simatic wincc v6.2 requirements of computer 2 gmp ... · pdf filesimatic wincc v6.2...

s

Introduction, Contents Prerequisites for Configuring Computer Systems in a GMP Environment

1 Requirements of Computer Systems in a GMP Environment 2 System Specification 3 System Installation 4 Project Settings and Definitions 5 Creating the Application Software 6 Support for Qualification 7 System’s productive mode 8 System Software Updates and Migration 9 Additional Harware/Software Components 10 Index

SIMATIC WinCC V6.2

GMP-Engineering Manual Guidelines for Implementing Automation Projects in a GMP Environment

01/2008 A5E01100604-02

Siemens AG Industry Sector Industry Automation D- 76181 KARLSRUHE GERMANY

A5E01100604-02 01/2008

Copyright © Siemens AG 2008 Technical data subject to change

Safety-Related Notices Notices that you should observe to ensure your own personal safety and to avoid damage to property and equipment can be found in the relevant technical manuals. The safety of pharmaceutical products of prime importance to the pharmacist must be evaluated by the pharmaceutical company itself. This document provides information on this topic.

Qualified Personnel Only qualified personnel should be allowed to install and work on this equipment. Qualified persons are defined as persons who are authorized to commission, to ground, and to tag circuits, equipment, and systems in accordance with established safety practices and standards.

Guidelines for Implementing Automation Projects in a GMP Environment A5E01100604-02 iii

Introduction

Purpose of this manual This manual describes what is required from the pharmaceutical, regulatory viewpoint for Good Manufacturing Practice (GMP environment), of the computer system, the software and the procedure for configuring SIMATIC WinCC. The relationship between the requirements and system build is explained based on practical examples.

Intended audience This manual is intended for all plant operators, those responsible for control system designs for specific industries, project managers and programmers, servicing and maintenance personnel who use the process control technology in the GMP environment. It describes solutions for implementing automation projects with SIMATIC WinCC in situations where the principles of GMP are mandatory.

Required basic knowledge Basic knowledge of SIMATIC WinCC is required to understand this manual. Knowledge of GMP as practiced in the pharmaceutical industry is also an advantage.

Disclaimer

This manual contains instructions for system users and programmers for integrating SIMATIC WinCC into the GMP environment. It covers validation and takes into account special aspects such as the requirements of FDA 21 CFR Part 11.

We have checked that the contents of this document correspond to the hardware and software described. Nevertheless, as deviations cannot be precluded entirely, we cannot guarantee complete accuracy of the information contained herein. The information in this document is checked regularly for system changes or changes to the regulations of the various organizations and necessary corrections will be included in subsequent issues. We welcome any suggestions for improvement and ask that they be sent to the A&D Competence Center Pharma in Karlsruhe (Germany).

Introduction

Guidelines for Implementing Automation Projects in a GMP Environment iv A5E01100604-02

Validity of the manual The information in this manual applies to SIMATIC WinCC V6.2. The components investigated are SIMATIC WinCC (CS/RT) in conjunction with the WinCC Central Archive Server (CAS), SIMATIC Logon V1.3 SP1 and higher, SIMATIC Version Trail, WinCC Audit, WebNavigator, DataMonitor options and the WinCC premium add-ons PM-CONTROL and PM-QUALITY. Refer to the CD-ROM catalog CA01 for information about the exact compatibility of WinCC V6.2 with the individual components. The CD-ROM catalog is available online at: www.siemens.com/automation/ca01. A list relating to the compatibility of the various product versions can be accessed under entry ID 21927773 (http://support.automation.siemens.com).

Suppliers should be contacted directly regarding compatibility between premium add-ons and SIMATIC WinCC (contact via http://www.automation.siemens.com/hmi/html_76/products/software/wincc_addons/index.htm).

Position in the information landscape The system documentation of the SIMATIC WinCC V6.2 operator control and monitoring system is an integral part of the SIMATIC WinCC system software. It is available to every user as online help (HTML help) or as electronic documentation in Acrobat Reader format (PDF):

• SIMATIC WinCC V6.2 electronic manuals

You can find the electronic manuals on the CD-ROM as the “SIMATIC HMI Document Collection”.

Structure of the manual This manual supplements the existing SIMATIC WinCC manuals. The guidelines are not only useful during configuration; they also provide an overview of the requirements for configuration and what is expected of computer systems in a GMP environment.

The rules and guidelines, recommendations and mandatory specifications are explained, that represent the basis for configuration of computer systems.

All the necessary functions and requirements for hardware and software components are also described, which should make the selection of components easier.

The use of the hardware and software and how they are configured or programmed to meet the requirements is explained using examples. More detailed explanations can be found in the standard documentation.

In the appendix of this manual, you will find an index listing all the important terms.

http://www.siemens.com/automation/ca01�

http://www.automation.siemens.com/hmi/html_76/products/software/wincc_addons/index.htm�

http://www.automation.siemens.com/hmi/html_76/products/software/wincc_addons/index.htm�

Introduction

Guidelines for Implementing Automation Projects in a GMP Environment A5E01100604-02 v

Conventions The following conventions are used in this manual.

Activities involving several steps are numbered in the order in which the activities should be performed.

Procedures involving only a few steps are indicated by a bullet (•).

References to other manuals are shown in bold italic.

Menu commands are shown in bold face.

Additional support If, once you have read the manual, you have any questions about the products described in it, please contact your local Siemens representative.

You will find information on who to contact at:

http://www.siemens.com/automation/partner

You will find a guide to the technical documentation we offer for individual SIMATIC products and systems at:

http://www.siemens.de/simatic-tech-doku-portal

The online catalog and ordering system are available at:

http://mall.automation.siemens.com/

If you have questions on the manual, please contact the A&D Competence Center Pharma:

E-mail: [email protected]

Fax: +49 721 595 6930

Additional information about the products, systems and services from Siemens for the pharmaceutical industry can be found at:

http://www.siemens.com/pharma

Training centers Siemens offers a number of training courses to familiarize you with the SIMATIC WinCC operator control and monitoring system. Please contact your regional training center or the central training center in D90327 Nuremberg, Germany. Phone: +49 (911) 895-3200. Internet: http://www.sitrain.com

Technical support You can reach the technical support for all A&D products

• Using the Support Request form on the web: http://www.siemens.de/automation/support-request

• Phone: + 49 180 5050 222

• Fax: + 49 180 5050 223

You can find additional information about our technical support online at http://www.siemens.de/automation/service

http://www.siemens.com/automation/partner�

http://www.siemens.de/simatic-tech-doku-portal�

http://mall.automation.siemens.com/�

mailto:[email protected]�

http://www.siemens.com/pharma�

http://www.sitrain.com/�

http://www.siemens.de/automation/support-request�

http://www.siemens.de/automation/service�

Introduction

Guidelines for Implementing Automation Projects in a GMP Environment vi A5E01100604-02

Online service & support In addition to our pool of documentation, we offer you a comprehensive online knowledge base. http://www.siemens.com/automation/service&support

There you can find:

• The Newsletter, which provides the latest information on your products

• The right documents for you, using our Service & Support search engine

• A forum where users and experts from all over the world exchange experiences

• Your local Automation & Drives representative

• Information about on-site services, repairs, spare parts. Much more can be found on our "Services" pages.

http://www.siemens.com/automation/service&support�

Guidelines for Implementing Automation Projects in a GMP Environment A5E01100604-02 vii

Table of Contents

Introduction iii Table of Contents vii 1 Prerequisites for configuring computer systems in the GMP environment 11 1.1 Life cycle model 12 1.2 Regulations and Guidelines 17 1.3 Responsibilities 19 1.4 Approval and change procedure 20 1.5 Software categorization of control systems 21 2 Requirements of computer systems in a GMP environment 23 2.1 Hardware categorization 24 2.2 Software categorization 25 2.3 Configuration management 27 2.3.1 Configuration Identification 28 2.3.2 Configuration control 28 2.3.2.1 Versioning 28 2.3.2.2 Change control 28 2.4 Software creation 29 2.4.1 Use of typicals for programming 29 2.4.2 Identifying software modules/typicals 29 2.4.3 Changing software modules/typicals 29 2.5 Access protection and user management 30 2.5.1 Applying access protection to a system 30 2.5.2 User ID and password requirements 31 2.5.3 Case sensitivity Smart Cards and Biometric Systems 31 2.6 Electronic signatures 32 2.6.1 Conventional electronic signatures 32 2.6.2 Electronic signatures based on biometrics 33 2.6.3 Security measures for user IDs/Passwords 33 2.7 Audit trail 34 2.8 Time synchronization 35 2.9 Archiving Data 36 2.10 Batch reporting 37 2.10.1 Components of batch documentation 37 2.10.2 Components of the manufacturing Log 37 2.10.3 The uses of electronic batch data 38 2.10.4 Requirements of electronic records 38 2.11 Data backup 39 2.11.1 Application software 40 2.11.2 Process data 41 2.12 Retrieving archived data 42 2.13 Use of third-party components 43

Table of Contents

Guidelines for Implementing Automation Projects in a GMP Environment viii A5E01100604-02

3 System specification 45 3.1 Specification of system hardware 47 3.1.1 System structure 47 3.1.2 Hardware specification 47 3.1.3 Selecting the hardware components 48 3.2 System network security 49 3.3 Application software specification 51 3.3.1 Operating system 52 3.3.2 Access protection and user management 53 3.3.3 Electronic signature 53 3.3.4 Audit Trail 54 3.3.5 Engineering software 55 3.3.5.1 Tag management 55 3.3.5.2 WinCC configuration tool 56 3.3.5.3 Change control 56 3.3.5.4 Project version control 57 3.3.6 Online archiving 58 3.3.7 Long-term archiving 59 3.3.8 Reporting 60 3.3.9 Add-on software packages 60 3.3.9.1 Availability 61 3.3.9.2 Batch control 61 3.3.9.3 Batch-oriented reporting 63 3.3.10 Interfaces to process data 65 3.3.11 Software components, manufacturing execution systems (MES) 67 3.4 Utilities and drivers 68 3.4.1 Print drivers 68 3.4.2 Virus scanners 68 3.4.3 Image & partition creator 68 4 System installation 69 4.1 Installation of the operating system 70 4.2 Installation of SIMATIC WinCC 71 4.3 Installation and configuration of SIMATIC Security Control 73 4.4 Installing the SIMATIC WinCC options 74 4.5 Installing utilities and drivers 75 4.6 Setting up user management 76 4.6.1 Function principle of access protection 77 4.6.2 User management in Windows 78 4.6.3 Security settings in Windows 79 4.6.4 Configuring SIMATIC Logon 84 4.6.5 Configuring the user administrator 87 4.6.6 Setting up SIMATIC Logon for the Audit option 88 4.6.7 Setting up SIMATIC Logon for PM-QUALITY / PM-CONTROL 89 4.7 Setting up a long-term archive server 90 4.8 Installing the Central Archive Server 91 4.9 Security vulnerability in configuration 92

5 Project settings and definitions 95 5.1 Startup behavior 95 5.2 Diagnostics for communication connections 97 5.3 System information channel 98 5.4 Object-oriented configuration 100 5.5 Creating process pictures 106 5.5.1 Symbol library 107 5.5.2 Project library 108 5.6 Project functions in the form of VB / C scripts 109

Table of Contents

Guidelines for Implementing Automation Projects in a GMP Environment A5E01100604-02 ix

5.7 SIMATIC NET settings 110 5.8 Redundancy configuration 111 5.9 Time synchronization 114 5.9.1 Concepts for time synchronization 115 5.9.2 Example configuration in WinCC 116 5.9.3 Central Archive Server (CAS) time synchronization 119 5.9.4 Time stamping 119 5.10 Support for configuration management 121 5.10.1 Definition of configuration elements 121 5.10.2 Versioning the configuration elements 121 5.10.3 Versioning the application software 121 5.10.3.1 General information about versioning 122 5.10.3.2 Versioning pictures in Graphics Designer 123 5.10.3.3 Versioning VB / C scripts 125 5.10.3.4 Versioning reports 127 6 Creating the application software 129 6.1 Introduction 129 6.2 Creating overview pictures 130 6.3 Creating operator input messages 132 6.4 Electronic signature 135 6.5 Audit trail 138 6.5.1 WinCC Audit 138 6.5.2 Audit trail via WinCC Alarm Logging 143 6.6 Archiving data: Setting up process value archives 148 6.7 Setting up user archives 149 6.8 Long-term archiving 150 6.8.1 Long-term archiving in SIMATIC WinCC 150 6.8.2 Long-term archiving with SIMATIC Central Archive Server 152 6.8.2.1 Method 152 6.8.2.2 Configuring the Central Archive Server 154 6.8.2.3 Archiving and transfer to the CAS 160 6.8.2.4 Retrieving archived data 160 6.8.2.5 Data displays 161 6.8.3 Batch-oriented long-term archiving with PM-QUALITY 161 6.9 Reporting 164 6.9.1 Reporting with WinCC Report Designer 164 6.9.1.1 Page layout editor 165 6.9.1.2 Print jobs 168 6.9.1.3 Logging the Audit Trail entries from WinCC Audit 169 6.9.2 Batch-oriented reporting with PM-QUALITY 174 6.10 Lifebeat monitoring 177 6.11 Data communication with the plant management level 178 6.11.1 Data communication with the connectivity pack 178 6.11.2 Data communication with the connectivity station 178 6.11.3 Data communication with Industrial Data Bridge 179 6.11.4 Data communication via the ODK programming interface 179 6.12 Creating C and VB scripts 180 6.13 Connecting to a Web client 181 6.13.1 Configuring web access on the WinCC server for process operator input 181 6.13.2 Setting up operator permissions on the WinCC server 184 6.13.3 Remote access via the network 185 6.13.4 Configuring web access on the WinCC server to display data 185 6.14 Connecting SIMATIC WinCC flexible 190 6.15 Connecting SIMATIC S7 191 6.16 Connecting third-party components 193

Table of Contents

Guidelines for Implementing Automation Projects in a GMP Environment x A5E01100604-02

7 Support for qualification 195 7.1 Introduction 195 7.2 Planning qualification 196 7.3 Qualification of the system hardware 197 7.4 Qualification of automation software 199 7.4.1 Software categorization according to GAMP Guide 199 7.4.2 Qualification of standard software 200 7.4.3 Qualification of application software 202 7.5 Configuration control: Versioning and archiving projects 203 7.6 Tracking configuration changes 207 7.7 Backing up the operating system and SIMATIC WinCC 209 8 System’s productive mode 211 8.1 Operational Change Control 211 8.2 System recovery 212 9 System software updates and migration 215 9.1 Updates, service packs and hot fixes 215 9.2 Migration of the application software 216 10 Additional hardware/software components 217 10.1 Uninterruptible power supply 217 10.1.1 Configuration of uninterruptible power supplies 219 10.1.2 UPS configuration over digital inputs 221 Index Index-1

Guidelines for Implementing Automation Projects in a GMP Environment A5E01100604-02 11

1 Prerequisites for configuring computer systems in the GMP environment

The availability of approved specifications, such as User Requirements Specification and Functional Specification, is a prerequisite for the configuration of computer systems in the GMP environment. Requirements contained in standards, recommendations, and guidelines must be observed when creating these specifications. This chapter deals with the most important of these sets of regulations and various specifications (URS, FS, DS).

Prerequisites for configuring computer systems in the GMP environment

Guidelines for Implementing Automation Projects in a GMP Environment 12 A5E01100604-02

1.1 Life cycle model A central component of Good Engineering Practice (GEP) is the application of a recognized project methodology, based on a defined life cycle. The aim is to deliver a solution that meets the relevant requirements and is also cost-effective.

The figure below shows the development life cycle model used in this manual (known as the life cycle model for short). It is based on the recommendations of the latest GAMP ® Guide for Validation of Automated Systems. It begins with the planning phase of a project and ends with the start of pharmaceutical production following completion of qualification and validation. Once production has started, the system life cycle continues until the product is taken out of service.

TraceabilityMatrix

ModuleTesting

URSPQ

PQDevelopment Life Cycle of Automated Production Plant / Equipment

Development Life Cycle of Computer System

FS

DS FAT

ApplicationDevelopment

ModuleDevelopment

SAT

OQ

IQ

Test

ing

/ Qua

lific

atio

nSpecification

System Build

QR

VRVP

QP

QPP



Legend for the life cycle model

Abbreviation Description

VP Validation Plan

QP Qualification Plan

QPP Quality and Project Plan

URS User Requirements Specification

FS Functional Specification

DR Design Specification

FAT Factory Acceptance Test

SAT Site Acceptance Test

IQ Installation Qualification

OQ Operational Qualification

PQ Performance Qualification

VR Validation Report

QR Qualification Report



Validation plan The validation plan (VP) specifies the overall strategy and specifies the parties responsible for the validation of a system in its operational environment [PDA, GAMP®4].

• In the case of complex plants (for example a production line with several process cells and computer systems), there may also be a master validation plan (MVP) as well as VPs valid only for specific process cells and systems.

• See also GAMP ® 4, Appendix M1 "Guideline for Validation Planning".

Quality and project plan The quality and project plan (QPP) defines the scope of and procedures relating to project and quality management, with document and change control procedures, for example, being specified. The life cycle is defined in such a way in the QPP that it not only includes project phases which are relevant for validation, but also other organizational relationships (e.g. different time schedules from the various sections, for example).

Due to their similar structures and contents, a combination of the QPP and QP is possible.

• See also GAMP ® 4, Appendix M6 "Guideline for Quality and Project Planning".

Qualification plan In contrast to the validation plan, a qualification plan (QP) describes the qualification activities in detail. It defines the tests to be performed and indicates the dependencies.

The qualification plan follows a validation plan. Due to the similar contents of both documents, it is possible to combine the QP and the QPP.

Specification The specification phase starts with the creation of the URS. As a rule, the URS is created by the user and describes the requirements which the system has to meet. Once the URS has been created, an FS is created, usually by the supplier. The FS describes the requirements defined in the URS more precisely on a functional level. The subsequent DS contains detailed requirements as regards system build.



The function and design specifications both form the basis for later qualification and validation tests. The following issues also have to be addressed during the function and design specification phases:

• Software structure

• Programming standards

• Naming conventions

• File naming convention

User requirements specification (URS) The URS describes the requirements the system has to meet from the user's point of view. The URS is generally created by the system user possibly with the support of the system supplier. It is the basis of all subsequent specifications.

• See also GAMP®4, Appendix D1 "Example Procedure for the Production of a URS".

Functional specification (FS) As a rule, the FS is created by the system supplier, occasionally in collaboration with the end user. It describes in detail the functions of the system, based on the URS. The approved FS is the basis for creating detailed specifications.

• See also GAMP®4, Appendix D2 "Example Procedure for the Production of a FS".

Design specification (DS) The design specification is usually created by the system supplier. It is based on the FS and expands this with detailed descriptions, for example, of the hardware and software to be used, process tag lists, etc.

• See also GAMP®4, Appendix D3 "Example Procedure for the Production of a Hardware Design Specification" and GAMP®4, Appendix D4 " Example Procedure for the Production of Software Design Specifications and Software Module Design Specifications".

System Build The system is implemented in accordance with the design specification during the system build stage. Along with the procedures defined in the QPP and additional guidelines (coding standards, naming conventions, and data backups, for example), change management, which aims to enable changes to and deviations from the original specifications to be traced, plays an important role.

See also GAMP ® 4, Appendix M8 "Guideline for Project Change Control" and GAMP ® 4, Appendix M10 "Guideline for Document Management".



FAT Once the system build steps have been completed, a factory acceptance test (FAT) is often carried out on the supplier's premises and documented, enabling any programming errors to be identified and remedied prior to delivery.

The aim of the FAT is for the customer to accept the system for delivery in its tested state.

SAT The site acceptance test (SAT) shows that an computer system works within its target operating environment with interfaces to the instrumentation and plant sections according to the specification. Depending on the project, the SAT can be combined with commissioning (and therefore with the IQ or OQ).

Test phase / qualification The FAT is followed by technical commissioning (commissioning phase). This involves installing the system at the system operator's premises along with the application software created, followed by technical commissioning, testing, and qualification.

The commissioning and qualification phases can follow on from one another or can be combined. To save time and money, it is recommended that commissioning and qualification activities are coordinated.

The test planning should therefore be created in good time so that it is possible to check whether or not tests undertaken beforehand during FAT or SAT need to be repeated during qualification. In this case, the documented FAT / SAT tests become part of the qualification documentation.

When test documents are created, tests and acceptance criteria must be clearly described.

Qualification report The qualification report (QR) summarizes the results of the tests performed, based on the qualification plan, and confirms that the qualification phases have been completed successfully.

Validation report The validation report (VR) sums up the results of the individual validation steps and confirms the validated status of the system. The creation of both the validation plan and the validation report is the responsibility of the customer.



1.2 Regulations and Guidelines The recommendations and guidelines of various organizations have to be taken into account when configuring computer systems requiring validation in the GMP environment. These are usually based on general guidelines, such as Code of Federal Regulations Title 21 (21 CFR) of the US Food and Drug Administration (FDA) or the EU GMP Guide Annex 11.

Ordinance / policy

Author/organization

Title Ordinances / recommendation

Scope

21 CFR Part 11 US FDA Electronic records, electronic signature

21 CFR Part 210 US FDA Current good manufacturing practice in manufacturing, processing, packing, or holding of drugs; general

21 CFR Part 211 US FDA Current good manufacturing practice for finished pharmaceuticals

Ordinance

Manufacturers and importers of pharmaceutical products for the US market

Annex 11 of the EU-GMP Guide

European Commission Directorate General III

Computerized Systems Policy Europe

Annex 18 of the EU-GMP Guide

European Commission Directorate General III

Good Manufacturing Practice for Active Pharmaceutical Ingredients

Policy Europe

GAMP ® 4 ISPE GAMP ® 4 Guide for Validation of Automated Systems

Policy Worldwide

GAMP Good Practice Guide

ISPE Validation of Process Control Systems

Recommendation

Worldwide

NAMUR Recommendation NE 71

NAMUR Operation and Maintenance of Validated Systems

Recommendation

Europe

Note

This manual is based on the requirements of GAMP ® 4 and US 21 CFR Part 11.



Code of Federal Regulations Title 21 (21 CFR), Food and Drugs Code of Federal Regulations Title 21 is comprised of different Parts, such as Parts 11, 210, and 211. Part 11 is of particular significance for computerized systems (and is known as 21 CFR Part 11). This Part deals with electronic records and electronic signatures.

Annex 11 of the EU-GMP Guide Annex 11 of the EU-GMP Guide contains 19 points which describe the configuration requirements, operation, and change control of computer systems in the GMP environment. An interpretation of Annex 11 can be found in the GAMP ® 4 Guide for Validation of Automated Systems in the form of an APV (International Association for Pharmaceutical Technology) guideline.

Annex 18 of the EU-GMP Guide Annex 18 of the EU GMP Guide deals with good manufacturing practice (GMP) for active pharmaceutical ingredients. It is designed to be used as a GMP guide when manufacturing active pharmaceutical ingredients in the context of a suitable quality management system. Section 5 of Annex 18 deals with process equipment and its use.

GAMP ® Guide for Validation of Automated Systems "GAMP ® 4" The GAMP ® (Good Automated Manufacturing Practice) Guide for Validation of Automated Systems was compiled to be used as a recommendation for suppliers and a guide for the users of computer systems in the pharmaceutical manufacturing industry. The current version "GAMP ® 4" was published in December 2001.

NAMUR recommendations NAMUR recommendations are reports of the experience that were produced by the "Process Control Systems Special Interest Group of the Chemical and Pharmaceutical Industry" for optional use by its members. They should not be viewed as standards or guidelines. The NAMUR recommendations below are of particular interest for the configuration and use of computer systems in the GMP environment:

• NE 71 "Operation and Maintenance of Validated Systems"



1.3 Responsibilities Responsibilities for the activities included in the individual life cycle stages must be defined when configuring computer systems in the GMP environment and creating corresponding specifications. As this definition is usually laid down on a customer- and project-specific basis and requires a contractual agreement, it is recommended that the definition is integrated into the quality and project plan. See also GAMP ® 4, Appendix M2.



1.4 Approval and change procedure When new systems requiring validation are set up or when existing systems requiring validation are changed, the top priority is to achieve or retain validated status.

Setting up new systems If a new system is set up, document approval and the transitions between life cycle stages are defined prior to commencement of the project. This is usually carried out in conjunction with the definition of responsibilities contained in the quality and project plan. A life cycle like the one described in Chapter 1.1 "Life cycle model" is used.

Changing validated systems Changes to an existing, validated system are regulated as per the company's change control procedures. Before any changes are carried out they must be described, potential consequences must be identified, and associated steps (performing tests, updating as-built documentation, for example) must be defined. Once final approval has been received, the planned change is carried out, as are the defined steps.

If comprehensive changes are needed, a life cycle similar to the one shown in this manual may be used if required.



1.5 Software categorization of control systems As described in Chapter 2.2 "Software categorization" and chapter 7.4.1 "Software categorization according to GAMP Guide", a system's software can be classified into five software categories in accordance with the GAMP ® 4 Guide for Validation of Automated Systems. The software categories have a considerable effect on the amount of work required during the test and qualification stage and must be determined during the specification stage for the software used.


2 Requirements of computer systems in a GMP environment

This chapter describes the essential requirements which a computer system must meet in the GMP environment in terms of using computer systems. These requirements must be defined in the specification and implemented during configuration. In general, proof of who has changed or performed what and when they have done it must always be recorded (the "why" is optional). The requirements of this task are implemented in various functions and described in the following chapters.

The following graphic shows the life cycle model. The requirements focused on in this chapter can be assigned to the Specification area in the graphic.

TraceabilityMatrix

ModuleTesting

URSPQ

PQDevelopment Life Cycle of ‚Automated Production Plant / Equipment


FS

DS FAT


ModuleDevelopment

SAT

OQ

IQ

Test

ing

/ Qua

lific

atio

nSpecification

System Build

QR

VRVP

QP

QPP

Requirements of computer systems in a GMP environment


2.1 Hardware categorization A system's hardware components are assigned to one of two hardware categories in accordance with the GAMP ® 4 Guide, Appendix M4. The hardware categories are listed below:

Category 1, standard hardware Category 1, standard hardware includes established, commercially-available hardware components. This type of hardware is also subject to the relevant quality and testing mechanisms.

The hardware is accepted and documented by means of an IQ test.

Category 2, customized hardware The functionality of such hardware must be specified, then checked and documented in detail by means of appropriate, documented tests.



2.2 Software categorization According to the GAMP ® Guide for Validation of Automated Systems, the software components of a system are assigned to one of five software categories. The five GAMP ® software categories are listed below:

Category 1, operating systems Category 1, operating systems, covers established commercially available operating systems. These are not subject to validation themselves, the name and version of the operating system must, however, be documented and verified during installation qualification (IQ).

Category 2, firmware Category 2 includes the firmware, for example in field instruments or compact controllers, whose configuration has been adapted to e.g. the on-site conditions. Here too, the name and version of the firmware must be documented, along with its configuration, and checked in the context of an installation qualification (IQ). The device functionality must be checked by means of an operational qualification (OQ).

Category 3, standard software products Category 3 includes commercially-available standard software packages, as well as standard solutions for particular processes. Configuration of these software packages should be restricted to the adaptation of the runtime environment (e.g. network and printer connections) and the configuration of process parameters. The name and version of the standard software package must be documented and checked in the course of installation qualification (IQ). Customer requirements (such as access protection, interrupts, alarms, or calculations) must be documented and checked in the context of an operational qualification (OQ).

Category 4, configurable software products Category 4 includes configurable software packages, which facilitate specific business and manufacturing processes. Standard software modules need to be configured for such packages. These software packages should only be considered to be Category 4 if they are well known and fully developed, otherwise Category 5 would be more suitable. If critical and/or complex applications are involved, a supplier audit is usually carried out.

The name, version, and configuration must be documented and checked as part of an installation qualification (IQ). The functions of the software packages must be checked against the user requirements in an operating qualification (OQ). The validation plan must take the life cycle model and an assessment of suppliers and software packages into account.



Category 5, customized software Category 5 includes customized software, which has been developed in order to meet the specific needs of the customer.

A supplier audit is usually required in order to verify that suitable quality systems were used to check the development and subsequent maintenance of the software. Otherwise, suppliers must use the GAMP ® 4 Guide as a basis for their own development life cycles.

Once again, the name, version, and configuration must be documented and checked as part of an installation qualification (IQ). A detailed software specification must be created and the function of the software verified in an operational qualification (OQ). The validation plan should define a complete life cycle for validation.

The amount of test work involved is considerably greater if software of higher categories is used, as opposed to software of lower categories.

The amount of validation and testing work can be reduced by making use of standardized software wherever possible.



2.3 Configuration management The GAMP ® 4 Guide defines configuration management as the process which needs to be followed in order to precisely define an automated system at any point during its life cycle, from initial development right through to decommissioning of the system.

Configuration management involves using administrative and technical procedures in order to:

• Identify and define basic system components and to specify them in general

• Control changes to and approvals of elements

• Record and document element statuses and modifications

• Ensure elements are complete, consistent, and correct

• Control the storage, treatment, and delivery of elements.

Configuration management comprises the following activities:

• Configuration identification (what is to be kept under control)

• Configuration control (how the control is performed)

• Configuration status report (how the control is documented)

• Configuration evaluation (how the control is verified)

This chapter deals with configuration identification and configuration control.



2.3.1 Configuration Identification Version and change management is only practicable with a suitable configuration environment. Siemens therefore identifies every software and hardware package using a unique product label (Machine-Readable Product Code - MLFB) and version identifier. For the application software, the parts of an automated system that are subject to configuration management must be clearly specified. The system must be divided into configuration elements to this end. These must be defined at an early stage of system build to ensure that a complete list of configuration elements can be created and maintained. Application-specific elements should have a unique ID (name or identification number). The amount of detail required when defining elements is determined by the requirements of the system and the supplier who is developing the application.

2.3.2 Configuration control The maintenance of configuration elements must be checked at regular intervals by means of reviews, for example. Here, particular attention must be paid to the change control and the related versioning. Archiving and release of individual configuration items should also be taken into account.

2.3.2.1 Versioning To ensure correct change management, the configuration elements must be versioned. The version must be updated each time a change is made.

2.3.2.2 Change control Suitable control mechanisms must be in place during configuration in order to ensure that changes are documented and transparency achieved. The control mechanisms can be described by means of SOPs and must cover the following:

• Software versioning

• Specifications such as programming guidelines, naming conventions, etc.

• Safeguarding of the traceability of changes to program codes

• Unique identification of software and all components contained within



2.4 Software creation Certain guidelines must be followed during software creation, which must be documented in the quality and project plan (GEP idea). Software creation guidelines can be taken from the GAMP ® 4 Guide for Validation of Automated Systems and from relevant standards and recommendations.

2.4.1 Use of typicals for programming As shown in Chapter 2.2 "Software categorization", the amount of validation work required increases enormously as you go up through the GAMP ® software categories. While the validation of category 1 software only calls for the software name and version to be checked, category 5 software validation requires the entire range of functions to be checked and a supplier audit to be performed.

To keep validation work to a minimum, preference should be given to standardized function blocks during configuration (products, standard company components, standard project components). Customer-tailored typicals are created from standard function blocks and tested according to design specifications.

2.4.2 Identifying software modules/typicals During software creation the individual software modules must be assigned a unique name, a version, and a short description of the module. If changes are made to software modules, this must be reflected in the module ID.

2.4.3 Changing software modules/typicals If changes are made to software modules, this must be noted in the corresponding module ID. As well as incrementing the version identifier, the date of the change and the name of the change initiator must also be included in the software module's ID. If required, the software modules to be changed must be indicated by means of a comment and a reference to the corresponding change request/order. See also Chapter 8.1 "Operational ".



2.5 Access protection and user management To ensure that computer systems in the GMP environment are secure, such systems must be equipped with an access-control system. Access-control systems can not only deny or permit users access to certain rooms, but can also protect systems against unauthorized access. Users are put into groups which are in turn used to manage user rights. Individual users can be granted access authorization in various ways:

• A combination of unique user ID and password - a description of the configuration can be found in Chapter 2.5.2 "User ID and password requirements ".

• Chip cards together with a password

• Biometric systems

The system owner or an employee (administrator) nominated by the end user controls the assignment and management of user authorizations to ensure that access is suitably protected.

2.5.1 Applying access protection to a system In general, actions which can be executed on an computer system must be protected. Depending on his or her particular field of activities, a user can be assigned various rights. Access to user administration should only be given to the system owner or to specified employees. Recorded electronic data must still be protected against unauthorized access.

An automatic logout function must be installed on the system. The logout time should be agreed and defined with the operator and noted in the FS.

! Note Please note that only authorized persons must be able to access PCs and the system. This can be ensured by using appropriate measures such as mechanical locks and hardware and software for remote access.



2.5.2 User ID and password requirements User ID:

The user ID for a system must be of a minimum length defined by the customer and be unique within the system.

Password:

A password should usually be a combination of numeric and alphanumeric characters. When defining passwords, the minimum number of characters and the expiry period for the password should be defined. Generally, the password structure is defined on a customer-specific basis. The configuration is described in the Chapter 4.6 "Setting up user management".

Password structure criteria:

• Minimum password length

• Use of numeric and alphanumeric characters

• Use of uppercase and lowercase letters

• Use of numerals (0-9)

• Use of special characters

In order to comply with the Windows guidelines for password complexity, at least three of the criteria listed must be taken into account in the password alongside the minimum length.

2.5.3 Case sensitivity Smart Cards and Biometric Systems Apart from the traditional methods of identification with a user ID and password, users can also identify themselves with smart cards along with a password/PIN or with biometric systems, such as fingerprint scanners.



2.6 Electronic signatures Electronic signatures are computer-generated character strings, which act as legally binding equivalents to handwritten signatures.

Regulations concerning the use of electronic signatures are defined in US FDA 21 CFR Part 11, for example.

Electronic signatures are of practical relevance when it comes to manual data input and operator intervention during runtime, approving process actions and data reports, and changing recipes, for example.

Each electronic signature must be assigned uniquely to one person and must not be used by any other person.

It must be possible for a pharmaceutical company to confirm to the authorities that an electronic signature represents the legal equivalent of a handwritten signature.

Electronic signatures can be biometrically based or the system can be set up without biometric features.

! Note The regulations found in 21 CFR Part 11, published by the FDA, must be satisfied in the manufacture of all pharmaceutical products and medical devices intended for the US market.

2.6.1 Conventional electronic signatures If electronic signatures are used that are not based on biometrics, they must be created so that persons executing signatures must identify themselves using at least two identifying components. This also applies in all cases in which a smart card replaces one of the two identification components. These identifying components, can, for example, consist of a user ID and a password. The identification components must be assigned uniquely and must only be used by the actual owner of the signature.

When owners of signatures want to use their electronic signatures, they must identify themselves with at least two identification components. The exception to this rule is when the owner executes several electronic signatures during one uninterrupted session. In this case, persons executing signatures need to identify themselves with both identification components only when applying the first signature. For the second and subsequent signatures, one unique identification component (password) is then adequate identification.



2.6.2 Electronic signatures based on biometrics An electronic signature based on biometrics must be created in such a way that it can only be used by one person. If the person making the signature does so using biometric methods, one identification component is adequate.

Possible biometric recognition systems include systems for scanning a fingerprint or the iris of the eye.

Note

The use of biometric systems is currently considered a secure identification method. Nevertheless, there are reservations about the use of biometric identification characteristics in the pharmaceutical industry (e.g. poor face recognition due to protective clothing covering the face, no fingerprint scans with gloves, the expense involved and the reaction times of retina scans).

2.6.3 Security measures for user IDs/Passwords The following points must be observed in order to safeguard the security of electronic signatures where user IDs and passwords are used:

• Uniqueness of user ID and password

• Monitored output of user IDs

• Permissions retracted if user IDs/passwords are lost or found to be insecure or compromised

• Security precautions used to prevent the unauthorized use of user IDs/passwords or to report any misuse

• Personnel trained and provided with proof of such training



2.7 Audit trail The Audit Trail is a control mechanism of the system that allows all data entered or modified to be traced back to the original data. A secure Audit trail is particularly important as regards the creation, modification, or deletion of GMP-relevant electronic records.

In this case, the Audit Trail must archive and document all changes or actions performed, together with the corresponding date and time. The typical content of an Audit Trail must be specified and must cover "who" has changed "what" and "when" (old value/new value).

The archiving period must correspond to the period stipulated in the specification.

There must be adequate hard disk space to allow the entire Audit Trail to be stored until the next transfer to an external data medium.

Systems which provide adequate data security must be used (e.g. redundant systems, standby systems, mirrored hard disks based on RAID 1).



2.8 Time synchronization A consistent time reference (including a time zone reference) must be guaranteed within a system, in order to be able to assign a unique time stamp for archiving messages, alarms, etc.

Time synchronization is especially important for archiving data and analysis of faults. UTC (Universal Time Coordinated, defined in ISO 8601) is recommended for the time base for saving data. The time can be displayed in local time with a note regarding summer / winter time.



2.9 Archiving Data Archiving means the permanent storage of electronic data and records of a computer system in a long-term storage system.1

The customer is responsible for the definition and checks involved in storing electronic data.

Based on the predicate rules (GMP Guide, 21 CFR Part 210, 21 CFR Part 211, etc.), the customer must decide how electronic data will be retained and, in particular, which data will be affected by this procedure. This decision should be based on a justified and documented risk assessment that takes into account the significance of the electronic records over the archiving period.

The customer should define the following requirements2:

• Whether any archiving is even required for the application in question (backup/restore function may be kept separate from the archive function)

• Required archiving duration for the relevant data types, based on legal and commercial requirements

• An archiving procedure; the restoration capability, data format, practicality, life of the media and the platform If electronic storage is selected, the electronic data can be stored in a standard format such as PDF, XML, SGML, etc.

• A procedure for recording metadata used to correctly interpret saved data

• Demonstration of ongoing controls on the contiguous recording of electronic data and of the authenticity of electronic signatures

Process values (often in the form of trends), alarms (interrupts, warnings, etc.), Audit Trails, and, under certain circumstances, other batch data can be archived for SIMATIC systems.

The memory space on a system's data carriers is restricted. Data can be swapped out to external data carriers at regular intervals in order to free up space on these system data carriers.

When migrating or converting the archived data, the integrity of the data must be assured over the entire conversion process.3

1 "Good Practice and Compliance for Electronic Records and Signatures. Part 1, Good Electronic Records Management". ISPE/PDA 2001. 2 "Good Practice and Compliance for Electronic Records and Signatures. Part 3, Models for Systems Implementation and Evolution". PDA 2004. 3 "Good Practice and Compliance for Electronic Records and Signatures. Part 3, Models for Systems Implementation and Evolution". PDA 2004.



2.10 Batch reporting When producing pharmaceuticals and medical equipment, batch documentation takes on a special significance. For a pharmaceutical manufacturer, methodically created batch documentation is often the only documented evidence within the framework of product liability.

2.10.1 Components of batch documentation The components of batch documentation are as follows:

• Manufacturing formula / processing instructions and manufacturing log

• Packaging instructions and packaging log (from a pharmaceutical point of view, the packaging of the finished medicinal product is part of the manufacturing process)

• Test instructions and test log (relating to quality checks, e.g. example analysis)

The manufacturing log (or packaging log) has a central significance here and this is defined below:

• The manufacturing log is always both product-related and batch-related

• It is always based on the relevant parts of the valid manufacturing formula and processing instructions

• It records all measurement and control procedures relevant to the process as actual values

• It compares these with the specified desired values

2.10.2 Components of the manufacturing Log Mandatory parts of the manufacturing log include:

• Name of the product and number of the produced batch

• Date and time of commencement, significant interim stages and completion of production

• Name of the person responsible for each stage of production

• Initials of the operator involved in all significant production steps and, when applicable, the person checking the operations (double-check when weighing materials, for example)

• The batch number and / or the analytical control number and the actual quantities of all constituent materials

• All relevant processing steps, any unusual events and the major equipment used

• Recordings of in-process controls, including initials of the person performing them and the results obtained

• The yields of the relevant interim stages

• Information on special problems, including details of any deviation from the manufacturing formula and processing instructions and the signature of the person who authorized the deviation.



2.10.3 The uses of electronic batch data Since the term "electronic batch record" (acronym: EBR) is not clearly defined in this context, there are two ways of using electronic records in the documentation of pharmaceutical production:

1. The electronic records form part of the batch documentation or

2. The entire manufacturing log is created electronically.

Since all the requirements listed above must be met by an electronic manufacturing log and data from different systems (for example, PCS, laboratory data, remarks by operators) also often needs to be integrated, the situation is often as in case 1. In other words, the data is used as part of the batch documentation, often in conjunction with data from other systems and records on paper.

2.10.4 Requirements of electronic records When electronic records are used as part of the batch documentation or even as the manufacturing log itself, the following additional requirements apply (see also EU GMP Guide, Section 4.9; 21 CFR Part 11 Electronic Records, Electronic Signatures):

• The initials and signatures required by the regulations must be implemented as electronic signatures

• "Relevant" production steps / processes, "significant" interim stages and "major" equipment must be defined in advance by the person responsible from a pharmaceutical perspective; this definition is often process-specific

• The system must be validated

• Only authorized persons should be able to enter or change data (access protection)

• Changes to data or deletions must be recorded (Audit Trail)

• The electronic records must be protected by back-up copies

• If an electronic manufacturing log is used, its structure and contents must match the structure and contents of the manufacturing formula / processing instructions. As an alternative, the manufacturing instructions and log can also be combined in one document



2.11 Data backup In contrast to the archiving of electronic data, data backups are used to create backup copies which allow the system to be restored if the original data or entire system is lost.4

The backup procedure must cover the periodic backup of volatile information to avoid total loss of data due to defective system components or inadvertent deletion of data. Backup procedures must be tested to ensure that data is saved correctly. Backup records should be labeled clearly and intelligibly and dated.5

Data backups are created on external data carriers. The data carrier used should comply with the recommendations of the device manufacturer.

When backing up electronic data, a distinction is made between software backups (for example application software, partition images) and archive data backups.

Here, particular attention is paid to the storage of data backup media (storage of the copy and original in different locations, protection from magnetic fields, and elementary damage).

4 "Good Practice and Compliance for Electronic Records and Signatures. Part 1, Good Electronic Records Management". ISPE/PDA 2001. 5 "Electronic Records and Electronic Signatures Assessment". Chris Reid & Barbara Mullendore, PDA 2001.



2.11.1 Application software Software backups have to be created following every software change on a system and must document the system's last valid software version. If parts of the software are modified, it is sufficient to only back up the modified part of the application software. Complete software backups still have to be created at regular intervals, however. If software backups are to be created as part of a software change on an existing system or a system reinstallation, they must be created once the installation has been performed. During the course of the project the software version must be backed up and documented at defined milestones, such as at the end of the FAT (i.e. prior to delivery of the system), once the installation qualification (IQ) has been completed, prior to the tests involved in the operational qualification (OQ), and, of course, when the system is handed over to the operator.

Software versions must also be retained in the form of software backups at regular intervals during the creation of new software versions.

Software backups of the application software and configuration parameters must be created.

Labeling software backups According to the GAMP ® 4 Guide for Validation of Automated Systems, the following information about software backups must be provided, both on the label of the backup medium and in a separate log:

• Creation date

• System name

• Software or version name

• Serial number of backup

• Reason for the software backup

• Date of first use

• Date of backup

• Date and signature of the person performing the backup

• Identity of the user



Retaining software backups At least the two most recent software backups must be retained. For reasons of safety, these should be stored at a different location from the system (according to the recommendations of the BSI (German authority responsible for security in information technology), for example in a fire compartment separate from the system).

A suitable backup strategy must be defined, based on the frequency with which changes are made to the software.

The data carrier's shelf life must be defined (based on manufacturer documentation or on publications issued by the Bundesamt für Sicherheit in der Informationstechnologie, the German Federal Office for Information Security) and the software backup must be appropriately migrated by copying it to a new data carrier, for example, before this period expires.

2.11.2 Process data The data stored in computer systems, such as trends, measured values, or interrupts, should be backed up to external data carriers at regular intervals. This will minimize the risk of data being lost should a fault occur.

Labeling data backups According to the GAMP ® 4 Guide for Validation of Automated Systems, data backups should be documented either on the label of the backup itself or in a separate report containing the following information:

• System designations

• Software / data designation

• Version and/or software/firmware build number, if available

• Creation date

• Date of first usage

• Consecutive number

• Date of the data backup

• Reason for the data backup

• Identity of the user

Retention of data backups The same guidelines apply as in the chapter with the same name in Chapter 2.11.1 "Application software".

Since process data, in contrast to software, is not normally stored in "overlapping" versions, suitable measures must be taken to ensure data integrity.



2.12 Retrieving archived data Backed up data must be retrievable at all times. Following system updates, care must be taken that the data transferred to archive prior to the update remains compatible.



2.13 Use of third-party components If third-party components (hardware and software) specifically tailored to individual customers are used, a supplier audit must be performed in order to check the supplier and their quality management system. It must be confirmed that such hardware components are compatible.

Compatibility must also be confirmed when standard hardware and software components provided by other manufacturers are used.

Note

The GAMP 4 Guide in Appendix M2 contains a considerable amount of information on auditing a product supplier.


3 System specification

This chapter focuses on the selection criteria for the hardware and software. The activities for the selection of the products, product variants and system constellations are performed in the specification phase of a computer system. This is demonstrated in the following life cycle model by the marking in the left area.

TraceabilityMatrix

ModuleTesting

URSPQ

PQDevelopment Life Cycle of ‚Automated Production Plant / Equipment


FS

DS FAT


ModuleDevelopment

SAT

OQ

IQ

Test

ing

/ Qua

lific

atio

nSpecification

System Build

QR

VRVP

QP

QPP

Two specifications stages usually precede a detailed specification of the computer system which is defined in the Design Specification (DS):

System specification


User Requirements Specification (URS)

Note Information relating to the requirements of a user requirements specification can be found in GAMP ® 4, Appendix D1.

Functional Specification (FS)

Note Information relating to the requirements of a functional specification can be found in GAMP ® 4, Appendix D2.



3.1 Specification of system hardware

3.1.1 System structure The SCADA system SIMATIC WinCC is intended for all branches and can be adapted flexibly to specific customer requirements for a production plant.

With SIMATIC WinCC, you can implement a variety of different system configurations from single-user systems to multiple-user systems with a client/server structure.

With a single-user system, the entire operator control and monitoring of a production process can be handled on one PC.

A multiple-user system consists of operator stations (WinCC clients) and one or more WinCC servers that supply the WinCC clients with data.

Availability can be increased by setting up redundant systems.

To connect to the underlying automation level, for example, SIMATIC S7-300 / S7-400 or systems from other vendors, bus systems such as MPI, PROFIBUS or Industrial Ethernet can be used. The choice of bus system depends on the number of linked partners and the environmental conditions for data communication.

Note

The individual components can be selected from the current SIMATIC HMI catalog ST 80 to suit the specification of the production plant.

3.1.2 Hardware specification The Hardware Design Specification (HDS for short) describes the hardware’s architecture and configuration. The following aspects should be defined at this point. This will serve as the checking basis for IQ and OQ later on.

• Hardware overview diagram

• Network topology

• PC components for server and client

• Automation system with CPUs, I/O cards, etc.

• Field devices

The HDS can be recorded in the Functional Specification or in a separate document.

! Note The defaults in the hardware overview diagram and the names of the hardware components must be unique. The designation for each hardware component may only occur once in the computer system.

Note

More information relating to the requirements can be found in GAMP ® 4, Appendix D3.



3.1.3 Selecting the hardware components The SIMATIC WinCC software can be installed on any standard PC that meets the minimum requirements for the hardware and software configuration.

For production plants in a GMP environment (for example, in food and beverages or pharmaceutical industry) Siemens has developed particularly rugged panel PCs with touch screens and stainless steel fronts specially for installation on the shop floor. The SIMATIC WinCC software is available in conjunction with a Panel PC as a complete HMI system.

As an alternative to the Panel PC, the use of LCD monitors of the type SIMATIC Flat Panel is recommended. The monitors are rugged and designed for industry and they are intended for use directly on the machine separate from the PC. They are available both with and without control elements.

Using hard disks with a RAID system prevents data from being lost when a hard disk fails. In a RAID system (RAID = Redundant Array of Independent Disks) e.g. RAID 1 or RAID 5, the data are saved redundantly on several hard disks.

A particularly high level of availability is achieved with the WinCC server's redundant structure. All hardware components such as PC, screen, operator controls are set up in duplicate. If one system fails, the other automatically assumes functionality.

Details of the minimum requirements for the hardware and software configuration for the SIMATIC WinCC software and suitability of the recommended hardware for industrial use can be found in the current SIMATIC HMI catalog ST 80.

Note

We recommend using the approved hardware from the current SIMATIC HMI catalog ST80 since this has been checked by Siemens in system tests. When PCs are installed in switching cabinets, make sure that suitable hardware components are used, for example remote kits. SIMATIC PCs are available with the operating systems approved for WinCC.



3.2 System network security In modern SCADA systems, the boundaries between the office world and that of automation are increasingly disappearing. Automation solutions with connected WEB clients, MES connections, custom-made office networks and their office applications are growing in importance. In order to satisfy these demands and ensure as high a level of system security as possible, the planning and structure of networked WinCC automation solutions are key.

Note

The Siemens manual "SIMATIC WinCC Security Concept" contains recommendations and information on planning and setting up networks.

Scope for improving system security SIMATIC WinCC offers several ways of improving system security. These include:

• SIMATIC Security Control (SSC)

• SIMATIC NET SCALANCE S

SIMATIC Security Control The SIMATIC Security Control application checks the settings in the MS Windows operating system in terms of the requirements for the SIMATIC software installed. Registry keys and DCOM settings are evaluated and exceptions put forward for the Windows firewall. The settings needed are undertaken automatically in the Windows operating system by clicking on the "Accept" button. Documentation of the settings can be printed or saved in XML format.

SIMATIC Security Control is included in the scope of delivery for SIMATIC WinCC software.



SIMATIC NET SCALANCE S SCALANCE S security modules are at the heart of Siemens' ground-breaking security concept for protecting networks and data. The SCALANCE S protection function checks all data traffic to and from the cell.

With a combination of different security measures such as firewall, NAT/NAPT routers and VPN (Virtual Private Network) over IPsec tunnels, the SCALANCE S devices protect individual devices or even entire automation cells from:

• Data espionage

• Data manipulation

• Unauthorized access

Note

SCALANCE-S technology offers various applications. More information can be found in the manuals of the SCALANCE family.



3.3 Application software specification The Software Design Specification (SDS) describes the software’s architecture and configuration. Not only does this include a description of the application software but also a definition of the standard software components used in the system, by e.g. stating the designation, version number, etc. This description is used as a reference for subsequent tests (FAT, SAT, IQ, OQ).

This chapter introduces standard software components of SIMATIC WinCC and options/add-on packages to meet the "Requirements of computer systems in a GMP environment" as described in Chapter 2.

The following list shows an overview of the software components covered by this manual.

Basic WinCC software that is already contained in the WinCC system software

Designation Short description License in addition to WinCC license

Alarm logging Message archiving

Basic process control

Overview diagram and screen navigation,

time synchronization

Configuration tool WinCC configuration using MS Excel

Graphics designer Editor for producing graphics

Project duplicator WinCC tool for copying/duplicating a WinCC project

Redundancy Redundant WinCC server X

Report designer Creation of reports

Security control DCOM and firewall settings

Tag logging Process value archiving

User administrator User management in WinCC

User archive Production of user archives X

Tag management Tag management

WinCC server For the server in a server/client structure X



Options / add-on software packages

Designation Short description License

Central archive server

Central data archiving X

DataMonitor View of data via the web X

PM-CONTROL Recipe data management and order planning X

PM-QUALITY Batch-oriented data archiving and reporting X

SIMATIC Manager STEP 7

Configuration tool for S7 automation systems X

SIMATIC Logon Central user administration X

SIMATIC PC/PG image & partition creator

Hard disks, production of images X

Version trail Project versioning in conjunction with SIMATIC STEP 7

X

WebNavigator View of data and operation of the WinCC project via the web

X

WinCC audit Central Audit Trail for recording operator actions during operations and changes in the project configuration

X

3.3.1 Operating system In principle, the latest information relating to the operating system and WinCC installation can be found in the "Installation Notes" manual that is supplied with the software package. The Read me first menu item on the WinCC Installation DVD should also be observed along with the Installation Notes and Release Notes sections.



3.3.2 Access protection and user management Access protection for SIMATIC WinCC system components and the WinCC premium add-ons is implemented with the SIMATIC Logon software. SIMATIC Logon is a user management system based on Windows mechanisms that can be used both in workgroup and in a Windows domain. The use of SIMATIC Logon meets the requirements of the FDA regulation 21 CFR Part 11 for "Electronic Records and Electronic Signatures" regarding access control.

SIMATIC Logon The user logs on to the system using SIMATIC Logon. The logout, user change and password change functions are available to a logged-on user. SIMATIC Logon should be installed on all SCADA systems (WinCC server and WinCC client).

User administrator The permissions for controlling the process are configured in WinCC User Administrator. Controlling the process is divided into individual operator control functions that can be enabled for selected user groups. To be able to use these functions, the user must be a member of the appropriate user group. At runtime, the User Administrator checks the operator permissions in WinCC and SIMATIC Logon checks the authorizations.

3.3.3 Electronic signature An electronic signature is implemented in SIMATIC WinCC in conjunction with the SIMATIC Logon software. SIMATIC Logon provides the interface that can be addressed in WinCC using script functions for checking the user ID and password.



3.3.4 Audit Trail

WinCC Audit For production plants operated in a GMP environment, in 21 CFR Part 11, the FDA specifies the recording of changes to electronically managed records relevant for GMP including the time stamp, user ID, old value and new value in the form of an Audit Trail. The WinCC Audit option was developed for this functionality in SIMATIC WinCC. The option represents the various requirements that arise from the system architecture of WinCC as client/server system, as multiproject, etc., in terms of the Audit Trail. WinCC Audit allows the user to implement one central Audit Trail over several server/client systems and several WinCC projects. Furthermore, WinCC Audit not only records the operator responses during runtime, but also changes in the engineering phase.

WinCC Audit is sub-divided into the following software packages:

• WinCC Audit RC for configuration of the Audit Trail for operator responses during runtime and for engineering changes and recording the Audit Trail during operations

• WinCC ChangeControl RC is for configuration of the Audit Trail for changes during configuration, that have been carried out e.g. on an approved product version (see also chapter 3.3.5.3 "Change control")

• WinCC Audit RT is for recording the Audit Trail per station (server or client needed).



The following operations are recorded during runtime:

• All kinds of operator input during operations, such as login/logout, changes to I/O fields, dragging slider objects, selections in check boxes and text lists, etc.

• All changes in the User Archives

• Operations in external programs

The Audit Trail can be visualized with an Audit Viewer. A large number of standard and customized filters can be set in the Audit Viewer to specifically select or display the corresponding Audit Trail information. The Audit Trail information can also be exported or even printed out. The Audit Viewer is included in the scope of supply for the product.

The Audit Trail is stored in an SQL database. The WinCC Audit Trail database can be configured such that the Audit Trail of one or more WinCC stations or of one or more WinCC projects is recorded. It is also possible to store the Audit Trail database on a local computer or on a computer in the network.

WinCC Audit works together with the SIMATIC Logon software to provide access protection (see also chapter 4.6.6 "Setting up SIMATIC Logon for the Audit option“).

3.3.5 Engineering software SIMATIC WinCC is a modular system. Its basic components are the Configuration Software (CS) and Runtime Software (RT) Both software components are included in the full WinCC package (RC). The selection of the full package depends on the number of power tags (external tags) required to interface with the automation level.

The Configuration Software (CS) contains all the basic functions for engineering SIMATIC WinCC. The central component is the WinCC editor in which editors can be opened for configuring the various functions. Some functions that are recommended for a GMP environment are pointed out below.

3.3.5.1 Tag management

Tag management with Totally Integrated Automation In a complete automation solution from Siemens (HMI system and SIMATIC S7 automation system), the variables (tags) can be imported from the SIMATIC Manager into the tag management of WinCC. The variables are created and managed centrally in the SIMATIC Manager. This ensures consistency within the project. This reduces the effort involved in validating software (also see "GMP Engineering Manual SIMATIC Step7", chapter 4.4.2 "Integrated system").



3.3.5.2 WinCC configuration tool The configuration tool provides the option for configuring mass data with the Microsoft Excel standard software. This means that the editing options of Microsoft Excel such as automatic repetition of items can be used. The data is transferred to the active WinCC project in a download procedure. The configuration tool allows you to configure data from the tag management, alarm logging, tag logging and the text library. Data from projects that already exist, for example, can be used again. The WinCC configuration can be output as an overview and used for qualification. The use of the configuration tool therefore reduces the work required for engineering and qualifying the software.

3.3.5.3 Change control

WinCC Audit ChangeControl WinCC projects that have already reached a completed version accepted by the customer can be monitored for subsequent configuration changes by WinCC Audit RC or WinCC ChangeControl. This gives operators a complete understanding of when configuration changes were carried out after the accepted project status.

WinCC Audit distinguishes between changes:

• that are transferred into the WinCC database, for example adaptations to the tag management, in Alarm Logging, in Tag Logging, etc.,

• and changes that are carried out to WinCC configuration files, for example in plant pictures, reports, scripts or even customer documents. These changes are recorded by the document check.

and records them in the Audit Trail.

The following documents are managed by document management:

• Graphics screens (.PDL)

• C & VBS project functions (.FCT, .BMO)

• C & VBS global actions (.PAS, .BAC)

• Report layouts (.RPL)

• User documents

If one individual document is to be changed, it must be checked out, changed and then checked back in via document management. A copy of the document is produced before it is checked out. This is saved as a version in the database (see also diagram of WinCC Audit function overview in chapter 3.3.4 "Audit Trail"). This means that corresponding versions of the document can be reproduced at any time. It is essential that a comment is entered for each change to document the change undertaken. We would recommend entering a reference to the change request. In the Audit Trail, the file check out and check in is recorded with the time stamp, WinCC project name, file name, user ID and any comment that may have been entered. When checking in, the document control assigns documents write protection to protect them from changes.



Note When changes are made to documents, document control makes it possible to recognize that a document has been changed; details of the change are, however, not recorded and should be described in comments. Systems must be in place to ensure that the files’ write protection cannot be altered manually in Windows Explorer.

The various versions of the documents can be displayed in a history view.

The rollback function allows an older document version to be restored. The indicators used to distinguish versions are the time stamp and comments made when the document was checked in.

3.3.5.4 Project version control

SIMATIC Version Trail SIMATIC Version Trail is a software option for versioning libraries, projects and multiprojects that can be used universally in the context of Totally Integrated Automation with SIMATIC.

With SIMATIC Version Trail, project data, in other words complete multiprojects, single projects or libraries can be archived at a specified time and the data can be assigned a version ID. Project data that has already been versioned can also be reread and used again.

SIMATIC Version Trail also handles the entire management of the version history. This means, for example, that once a version has been completed, it can no longer be modified. The version ID is issued by the system following certain adjustable guidelines. Versions are always incremented by one digit (without gaps) and there can only be one valid version of a project under a single name in the version history.

Note

SIMATIC Logon is needed for SIMATIC Version Trail.



WinCC Audit Project Versioning The WinCC Audit RC and WinCC Audit ChangeControl options include the Project Versioning functionality. This allows versions of complete WinCC projects to be easily created in the form of one zip file. Data from linked WinCC premium add-ons, such as PM-QUALITY, are also included. The manually issued version ID is included in the name of the version created. An overview shows all versions along with the time stamps that have been produced for a WinCC project. If necessary, older project statuses can be recovered.

3.3.6 Online archiving The runtime software (RT) is used to control and monitor the production process.

This is possible in single-user or multiple-user (client-server structure) system configuration.

The following sections discuss the basic functions of the runtime software for recording and displaying runtime data.

Alarm Logging The entire message system is configured in Alarm Logging. This includes preparation, display, acknowledgment and archiving of messages. Alarm events from the process, from the automation system and from the WinCC system can be processed in the message system.

In production plants in a GMP environment, Alarm Logging can also be used for an Audit Trail. Operator input in process pictures (for example changing an I/O value or clicking a button) trigger an operator input message that is entered in Alarm Logging with its time stamp, user ID, old value, and new value,

To display messages during operation, the ActiveX Alarm control is linked into the process picture. At the same time, the message view is configured. The display of different message views is achieved by multiple linking of the Alarm Control and setting the appropriate message filters.

Messages are logged manually or automatically. Print jobs set up in the Report Designer control the logging.

Note

The Alarm Hiding functionality can be used to prevent selected messages from being displayed. This is used in for example start-up phases when there are huge numbers of messages to ensure that the less important ones are not displayed. Despite this, the messages are recorded in the WinCC Alarm Logging. More information on this can be found in the WinCC Information System. Use of this functionality is the responsibility of the system operator and should therefore be coordinated with him.

Tag Logging Archiving of process values is configured in the Tag Logging editor. Selected process values are recorded in definable acquisition cycles and stored in process value or compressed archives.



The recorded process values are stored in the archive database. Once the database reaches a defined database size or a specified interval has elapsed, the archive database is transferred to external storage. Long-term archiving is also an option (see chapter 6.8 "Long-term archiving").

During operation, current or previously archived process values can be displayed as trends or tables. To achieve this, the relevant ActiveX Control (Online Trend Control, Online Table Control) is linked into a process picture.

The report of the archived process values is configured in the Report Designer.

3.3.7 Long-term archiving Long-term archiving of process values and messages can be set up using a long-term archive server or using the WinCC Central Archive Server (CAS) option. Both concepts are introduced below.

WinCC long-term archive server Both in WinCC Tag Logging and in WinCC Alarm Logging, there are options for long-term archiving. Apart from the archive size and segment change, the configuration for transfer to another computer can also be set.

The WinCC DataMonitor option is used to view the data.

The contents of the archive files can also be reproduced in WinCC runtime using the WinCC standard tools (Alarm Control and/or Table Control). To do this, the archive files must be reloaded on the WinCC computer and linked to the WinCC project.

WinCC Central Archive Server (CAS) The process values and messages of up to 11 WinCC single-user systems, WinCC servers and even redundant WinCC pairs of servers can be saved on one Central Archive Server (WinCC CAS). The data are transferred to the CAS using the backup configuration. Compared with a long-term archive server, the key benefit of the Central Archive Server is easy access to transferred data. The saved process values and messages are depicted in the WinCC Online Trend Control or WinCC Alarm Control in process pictures as they usually would be in operation. Depending on the time setting range selected, data are read from the WinCC runtime database or the CAS and shown in the controls. The system automatically handles transparent access in the background.

Another benefit is the Store & Forward principle. The long-term archive server rejects archive data if the backup path and alternative backup path cannot be reached. In contrast, data security is provided in the CAS. If the CAS computer is unobtainable, the completed archives remain on the WinCC servers and are transferred later on when the link to the CAS is reactivated.

Furthermore, the CAS only archives those archive tags that are labeled as of long-term relevance in WinCC Tag Logging.

Defined interfaces provide direct access to archived process values and messages. This means that important production data is available throughout the company.



The WinCC DataMonitor option can be used as an analysis tool. The WinCC Connectivity Pack option can be used to run data analyses, for example with the assistance of the OLE DB interface.

The CAS and WinCC server and multiclients are configured on a separate engineering station in the SIMATIC NCM PC Manager or in the SIMATIC Manager. With WinCC version 6.2 SP2 and higher, the CAS can also be set up redundantly.

Batch-oriented long-term archiving with PM-QUALITY PM-QUALITY is a software package for batch-oriented acquisition of production data such as process values and messages.

The process values can either be taken from WinCC Tag Logging or recorded in a separate tag logging function, grouped according to the various acquisition cycles. Event-driven process values or those dependent on a trigger (for example setpoints/actual values) are read in as snapshots. Alarm events and Audit Trail entries are taken from WinCC Alarm Logging.

It is possible to configure automatic export of the batch data on completion of the batch. This can be in database format, in HTML format and/or in XML format. Each export can be activated separately. The export cycle is set in minutes and the destination for data storage must be set (for example any computer in the network).

The PM-QUALITY application Export View can be used to view the batch data exported in database format.

3.3.8 Reporting

Report designer The SIMATIC WinCC Report Designer is used both for documentation of the WinCC configuration and for logging the runtime data.

The configuration data can be documented for the WinCC Explorer and every configured editor, for example Tag Logging, Alarm Logging, etc. The pre-configured print jobs and report layouts ship with SIMATIC WinCC. The preconfigured report layouts can be opened with the page layout editor of the Report Designer and modified as necessary.

For runtime logging (for example, messages from Alarm Logging or process values from Tag Logging), there are preconfigured report layouts and print jobs that ship with the product. The user defines which runtime data will be logged in the pre-configured layouts. To define the contents, the layout is opened in the page layout editor of the Report Designer and edited as required.

The WinCC runtime components, for example Alarm Logging, use pre-configured print jobs. The output options, scope and layout of these print jobs can be modified. It is also possible to create application-specific print jobs.

3.3.9 Add-on software packages To enhance the functionality of SIMATIC WinCC, WinCC options and WinCC premium add-ons are available as supplementary software products.



The software packages presented below are particularly relevant for process visualization / automation in a GMP environment.

3.3.9.1 Availability

Redundant WinCC server Two networked WinCC servers can be run in parallel to increase availability. The redundancy is configured using the WinCC Redundancy option. Each WinCC server has its own process driver connection and has its own databases. During operation, both servers function in parallel and independently of one another and are available to the operator. Process values and messages are sent to each redundant server and processed there. Internal tags, internal messages (e.g. message acknowledgement) and user archives are calibrated directly online.

During operation, the servers monitor one another. In the event of a fault, the server running in parallel assumes complete SCADA functionality. If necessary, any connected clients are automatically switched over. Once the down server is repaired, an automatic archive calibration is run in the background. Any gaps that have occurred in the tag, message and user archives are filled and internal tags calibrated.

3.3.9.2 Batch control

PM-CONTROL PM-CONTROL is a batch-oriented parameter control for recipe/product data management. The integrated order control allows flexible handling of production orders in which the recipe, production location, scalable production quantity and the time of production can be specified.



The software package is divided into three applications:

• Topology manager for mapping the process cell topology, creating the required parameters and configuring the interface to the automation level.

• Recipe system for creating and managing recipes / products

• Order planning and order control, assignment and management of production orders

To achieve a cost-effective solution for both simple and more complex tasks, PM-CONTROL is available in the "Compact", "Standard" and "Professional" variants.

In the Topology Manager, user rights are specified for certain user groups. User access is checked by SIMATIC Logon.

In the recipe system, the recipes are signed with an electronic signature after they have been created. After each recipe change, a new signature is necessary. In the Topology Manager configuration, it is possible to decide whether the full signature for a recipe requires one electronic signature or two electronic signatures from different users.

The recipe data is recorded in an Audit Trail from the point in time at which it is created. Every recipe change is recorded along with time stamp, user ID, old value and new value. The implemented rollback function allows an older recipe version to be restored. The Audit Trail can be printed out or exported to an XML file.

Only fully signed recipes can be included in an order by the order control. Each scheduled order, in turn, has an electronic signature. During processing, only data from signed orders can be loaded on the computer system.

The processing of the orders is started, either automatically when requested by the automation level or manually with the required user rights.



Recipes and processed orders remain in the database until a configurable retention period elapses. Recipes and orders can be printed out or exported to a CSV file.

The recipe system and order control can also be operated without electronic signatures but with the Audit Trail function.

PM-CONTROL can be used both in a WinCC single-user system and in a WinCC multi-user system.

When using PM-CONTROL in conjunction with redundant WinCC servers, the function can be installed on one of the WinCC servers or on a remote computer (e.g. WinCC Client). In the latter case, PM-CONTROL always communicates with the WinCC master

User archive With the user archive option, recipe data or machine data records can for example be saved in the form of database tables.

To obtain an overview of the created data records in an archive, the ActiveX control WinCC User Archive – Table Element is inserted in a WinCC picture with read access. Detailed information about the User Archive option can be found in WinCC Information System > Options > User Archives.

Automatic versioning of the data records is not supported with the User Archive option. Versioning must be implemented during configuration. The User Archive can be exported manually in CSV format.

Note Operator input in the User Archive is recorded by WinCC Audit.

3.3.9.3 Batch-oriented reporting

PM-QUALITY The data recorded in PM-QUALITY can be displayed in trends (process values), printed as reports on a printer or exported as an HTML file, XML file or in database



format. It is also possible to configure the export of batch data for long-term archiving on a different computer (see chapter 6.9.2 "Batch-oriented long-term archiving with PM-QUALITY").

The software package includes the following applications:

• Topology Manager for mapping the plant topology and specifying the production data to be acquired

• Report Editor for creating the report layout for the acquired data and displaying batch logs on the screen

• Data Logging, a runtime component for acquisition of the data

• Data View / Export View and various ActiveX Controls for displaying batch data

• Data Center, for compiling the batch data (only in the redundant version)

Apart from the automatic acquisition of the configured batch data, manually entered values, for example laboratory values can be added to a batch report later. If the batch report is transferred to the archive automatically due to the set export option, no more changes can be made to the report if the "Complete automatically" option is set.

It is also possible to use a script in WinCC to configure an electronic signature of the batch reports by the logged-on user and with it the manual assignment of the batch status (released / locked).

PM-QUALITY can be used both in a WinCC single-user system and in a WinCC multi-user system.

For use in redundant systems, PM-QUALITY is also available with the PM-QUALITY Data Center option. This application merges the recorded batch data from two runtime databases in an export database. The Data Center can be installed separately from PM-QUALITY on any computer in the network.



3.3.10 Interfaces to process data

Web navigator The WinCC Web Navigator option is used to set up remote access to the WinCC project via Microsoft Internet Explorer. The name of the WinCC server is entered in the address bar to view the process pictures. A logon dialog automatically appears and a user with the necessary rights must authenticate himself here using his password. The details are checked by SIMATIC Logon. Operator input in the process pictures, for example changing I/O fields, is subject to access protection that is defined in the WinCC project under Editor User Administrator.



WinCC DataMonitor WinCC DataMonitor is a pure display and evaluation system for process data from WinCC, data from the WinCC long-term archive server and data from the WinCC Central Archive Server (CAS). WinCC DataMonitor provides a number of analysis tools for interactive data display and for analysis of current process values and historical data:

• Excel Workbooks allows the integration of current and historical messages and process values from WinCC in MS Excel and therefore supports online analysis.

• Published Reports for time- and event-controlled production of reports as Excel or PDF files

• Trends & Alarms is used to display and analyze historical data from WinCC runtime / the central archive server or from WinCC long-term servers. The data can be displayed in tables or in trends.

• Process Screens are simply used for monitoring and navigating using WinCC process pictures with MS Internet Explorer (view only client).

• Webcenter supports the distribution of system data online

Connectivity pack The connectivity pack provides interfaces for access to archive data and messages in WinCC. WinCC provides access to the following process data:

• Alarms and events (messages), OPC A&E, read and write (acknowledgments only) access

• Process value archives (trends), OPC HDA, read-only access

• Process tags (states), OPC DA, read and write access, ships with WinCC system software

• All archive data, WinCC OLE DB, read-only access

The connectivity pack provides standardized access with OPC and OLE DB from computer systems at enterprise and management levels to computer systems at the process level.



3.3.11 Software components, manufacturing execution systems (MES)

SIMATIC IT With its numerous components, SIMATIC IT forms an MES (Manufacturing Execution System) following the ISA 95 standard.

SIMATIC IT is used to optimize the interaction of planning, development, and procurement within the framework of manufacturing processes.

The main elements of SIMATIC IT are:

• SIMATIC IT Framework (plant modeling)

• SIMATIC IT Components (specific functionality)

SIMATIC IT Framework connects the automation level to the operational management and production control levels, as well as to the company management and planning levels.

SIMATIC IT Framework is the cross-industry integration and coordination platform for operating processes, data, and functions. It not only offers basic functions for internal processes, user management etc. but also the ability to model plants and production. SIMATIC IT Framework is capable of integrating SIMATIC IT components and existing and heterogeneous IT products.

Examples of SIMATIC IT Components include:

• Production Suite (basic MES functions such as material management, production order management etc.)

• SIMATIC IT Historian (plant performance analysis and long-term archiving)

• SIMATIC IT Unilab (LIMS - laboratory information management system)

• SIMATIC IT Interspec (product specification management system).



3.4 Utilities and drivers

3.4.1 Print drivers It is advisable to use the print drivers integrated in the operating system that have been approved for use with SIMATIC WinCC. If external drivers are used, there can be no guarantee that the system will operate problem-free.

3.4.2 Virus scanners The use of virus scanners during operation is permitted. More information about selecting and configuring virus scanners and updating them can be found in the WinCC Readme files.

3.4.3 Image & partition creator The SIMATIC PC/PG Image & Partition Creator enables the data content of hard disks on SIMATIC PCs to be backed up. Comparable software is available on the market for PCs from other manufacturers. Backing up system and application software makes it possible to restore the system quickly. Backed up contents of hard disks can be copied back to devices with an identical configuration. This simplifies replacement of computers or expansion of systems.

Apart from creating hard disk images, the Image & Partition Creator can also be used to create, modify, and delete hard disk partitions.


4 System installation

The WinCC system software is available as a complete package (engineering und runtime software) or as a runtime package on CD. The software is licensed using license keys graduated according to the number of power tags (external tags) for interfacing to the automation level.

In a multi-user system with server/client structure, the system software with the required number of power tags and the server option is installed on the WinCC server. With a basic configuration, the smallest RT license is adequate for clients.

Prior to installation on a PC, the specified hardware requirements and approved operating systems as listed in the WinCC Installation Notes must be checked.

System installation


4.1 Installation of the operating system For detailed information on the hardware requirements and the Windows operating systems, refer to the WinCC Information System, the documentation for the SIMATIC WinCC system software.

By selecting the entry "Read this first" in the start menu of the WinCC CD, you open the WinCC Information System.

You will find information on the operating systems, language variants, service packs, settings, security guidelines, networks, redundant systems, etc. in the "Release Notes" and "Installation Notes" sections.

! Note When issuing the computer name, WinCC project name and names for tags and objects, the list of "Impermissible characters" in WinCC must be noted. This list is stored in the WinCC Information System under Working with WinCC > Working with projects > Annex > Impermissible characters. The computer name must comply with the WinCC naming convention before the MS SQL server is installed. The computer name cannot be changed later on. This requires the MS SQL server and WinCC system to be fully reinstalled.

System installation


4.2 Installation of SIMATIC WinCC The procedure for installing the WinCC system software is described in detail in the WinCC Information System in the chapter "Installation Notes". The "Release Notes" section with important up-to-date information should also be read.

! Note WinCC is basically approved for operation in a domain or workgroup. Domain-group policies and domain restrictions can hinder the installation. In this case, remove the computer from the domain prior to installation. After the installation, the computer can be returned to the domain if the group policies and restrictions do not prevent operation of the WinCC software.

Before the WinCC system software is installed on the PC, setup checks whether certain system requirements are met.

• Operating system

• User permissions

• Security policies

• Graphic resolution

• Internet Explorer

The following is required for installation:

• MS Message Queuing that is included as an option in the operating system software.

• SQL Server that ships on a separate CD along with the SIMATIC WinCC system software.

• Once all the requirements have been met, the installation of SIMATIC WinCC is started. Follow the instructions of the setup.

The setup types typical installation, minimum installation and user-defined installation are available.

In a user-defined installation, additional WinCC functions can be selected or deselected compared with the functions of a typical installation. The Basic Process Control and AS/OS Engineering Mapper functions must be selected separately. The WinCC Server, Redundancy and User Archive options are also on the WinCC DVD, but require their own separate license.

System installation


WinCC functions / options can be installed at any time.

In a multi-user system or in a redundant system, the WinCC system software is installed on each separate computer. Information on setting up multi-user systems can be found in the WinCC Information System.

Note

For straightforward SCADA stations, install RT (runtime) only and not RC (configuration system).

System installation


4.3 Installation and configuration of SIMATIC Security Control SIMATIC Security Control is started automatically after the WinCC installation and has a dialog that indicates the proposed settings. The settings are either undertaken directly in the operating system using the Accept button or are saved using the Save button and undertaken by an authorized person later on.

If the computer is part of another workgroup or domain, the application has to be run again. The application is called up using Start > Programs > SIMATIC > SimaticSecurityControl. Selecting Accepted Settings displays all the settings in place. Selecting All Settings determines the settings required again and permits transfer into the Windows operating system.

SIMATIC Security Control is started again automatically if further settings are needed in the Windows operating system once WinCC options have been installed (e.g. after installing the WebNavigator option).

The settings are documented in XML format.

Note The proposed settings must be accepted in order for the SIMATIC WinCC system software to function properly.

System installation


4.4 Installing the SIMATIC WinCC options Further WinCC options and WinCC premium add-ons are installed only after the WinCC software has been installed.

Note

During installation care must be taken to make sure that the versions of the software products match up. For more information, refer to the release notes in the relevant documentation.

System installation


4.5 Installing utilities and drivers

Print drivers It is advisable to use the printer drivers integrated in the operating system that have been approved for use. If external drivers are used, there can be no guarantee that the system will operate problem-free.

Virus scanners The use of virus scanners during operation is permitted.

The following settings should be observed when using virus scanners:

• The real-time search is one of the most important functions. However, investigating incoming data traffic is sufficient.

• The time-controlled search must be deactivated because this greatly limits system performance in process mode.

• The manual search should not be run during process mode. It can be run at regular intervals, for example at maintenance intervals.

Descriptions of such definitions should be recorded in an SOP.

For more information on the use of virus scanners, refer to the WinCC "Release Notes" and in the WinCC Online Help in the path Working with WinCC > Setting for Runtime > External applications.

System installation


4.6 Setting up user management A crucial requirement for the pharmaceutical environment is access protection on the system (see “21 CFR Part 11” and “Annex 11“ of the EU GMP Guide“ in Chapter 1.2 “Regulations and Guidelines“ as well as Chapter 2 “Requirements of computer systems in a GMP environment“). This includes control of the process within the SIMATIC WinCC system and certain options and premium add-ons.

The WinCC SIMATIC Logon option is based on Windows user management. SIMATIC WinCC and the WinCC premium add-ons work with SIMATIC Logon to provide access protection.

Note The structure of the access protection must be specified at the start of configuration. All the permissions for working with the visualization user interface (faceplates, input boxes, buttons etc.) must be set up according to the specifications in the URS and the FS.

Note

The access security all the monitoring mechanisms (password age, password length, password generation, password lockout threshold etc.) must be configured and set in Windows. The operating system user should also only have power user or user permissions and should not have administrator privileges. This ensures that only WinCC has access to the database. This means that access by the operating system to the SQL database is impossible.

System installation


The following order must be adhered to:

• Setup of access protection in Windows (setting up of user groups and users)

• Installation and setup of the WinCC SIMATIC Logon option

• Setup of the access protection in SIMATIC WinCC > User Administrator

The individual applications can then be configured in any order:

• Assignment of permissions in the visualization user interface (picture window, input boxes, buttons)

• Setting up access protection for the Audit option

• Setup of access protection in PM-CONTROL or PM-QUALITY if the WinCC premium add-ons are used

4.6.1 Function principle of access protection The mechanisms of Windows user management are used to administer operating system users and WinCC runtime. Normally, at least two users are created in a WinCC system. Firstly there is the operating system user who coordinates SIMATIC WinCC runtime software, and secondly there is the SIMATIC WinCC runtime user who controls and monitors the process.

Operating system users Activities and permissions of operating system users:

• Changing application software to an active (during operation) state under SIMATIC WinCC (server, clients). In this state, the applications must have at least power user permissions under Windows so that the applications have read and write permissions for drives, folders, databases, etc.

• Making changes to the engineering system, shutting down WinCC runtime, access to all drives, creating, changing and deleting folders and setting up new users.

Note

When the Windows audit policies are activated (see chapter 4.6.3 "Security settings in Windows"), actions made by an operating system user in the operating system are recorded.

SIMATIC WinCC runtime users During operation the activities and permissions of SIMATIC WinCC runtime users include operating the process, checking processes, writing and changing recipes, creating batches, etc.

System installation


4.6.2 User management in Windows Since the user management of SIMATIC Logon is based on the mechanisms of the Windows operating system, there are two options are available for user management in Windows:

• In a domain

• In a workgroup

Windows domains Within a domain, the AGLP strategy (Access Global Local Permission) recommended by Microsoft for the management of resource access over trusted relationships in Windows) is used; in other words, if users of a domain with the same tasks are added to a global group, they are also added to a local group and then adopt the necessary permissions. If a domain server is used in the working environment, the advantages of the group and user management can be used in conjunction with SIMATIC Logon. The central administration of groups and users on the domain server allows all computers that belong to the domain access to the groups and users. To increase availability, domains can be set up with several domain servers.

Windows workgroup Within a workgroup, local users with the same tasks should be added to a local group and the required permissions assigned to the group.

If a computer is a member of a Windows workgroup, the computer acting as server of the workgroup must be specified. All user data are created and managed on this server. From here, they are made available to the other computers in the system. The WinCC server can be included in the server selection, however for performance reasons a separate computer is often selected and used only for managing users.

In the login selection box, the local computer or a domain can be selected. This displays all groups of this server. Administration of the groups and users of the computers belonging to the workgroup is not necessary. A redundant configuration is not possible in this case. Emergency operation is possible using the local user management.

SIMATIC WinCC supports the Windows permissions model. When SIMATIC WinCC is installed, the following local groups are set up:

• SIMATIC HMI

• SIMATIC HMI CS

• SIMATIC HMI VIEWER

SIMATIC WinCC manages the security settings and share rights automatically. To create and start a WinCC project, a user requires the administrator or power user status and must be a member of the SIMATIC HMI user group. The access rights within the WinCC project are checked by User Administrator.

System installation


You will find more information in the SIMATIC WinCC Installation Notes and "WinCC Security Concept" Manual, Chapter 4 "User and Access Management in WinCC and Integration into Windows Management".

! Note The Windows domain must be used when there are several servers or redundant servers to make sure that users can continue to input data or log on if a domain server fails.

4.6.3 Security settings in Windows In Windows user management, users and groups are configured as specified in the URS or FS. Assigning a logon for the relevant tasks on WinCC PCs achieves the following:

• When logging onto Windows, each user is assigned exactly the permissions required to perform the particular task. For example, in order to work on the WinCC project, the user must be a member of the local group Power User and SIMATIC HMI.

• When logging in during runtime, the operator is given exactly those rights required to operate the plant as defined in the UserAdministrator.

This completely separates computer access permissions, e.g., Windows users, from plant authorizations (plant operators). This is supported by the SIMATIC permissions model, although this requires that user authorizations are administered by the user in separate configuration dialog boxes.

The following screenshot shows the Windows Local Users and Groups dialog box in which the users and groups are defined.

Computer management is opened with Start menu > Control Panel > Administrative Tools (in the Windows XP operating system). After selecting Computer Management > Groups, all the groups created in the operating system are displayed.

Additional information • WinCC Information System, section Working with WinCC > Setting Up User

Administration > WinCC Options for the User Administrator > Option SIMATIC Logon

• Permissions management in Windows SIMATIC HMI, Process Visualization System WinCC V6, Security Concept WinCC, Chapter 4 "User and Access Management in WinCC and Integration into Windows Management".

System installation


Security settings of password policies For the monitoring mechanisms of the password policies of Windows, the previously specified settings (URS, FS or DS) must be made. The following security settings of the password policies are relevant and must be configured in the operating system.

Policy Description of the security setting

Enforce password history

Specifies the number of unique, new passwords that must be used before an old password can be used for the user account.

Password must meet complexity requirements

When it is activated, the password must contain at least three of the four following categories: 1. A-Z uppercase letters 2. a-z lowercase letters 3. 0-9 numerical characters 4. !,$,% etc. special characters

Minimum password length

Specifies the minimum number of characters a password must contain

Maximum password age

Specifies the maximum time that a password may be used before it is changed.

Minimum password age

Specifies the minimum time that a password must be used.

The following screenshot shows the Password Policy dialog box. The settings shown are examples:

Computer management is opened with the following menu command: Start > Settings > Control Panel > Administrative Tools > Security Settings.

System installation


Security mechanisms for account lockout policies For the monitoring mechanisms of the account lockout policy of Windows, the settings as specified in the URS or FS must be made. The following security settings in the account lockout policies are relevant and must be configured.


Account lockout threshold Specifies the number of failed attempted logons before the user account is locked out.

Account lockout duration Specifies how long an account remains locked out before the lockout is canceled automatically. If the value 0 is set, the account remains locked out until it is unlocked by the administrator. This is the recommended setting.

Reset account lockout counter after

Specifies how long it takes in minutes before the account lockout counter is reset following failed logon attempts.

The following screenshot shows the Account Lockout Policy dialog box.

System installation


Security settings for audit policies The following settings must be made in the audit policies of Windows to generate a recording (Audit Trail) of attempted logons. The monitored events are stored in the event viewer in the security log and are available for investigation.


Audit logon attempts Specifies whether the instance of a user logging onto a computer is monitored.

Audit account management

Determines whether to audit each event of account management (creating or changing a user account, changing or setting passwords)

Audit logon events Determines whether each instance of a user should be audited when logging on or off on a computer.

Audit policy change Determines whether to audit every incidence of a change to user rights assignment policies, audit policies, or trust policies

Computer management is opened with the following menu command: Start > Settings > Control Panel > Administrative Tools > Local Security Settings.

Note To monitor the logon activity, the required settings must be made in the audit policy of the local policies of Windows.

! Note After installing Windows, default parameters are set for the password policy, account lockout policy and audit policy. The settings must be checked and adapted to the requirements of the current project.

System installation


Additional information • Additional information on setting up Windows workgroups and Windows

domains can be found in the operating system help of Microsoft Windows or in the appropriate Windows manual.

• On setting up user administration, refer to the WinCC Information System, Section "Working with WinCC".

• On permissions management in Windows SIMATIC HMI, Process Visualization System WinCC V6, Security Concept WinCC, Chapter 4 "User and Access Management in WinCC and Integration into Windows Management".

System installation


4.6.4 Configuring SIMATIC Logon To operate correctly, the following settings must be made for SIMATIC Logon:

• To configure SIMATIC Logon, a Windows group with the name "Logon_Administrator" must be created. All users assigned to this group have permissions to configure SIMATIC Logon.

• The full name of every user must be entered in "Local Users and Groups" in Windows Computer Management. This name is used by the application for display in SIMATIC WinCC after logging on.

The basic settings for configuring SIMATIC Logon are made in the Configure SIMATIC Logon dialog.

The relevant language is set in the General tab. It is also possible to define whether a default user is logged on after a user has logged off (by the user or automatically by the system). It is also possible to set the number of days after which a user is reminded that a password change is necessary.

! Note In contrast to all other users, the "Default user" must not be created as a Windows user. The "Default user" is a member of the "Default group" and "Emergency_operator" groups. Which rights these groups have is specified in the WinCC User Administrator (server/client).

In the Working environment tab, the user specifies whether the information relating to groups and users relates to a Windows domain or a Windows workgroup server. The name of the domain or workgroup server must be entered.

System installation


In the Logon device tab, the user specifies whether the logon is via the keyboard, smart card or other procedure such as biometric user identification, for example by fingerprint.

In the Automatic logoff tab, the user specifies whether automatic logoff is used. If this is selected, the delay before a user is automatically logged off must also be specified.

System installation


If automatic logoff is enabled, the user is logged off automatically if there is no activity within the specified time. Prior to the logoff, a dialog indicates that the automatic logoff will take place. This avoids accidental logging off.

! Note Activating a screensaver is not permitted in conjunction with SIMATIC Logon.

Note

To allow operator input during operation, user groups are configured in the WinCC User Administrator.

System installation


4.6.5 Configuring the user administrator The assignment of Windows groups to WinCC user groups is based on names. For example, the "Operator" Windows group will be assigned to a group of the same name "Operator" set up in the WinCC User Administrator. The Operator group is assigned the rights necessary for operator control in the WinCC system. The following procedure must be adhered to:

• Open WinCC project.

• Open User Administrator using WinCC Explorer.

• Create group(s).

• Assign permissions for each group.

The check box for enabling SIMATIC Logon must also be selected in the User Administrator of the WinCC project.

Note In conjunction with SIMATIC Logon, it is not permitted to configure a time for an automatic logoff in the User Administrator. An automatic logoff is configured only in SIMATIC Logon. See Chapter 4.6.4 "Configuring SIMATIC Logon"

! Note The configuration and assignment of user permissions is described in detail in the WinCC Information System in the section Working with WinCC > Setup of a User Administration.

System installation


4.6.6 Setting up SIMATIC Logon for the Audit option If the SIMATIC Logon software is used, this should be set in WinCC Audit. To do this, the following dialog is opened in the WinCC Audit configuration editor via the menu Options > Options.

The operating permissions in WinCC Audit are governed via the Audit Admin and AuditDocControl user groups. The help system for WinCC Audit provides detailed information.

System installation


4.6.7 Setting up SIMATIC Logon for PM-QUALITY / PM-CONTROL Use of the SIMATIC Logon software for user management is activated for PM-QUALITY and PM-CONTROL in the PM-SERVER. The PM-SERVER software is automatically installed with PM-QUALITY and/or PM-CONTROL and serves as a data server.

System installation


4.7 Setting up a long-term archive server A separate computer should be set up in the network for long-term archiving. The MS SQL server and file server setup are installed from the WinCC-DVD. Both are included in the SIMATIC WinCC system software. The backup configuration of Alarm Logging and Tag Logging is configured such that the archive files are saved on this computer (also see Chapter 3.3.7 "Long-term archiving").

System installation


4.8 Installing the Central Archive Server The Central Archive Server is installed on a separate computer on which no other programs should be used.

Note

The paths defined when installing the CAS cannot be changed at a later date.

The CAS is configured via the CAS engineering station. See Chapter 6.8.2.2 "Configuring the Central Archive Server".

System installation


4.9 Security vulnerability in configuration

Disabling the Windows level during operation Since access to the Windows operating system level should be avoided for security reasons, additional configuration settings are necessary. These settings avoid unauthorized access from the process mode of SIMATIC WinCC to sensitive data of the operating system.

! Note Access to the operating system level should only be permitted for administrators or maintenance personnel.

Disabling the user interface Access to the operating system during process mode is configured in the WinCC project in the computer properties. All key shortcuts are disabled as shown below.

The Keep the taskbar on top of other windows setting must also be disabled in Windows.

System installation


It is important to ensure that operations can only be deactivated with suitable operator permissions. After disabling and restarting, the operating system level can be accessed.

For more detailed information on security of data and the system, refer to the WinCC Information System, Installation Notes section.

Preventing access to the Windows level Ensure that no objects that permit access to the Windows file system or exe. programs are used on the user interface. This risk exists with for example OLE objects, Internet links, online help system, etc.

Security with configuration settings in WINDOWS Any HOT KEY assignments must also be disabled. HOT KEYs are often used, for example, to influence the properties of the graphics card. By changing the graphic card properties, it is also possible to reach the operating system user interface.

System installation



5 Project settings and definitions

The SIMATIC WinCC system software allows flexible configuration of process control and monitoring. The configuration is fully customized. In WinCC a large proportion of the application software is configured. Additional functionality can be added using scripts.

This chapter includes basic settings and procedures for configuring a WinCC project in a GMP context, all of which contribute to meeting the GMP requirements for validating a system.

5.1 Startup behavior Once the configuration of a WinCC project has been customized, only the runtime component of WinCC is used for operator control and monitoring and for data archiving. To prevent unauthorized access to the system, the computer can be configured so that WinCC Runtime is activated automatically when the computer starts up.

When the operating system starts, one user who is a member of the SIMATIC HMI user group must be logged on automatically. This procedure is described on the Customer Support Internet page under Entry ID 15390777 (http://support.automation.siemens.com/).

The WinCC project to be opened when the computer starts up is specified in the "AutoStart Configuration" WinCC program. An alternative / redundant project can also be specified. If the "Activate project at startup" check box is selected, the WinCC project is activated immediately during operation. Clicking the "Add to AutoStart" button enters the settings in the computer autostart and these go into effect the next time the computer is started.

The "AutoStart Configuration" dialog is opened with Start >Programs > SIMATIC > WinCC > Autostart.

Additional settings for the startup characteristics are made in the WinCC project. To do this, open the properties of the Computer object from the shortcut menu.

http://support.automation.siemens.com/�

Project settings and definitions


Those WinCC components that were configured and must therefore be active during operation (for example Tag Logging, Alarm Logging, etc.) are activated in the "Startup" tab.

Other applications that are required to be active on the computer during process mode can be included in the list with the Add button as can be seen in the Additional Tasks/Applications box.



5.2 Diagnostics for communication connections WinCC provides the channel diagnostics application for monitoring communication connections to the lower-level controllers. The application can be integrated in a WinCC picture (e.g. diagnostics picture) via Start > SIMATIC > WinCC > Tools > Channel Diagnosis or as ActiveX Control. The status of the channels that support diagnostics is displayed in a window. Information on the start / end of the connection, version ID and error messages with time stamp are automatically recorded in a log file. This represents evidence of the quality of the communication connections provided by the system.



5.3 System information channel The system information channel is used to evaluate system information such as drive capacity, CPU load, server monitoring by a client, date, time and much more. The system information channel is configured as a separate connection. The relevant system function is linked to a system tag for display / evaluation.

In a GMP environment, it is often necessary to archive large amounts of data. By configuring the system information channel, the capacity of the hard disk can be monitored. If a definable limit value is exceeded, a reaction can be configured, for example a message in Alarm Logging.



The example shows how a system tag is set up to evaluate the hard disk capacity.

The display of the relevant system tag could, for example, be configured in a diagnostics picture along with the ActiveX control Channel Diagnosis.



5.4 Object-oriented configuration By using picture windows (for example for controlling process units such as valves, drives or similar) and user objects (for example for uniform visualization of objects) in WinCC, the configuration can be created object-oriented. The objects (picture window, user blocks) are created once for the various use cases. The design and control philosophy must be discussed with the customer, described in a specification and approved by the customer. The individual objects are then put through a function test and qualified. When configuring the process pictures, copies (user objects) or instances (picture windows) of the qualified objects are used.

User objects A user object is an object whose graphic representation and dynamic characteristics are tailored to the requirements of the system. The object properties and the events that cause a dynamic response in the object are specified individually in a configuration dialog. Structure tags are recommended for the dynamic response of the user objects (see structure tag below).

User objects are either entered in the project library or collected together in a standard picture.

The procedure for creating user objects is described in detail in the WinCC Information System.

Note

When a user object is duplicated, a copy is made. If a user object is changed, for example by adding an object property, all the linked user objects must be updated manually.



Picture windows The picture window smart object allows a picture to be called within a picture. This functionality is used, for example, to call a window for controlling a process unit (valve, drive). Such an operator control picture is configured once for a particular function and then opened as an instance in a picture window. When the picture is called, a tag prefix is transferred (see structure tag below).

The example shows the properties of a picture window. The picture name, tag prefix and title properties were configured.



Structure tag Structure tags are used to make picture windows and user objects dynamic. A structure type is defined for a process unit, for example a motor, and contains all tag types for the motor as structure elements.

The example shows a simplified form.



A new tag of the data type "Motor" is created in the WinCC tag management for the corresponding communication connection. The addressing is configured accordingly.

In integrated mode, tag management is adopted from the SIMATIC Manager. The address is thereby assigned automatically.



Based on the example, the following tags will be created for the communication connection:

The tag name is made up of the structure instance, for example the name of the motor, and the structure elements of the structure type separated by a period. The structure instance is transferred to the picture window as the tag prefix property (see example of picture window above).



The individual structure elements are linked to the relevant object properties to allow a dynamic response in the picture that is called in a picture window to control the motor.

By linking the structure elements, the picture is dynamically updated once. When the picture is called, only the tag prefix is transferred.

The procedure with user objects is similar. The structure elements are attached to the configured, user-defined object properties. To link to the tag instance, the dynamic Wizard "Change user object link" is used that is integrated in the WinCC Graphics Designer.



5.5 Creating process pictures The WinCC Graphics Designer editor is a combination of graphics program and process visualization tool. A series of utilities support both graphic creation and dynamization of the plant flowcharts.

To allow flexible graphic design, standard objects (graphic elements, static text), smart objects (bars, windows, etc.) and Windows objects (buttons, check boxes, sliders, etc.) are available in an object palette.



The following refers to a few tools and functions used to reduce the validation work required for an computer system in the GMP environment.

5.5.1 Symbol library The integrated global library contains numerous pre-configured graphic objects. Graphic objects such as machines and plant components, measuring equipment, operator control elements and buildings are thematically organized. The library objects can be inserted with drag-and-drop and adapted as required.

Note

To keep the work for qualifying process pictures to a minimum, it is advisable to use standard symbols from the symbol library.



5.5.2 Project library The project library can be used to store objects developed and defined by the user that can then be included in multiple process pictures. User-defined objects that have been tested and qualified individually are stored in the project library and are then available as a project standard for multiple use.

Note

The project library is part of the WinCC project and is located in the subdirectory "\library". To allow its use in other WinCC projects, the library.pxl file must be copied to the corresponding folder of the destination project.



5.6 Project functions in the form of VB / C scripts Functions required more than once in the WinCC project should be configured in the Global Script editor. The function code is created once either in VB script or C script and then tested and qualified. The function is then available throughout the entire project. The function call is simply programmed in the property for the picture object.



5.7 SIMATIC NET settings SIMATIC NET is used for industrial communication. SIMATIC NET supplies the communication drivers for interfacing WinCC to the automation level over PROFIBUS or Industrial Ethernet. Up to 8 industrial Ethernet connections are included in WinCC. The appropriate license must be bought for more connections.

For more detailed information, refer to the WinCC Information System > Installation Notes > Scope of Delivery.



5.8 Redundancy configuration The redundancy option is included in the WinCC system software, but has to be licensed separately on each computer. To install, the WinCC Setup is started, the Customized selection chosen and the Redundancy option selected.

The configuration dialog is opened using the Redundancy entry in WinCC Explorer.

This is where the computer name of the redundant partner server is stated, settings for data calibration are made and the connections to the redundant partner configured. Data calibration in redundancy mode is selected for the corresponding user archive in the User Archive tab.

With WinCC V6.2 and higher a second computer link is needed between the servers.

Data calibration in redundancy mode is approved by selecting the Activate redundancy check box.



Synchronization of the internal tags must be configured separately for each tag. The Tag synchronization check box in tag management is activated for this purpose in the properties dialog for tags.

Once redundancy has been configured and the corresponding internal tags have been synchronized, the Project Duplicator (Start > Programs > SIMATIC > Tools > Project Duplicator) is used to create the WinCC project for the redundant partner server and this is copied onto the computer. The computer name and standard master settings are adjusted automatically.

The WinCC project is first activated on the standard master, then on the redundant partner server. The value of the internal binary tags @RM-Master is 1 on the master server and 0 on the partner server.



Interaction with PM-QUALITY The PM-QUALITY Professional with Data Center variant ensures that batch data is recorded in full in a redundant WinCC system.

This variant is needed for every redundant WinCC server. The PM-QUALITY server is installed on every WinCC server. This means that the batch data are archived in parallel on every WinCC server. Once a batch has been completed and released, the Data Center application merges the batch data recorded from two PM-QUALITY runtime databases into one export database. If one WinCC server is not available, the Data Center only becomes active when both WinCC servers are again operating. The Data Center can be installed separately from the PM-QUALITY servers on any computer in the network. The export databases are stored on this computer. The data can be viewed using the PM-QUALITY client.

Interaction with WinCC Audit In order to record the Audit Trail entries in a redundant system, the Audit Trail database can be stored on one of the redundant WinCC servers or set up on a computer in the network. If the WinCC server with the Audit Trail database fails, the records are buffered on the redundant partner server and added to the Audit Trail database once the down WinCC server is up and running again.

When configuring WinCC Audit for a redundant system ensure that the this database receives audits from SEVERAL projects setting is selected when creating the database. This also has to be done if the database is stored locally on one of the redundant servers. This setting means that the partner server can access the WinCC Audit database and buffering is undertaken correctly.



5.9 Time synchronization In SIMATIC WinCC, the time transmitted on the bus as default is the standard world time UTC (Universal Time Coordinated). This corresponds to Greenwich Mean Time.

The time stamps are generated in UTC and stored in the archive of the WinCC server. During operation, the process data stored in the archive (messages and trends) are displayed with the timebase configured in the Properties dialog of the ActiveX control. This allows a system configuration in WinCC over different time zones.

Activating time synchronization in WinCC means that an active time master handles the synchronization of all servers, operator stations, automation systems (AS) and the engineering station. To ensure that times match, all the stations belonging to the WinCC system must be synchronized to allow chronological processing (archiving trends, messages, redundancy synchronization of servers).

Note

The activation of time synchronization is necessary in plants in which GMP is mandatory.

! Note

Time synchronization must also be activated on the engineering stations otherwise problems could arise when downloading changes.



5.9.1 Concepts for time synchronization The configuration of the time synchronization must be carefully planned. Every time synchronization activity in the project is subject to the requirements. The requirements of time synchronization must be described in the functional specification. The following sections introduce concepts in time synchronization.

Time synchronization in a Windows workgroup The time in a workgroup should be synchronized via the WinCC server. The time of the WinCC server can also be synchronized using a time master such as SICLOCK (More information can be found online at http://siemens-edm.de/siclock.0.html).

Time synchronization in a Windows domain If the computer system is operated in a Windows domain, the domain must act as time master. The time of the domain server can also be synchronized using a time master such as SICLOCK.

If the time is inaccurate, this can lead to clients being rejected in the domain. This would mean that operator input in process mode at these clients is no longer possible.

If a time difference of five minutes is exceeded between the domain and clients, the operating system assumes that an attacker has decrypted the logon and is attempting to take over the session. This is prevented by denying the client logon to the domain.

Note

The time on the clients in the domain is synchronized using Microsoft system services.

Additional information Procedures for configuring time synchronization can be found in the following documents:

• WinCC Information System > Options > Options for Process Control >Time Synchronization

• WinCC Information System > Release Notes > Process Control Options > Time Synchronization

• SIMATIC HMI manual, Process Visualization System WinCC V6.0 SP4, Security Concept WinCC, Chapter 5 "Planning Time Synchronization".

http://siemens-edm.de/siclock.0.html�



5.9.2 Example configuration in WinCC Time synchronization in a WinCC system configuration can be configured using the DCF77 client tool. This tool is located under the smart tools on the WinCC DVD. A detailed description of the configuration procedure can be found under entry ID 775131 (http://support.automation.siemens.com) and for redundant WinCC servers under entry ID 622814.

Alternatively time synchronization can be configured using the Time Synchronization editor. This editor is part of the WinCC Basic Process Control option (see chapter 6.2 "Creating overview pictures").


http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&objId=622814&objAction=csOpen&lang=de&siteid=csius&aktprim=0&extranet=standard�



Client/server 1. Time synchronization over the plant bus (WinCC server is time master).

By selecting the Synchronization via System Bus (Master, Slave) check box, the access point for time synchronization can be defined. The WinCC server is also declared as time master.



2. Time synchronization of the clients Selecting the Synchronization via Terminal Bus (Slave) check box, specifies that the client is synchronized over the terminal bus / local area network. As reference partner, it is possible to specify whether the time is taken from a connected WinCC server or from a defined computer (in this case from the computer with the name Server1).

Via Ethernet / system bus Time synchronization over the system bus/Industrial Ethernet is only available with WinCC server projects. If the computer being configured is a WinCC client, no settings are possible and the selection boxes are not available.



Via PROFIBUS / MPI Direct time synchronization on the system bus over PROFIBUS / MPI is not available in WinCC. Instead, the time can be set in the automation system. “Time setting“, however, does not have the same level of accuracy as time synchronization since message frames and script runtimes are included.

Detailed documentation of the procedure for setting the time can be found under entry ID. 7802886 (http://support.automation.siemens.com/).

Note

Other concepts for time synchronization are documented in the "SIMATIC WinCC Security Concept" manual.

5.9.3 Central Archive Server (CAS) time synchronization The CAS must be linked to the project-dependent time synchronization concept. A time master, that supplies all other system components, including the CAS, with an actual time, must be declared in this time synchronization concept.

5.9.4 Time stamping

WinCC Alarm Logging Messages archived from the automation system in WinCC Alarm Logging are given the time stamp either of the WinCC system or of the automation system SIMATIC S7-300/400.

With the bit message method, the message is detected due to a bit change in the message tag. Alarm Logging assigns the time stamp of the WinCC system. The time stamp has a certain inaccuracy due to the acquisition cycle, bus delay time and time required for processing the message. Messages are lost if they are shorter than the acquisition cycle.

If tags in WinCC violate a limit value, a message is generated in Alarm Logging when the defined limit value is violated. The time stamp is set as in the bit message method.

With chronologically ordered signaling, the automation system sends a frame with the data of the message. The time stamp of the message is assigned by the PLC. A standard function or function block is used on the automation system to generate the message frame. Alarm Logging evaluates the frames. The date and time are set according to the time at which the message was detected in the automation system.

Note

For information on the message procedure, refer to the STEP 7 help > Configuring Messages > Basics of the Message Concept > Selecting a Message Procedure.



Note The bit message procedure and limit value monitoring can be used with a single-user system in WinCC. In redundant systems or WinCC systems with several operator stations, chronological signaling is used for coordinated acknowledgment and transmission. For chronological signaling, the SFCs/SFBs Alarm, Alarm_S/SQ, Alarm_D/DQ, Alarm_8/8P are used on the SIMATIC S7. Refer to the respective CPU manuals and the block descriptions in the SIMATIC STEP 7 help to learn about restrictions regarding the system resources for simultaneously pending messages. To use the chronological signaling function, the SIMATIC S7-400 in conjunction with the Alarm and Alarm 8/8P blocks is recommended.

WinCC Tag Logging Process values acquired and evaluated in WinCC Tag Logging are given the time stamp either with the time they are acquired in WinCC or with the value from the automation system.

To read in the process values cyclically, acquisition cycles are defined. The shortest acquisition cycle is 500 ms. A time stamp assigned when the process value is acquired includes the inaccuracy of the acquisition cycle.

Note

SFB AR_SEND is available in SIMATIC S7-400 for rapid archiving. A description of the procedure can be found under entry IDs 23780904 and 23629327 (http://support.automation.siemens.com/).

Process values that receive their time stamp from the automation system are prepared in the form of a frame on the automation system and transferred as a raw data tag. The packet structure is described in the WinCC Information System in Working with WinCC > Archiving Process Values > Basics of Archiving Process Values > Process Values and Tags > Structure of a Frame with Raw Data Tags. The frames are evaluated in Tag Logging by format DLLs and entered in the archive. The date and time correspond to the time at which the process value was stored in the automation system.

The specification (URS, FS) of a GMP-compliant plant must describe the way in which time stamping will be performed. The accuracy necessary for message and process value acquisition must be checked in detail. The methods of time stamping mentioned above can be used alongside each other.




5.10 Support for configuration management Configuration of an computer system consists of various hardware and software components; these may be standard components or specially tailored user components. In accordance with configuration management according to GAMP 4, the current system configuration must be available in full and in a clear manner at all times. To achieve this, the system first has to be split into configuration elements, and it must be possible for these to be identified using a unique designation and version number and for them to be distinguished from the previous version.

5.10.1 Definition of configuration elements Standard components that are defined and documented with type designation, version number, etc. are predominantly used for hardware. When using customized hardware, more effort is needed, see chapter 2.1 "Hardware categorization".

The standard components for software include for example the SIMATIC WinCC system software, its libraries, other options and premium add-ons. Just like the hardware, these are defined and documented with designation, version number, etc.

The application software is configured and/or programmed on the basis of standard software. The individual configuration elements into which the application software should be split cannot be defined for all cases as it differs depending on different customer requirements and system characteristics.

5.10.2 Versioning the configuration elements While the version ID of standard software cannot be changed by the user / configuration staff, the issuing of version numbers and a procedure for change control must be defined in operating instructions etc. for configuring the application software. From when the application is first created, all configuration elements should be maintained following a defined procedure for configuration management.

Note Examples of how individual software elements can be versioned are shown in the Chapter below 5.10.3 "Versioning the application software". More information on checking the configuration in WinCC can be found in Chapter 7.5 "Configuration " while GAMP 4 (chapter 7.11.7 and Annex M9) contains general information about configuration management. Always consult the end user to agree upon a procedure for making changes to a plant in ongoing operation, see Chapter 8.1 "Operational ".

5.10.3 Versioning the application software The project policies must contain definitions of which elements are versioned and when, and whether a secondary or main version is incremented in the process, for example:



"The main version is set to 1.0 after the FAT and to 2.0 after commissioning. All other changes are incremented in the secondary version".

The distinction between main and secondary version changes can also be made for example by the scope or impact of the change.

5.10.3.1 General information about versioning The software version provides information on the current version of the system and application software.

The following data is specified for the versioning of the application software:

• Name

• Date

• Version number

• Comment on the change

The procedure for the versioning is part of the configuration management and must be described in a SOP, which is binding for all persons participating in the project.

The following describes examples and options for versioning in WinCC:



5.10.3.2 Versioning pictures in Graphics Designer When the Graphics Designer editor is selected in WinCC Explorer, all existing process pictures are listed in the right window. The properties of every process picture can be displayed using the shortcut menu. The data shown is generated automatically by the WinCC system.

Additional information on versioning, for example the version ID, date changed and name can be entered in a static text box. It is practical to place the text boxes for versioning in a separate picture level that can be shown or hidden as required. The display of the static text box during process mode is controlled by the Display object property.



Note Details of a change can, for example, be described in the relevant validation documents.

Note WinCC Audit RC or WinCC Audit Change Control feature a document check with automatic versioning for WinCC pictures.



5.10.3.3 Versioning VB / C scripts VB or C scripts are created to access tags and graphic picture objects during operation and to trigger actions that are not dependent on pictures.

Scripts are also used to link functions triggered during process mode to individual object properties in Graphics Designer (for example input using the mouse).

Two different methods of script creation are distinguished in WinCC:

• Picture-dependent VB / C scripts that are linked to the property of an object in the Graphics Designer WinCC editor. These scripts are part of the picture and are stored with the picture. Versioning is performed in the picture.

• Non picture-dependent VB / C scripts created in the Global Script WinCC editor.

VB / C scripts created with the Global Script editor provide boxes in the Properties dialog for entering the data Create By, Changed By, Version ID and Comment. The creation date and date of change are entered automatically by the WinCC system.

An optional password can also be assigned.

Note

If a password is used, this is not checked against the logged-on user. Knowing the password allows the script to be opened / edited. If the password is forgotten, access to the script is permanently denied.

It is advisable to maintain a history in the scripts indicating any changes made. The history is entered as comment before the start of the code. As an alternative, the



comment box of the Properties dialog (see above) can also be used to record the history.

Example of recording the history in a C script

Example of recording the history in a VB script

Note WinCC Audit RC or WinCC Audit Change Control feature a document check with automatic versioning for C / VB scripts.



5.10.3.4 Versioning reports The automatic issuing of version IDs in the report layouts is not supported. A static field can be inserted in the report layout for a version ID allowing manual versioning of different states. The version ID must be kept up-to-date as specified in the SOP for configuration management. The following picture shows an example of a report layout footer with a field added for versioning.

Note WinCC Audit RC or WinCC Audit Change Control features a document check with automatic versioning for report layouts.


6 Creating the application software

6.1 Introduction In a full automation solution, the SIMATIC WinCC SCADA system handles the operator input, monitoring and data archiving functions. The interface to the automation level is over powerful process links.

Chapter 6 explains the configuration of SIMATIC WinCC in a GMP environment based on examples. The configuration of the automation level in a GMP environment is not described in this chapter.

The following graphic shows the life cycle model. The configuration focused on in this chapter belongs to the System build area in the graphic.

TraceabilityMatrix

ModuleTesting

URSPQ



FS

DS FAT


ModuleDevelopment

SAT

OQ

IQ

Test

ing

/ Qua

lific

atio

nSpecification

System Build

QR

VRVP

QP

QPP

Creating the application software


6.2 Creating overview pictures To visualize a complex process for operator control and monitoring, a series of process pictures is created. This, however, means that a system is required for screen selection or screen navigation during process mode. The Basic Process Control option is a standardized system for process control available in SIMATIC WinCC.

Note

The option is included on the WinCC system software DVD but installation must be selected as an extra.

If the Basic Process Control WinCC option is installed, the following editors are added to the WinCC Explorer.

The OS Project Editor is used to configure the WinCC project for standardized operator control of the process among other things, the monitor layout, monitor resolution, operating philosophy for the buttons, and message presentation are configured.



The user interface is divided into three areas, the overview area, the work area and the button area.

For detailed information on configuration, refer to the WinCC Information System; section Options > Options for Process Control.

Both the overview graphics and the operator control philosophy must be described in the specification (for example URS, FS and P&I) and created accordingly. When completed, these should be shown in the form of screenshots to the customer for approval.

Note

The OS Project Editor should be configured before starting to create the process pictures because the size of the individual process pictures depends on the monitor resolution and screen layout.

Additional editors included in the Basic Process Control WinCC option are:

• Time Synchronization (see chapter 5.9 "Time synchronization")

• Acoustic horn for acoustic signaling of alarms

• Lifebeat Monitoring (see chapter 6.10 "Lifebeat monitoring")



6.3 Creating operator input messages For plants operated in a GMP environment, FDA regulation 21 CFR Part 11 requires that operator input to the process that affects data relevant to GMP can be traced.

GMP-relevant process input made using input/output boxes or buttons must be configured in the WinCC Graphics Designer so that an operator input message is generated. This operator input message is recorded in WinCC Alarm Logging with the time stamp, user ID, old value and new value. This means that such actions can be traced within the system.

The operator input message is a system message that is displayed in WinCC Alarm Logging. WinCC AlarmControl must be configured accordingly (see also chapter 6.5.2 "Audit trail via WinCC Alarm Logging").

Input/output field To create an operator input message for an I/O field object, the Operator input message property must be set to yes. If the Operator Activities Report property is also configured with yes, the system opens a window for entering comments after the value has been applied.

The I/O field is also assigned access protection. For the Operator permissions property, a function is selected that was configured earlier in the WinCC User Administrator (see chapter 4.6.5 "Configuring the user administrator"). Only persons authorized to use this function can make changes in the I/O field.

The figure shows the Properties > Miscellaneous selection for an I/O field in WinCC Graphics Designer.



Button As default in WinCC, an operator input message is generated only when a direct connection to a tag is configured. This means that if there is a direct connection, the mouse click event for the button writes the value specified for the constant to the defined tag. If the Operator Input Message check box is selected, the system generates a message. It is not possible to enter an operator input comment here.

Functions that are not offered here, for example entering comments, can be programmed using script functions. These functions belong to software category 5 and require more work for validation.



Script functions for changing values If the options described for creating an operator input message for I/O fields and buttons are not adequate, an operator input message can be generated using C scripts. The following project function was developed for this purpose:

ISALG_OperationLog int ISALG_OperationLog( char* pszSource, char* pszArea,

char* pszEvent, char* pszBatch, char* pszUnit, double fOld, double fNew, char* pszComment )

The transfer parameters in this function call have the following meaning:

pszSource Source (for example tag name or process tag name)

pszArea Area (for process cell area or unit)

pszEvent Event text (for example "Setpoint input" or "Motor ON")

pszBatch Batch name pszUnit Unit of measurement fOld Old value

fNew New value

pszComment Comment

This project function can be downloaded free of charge from Customer Support under entry ID 24325381 (http://support.automation.siemens.com/).

Note

The operator input message produced in this way distributes the message information to process value blocks 1 to 5. Compared with the automatically created operator input message, the information is therefore contained in different reporting columns.

! Note If the standard operator input message is used when creating the operator input message, this is also automatically adopted by WinCC Audit.



6.4 Electronic signature Operator actions in WinCC, for example, input via I/O fields or buttons, can be configured so that an electronic signature is required from the logged on user. The operator actions that require an electronic signature during operation must be specified in the specification (URS, FS).

Below, there is an example of configuring use of a button with an electronic signature.

In the example, the Start / Stop buttons turn the air-conditioning on or off. When the button is clicked, a picture window opens in which the password of the logged-on user is requested. The button function is executed only after the correct password has been entered.

Procedure:

1. Two buttons for Start and Stop are configured in a process picture. In the Object Properties > Miscellaneous, the operator control enable was set to No for every button. The status of the operator control enable Yes / No is controlled depending on the AirCond_Active tag. This is achieved by linking the tag or using a dynamic value dialog.

2. For the Authorization property, the Aircondition function was assigned to each button. This restricts the operator input permissions for the button to those users who are members of a user group to which the Aircondition function was assigned. This is configured in User Administrator (see chapter 4.6.5 "Configuring the user administrator").



In the object properties in the Events tab, the Mouse Action property is linked to a VB script. The SL_VerifyUser.bmo VB function which the SIMATIC Logon Service dialog displays is called up in this script. The function authenticates the logged-on user using the password entered. Depending on the outcome of this check, the functions which are to be triggered by pressing the button are programmed. In this example, the AirCond_Active tag is set to 1 for the Start button and reset to 0 for the Stop button. The SL_VerifyUser.bmo function can be downloaded free of charge from entry ID: 24458155 (http://support.automation.siemens.com/).

The InsertAuditEntry function inserted in the script produces an entry in the WinCC Audit Trail which reflects the operator action and logged-on user.




During operation the details of the electronic signature have the following appearance:



6.5 Audit trail To record an Audit Trail of user actions involving data relevant for GMP, the use of the WinCC Audit option is recommended, however, Alarm Logging of WinCC can also be used. Both variants are introduced below.

6.5.1 WinCC Audit

Configuring the Audit Trail for operator input The runtime monitoring components are enabled in the configuration dialog of the WinCC Audit option. Runtime Data / Archives monitors entries both in the message / process value archives and in the user archives. Enabling Operator Actions records operator input during operation in the Audit Trail. The logon/logoff procedures during operation are also saved in the Audit Trail.

In WinCC Audit Trail, operator input to standard objects such as I/O fields, sliders, check boxes, option buttons and text lists can be recorded. The recording of the operator control elements is enabled for each individual object in each process picture.

For I/O fields, text lists, and slider bars, the display of user comments can also be enabled.



Generation of an operator input message is enabled for WinCC tags described via a direct connection in WinCC (see chapter 6.3 “Creating operator input messages“).

The InsertAuditEntry function is also used to create Audit Trail entries. This function can be linked both in C scripts and VB scripts. This allows user-specific Audit Trail entries to be generated, for example due to events or changes in object properties.

The RC license is required to configure the Audit Trail with WinCC Audit. Once configuration is complete, this can be replaced with the RT license. This license is sufficient for records in the Audit Trail during operation.



Configuring a central Audit Trail database The Audit Trail database can be set up locally or remotely. WinCC Audit also supports a central Audit Trail database for several WinCC applications

The graphic contains a diagram of a central WinCC Audit database.

If the Audit Trail is stored on a network drive, it is first recorded on the local computer with the WinCC project and then transferred to the remote computer. If the connection between the remote and local computer fails, all incoming Audit Trail entries are buffered until the connection is established again. The buffered Audit Trail entries are then automatically transferred from the local to the remote computer. This avoids problems and loss of data if the network is disrupted.



The type of database is selected during configuration.

Displaying, printing and exporting the Audit Trail via Audit Viewer The Audit Viewer displays the content of the selected WinCC Audit Trail. The Audit Viewer is installed as an independent program under Windows and is part of the WinCC Audit product. A large number of different filters can be set to filter out important information for the application. WinCC Audit provides so-called Custom filters, which represent frequently needed inquiries. Beyond that you can define your own filters and store them in a file

Customers can also define their own filters and save them in a file.

If required for other purposes, the generated Audit Trail can be exported to an MS Excel file. This is only possible if MS Excel >= 2003 is installed on the computer. It is also possible to document the data on a printer. If a PDF writer is installed on the computer, the data can be stored in PDF format.

To allow viewing of the Audit Trail in plant pictures during WinCC runtime, the Audit Viewer application can also be linked into a WinCC picture as an OCX.

Note More information on configuring WinCC Audit can be found in the associated documentation.



Note The Audit Viewer only displays the data and there is therefore no possibility of entries being manipulated.

The Audit Viewer can access all Audit Trail databases located on the network.

If access using the standard Audit Viewer tool is not sufficient, access via the MS SQL Server Management Studio can be set up. This is done using the WinCCAuditViewer user account with read-only rights so that the Audit Trail database is protected from changes.

Backup configuration WinCC Audit - Audit Trails The MS SQL Server Management Studio is used to back up the Audit Trail database. This provides functions for exporting, importing, restoring, etc. Users with administrator privileges in the Windows operating system can use these functions. If the Microsoft SQL Server was installed with password protection, the password must be known.



6.5.2 Audit trail via WinCC Alarm Logging Operator input through input/output fields or buttons can be configured in the Graphics Designer in WinCC so that an operator input message is generated by the system (for configuration, see chapter 6.3 "Creating operator input messages").

To display login and logout activities in the WinCC system, the display of system messages is generally set up in WinCC Alarm Logging. This is done by selecting the WinCC System Messages entry in the Options menu. The following dialog opens in Alarm Logging:

The operator input message is a system message that cannot be configured user-defined. Values that are changed due to the operator input are automatically entered in process value 2 (old value) and in process value 3 (new value) by the system. We therefore recommend that you rename process value blocks 2 and 3. The tag designation is transferred in the tag system block.



To display operator input messages in a process picture, the WinCC Alarm Control is dragged from the object palette to a picture in the Graphics Designer.

Double-clicking on the control opens the Properties dialog. To ensure that only operator input messages are displayed, a selection must be made. The Selection button opens the configuration dialog. Under System Blocks > Message Classes, the System message, without acknowledgement is selected. On the right in the detailed window, the operator input message must simply be selected.



To allow entries for the login / logout of a user to be shown in the Audit Trail, the type must be changed from process control to operator input message by double-clicking in the Type column for the message numbers 1008000 through 1008007 in the WinCC Alarm Logging.

The display of the message blocks is also configured in the Message Lists tab.

The Audit Trail is displayed in the process picture as follows:

The X in the Comment column shows that a comment exists. This can be displayed with the button marked in the screenshot as follows:



The C function ISALG_OperationLog, to which reference is made in chapter 6.3 "Creating operator input messages" can also be used to generate operator input messages.



6.6 Archiving data: Setting up process value archives It is highly important to provide full quality verification relating to production data, especially for production plants operating in the GMP environment. This includes archiving production-relevant data.

In SIMATIC WinCC, the Tag Logging editor is used to archive data. Tag Logging is part of the WinCC system software. The editor is opened in WinCC Explorer for configuration.

Configuration of the process value archive is broken down into the following steps:

• Creating a process value archive and selecting the tags to be stored in the short-term archive.

• Configuration of the process archive, specifying the archive size, segment change and storage location for transfer to backup.

Data (analog and binary values) relating to process tags is stored in a database via the process value archive. A process value archive is created as a short-term archive. The size is decided in the specification (URS, FS, DS).

Basic principle of operation The process values are taken from a sensor via the I/O modules and transferred to the automation system, from there, they are transferred to the tag management of SIMATIC WinCC via the communication connection. Tag Logging handles the archiving of the value with date and time in the configured process value archive. For long-term archiving, the archived values can be transferred to an archive server by the backup configuration (see chapter 6.8 "Long-term archiving").



6.7 Setting up user archives The User Archive editor creates database tables (archives) containing several data records for parameter data (recipe data / machine data).

To meet the GMP requirements for an Audit Trail, the parameter data of a data record must be inserted in the database table using I/O fields. This is done by creating I/O fields in a WinCC picture and linking them with the relevant data fields. During configuration, a value input in one of the I/O fields replaces an operator input message. The interface to the automation system for loading and receiving data records takes the form of control variables that can also be linked to WinCC operator controls for triggering an operator input message.

Operator input messages are recorded in WinCC Alarm Logging with the time stamp, user ID, old value and new value.

When using the WinCC Audit option, the parameter data records can be entered directly in the User Archive OCX table. There is no need to divert the data input via I/O fields to create an operator input message. Entries in the table are transferred directly into the WinCC Audit database.

More information on the User Archive can be found in the WinCC Information System.



6.8 Long-term archiving In the archiving concept of WinCC, a distinction is made between online archiving (short-term) and offline archiving (long-term). Online archiving is handled by WinCC Alarm Logging and WinCC Tag Logging.

6.8.1 Long-term archiving in SIMATIC WinCC For long-term archiving in WinCC, it is advisable to use a separate server in the network. The long-term archive server stores the transferred database segments from WinCC Alarm Logging and WinCC Tag Logging as backup. The long-term archive server is a server without a connection to the process.

A minimum WinCC installation (fileserver setup) is installed on the server.

There are various ways of viewing the data:

• Copy backup files onto the configuration computer on which WinCC Runtime is run. In Alarm Logging or Tag Logging, the backup files are connected to the project so that the archived values can be displayed in operation.

• Access via OLE-DB (the MS SQL Server must be installed)

• Access via DataMonitor (see chapter 6.13 "Connecting to a Web client")



Backup configuration in Alarm Logging

In the properties of the message archive, a folder is entered as the destination path in the Backup Configuration tab. This folder is the folder set up on the long-term server. To avoid problems if the long-term server fails, a second alternative destination path can be specified.

The setting Signing off active is made in the backup configuration (Tag Logging Fast and Tag Logging Slow) for process value archives that archive data from a GMP environment. When the data is transferred, a checksum is generated. This allows subsequent manipulation to be detected by the system when a backup process archive database is reconnected to the WinCC system. If a manipulated database is reconnected, WinCC displays a warning.



Backup configuration in Tag Logging

The backup for the Tag Logging Fast and Tag Logging Slow archives is configured in Tag Logging. For more information, refer to Alarm Logging above.

6.8.2 Long-term archiving with SIMATIC Central Archive Server The Central Archive Server (CAS) is a dedicated server without a direct process connection. It is used for long-term archiving of message archives, process value archives and reports in conjunction with WinCC.

6.8.2.1 Method Archived data, like process values (Tag Logging) and messages (Alarm Logging) are collected in the Central Archive Server from the connected WinCC servers. The advantage of the CAS is that the data that are transferred from the WinCC servers and stored on the CAS are available for viewing and analysis purposes for longer than is the case with the WinCC long-term archive server.

The archived process values are displayed in the form of trends and tables and the alarms are displayed during operation (runtime) using the WinCC controls that are provided as standard and incorporated in the process picture. Accessing the archive data over a selected time period takes the form of transparent access that is handled automatically by the system. This means that the user no longer needs to concern himself with whether selected archive data are still available on the WinCC servers or whether they have already been transferred to the CAS.



The WinCC CAS software is used to automatically install the StoragePlus software package on the computer. StoragePlus provides tools for CAS administration, creating web views and a WebViewer. This allows various views of the archived data to be configured using Internet Explorer.

The example shown in the following picture shows the possible forms of access for displaying trends and tables (Tag Logging) and messages on the WinCC clients. The individual server segments are transferred to the CAS once complete. If this isn’t possible, for example if the connection is interrupted, the data segments remain on the server. Another transfer process is started later on. This procedure is known as Store & Forward and offers high levels of data security.



6.8.2.2 Configuring the Central Archive Server The configurations needed for the CAS and network with the WinCC system are undertaken in a central engineering system either in SIMATIC NCM PC Manager or SIMATIC Manager. Detailed descriptions can be found in the WinCC CAS Information System.

The SIMATIC NCM PC Manager software can be found on the SIMATIC NET CD that is supplied with the CAS software package. If the WinCC system is integrated in STEP7 during Totally Integrated Automation, the CAS configuration is handled in the SIMATIC Manager.

The details of how to configure the CAS using the SIMATIC NCM PC Manager are provided below.

In the example shown, the CAS is configured in conjunction with a WinCC server and WinCC client and separate computers are needed each for the CAS, WinCC server, WinCC client and CAS engineering station. Configuration is undertaken in the following order.

• Create a new project in the SIMATIC NCM PC Manager

• Import an existing WinCC server project via Menu Options > Import OS or insert a SIMATIC PC station, double-click on the Configuration object in the right-hand window (the hardware configuration is opened), select the Insert object context menu from the table to select the HMI application type > WinCC application

• Create one more SIMATIC PC station each with the WinCC CAS application type or the WinCC application client, as described above



The path to the destination computer on which the corresponding project is running in runtime is stated in the object properties for each application.



The Alarm Logging and Tag Logging are configured as usual in the WinCC project via the engineering system and no backup configuration is entered. This is done automatically by the system configuration.

The Long-term relevance option is automatically selected in Tag Logging for each configured archive tag. This option can be deactivated in either the corresponding column or properties dialog if long-term archiving is not needed in the CAS.



The archive settings for data management on the Central Archive Server (CAS) are configured in the CAS – Options tag.

With regard to the hard disk memory capacity available, the operator must assess the extent to which access – including long-term access – must remain for the system.

CAS data that are transferred using a backup configuration must be reconnected to the CAS for viewing.



Once all the WinCC applications have been configured, the server data for the WinCC server and CAS are created using the context menu.

The server data of the CAS are then assigned to the WinCC server and the server data of both the WinCC server and CAS assigned to the WinCC client. This is done using the context menu Assign OS server.

The Destination system > Load context menu is used to transfer the project data for every WinCC application to the destination computer. The WinCC project should now be opened on the destination computers and runtime activated.

Note

The preconditions and details relating to the CAS configuration described above can be found in the WinCC CAS Information System.

Note

Once the CAS project has been created, all configurations, including WinCC server configurations, are run on the engineering station (ES) and not on the destination computer. Each time the configuration is changed, a new server package is created and loaded on the destination computer.



Central Archive Server administration The CAS software includes the StoragePlus software. This software contains three software components:

• The Administrator Console (server application) allows rights to be issued for use of various users / groups in the CAS.

The database settings are also configured here and handling carried out to create the backup. You will, however, require Administrator Rights for access. Since system settings / initializations can be undertaken here, access should only be granted to an authorized circle of people.

• The View Editor is used to configure trends and message displays that are saved in a separate view.

• The Web Viewer is used to display views that are produced using the View Editor and have been published for this form of viewing.

Access protection The Central Archive Server is a dedicated server, i.e. it is not a station on which for example a process WinCC server can be operated and observed. It is simply used for archiving. CAS access protection therefore takes two forms:

• A WinCC client that has access protection thanks to SIMATIC Logon can be used to display the data that is still linked in the CAS.

• The archived data can be displayed on the CAS using the StoragePlus WebViewer. StoragePlus offers dedicated access protection for this.

Network security The Central Archive Server needs to access the WinCC terminal bus to receive data from the WinCC servers.

There is just one approved folder called ArchivDir on the CAS for this purpose. Completed database segments are transferred here from the WinCC servers.

The StoragePlus WebViewer is simply used to display the archived data on the local computer.

The Central Archive Server must be included in the entire system security concept (see chapter 3.2 "System network security").

Audit Trail CAS Technically speaking, the data archived by CAS cannot be changed. In the WinCC client or if using configured web views, users have read-only access to the archived data. CAS therefore does not support an Audit Trail in accordance with 21 CFR Part 11.

All events, for example the transfer of data to external media or failed transfers, are however saved in the log file directory on CAS.



6.8.2.3 Archiving and transfer to the CAS Process data are first archived locally on the WinCC servers in Tag Logging or in Alarm Logging. The archive data are divided into individual segments. Several individual segments make up a complete database segment. The size of the individual segments and database segments can be configured in both Alarm Logging and Tag Logging. See also chapter 6.8.1 "Long-term archiving in SIMATIC WinCC".

Transferring archive data (Backup) "Closed" database segments are automatically transferred from the WinCC servers to the CAS.

The database segments then attain "backed up & disconnected" status.

As can be seen in the previous diagram, a device with an appropriate burning program can be specified as the storage location. Only if this device is not available, is data transferred for example to a hard disk area via the secondary storage location.

The criteria for automatic saving cover time setting ranges that extend from immediate transfer to a delayed transfer, for example only when the hard disk memory capacity has reached a certain level.

They should be assessed in terms of availability ("connected" status) for a requirement relating to the possible display using views.

In the Common part of the administrator console, the configuration can be viewed for the archive transfer. The settings are undertaken on the engineering station when setting up the CAS. See chapter 6.8.2.2 "Configuring the Central Archive Server".

6.8.2.4 Retrieving archived data Database files already archived by backing up can be returned to the database using StoragePlus and the "Connect" button (backed up & connected status). This allows views to be accessed again for the time setting range of these data.

Data reconnected with the system in this way are disconnected using the "Disconnect" button (backed up & disconnected status).



6.8.2.5 Data displays Pre-assembled views are available as

• diagram (trend display)

• alarm (message display)

Views that have been fully produced are displayed on the CAS computer using the Web Viewer via Internet Explorer.

More information can be found in the WinCC CAS Information System documentation.

Since StoragePlus can only be used to access locally on your own PC, the address for Internet Explorer is http://localhost/ when launching the WebViewer.exe application.

As the Windows operating system user already logged in, you are automatically logged in.

6.8.3 Batch-oriented long-term archiving with PM-QUALITY PM-QUALITY offers several methods for archiving batch data.

• Exporting in database format

• Exporting in HTML format

• Exporting in XML format

Only completed batches can be archived. A batch has the status closed, when:

• The batch was completed manually or automatically.

http://localhost/�



• The batch was aborted, locked or reported as completed.

Automatic export of a batch is performed only once. Selecting the Automatic batch finalize check box in the Project Settings > Defaults dialog has the effect that changes to the batch data are no longer possible after the automatic export.

For export in HTML format or XML format, subsequent manipulation of the data can be prevented by assigning the appropriate rights to the drive (read-only).

PM-QUALITY checks if the completed batch is ready for export in the current acquisition cycle. The data must first be exported to a local hard disk. Transferring the batch data to an external drive, for example to the long-term archive server, can be configured with Following action.



The Export View application is used to view batch data in the database format. The tool is contained in the PM-QUALITY package.

The batch is selected in a batch list dialog; viewing on screen is started with a button in the toolbar.

For more detailed information on the WinCC premium add-on PM-QUALITY, refer to the product's online help.



6.9 Reporting

6.9.1 Reporting with WinCC Report Designer The Report Designer is integrated in the WinCC system software to allow documentation of the configuration data and the runtime data.

The following runtime data can be logged:

Message sequence report Chronological listing of all messages that have occurred

Message report Messages of the current message list

Archive report Messages from the message archive

Tag table Tag contents from process value / compressed archives in the form of a table

Tag trend / picture Tag contents from process value / compressed archives in the form of a trend

Note

WinCC Report Designer supports logging of continuous processes.

The contents of user archives can also be documented in the form of a table.

The design and output of the runtime data can be defined in page layouts. Print jobs control the printout. The output range and options are also specified in the print job.

A series of system layouts and system print jobs for various documentation requirements are supplied with the product. These can be used to create new layouts or print jobs but they should not be modified. Changing the system layout means additional test effort from a GMP perspective. If the system software is upgraded, the system layouts are overwritten by the installation.

Note

The WinCC Information System lists available layouts print jobs in Working with WinCC > Documentation of Configuration and Runtime Data > Appendix System Layouts and Print Jobs for Runtime Documentation.



6.9.1.1 Page layout editor The page layout editor of the Report Designer is used to modify system layouts to meet users' needs or to create new layouts. System layouts are opened in the page layout editor and saved under a new name so that they can be modified.

The layouts are divided into a static and a dynamic section. To design the layout, static and dynamic system objects are available in the form of an object palette. A title page, for example with the company logo and a back page can be created for each report.

Headers and footers are configured in the static section. A version ID can, for example, be configured in the footer that is changed manually in a variable.

The runtime data for output are configured in the dynamic section. The required object is selected from the Object Palette > Runtime Documentation and dragged to the work area (dynamic section) of the report layout.

In the following example, the Archive Report object under Alarm Logging RT is linked into the report to show the Audit Trail entries (user input messages). The column appearance is configured in the properties.



As a filter, either the number of the operator input message is specified (the message number is fixed by the WinCC system) or activated by clicking Message Class > System, without acknowledgment and selecting the Operator input check box.



6.9.1.2 Print jobs WinCC Report Designer documents data from continuous processes over a defined time. The period is set along with all other settings in the print job. During process mode and before the log starts, it is also possible to open a parameter assignment dialog in which the output selections, timebase, and time range for the output of archive tags can be changed for the log being output.

Note For more detailed information on the WinCC Report Designer, refer to the WinCC Information System, section Working with WinCC > Documentation of Configuration and Runtime data.

The Audit Trail entries are shown in the log as follows:



6.9.1.3 Logging the Audit Trail entries from WinCC Audit The Audit Trail entries from the WinCC Audit database can be printed via the Report Designer.

Creating an ODBC data source Before configuration in the Report Designer, an ODBC data source is created for the WinCC Audit database using the Windows control panel.

The ODBC data source administrator is opened via Start > Settings > Control Panel > Management > Data sources (ODBC).



The selected WinCC Audit database is added.

WinCC_Audit for example is entered as the name.

The following is specified under server: <Computer name with audit database>\WinCC

The wizard is continued by selecting Next.

The default database is changed to WinCC_Audit. Further settings are not necessary. The wizard is complete.



Creating the report layout for WinCC Audit A new layout is created in the Report Designer. This is set in Properties > Orientation > Landscape format.

The Database table object is selected from the standard objects and dragged into the layout using drag-and-drop.



The Database connection property is selected from the Connect tab in properties for the database table.



The Edit button opens a dialog in which the connection to the WinCC_Audit database is configured.

The data source previously created is selected under ODBC data source.

Activating Display column headers prints the WinCC Audit column headers in the report.

A user-specific selection for choosing the data to be displayed is specified under SQL Statement. The Test SQL statement button checks that the syntax is correct.

The column width can be adjusted under Geometry > Columns > in the database table properties.



6.9.2 Batch-oriented reporting with PM-QUALITY The WinCC premium add-on PM-QUALITY is used for batch-oriented archiving and reporting. The recording of the production-relevant data begins with the Batch start signal and ends with the Batch end signal. The data is assigned to a specific batch, which can be configured, and called back up again with the batch name.

The report layouts for printing the batch data can be customized in the Report Editor application.

Static objects for report designs and dynamic objects for displaying the batch data are listed in the highlighted area at the lower left.

The dynamic objects are configured for the specific plant beforehand in the Topology Manager application. The dynamic objects include batch header data, phase sections, snapshots, alarm events, Audit Trail entries, tag logging values, etc. A tabular horizontal or vertical display style can be selected.

Tag logging values are shown in the form of trend curves. This involves defining trend templates in which the values and the form of the trend graphic are specified. You can also display comparable trends with values from different batches.

The procedure for including Audit Trail entries (operator input messages) in a batch log is shown below based on an example.



The PM-SERVER application functions as the interface between the WinCC system software and PM-QUALITY. It is contained in the PM-QUALITY program package. A station is configured for the WinCC server in PM-SERVER in which the data from the WinCC project are imported (tags, alarm blocks, permissions and archive data). PM-SERVER can not only record data from one but from several WinCC servers with different projects. Based on the imported alarm blocks, a message column structure is configured in which the messages arriving from the WinCC projects are passed on to PM-QUALITY.

The operator input messages are recorded in WinCC Alarm Logging as Audit Trail (see also chapter 6.5.2 "Audit trail via WinCC Alarm Logging"). To receive the operator input messages, an Alarms object and an Alarm group is created in the Topology Manager below the relevant production unit, in this case with the name Audit Trail.

The alarm blocks to be shown in the batch report are selected in the properties of the Audit Trail alarm group. The message number for the operator input message as defined in the WinCC system is also entered in the Alarm filter dialog.

The Audit Trail alarm group is displayed in the area for the existing objects in the Report Layout editor. The Audit Trail alarm group is dragged to the right to be included in a report layout.



An Audit Trail can appear as follows in a batch report:

Change comments can be logged in the audit trail.

Note

For more detailed information on the WinCC premium add-on PM-QUALITY, refer to the product's online help.



6.10 Lifebeat monitoring The Lifebeat Monitor monitors all servers, clients and automation devices which can be reached over PC networks and industrial networks (Industrial Ethernet, PROFIBUS or OPC).

To configure the nodes to be monitored, the Lifebeat Monitoring editor is opened in WinCC Explorer. Here, all the nodes to be monitored and the monitoring cycle in which the lifebeat monitoring takes place can be set up.

Note

Lifebeat monitoring for third-party systems must be configured manually. Its use depends on the communication partner of the third-party system. If the third-party system represents an important interface to SIMATIC WinCC, Lifebeat Monitoring is absolutely necessary. For additional information, refer to the WinCC Information System > Options > Options for Process Control > Lifebeat Monitoring.



6.11 Data communication with the plant management level Data communication with the plant management level or other systems must be covered by system functionalities. Here, there are several options available, including the integrated OPC connection (OPC Data Access), the connections of OPC A&E and OPC Historical Data Access, or the WinCC OLE DB connection.

6.11.1 Data communication with the connectivity pack The WinCC Connectivity Pack option makes possible standardized access to the WinCC data. This option is installed on the WinCC server.

The following mechanisms are available:

• OPC Historical Data Access (access to the process value archive) OPC HDA. All or selected process value archives can be read. The process value archives can be read cyclically or user-controlled on certain events or at certain times. It is not possible to write to the process value archives.

• OPC Alarms and Events (access to the message archive) OPC A&E. All or only selected messages can be read. The message archive can be read cyclically or user-controlled for certain events or certain times. Apart from acknowledgments, it is not possible to write to the message archive.

• WinCC OLE DB allows read access to Tag Logging and Alarm Logging archive databases.

6.11.2 Data communication with the connectivity station The Connectivity Station software package offers the same functionality as the aforementioned Connectivity Pack. The difference is in the installation. The Connectivity Station does not require a WinCC installation and can therefore be installed on any PC in the network. It is configured via the SIMATIC NCM manager (free of charge on the SIMATIC Net CD) or the SIMATIC manager (STEP 7).



6.11.3 Data communication with Industrial Data Bridge The IndustrialDataBridge application offers various mechanisms for communicating data between WinCC and various applications, for example Oracle database. Archived data cannot be manipulated.

6.11.4 Data communication via the ODK programming interface The WinCC Open Development Kit (ODK) option describes the exposed programming interfaces that can be used to access data and functions of the WinCC configuration and WinCC runtime system. The interfaces are designed as C-Application Programming Interface (C-API).

Note

Due to the large amount of work involved, the ODK interface should only be used when there is no other way to implement certain functionalities.



6.12 Creating C and VB scripts C und VB source files are programs written by the user that count as class 5 in the software categorization. This type of software is developed to meet customer-specific requirements that cannot be covered by the standard library.

With category 5 software, the constraints governing the creation of software according to ISO 9001 2000 should be adhered to.

If category 5 software is used, the development and system build must comply with the stipulations of GAMP ® 4.

The procedure for creation of Category 5 software is as follows:

1. Creation of a functional description for the software

2. Specification of the function blocks used

3. Specification of the inputs and outputs used

4. Specification of the block for operator control and monitoring

! Note The creation of category 5 software should be limited to a minimum because it significantly increases the work involved for testing and validation.



6.13 Connecting to a Web client When talking about web access from a computer in the network to a WinCC project, a distinction is made between read-only access and read and write/user input access. Read-only access is set up using the WinCC DataMonitor option and operator inputs for the WinCC project, i.e. write access, is set up via the Web Navigator option. Operator input via the web client is checked by both the SIMATIC logon (user authentication) and the user administrator in WinCC (operator permissions).

Note

There are standard tools on the market for open systems that encrypt data transfer and make the "open path" secure. Descriptions and more information on security can be found in the "SIMATIC WinCC Security Concept" under entry ID. 23721796. (http://support.automation.siemens.com/)

6.13.1 Configuring web access on the WinCC server for process operator input The following installation and configuration steps are needed for operator input in a WinCC project via a web client:

The WinCC Web Navigator Server option is installed on the WinCC server or a multiclient and licensed for the corresponding number of web clients. The Web Navigator Client should be installed on the computer used for remote access. The installation on this computer is not licensed.

The wizard for configuring the web connection is started via the Web Configurator context menu for the Web Navigator object in WinCC Explorer.

In the first dialog the user chooses whether a new standard web page is to be created or an existing one added.

http://support.automation.siemens.com/)�



The web page is configured in the second dialog. The settings are preassigned by default. They can however be adapted by the user.

The Windows firewall is adapted in the third dialog. The settings needed are described in detail in the Help section for the Web Navigator (Start > Programs > SIMATIC > WinCC > DataMonitor > DataMonitor Information System).

The corresponding process pictures of the WinCC project must be published in the Web Navigator Server application for remote access. Another wizard that is launched in WinCC Explorer via the Web View Publisher context menu for the Web Navigator object is used for this purpose.



The WinCC project path and folder for web access are entered automatically in the dialog. The data can be preceded by a server prefix. This is needed when installing on a multiclient.

Those WinCC process pictures that are to be viewed or operated via remote access are published in the dialog.

The functions and pictures to which references are made in the process pictures selected are published in the other dialogs.



A completion report announces that all the information has been recorded.

Note

The corresponding client has to be installed and licensed on the computer for remote access in order to view the process pictures that are included in the controls of the WinCC premium add-ons PM-CONTROL and PM-QUALITY.

6.13.2 Setting up operator permissions on the WinCC server The operator permissions in the web client are set up in the WinCC User Administrator. The User Administrator editor is opened in WinCC Explorer for this purpose.

Checking the check box for SIMATIC Logon activates authentication of the user logged on via SIMATIC Logon. Also see chapter 4.6.4 "Configuring SIMATIC Logon".

Remote access is activated by selecting the check box for the Web Navigator. The start screen for the web client can be configured and may deviate from the start screen for runtime on the WinCC server. There is also an option for selecting the language for viewing in the web client.

The "DataMonitor – Monitor only" function controls operator permissions between WebNavigator and DataMonitor. If this function is not activated and the WebNavigator license is detected, the operator can control the process pictures. If this function is activated, the process pictures can only be monitored.



Note This configuration is undertaken separately for each user group. This means that the definitions for release for remote access, the start page, language and operator permissions may be different for each user group.

6.13.3 Remote access via the network The web client must be installed on the computer for remote access. In Windows Internet Explorer the link to the WinCC server is established and the computer name stated in the address (for example http://Rechnername).

When the connection is first made, a check is run to determine whether additional software is needed. Once the installation has been completed and the link to the WinCC server established, a logon dialog appears in which the user ID and password are demanded. SIMATIC Logon checks the logon. If the logon is successful, the start page is opened according to the User Administrator configuration. Operator input in the process picture is the same as operator input in the WinCC runtime. The logged-on user is assigned the rights of the user groups of which he is a member.

Note

The user cannot log off if using remote access. The time configured in SIMATIC Logon for automatic user logoff also has no effect when using remote access. We would therefore recommend closing the session after modifying data by exiting Internet Explorer.

6.13.4 Configuring web access on the WinCC server to display data To display and evaluate the archived data either from WinCC or from the long-term archive server, the Trends & Alarms application of the WinCC DataMonitor option is used. Trends & Alarms and the other tools available grant read-only access to the archived data.

The process screens with the WinCC Alarm Logging and/or Tag Logging controls can be used as an alternative for viewing data.

Using Internet Explorer, the archive data can be displayed on any computer in the network. To set up the functionality, the DataMonitor Server is installed on the WinCC server and licensed for the corresponding instances of remote access. The DataMonitor client has to be installed for the data to be viewed on the remote computer. No extra license is necessary for these computers because the license is integrated in the server license.

Details of the procedure for installation, required user rights, adaptation of the security policies in the network, etc. are described in the DataMonitor Information System.

The Archive Connector tool is used to connect/disconnect the archived database with/from the MS SQL server. The databases are grouped under a symbolic name. The archived databases must be located on the computer with the DataMonitor server for this to happen.

The Archive Connector is opened via Start > Programs > SIMATIC > WinCC > DataMonitor > WinCC Archive Connector.

http://rechnername/�



When the DataMonitor server is installed, the DM-ADMIN and DM-USER user groups are automatically created.

To configure and operate the DataMonitor, a Windows user must be created on the computer with the DataMonitor server and this user must either be a member of DM-ADMIN or DM-USER. Users who are assigned to the DM-USER user group have access to view the data.

A connection is established on the remote computer via Internet Explorer. The name of the PC on which the DataMonitor server is installed is entered under Address (http://Rechnername). A logon dialog for specifying user ID and password is displayed. Once the logon is complete, the DataMonitor start page appears.

http://rechnername/�



To display the archive data, the Trend & Alarms tool for example is started by clicking on the left-hand side.

The menu offers the following views:

• Process value table

• Trend (process values)

• Alarm table

• Alarm hit list

• Statistics functions for process values



Example of process values being displayed in tabular form:



Example of a plot:



6.14 Connecting SIMATIC WinCC flexible More information on the use of SIMATIC WinCC flexible in a GMP environment in conjunction with SIMATIC WinCC, can be found in the "SIMATIC WinCC flexible GMP Engineering Manual: Guidelines for Implementing Automation Projects in a GMP Environment".



6.15 Connecting SIMATIC S7

Connection via defined channels To exchange data between WinCC and the automation systems, the first thing that is required is a physical connection. Any communication connection is configured in SIMATIC WinCC suitable for the hardware being used. The WinCC system software includes a series of communication drivers for this purpose.

The SIMATIC S7-300 and S7-400 automation systems, for example, are linked using the communication driver (communication channel) "WinCC SIMATIC S7 Protocol Suite". Depending on the communication hardware in use, various channel units are available for the channel. The channel unit serves as an interface with exactly one underlying hardware driver and therefore to exactly one communication processor in the PC. A detailed list of the existing channel units can be found in the WinCC Information System in the section Communication > SIMATIC S7 Protocol Suite.

A connection is configured for the selected channel unit in the tag management by creating the tags with a name and data type. These tags are also known as external tags.

The tag management forms the data interface between the automation system and WinCC system. All the editors integrated in WinCC read / write data to the tag management.

An interruption to the communication connection is indicated in the WinCC Alarm Logging if system messages are enabled.

Evaluating the tag status and quality status To allow monitoring, a status value and a quality code are generated for each tag. Among other things, the tag status indicates configured limit value violations and the link status between WinCC and the automation level. The quality code is a statement about the quality of the value transfer and value processing.

The evaluation of the tag status or the quality code can be configured, for example in the dynamic values dialog in the properties of a graphic object.



The evaluation of the tag status in this example is shown by a color. If the described state occurs, the color changes according to the configuration. The quality code is configured in much the same way.

The checking of the quality code and tag status can also be performed in VB / C scripts and linked to a user-defined action.

Note

For more detailed information on using SIMATIC S7 in a GMP environment, refer to the "SIMATIC STEP 7 GMP Engineering Manual: Guidelines for Implementing Automation Projects in a GMP Environment".



6.16 Connecting third-party components

Connection via defined channels We recommend that the OPC channel is used as the communication connection between WinCC and third-party automation devices. The communication driver for OPC (OLE for Process Control) is certified by the OPC Foundation. The driver is included in the WinCC system software.

It is possible to link the OPC client with third-party control systems over an OPC server.

In tag management (data manager), a communication connection is configured for the OPC channel in which tags with name and type can be created. These tags form the interface between the automation system and WinCC. The WinCC system software uses the contents of the data manager for the configured functionalities.

WinCC also operates as an OPC DA server and transfers process values to other OPC clients.


7 Support for qualification

7.1 Introduction The following graphic shows the life cycle model. Qualification, which is the focus of this chapter, is assigned to the area of Test / Qualification in the graphic.

TraceabilityMatrix

ModuleTesting

URSPQ



FS

DS FAT


ModuleDevelopment

SAT

OQ

IQ

Test

ing

/ Qua

lific

atio

nSpecification

System Build

QR

VRVP

QP

QPP

The aim of the qualification is to provide documented proof that the system was set up according to the specifications and that all specified requirements have been met. Qualification describes, executes and finally evaluates all the activities necessary for this. Various standard functionalities of SIMATIC WinCC can be used as support in qualification during IQ and OQ.

Support for qualification


7.2 Planning qualification Defining a life cycle for project development determines various test phases. The basic qualification activities are then established at a very early stage in the project and put into detailed specific terms during later specification phases.

The definitions laid down at the start of the project include

• Responsibilities for planning, implementing and approving tests

• Scope of testing in the individual test phases

• Test environment (test structure, simulation)

Note

The amount of test work involved should reflect the results of the risk analysis and the complexity of the components to be tested.

In parallel to completion of the system specification (FS, DS), the individual tests are also planned in detail. This defines:

• Test procedures for the individual tests

• Test methods, for example structural (code review) and/or functional (black box test)



7.3 Qualification of the system hardware During the qualification phase, checks are run to establish whether the installed components and entire system structure match the requirements of the Design Specification. This includes details such as component name, firmware / product version, installation location, server and clients used, interfaces to the automation systems, etc.

Note

A visual inspection of the hardware can also be made. Printouts and screenshots can be used as evidence during qualification (IQ/OQ).

Qualification of field devices Field devices are specified and qualified with for example the following details:

• Identification of vendor and type

• Order number (MLFB)

• Function / desired destination

• Tag description / measuring range / unit

• Connection type

• Address number

Qualification of the automation hardware Automation stations are specified and qualified with for example the following details:

• Identification of vendor and type

• Order number (MLFB)

• Number of racks

• Verifying the hardware components used (CPU, CP, etc.)

• Number of distributed I/O stations

• Interfaces to third-party systems

• Address description

• Address number

• Etc.

Note

The documentation is supported by print-outs of the HW config. The switching cabinet documentation must also match this.



Qualification of the network structure When qualifying the network structure, the following details are for example specified and checked in the qualification:

• Name of station, PC, AS, clients, etc.

• Communications module, type of connection and communication partner (Ethernet, PROFIBUS, serial etc.)

• MAC address (when using the ISO protocol on the plant bus)

• TCP/IP address and subnet mask (when using clients)

• PROFIBUS addresses

Note

The SIMATIC NetPro configuration can be printed out.

Specification of the employed PC hardware In the qualification of the PVC hardware used, checks are necessary to ensure that the requirements of the hardware design specification were implemented. The so-called PC passport is useful for the qualification. All the installed hardware and software components should be listed in the PC passport.

These include:

• Order number of the employed PC hardware

• Additionally installed hardware components (additional network adapters, printers, etc.)

• Check for the configured network addresses, monitor resolution, etc.

Note

The PC passport is normally created manually. Some PC manufacturers provide a utility for automatic detection of the hardware information. The PC passport can be printed and used to verify the qualification (IQ/OQ) of the installed PC hardware. Visual inspection can be carried out at the same time.



7.4 Qualification of automation software

7.4.1 Software categorization according to GAMP Guide According to the GAMP® 4 Guide of Validation of Automated Systems, the software components of a system can be assigned to five software categories. Below you will find examples illustrating how this categorization relates to SIMATIC WinCC.



7.4.2 Qualification of standard software When qualifying the standard software used, a check is run to establish whether the installed software matches the requirements of the specification. These include:

• Operating system

• SIMATIC WinCC system software

• SIMATIC standard options (Audit, SIMATIC Logon, DataMonitor, UserArchive, etc.)

• SIMATIC WinCC premium add-ons (PM-CONTROL, PM-QUALITY)

• Standard libraries

Note (operating system)

The installed software can be verified by operating system functions. The information can be found in Control Panel > Add / Remove Programs). All installed software components are displayed here. A screenshot can be printed and used for the qualification (IQ/OQ).

Operating system The installed software can be verified by operating system functions. The information can be found under Control Panel > Install/Remove Programs. All installed software components are displayed here.

SIMATIC Security Control The settings required in the Windows operating system for the WinCC system software can be retrieved from the SIMATIC Security Control application. The current settings are displayed by selecting Start > Programs > SIMATIC > Security Control > Accepted settings. Printed documentation is started using the corresponding button (see also chapter 4.3 "Installation and configuration of SIMATIC Security Control").

System programs of SIMATIC WinCC In an environment in which GMP is mandatory, documentation listing the installed software packages (operating system, SIMATIC products, and other applications) with version and license should be created. Detailed documentation of the installed SIMATIC software can be found under Programs > SIMATIC > Product notes > Installed software.

Note

The installed components can be printed and used for the qualification (IQ/OQ).



Software licenses The Automation License Manager program provides information on the installed licenses on the WinCC computer. To view this information, open the Automation License Manager and select the partition of the PC on which the licenses are installed on the left in the Explorer bar. The available SIMATIC licenses of the system are now shown on the right.

Note The installed licenses must correspond to the requirements defined in the specification.



7.4.3 Qualification of application software For the qualification of application software, checks are necessary to ensure that the requirements of the software design specification were implemented. Descriptions of tests must be agreed on with the customer and generated. These test descriptions must be coordinated individually to meet the software design specifications.

As a minimum, the following must be checked and tested and can be used as a reference for the qualification:

• Check of the name of the application software

• Check of the technological hierarchy (plant, plant section, technical equipment, individual control element, etc.)

• Software module test (typical test)

• Check of the communication to other nodes (third-party controllers, MES systems, etc.)

• Check of all inputs and outputs

• Check of all control modules (individual control level)

• Check of all equipment phases and equipment operations (technical functions)

• Check of the relationships between modes (MANUAL/AUTOMATIC switchovers, interlocks, start, running, stopped, aborting, completed, etc.)

• Check of the process tag names

• Check of the visualization structure (P&I representation)

• Check of the operating philosophy (access control, group rights, user rights)

• Check of the archiving concepts (short-term archives, long-term archives)

• Check of the message concept

• Check of the trends

• Check of the time synchronization

! Note If extra blocks are needed in addition to the WinCC standard libraries in order to configure special processes or functions, the amount of validation work will increase greatly.



7.5 Configuration control: Versioning and archiving projects The concept for versioning and archiving WinCC projects is part of configuration management. A detailed description of the type of versioning, how it will be performed and how the version IDs will be assigned is required.

When the project status is versioned, archiving is also prepared at the same time. The proposed methods each produce a compressed project file which is to be saved on suitable media (e.g. network drive, burn to DVD) for archiving.

Versioning and archiving variants:

1. The SIMATIC Version Trail option for projects integrated in STEP 7

2. Software Project Versioning, part of WinCC Audit RC or WinCC ChangeControl.

3. Manual versioning: Backup of WinCC project directory either using the Project Duplicator or as a zipped file

SIMATIC Version Trail Within the framework of Totally Integrated Automation (TIA), the WinCC HMI system is integrated in the SIMATIC Manager. The WinCC project has been integrated in the STEP 7 project. In this case, the SIMATIC Version Trail option is used for versioning. SIMATIC Version Trail supports the archiving of projects and assignment of a version ID (name and version number). The version ID is entered in a dialog along with a suitable comment. A major version and minor version can be distinguished.

SIMATIC Version Trail manages all actions such as creating, archiving, deleting version statuses, etc. of a version project in the version history (Audit Trail). The version history can be called up using the Options > Version History menu. All actions relating to archiving projects and even deleting version statuses are also logged here. The following diagram shows the version history of creating the "Sample1" version project right up to archiving various version statuses.



When using SIMATIC Version Trail for continuous archiving, the version history provides a good way of documenting various software statuses during the life cycle of an computer system.

All software statuses along with archiving date and version are listed in chronological order.

The version statuses are stored in zip files and can be easily archived and retrieved.

More detailed information can be found in the "SIMATIC Step 7 GMP Engineering manual: "Guidelines for Implementing Automation Projects in the GMP Environment".

Note

To ensure traceable versioning with a version history, we recommend using SIMATIC Version Trail in integrated mode. More detailed information can be found in the "SIMATIC Step 7 GMP Engineering manual: Guidelines for Implementing Automation Projects in a GMP Environment".

WinCC Project Versioning When not in integrated mode, we would recommend the WinCC Audit Project Versioning option for versioning WinCC projects. The WinCC project must be closed for versioning.

The WinCC Project Versioning application is opened via Start > Programs > SIMATIC > WinCC Audit > Audit PV.

This application can be used to manage several WinCC projects.

A table-based list shows the versions created for the WinCC project selected on the left in the tree structure. A new archive is created or an older project version retrieved using the buttons positioned at the top. A wizard supports the



corresponding process. The project’s archive data are stored in zip files that can be easily archived in the long term.

Manual versioning In this storage concept, it might be specified, for example, that the project is backed up following a change. The project can be backed up using the WinCC Project Duplicator tool. The Project Duplicator tool is opened with Start > Programs > SIMATIC > WinCC > Tools. The Project Duplicator produces a direct copy of the WinCC project using the path specified.

Alternatively the folder containing the WinCC project is zipped in Windows Explorer to back up a project. When zipping, all data are reliably compressed.

Versioning can, for example, be included in the file name of the compressed file. When compressing the WinCC project, it is important that the folder hierarchy is retained so that the project can be read again later.

! Note The WinCC project must be closed before it is copied.



Versioning / backup up data of WinCC options / WinCC premium add-ons If WinCC options or WinCC premium add-ons such as PM-CONTROL / PM-QUALITY are used in the WinCC project, the corresponding databases must also be backed up. Before the data is backed up, a check must be made to make sure that the databases of the add-ons were disconnected from the MS SQL Server when the WinCC project was closed. If the databases were not disconnected automatically, an error message is displayed when the data is backed up. The databases can be disconnected either with the detachdb.exe application (in the Programs/Siemens/PMCOMMON folder) or with the MS SQL Enterprise Manager. During installation, WinCC options and WinCC premium add-ons automatically store their data in a separate folder below the WinCC project. In this case, the data are also backed up via the Project Duplicator, Version Trail and WinCC Audit Project Versioning. If a user defined storage path was specified during installation, the data must be backed up separately.



7.6 Tracking configuration changes

Change control with WinCC Audit Configuration changes in the WinCC project can be recorded using the WinCC Audit Change Control option. When tracking, a distinction is made between changes in the WinCC database and in the documents. The tracking of changes in both areas can be activated separately.

WinCC Explorer activation covers tracking changes in the following areas:

• WinCC Explorer

• Project properties

• Server properties – Properties on the "Graphics Runtime" tab; with Document Control (gracs.ini)

• Client properties – Properties on the "Graphics Runtime" tab; with Document Control (gracs.ini)

• Tag management – apart from System parameters

• Alarm logging

• Tag logging – the most relevant changes to timers, archives and tag tables.

• Text library – for entries in German, English, French, Italian, Spanish.

• User administrator

• Report Designer print jobs

• User archives • Other editor programs whose configuration data are saved in the project’s CS

database.



The diagram shows two tags which have been created as new (Insert EventType). One of the tags was then renamed (Update EventType).

The Document Control area covers changes in the following areas:

• C project functions (.fct), global and local C-actions (.pas)

• VBS project functions (.bmo), global and local VBS actions • Report layouts (.rpl) • Graphics documents (.pdl)

• Graphics runtime settings (Gracs.ini)

• All valid user documents in the project folder Misc. Documents

Checked documents are write-protected and must be checked out by a WinCC Audit user before changes are possible. When checking out, a comment must be specified. The document can be opened using the WinCC Audit Editor directly in the associated application.

When checking out a document, a copy is saved in the database so that it can be recovered if need be (rollback). The document’s history records all the users who have checked the document in and out.



7.7 Backing up the operating system and SIMATIC WinCC The operating system and the WinCC installation should be backed up as hard disk images. Such images can be used to restore the original state of the PC with little effort.

The required images • Create an image of the operating system installation with all drivers and all

settings relating to the network, user administration, etc. without SIMATIC WinCC.

• Create an image of the installed PCs with SIMATIC WinCC, WinCC options and WinCC premium add-ons.

• Create an image of the installed PCs with SIMATIC WinCC including all the projects.

Procedure for creating an image Several applications are available for creating an image, for example, SIMATIC PC/PG Image & Partition Creator. Note in this regard that the image is written to a free partition.

Note

The backups of the application software and the backup of the operating system with and without SIMATIC WinCC should be stored on external media (for example MOD, CD, DVD, network backup).

! Note An image can only be restored on a PC with identical hardware. For this reason, the hardware configuration of the PC must be adequately documented. Images of individual partitions cannot be exchanged between PCs because their settings, such as registry settings, differ.


8 System’s productive mode

8.1 Operational Change Control Changes on validated and operating systems must always be planned in consultation with the plant user, documented and only run and tested once approved.

The following chapters use examples to describe how to make changes to a WinCC project:

Changes in the WinCC project should not generally be undertaken during operation.

The effects of the changes to other parts of a WinCC application and the resulting tests must be specified as the basis of a risk assessment and documented.

3. Back up of the actual WinCC project

1. Release of change specification by plant owner

2. Description of the software change (e.g. FS)

4. Implementation of software change based on the new version

WinCC Audit is used to record changes in the engineering and document check in an Audit Trail. The version statuses of the project software and documents are also managed

5. Test of changes incl documentation (e.g. FAT)

6. Back up of the changed software incl. versioning

System’s productive mode


8.2 System recovery The procedure described in this chapter should enable the end user to restore the WinCC system after a disaster.

Disasters are taken to mean the following cases:

• Damage to the operating system or installed programs

• Damage to the system configuration data or configuration data

• Loss or damage to runtime data

The system is restored using the saved data. The backed up data (medium) and all the materials needed for the restoration (basic system, loading software, documentation) must be saved at the defined point. There must be a Disaster Recovery Plan which must be checked on a regular basis.

Restoring the operating system and installed software The operating system and installed software are restored by loading the corresponding images (see chapter 7.7 "Backing up the operating system and SIMATIC WinCC"). The instructions provided by the relevant tool manufacturer should be noted.

An image can only be restored on a PC with identical hardware. If a PC with an identical configuration is not available, the installation has to be run again from scratch. The documentation that contains descriptions of the installed software and the updates, upgrades and hot fixes also installed, can be used to qualify the software. The installation sequence described in chapter 4 "System installation" should be observed.

Restoring the application software The process for restoring the application software depends on the kind of backup.

• Retrieving data using the Version Trail software Version Trail lists all backup statuses with major and minor version and time stamp. To retrieve the data, the corresponding backup status is selected and the action started using the De-archive button.

• Retrieving data using the WinCC Audit Project Versioning software Even the WinCC Audit Versioning software lists the backup statuses created along with version ID and time stamp. To retrieve the data, the corresponding backup status is selected and the action started using the Restore Wizard button.

• Retrieving data from a manually created backup status Application software that has been copied using the WinCC Project Duplicator tool can be copied back using the same tool. A manually compressed backup status is copied from the external medium (network drive or CD/DVD) into the local project folder and unzipped.



• If a CAS (Central Archive Server) is being used in the system configuration, a separate engineering station (ES) must be set up for the CAS engineering, WinCC server and connected clients. In this case, the application software can be restored on the WinCC server by loading the server data from the ES to the WinCC server using Load destination system.

Restoring the runtime data Runtime data such as Alarm Logging data and Tag Logging data that has not been backed up using a backup configuration are lost in the event of a hard disk disaster.

To display lost data in WinCC Runtime, corresponding backup statuses ending with mdf and ldf are copied back onto the local computer and linked to the WinCC project in Tag Logging and/or Alarm Logging. The corresponding editor is opened in Windows Explorer for this purpose and the corresponding databases linked using Connect archive.

When using a CAS, the data do not have to be copied back. The data are displayed directly in the OCX Alarm Control or Trend Control / Table Control by selecting the lost time period.

Restoring a WinCC server in a redundant system In the event of a hard disk disaster in a redundant WinCC system, the runtime data are not yet available on the partner computer. Once the operating system, the software needed and the application software have been restored, the WinCC project is started. The runtime databases are automatically put through a redundant calibration by the system.



Restoring the long-term archive data on the CAS To prevent data being lost as a result of hard disk defects, RAID systems that allow the current data status to be used for future use should first be appointed.

Regular checks of the operating system’s event log and a Raid controller of sufficient performance are also required for this.

Restoration to a new hard disk by reinstalling StoragePlus is also possible if the StoragePlus configuration data is currently available.

Data not yet transferred from StoragePlus (archive) are not lost. At least this applies to the part which comes from the WinCC servers because – depending on how the times overlap – they usually still exist on the WinCC servers as part of the short-term archive that has not been overwritten.


9 System software updates and migration

9.1 Updates, service packs and hot fixes Updates to the system software of a validated system in operation must be agreed on with the operator. We are talking here about a system change that needs planning and processing in accordance with the valid change procedure. Similar to the description in chapter 8.1 "Operational Change Control", this roughly means the following steps:

• Description of the planned change

• Impact on functions / system parts / documentation, taking into account the system description of the new and changed functions in the Readme file / Release Notes

• Evaluation of risks

• Definition of the tests to be run in order to retain the validated status on the basis of the risk assessment

• Approval / refusal for the change (according to defined responsibilities)

• Update of the technical documentation

• Implementation of change in accordance with manufacturer’s details (once the system has also been approved for this)

• Documentation of the actions undertaken

• Qualification: Running and documenting the tests needed

The following may for example be of relevance when considering possible influences:

• Process pictures / objects / alarm system and process value archiving in function and illustration /

• Ports

• Impacts when loading

• Performance of the system

• Documentation (specification)

• New qualification tests and/or those to be repeated

Note

The SIMATIC Customer Support at http://support.automation.siemens.com provides support for software updating and project migration.


System software updates and migration


9.2 Migration of the application software The WinCC system software is upgraded with a migration, in other words, its range of functions is expanded or improved.

When there is a version change (for example from version 5.x to version 6) or a software update of the WinCC system software, it may be necessary to migrate or convert data created with the older version.

! Note The situations in which migration or conversion of the project data becomes necessary are described in the WinCC Information System of the new version in the section Upgrading WinCC > Notes on Migration of Projects.

The Project Migrator is available for migration. The project data is migrated offline, the WinCC system software must be completely closed down. Follow the instructions of the Project Migrator. If adaptation of the project is necessary, this requires validation.

The validation effort is specified in consultation with the plant user. Possible test points are the new functions available in WinCC and the correct installation of the software components required for migration.

Note

The migration procedure is described in detail in the WinCC Information System in the section "Migration".

Note A WinCC project that has been opened once using WinCC V6.2 cannot be edited or run again with version 6.0.


10 Additional hardware/software components

10.1 Uninterruptible power supply An uninterruptible power supply (UPS) is a system for buffering the line voltage. If the power supply from the line fails, the battery of the UPS takes over the power supply. When the power supply from the line resumes, the power supply from the UPS battery ceases and the battery begins to recharge. Some UPS systems offer monitoring of the line voltage in addition to buffering the power supply from the line. This guarantees output voltage at all times without interference voltage.

UPS systems are necessary so that process and Audit Trail data can continue to be recorded during power failures. The system operator needs to be consulted in regard to the design of the UPS, which should be specified in the URS, FS, or DS. The following points must be considered in this regard:

• Power consumption of the system to be supplied

• Capacity of the UPS

• Desired duration of the UPS buffering

The power consumption of the system to be buffered determines the size of the UPS. Another criterion for the selection is the priority of the systems. Systems with high priority are:

• Automation system (AS)

• Network components

• Archive server

• WinCC server

• WinCC clients

Field devices, which usually have relatively high power consumption, can be included in the buffering, depending on the performance capacity of the UPS. This should be based on the process category and selected in consultation with the system operator.

In any case, it is important to include the systems for reporting the data in the buffering. The time of the power failure should also be included in the reporting.

The use of UPS systems is a factor in the software installation. It needs to be installed and configured on the PC-based computer of the visualization system.

• Configuration of the alarming for power failure

• Specification of the time period for shutting down the PC

• Specification of the duration of the UPS buffering

The automation systems (PLC) should be programmed in a way that allows the process control system to be brought to a safe state with a specified buffer time in the event of power failure.

Due to varying requirements of individual devices, three classes have been established for the UPS context. These have been specified by the International

Additional hardware/software components


Engineering Consortium (IEC) under the product standard IEC 62040-3 by the European Union under EN 50091-3:

Standby or offline UPS

The simplest and least expensive UPS systems (according to IEC 62040-3.2.20 of UPS class 3) are standby or offline UPS systems. They only protect against power failure and transient voltage fluctuations and peaks. They do not compensate for undervoltage or overvoltage. Offline UPS systems automatically switch to battery mode when undervoltage or overvoltage occurs.

Network-interactive UPS

Network-interactive UPS systems (according to IEC 62040-3.2.18 of class 2) operate in a similar way to standby UPS systems. They protect against power failure and transient voltage peaks, and can continually compensate for voltage fluctuations using filters.

Online UPS

Double conversion or online UPS systems (according to IEC 62040-3.2.16 of Class 1) are considered real power generators that continuously generate their own line voltage. This means connected consumers are continuously supplied with line voltage without restrictions. The battery is charged at the same time.



10.1.1 Configuration of uninterruptible power supplies The configuration of uninterruptible power supplies (UPS) differs from case to case and must be described in the URS, DS or FS.

The two screenshots below are examples of the configuration of a UPS in Windows 2000/2003/XP.



The following table describes an example of configuring an uninterruptible power supply for an operator station in a process control system. The situation with automation systems (AS) is analogous.

Case Action Reaction

1 Power failure < 10 seconds

The WinCC computers are buffered by the UPS. An alarm using a digital input in WinCC documents the power failure.

2 Power failure > 20 minutes Power returns after 25 minutes

The WinCC computers are buffered by the UPS, for example for 20 minutes. An alarm in the PCS documents the power outage and the shutdown of the WinCC computers after 20 minutes. The UPS stops supplying power after a defined time (for example 25 minutes) so that an independent restart of the WinCC computers is possible once power has been restored.

3 Power failure > 1 hour

The WinCC computers are buffered by the UPS, for example for 20 minutes. An alarm in the PCS documents the power outage and the shutdown of the WinCC computers after 20 minutes. The UPS stops supplying power after a defined time so that an independent restart of the WinCC computers is possible when power returns.



10.1.2 UPS configuration over digital inputs In addition to the standard buffering provided by UPS devices, the option of monitoring the power supplies should be used. In this strategy, the phase is monitored over one or more digital inputs. The advantage of this is that power outages can be registered, signaled and archived.

UPS 24 V buffering (load voltage) The automation system CPU is supplied with power by the UPS 24 V module both during voltage fluctuations and during longer power outages. The phase monitoring module monitors the status change during a power failure using a digital input that should be designed as a failsafe input signal. If there is a power outage, an alarm can be generated to inform the operator of the power outage (alarm message). By logging the outage in the message system, the power failure can be researched later. Safety states can also be implemented based on power outage concepts that take effect immediately or after a certain time has elapsed (for example hold equipment phases, establish a safe plant status even after the return of the power etc.).



UPS 110 V / 220 V buffering (line voltage) In addition to the phase monitoring, the WinCC server is buffered by standard 110 V/220 V UPS modules. This ensures that the server remains in operation even after a power outage.

The operator is informed of the power outage by the UPS buffering, for example with alarm messages. Safe states can be initiated by the operator or by computer concepts.

The safe shutdown of the WinCC server can be signaled by WinCC alarm messages and put into effect if the power does not return within a specified time. This functionality increases the availability of the system on the return of the power.

Note

Siemens provides SITOP UPS for an uninterruptible power supply. A description of the quality requirement of the UPS can be found in entry ID 17241008. See also (http://support.automation.siemens.com/).

http://support.automation.siemens.com/)�

Guidelines for Implementing Automation Projects in a GMP Environment A5E01100604-02 Index-1

Index

2 21 CFR Part 11 ............................................... 17

A Access protection...................................... 30, 53 Access protection CAS ................................. 159 Add-on packages ............................................ 52 Add-on software packages ............................. 60 Alarm Logging................................................. 58 Application software - creation ...................... 129 Application software backup ........................... 40 Application software specification ................... 51 Approval and change procedure..................... 20 Archiving ......................................................... 36 Archiving - online ............................................ 58 Archiving - project ......................................... 203 Archiving/transfer - CAS ............................... 160 Audit trail ................................................. 34, 138 Audit Trail........................................................ 54 Audit Trail - CAS ........................................... 159 Audit Trail configuration - Alarm Logging ...... 143 Audit Trail configuration - WinCC Audit......... 138 Availability ....................................................... 61

B Backup - operating system ........................... 209 Backup configuration - Alarm Logging .......... 151 Backup configuration - Tag Logging ............. 152 Backup configuration

WinCC Audit - Audit Trails ........................ 142 Backup StoragePlus ..................................... 160 Batch control ................................................... 61 Batch documentation ...................................... 37 Batch reporting................................................ 37 Batch-based long-term archiving .................... 60 Biometric systems........................................... 31

C CAS - configuration....................................... 154 Central Archive Server (CAS) ......................... 59 Change control.......................................... 28, 56 Change control – configuration changes....... 207 Change Control during operation .................. 211 Concepts for time synchronization ................ 115 Configuration control....................................... 28 Configuration identification.............................. 28 Configuration management..................... 27, 121 ConfigurationTool............................................ 56 Connectivity pack............................................ 66

Creating scripts - C, VB.................................180 Creating the report layout for

WinCC Audit ..............................................171

D Data Backup....................................................39 Data communication via the

ODK programming interface......................179 Data communication with Industrial

DataBridge ................................................179 Data communication with the

connectivity pack .......................................178 Data communication with the

connectivity station ....................................178 Data communication with the

plant management level ............................178 Data display – CAS/StoragePlus...................161 Design specification ........................................15 Diagnostics for communication connections....97 Disabling the Windows level............................92

E Electronic batch data.......................................38 Electronic record .............................................38 Electronic signature...........................32, 53, 135 Electronic signature - biometric .......................33 Electronic signature - changing values..........134 Electronic signature - conventional..................32 Engineering software.......................................55 EU-GMP Guide ...............................................17 EU-GMP Guide – Annex 11 ............................18 EU-GMP Guide - Annex 18 .............................18

F FAT..................................................................16 FDA .................................................................17 FDA sets of regulations ...................................18 Functional specification ...................................15

G GAMP........................................................17, 18 GMP requirements ..........................................23 Guidelines .......................................................17

H Hardware categorization..................................24

Index

Guidelines for Implementing Automation Projects in a GMP Environment Index-2 A5E01100604-02

I Image & partition creator................................. 68 Implementation ............................................... 15 Installation - CAS ............................................ 91 Installation – operating system........................ 70 Installation - SIMATIC WinCC......................... 71 Installation - SIMATIC WinCC options ............ 74 Installation – utilities, drivers ........................... 75 Installation/configuration - SIMATIC Security

Control ........................................................ 73 Interfaces to process data............................... 65

L Life cycle model .............................................. 12 Lifebeat monitoring ....................................... 177 Logging - Audit Trail entries from

WinCC Audit ............................................. 169 Long-term archive server - setup .................... 90 Long-term archiving ................................ 59, 150 Long-term archiving - CAS............................ 152 Long-term archiving – PM-QUALITY ............ 161 Long-term archiving - WinCC........................ 150

M Manufacturing execution systems (MES)........ 67 Manufacturing log ........................................... 37 Migration ....................................................... 216

N NAMUR recommendation ............................... 18 Network security - CAS................................. 159

O Object-oriented configuration........................ 100 ODBC data source - creating........................ 169 Operator input message - create .................. 132 Options packages ........................................... 52 Overview pictures - creation ......................... 130

P Page layout editor ......................................... 165 Password .................................................. 31, 33 Permission management - WinCC User

administrator ............................................... 87 Picture windows............................................ 101 Planning qualification .................................... 196 PM-CONTROL................................................ 61 PM-QUALITY.................................................. 63 Print drivers............................................... 68, 75 Print jobs....................................................... 168 Process data backup ...................................... 41 Process pictures - creation ........................... 106 Process value archive - setup....................... 148 Project library ................................................ 108 Project settings ............................................... 95

Q Qualification.............................................16, 195 Qualification – application software ...............202 Qualification - hardware.................................197 Qualification - software ..................................199 Qualification - standard software ...................200 Qualification plan.............................................14 Qualification report ..........................................16 Quality and project plan...................................14

R Redundancy - configuration...........................111 Regulations .....................................................17 Report designer...............................................60 Reporting.................................................60, 164 Reporting – batch-oriented ..............................63 Reporting - Report Designer..........................164 Reporting with PM-QUALITY.........................174 Retrieving archived data..................................42 Retrieving archived data – CAS/StoragePlus 160

S S7 - connecting .............................................191 SAT .................................................................16 Script .............................................................109 Security setting - Windows audit trail..............82 Security setting - account ................................81 Security setting - password .............................80 Security settings in Windows...........................79 Security vulnerability in configuration ..............92 SIMATIC IT......................................................67 SIMATIC Logon...............................................53 SIMATIC Logon - PM-QUALITY / PM-

CONTROL setup .........................................89 SIMATIC Logon – WinCC Audit setup.............88 SIMATIC Logon configuration .........................84 SIMATIC NET - setting ..................................110 Smart card.......................................................31 Software categorization .............................21, 25 Software categorization of SIMATIC WinCC .199 Software creation ............................................29 Specification ....................................................14 Specification of system hardware....................47 Startup behavior ..............................................95 Structure tag..................................................102 Symbol library................................................107 System information channel ............................98 System installation ..........................................69 System network security..................................49 System recovery............................................212 System specification........................................45

T Tag Logging ....................................................58 Tag management ............................................55 Third-party component ....................................43 Third-party components - connecting ............193 Time stamping...............................................119 Time synchronization...............................35, 114

Index

Guidelines for Implementing Automation Projects in a GMP Environment A5E01100604-02 Index-3

Time synchronization - CAS ......................... 119 Time synchronization - configuring ............... 116 Typicals........................................................... 29

U Uninterruptible power supply - configuration. 219 Uninterruptible power supply (UPS).............. 217 Updates, service packs, hotfixes................... 215 User administrator........................................... 53 User archive.................................................... 63 User archive – setting up .............................. 149 User ID................................................ 30, 31, 33 User management .................................... 30, 53 User management – setup.............................. 76 User objects .................................................. 100 User requirements specification...................... 15

V Validation plan ................................................ 14 Validation report.............................................. 16 Version control - project .................................. 57 Version Trail.................................................... 57 Versioning....................................................... 28 Versioning – application software ................. 121 Versioning - manual ...................................... 205

Versioning - pictures......................................123 Versioning - project .......................................203 Versioning - reports .......................................127 Versioning - VB / C scripts.............................125 Versioning with SIMATIC Version Trail..........203 Versioning with WinCC Project Versioning....204 Versioning/backup of data of WinCC options /

WinCC premium add-ons ..........................206 Virus scanners...........................................68, 75

W Web access – configuration for

process operator input...............................181 Web access - configuration to display data ...185 Web access – operator permissions .............184 Web access - remote.....................................185 Web client – connecting ................................181 Web navigator .................................................65 WinCC Audit....................................................54 WinCC Audit ChangeControl...........................56 WinCC Audit Project Versioning......................58 WinCC DataMonitor.........................................66 WinCC flexible - connecting ..........................190 WinCC long-term archive server .....................59 Windows domains ...........................................78 Windows workgroup ........................................78

Index

Guidelines for Implementing Automation Projects in a GMP Environment Index-4 A5E01100604-02