I had a WinCC-PC station. When you buy the software redundancy package, you will get blocks for programming in SIMATIC MANAGER and you will also get blocks to be integrated in the HMI (WinCC).
They don't give you blocks for any WinCC flexible or Protool. However, The manual says it's possible to integrate a Protool or WinCC flexible HMIs in your system.
I'll tell you something and you can try it.
For a long time I kept wondering what's the use of CHANGE CONTROLLER function in Protool.
CHANGE CONTROLLER function switches all tags from one communication address of PLC to another one which means if you are displaying the value in MD10 from the Master one (e.g. MPI Add. 3) and you trigger CHANGE CONTROLLER function, the MP370 will get the contents of MD10 but from the reserve PLC (e.g. MPI add. 4).
So, you can use this function in MP370 to change the controller and switch to the reserve one when the Master fails.
Maybe you can achieve automatic switching with some scripting and scheduled tasks. I don't know if MP370 has a windows CE or not but you can check the catalog.



Some advices:
1- Try to make you redundant link via EHTERNET.
2- If not, do it with PROFIBUS.
3- Do not make your link using MPI unless it's your last choice but I'm telling you, it's really slow.
4- Minimize the number of data blocks to be transferred.
5- Don't ever start the plant unless you are sure everything is ok and redundancy works well.
6- The required block you will get from the package put in OB100 will have a data block which has a description (Working DB for redundant software backup. Contains internal data only).
Every time you modify in your program like extending data blocks to be transferred, you MUST DELETE this data block from both CPUs and redownload it again.
7- Don't forget to put the Master/Reserve status bit to disable the execution of the software in the reserve CPU.
8- Don't forget to follow the sequence for online modification. The sequence is in the software redundancy manual.


If I ever remember anything else, I will tell you.

Sorry for making it too long.
Have a nice day.
 
Hi Hossam,

According to the software redundancy manual (SWR_E.pdf),
4.8 Altering Configuration and Application Program in RUN Mode
In order to make alterations while the system is running it is normally necessary to de-activate redundant backup. To do so, you must set the ‘De-activate redundant backup’ bit in the control word at user level. After that bit has been set, the master unit continues to process the application program as
before. In that situation, the master unit has the same characteristics as a standard S7-300 or S7-400 unit. [HIGHLIGHT]Once redundant backup has been de-activated, you modify the application program on the reserve unit first and then on the master unit. Once the modified application program has been reloaded onto both CPUs, you set the ‘Activate redundant backup’ bit in the control word.[/HIGHLIGHT] After that bit has been set, redundant-backup link is restored and the system operates with increased availability again.

The procedures for modifying the program and the configuration of the redundant-backup software are described below along with integration mechanisms. Making Alterations to the Redundant-backup Section of the Program in RUN Mode
Proceed as follows:
1. De-activate redundant backup (set bit 11.0 of control word)
2. Modify and test out application program on reserve CPU.
3. Re-activate redundant backup (set bit 11.1 of control word)
4. Perform master-reserve change-over if necessary

Result: following master-reserve change-over, the CPU runs the modified application program (and you can now modify the application program on the second CPU in the same way).

My interpretation to the sequence of modification for the first part is different from the itemized steps. The top part says we modify both CPU then activate the redundant link, but below that saying we can modify reserve CPU first, activate link, and perform master reserve switch-over. Which step is correct? thanks
 
Dear friend,

Your changes determine the way you should make them.

The steps are good but they are itemized because there are more important steps to do.
I prefer to deactivate the redundant link as long as I'm modifying program.

If you just want to change the code of a FC or general code in OB1 or OB35 for example, then you can change your program on the fly in the master CPU and then in the reserve one and I believe deactivating the redundant link is not necessary. You can change in master and then change in the reserve.

The problem appears when you change the hardware configuration or when you want to add a data block or delete a data block.
In this case, I believe
1- You must deactivate the link,
2- Change program in the reserve CPU (B) and restart it (Changing program has some steps listed below).
3- Make it master ( if you STOP the master (A), the ET200M will listen to the new master (B) which has the new code).
4- Change program in the new reserve (A) and restart it.
5- If everything is working fine, you can activate the redundant link again.


Please take care because when you create or delete data blocks,
1- You must change parameters in OB100.
2- Then DB_WORK_NO, DB_SEND_NO & DB_RCV_NO data blocks must be deleted from PLC memory.
3- Load your new program to the CPU.
4- Restart the CPU. When you restart CPU, deleted data blocks will be created again.
Then CPU should be working without any errors.

Please don't forget to load OB121 which doesn't allow CPU to go in STOP mode in case of programming error.
I think that existence of OB121 is the most important condition that prevents sudden STOP when you try to modify your program.

Best regards.
 
Thank you Hossam,

I did follow the itemized stps and i ran into problem, the steps are as follow:
1. Disable redundant link on 2 414-3 CPU, and let the master controlling the plant.
2. Modify the reserve, that includes changes name and added attributes in global DB (these are shared DB), added FC, modiy OB1, added few FB
3. Downloaded these modification. t this stage no error.
4. Activated redundant link (the reserve INTF shows internal error).
5. When i tried to switch to the reserve, the WinCC showing some arts as active and some parts as inactive, and not controlling the plant at all.
6. When i check block consistency, all FB using the modified DB showed time stamp conflict.

At this stage switching back to the reserve, previously master cpu also fal, s i have to reload the backup. it seem to me i have modified some invalid DB and by chance loaded it back to cpu. perhaps you can shed some light, cheers.
 
Dear Rayleigh, vbmenu_register("postmenu_296764", true);

Did you change parameters in OB100? You said you added new FB which means more instance data blocks. Do you try to transfer these new data blocks between master and reserve?
If you don't mess with FC100 parameters in OB100, there should be no problem.
If you change any parameter in FC100 then you must delete DB_WORK_NO, DB_SEND_NO & DB_RCV_NO data blocks from PLC memory and load your new program then restart your CPU to create new DB_WORK_NO, DB_SEND_NO & DB_RCV_NO data blocks.

However, I don't like step 4 because you did it before modifying the program in Master CPU.
You should finish downloading new program in both CPUs before activating redundant link again.


(for step 6),
If you have problems with modified FB and IDB, Delete instance data blocks and let the Simatic Manager create these IDB(s) again with the appropriate structure before you download your new program.
You must make sure that there's nothing wrong with your program before downloading it.
Whenever you have INTF, you should read the diagnostic buffer to determine the reason behind INTF.


WinCC can't control the plant!!
This may happen if WinCC communicates with fake master CPU thinking that it's the real master.
When you disable redundant link, both CPUs become master but ET200M listens to only one of them.
So, WinCC might be talking to MASTER but this master (fake) is not controlling anything.

Please don't forget to read diagnostic buffer whenever you have INTF.

Best regards.
 
Thank you Hossam,

I did not change the parameters in OB100, i already defined 200 DB for redundant user program and i modified one of the DB (change the name and attribute for wincc), could this possibly cause DB corruption after i enable the redundant link as i only modify the DB name and attribute in one of the 2 CPUs? went online to inspect these DB, they seems to show strange values, i did not go to any further inspection as i have to put the plant back to service.

When i did consistency check on the offline modified blocks, all instant block of FB have time stamp conflict whenever they use the DB that i modified. Sorry, i did not add any new FB, just modify the existing. I did modify OB1, symbol table and add new FC which is called every second from OB1.

My conclusion after this problem is i'll do the following:
1. Disable redundant link.
2. Modiy reserve CPU.
3. Copy the modification to the running master CPU.
4. Enable the redundant link.
(all assuming i did not change any h/w, sdb, add new fb, i need to change the name and attribute of shared DB)

Do you think this should work?

cheers,
rayleigh
 
Dear Rayleigh,

I wish if more members here in this forum would interact with your thread but it seems SWR hasn't got much fans here.

Before you do anything, you must make sure that your program is ok and works fine in offline mode.
You should have no time stamp errors.
Try deleting all instance data blocks regarding the FB you changed and let SIMATIC MANAGER create them again with the right length.
Try to open FB and make change and update access.
Try to open every block that calls this FB and make change and update access.

The steps you mentioned in your last post should work.

In all cases I hope OB121 is already loaded (Your plant should not stop in this case).
Don't forget to read the diagnostic buffer whenever you have an INTF.

Best regards
 
Hi Hossam,

I agree with you, SWR is not as popular as hardware redundant. I am just trying to get into term with Siemens manual. The itemised items that I followed seems different from the non-itemised, there are conflicts in the way we can activate redundant. One said anytime, the other said activate when we already make both change. My conclusion is we can have different FB (I already swapping them, but we can't have different DB that are globally shared. The SWR manual does not cover details on regarding different approach for different cases.

How do you delete instance data blocks regarding the FB? I thought if we have time stamp error, we should compile the blocks and download to PLC?

cheers,
rayleigh
 
Hi Rayleigh,

Please take a look at this FAQ and also at this thread.

About deleting instance data blocks,
I just delete them from blocks folder in S7 program and go at each FB and assign new data block.
It is created again with new structure.
I just do this when I give up solving my problem by check and update access.
 

Similar Topics

Hello! I haven't worked with software redundancy before, so I was wondering if I could use the CP343-1 Lean modules (which I'm using for the...
Replies
0
Views
1,753
Dear Experts, I am working on a system with S7-300 software redundancy due to high availability requirements of the control logic. My question...
Replies
3
Views
2,102
Anbody ever used S7300 with the software redundancy blocks FC100, FB101 etc? I am told that the declaration of IEC timers and associated DB's...
Replies
2
Views
4,040
Hi All, I am using S7-300 CPU-317-2DP with IM 153-2 for Software Redundancy. I am using Ethernet as Redundant Link. When the Master PLC is...
Replies
1
Views
6,552
Hello all, The S7-3xx PLCs can be connected via Software Redundancy to the redundant ET200M 153-2. This is clearly explained in the Siemens...
Replies
0
Views
2,024
Back
Top Bottom